In general, when multiple rules apply to an access decision about whether a given subject in a given context may access an object, the policy must resolve the multiple directives into one acceptable decision. The resolution strategy

Additional CSI level 0 and level 1 interoperability might exist between vendors. Only pair-wise testing can tell.

Vendor Implementations of CORBA Security

Vendors are charged with the difficult task of implementing all of the security APIs in a manner that is independent of the underlying security controls, flexible in supporting multiple security policies, and interoperable with multiple ORBs and with other security components. The security service, in line with other OMG goals, must also be portable and fast.

The fact that all the vendors claim compliance not only with the standard but also with the common security interoperability levels means very little. You have to test to see whether this claim holds because of subtle differences in vendor implementations in the choice of how structures are stored, how messages are formatted, how extensions are parsed, or how errors are handled. Much of the detail of how to accomplish these goals is left unspecified.

Implementing security under these constraints is made all the more difficult due to the distributed nature of the CORBA software bus. Where do the components of the trusted core supporting all communications reside in a distributed environment? What impact will security have on performance if this core is distributed across the enterprise?

Vendors are required to provide security services to applications by implementing all the security facilities and interfaces required to secure an ORB. They must also provide basic administrative support for all choices of policy, but the standard allows for levels of interoperability requirements between security mechanisms.
The CORBA Security Specification is very complex and has relatively low usage in applications because almost no compliant COTS products have been developed. Implementations that do exist force the architect to accept the vendor's interpretation of the open standard, use proprietary APIs, and create complex or brittle solutions that are hard to .