Java programmer in a COM world, apologies in advance if the terminology isn't quite right.
My Java app is going to receive a message from a COM component written by some folks who are COM developers. They want to include in the message some Principal information. On the basis of that information I'm going to make an authorisation decision.
My authorisation decision is really easy to make if I know which Active Directory groups the user indicated by the Principal belongs to - and I know for sure that Active Directory is in use in the target environment. In my Java code I can easily make LDAP calls to obtain information from Active Directory.
The COM folks say that they will be calling CoQueryClientBlanket to obtain a Principal Name. This principal name seems to come in a variety of flavours - msstd and fullsic. (They would be open to calling some other API if that helps.)
The question is: What (if any) information in the Principal could I use in making my LDAP query. Or am I better asking the COM guys to make some other Microsoft call to get the group information and pass that to me. If the latter, which call?
Aside, assume for the purposes of this question that:
- This extension of trust boundaries from COM to Java is sufficiently secure.
- We can't use standard techniques such as WS-Security and JEE Roles etc.