Security Impact of the OBJREF
We have concentrated on the OBJREF and connection points in this chapter. Both of these discussions involve the passing of an interface pointer from one object to another. This is very powerful, but even if a client receives an interface pointer, it doesn’t mean that the client can successfully invoke methods using the received interface pointer. The reason for this is security. The receiver can invoke methods on the received interface pointer, barring security constraints.
For example, a ChatClient component successfully obtains a ChatServer object’s IUnknown interface pointer from the ChatBroker component. Nevertheless, this doesn’t mean that the ChatClient component can send chat messages to the ChatServer component. This depends upon the ChatServer component’s access security, which can be configured programmatically using CoInitializeSecurity or manually using dcomcnfg.exe. Even if these are correctly configured, the authentication levels and impersonation levels may also be a factor in successful invocations. You’ll have to configure security correctly for method invocations among different components to succeed.
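The following read-only audit is an added example, not code from the book: it dumps the registry values that dcomcnfg.exe edits (machine-wide defaults and one server's AppID settings) so the access permissions, authentication level and impersonation level can be checked side by side. The AppID GUID is a placeholder, and the helper names ConvertTo-Sddl and Get-LevelName are made up for this sketch.

```powershell
# Added example: read-only audit of the DCOM security settings that dcomcnfg.exe edits.
# $AppId is a placeholder; pass the AppID GUID registered for your own server.
param([string]$AppId = '{00000000-0000-0000-0000-000000000000}')

# RPC_C_AUTHN_LEVEL_* and RPC_C_IMP_LEVEL_* values as stored in the registry.
$authnNames = @{ 0 = 'Default'; 1 = 'None'; 2 = 'Connect'; 3 = 'Call'
                 4 = 'Packet'; 5 = 'PacketIntegrity'; 6 = 'PacketPrivacy' }
$impNames   = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function ConvertTo-Sddl([byte[]]$Bytes) {
    # Permissions are stored as binary security descriptors; show them as SDDL.
    if (-not $Bytes) { return '(not set)' }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($Bytes, 0)
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

function Get-LevelName($Value, [hashtable]$Map) {
    # Translate a numeric level into "number (name)"; keep unknown values visible.
    if ($null -eq $Value) { return '(not set)' }
    $name = $Map[[int]$Value]
    if ($name) { "$Value ($name)" } else { "$Value (unknown)" }
}

$ole = Get-ItemProperty -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
$app = Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\AppID\$AppId" -ErrorAction SilentlyContinue

# Machine-wide defaults (the "Default Properties" and "Default Security" settings).
[pscustomobject]@{
    Scope               = 'Machine defaults'
    EnableDCOM          = $ole.EnableDCOM
    AuthenticationLevel = Get-LevelName $ole.LegacyAuthenticationLevel $authnNames
    ImpersonationLevel  = Get-LevelName $ole.LegacyImpersonationLevel $impNames
    AccessPermission    = ConvertTo-Sddl $ole.DefaultAccessPermission
    LaunchPermission    = ConvertTo-Sddl $ole.DefaultLaunchPermission
} | Format-List

# Per-server overrides; '(not set)' means the machine default above applies.
[pscustomobject]@{
    Scope               = "AppID $AppId"
    RunAs               = $app.RunAs
    AuthenticationLevel = Get-LevelName $app.AuthenticationLevel $authnNames
    AccessPermission    = ConvertTo-Sddl $app.AccessPermission
    LaunchPermission    = ConvertTo-Sddl $app.LaunchPermission
} | Format-List
```

These values apply to a process that does not call CoInitializeSecurity itself; a process that does call it supplies its own settings in that call. Run the audit on the client machine as well as the server, since a client that receives callbacks is subject to the same checks.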
As a different but related example, consider that a ChatClient component successfully sends a chat message to a server, because it has access. However, it may be possible that the ChatServer component cannot make callbacks to the client, because the client cannot authenticate the server. For instance, if you’ve configured the ...