Mutual authentication between a client and server over the Internet utilizing
the IOP protocol in its current state is enabled by first engaging in a "dummy"
request when a client initiates a request to a new target server for the first
time. This provides the means for creating a two way authentication mechanism.
Rather than creating an object reference for the dummy request, the object reference
at hand in the client, which the client is about to utilize for a request, is reused
by extracting a proxy object from the request. The request is intercepted in the
client and the proxy object passed to the interception method. The client next
issues a two-way remote method already defined for the proxy object, such as the
"non_existent( )" method defined on the CORBA object. The client then computes
a security token, and sends the dummy request to the server. The server intercepts
the dummy request, validates the security token received in the dummy request,
and acquires a new authentication token to be returned to the client. Upon interception
of the outgoing message, the new security token is marshalled in the security service
context and sent to the client on the response message. The client intercepts the
reply message and demarshals the security service context to recover the security
token and complete mutual authentication.
