Dynamic identity switching

US 10,135,803 B2
Filed: 10/20/2016
Issued: 11/20/2018
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a computer system, an invocation by a web application acting as a web service client of a web service, wherein the invocation by the web application comprises a first username property representing a first identity using the web application and a second username property representing a second identity declared to be propagateable in web service invocations;

while executing a first task using the first identity, receiving a request to dynamically switch from the first identity to the second identity, wherein the first identity is of a first user and the second identity is of a second user that is different from the first user;

determining, by the computer system, a set of one or more switching rules using the first identity and the second identity in the invocation of the web service;

verifying, by the computer system, during runtime that the switch from the first identity to the second identity that is included in the invocation is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object;

including, by the computer system, the second identity in the second username property in a service request to the web service when the switch is permitted, wherein including the second identity in the service request comprises storing the second identity in a Security Assertion Markup Language (SAML) security token included in the service request;

communicating, by the computer system, the service request to the web service; and

executing, by the web service, a second task using the second identity in accordance with the one or more switching rules, wherein after executing the second task using the second identity, switching from the second identity to the first identity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for dynamically switching user identity when generating a web service request by receiving, at a client application, an invocation of a web service, the invocation associated with a first authenticated user identity of a first user, identifying a second user identity, verifying that a switch from the first user identity to the second user identity is permitted by switching rules, including the second user identity in a service request when the switch is permitted, and communicating the service request to the web service. The switching rules can include associations between initial user identities and permitted user identities. Verifying that a switch is permitted can include searching the associations for an entry having an initial user identity that matches the first authenticated user identity and a new user identity that matches the second user identity, wherein the switch is permitted when the entry is found.

Citations

15 Claims

1. A method comprising:
- receiving, by a computer system, an invocation by a web application acting as a web service client of a web service, wherein the invocation by the web application comprises a first username property representing a first identity using the web application and a second username property representing a second identity declared to be propagateable in web service invocations;
  
  while executing a first task using the first identity, receiving a request to dynamically switch from the first identity to the second identity, wherein the first identity is of a first user and the second identity is of a second user that is different from the first user;
  
  determining, by the computer system, a set of one or more switching rules using the first identity and the second identity in the invocation of the web service;
  
  verifying, by the computer system, during runtime that the switch from the first identity to the second identity that is included in the invocation is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object;
  
  including, by the computer system, the second identity in the second username property in a service request to the web service when the switch is permitted, wherein including the second identity in the service request comprises storing the second identity in a Security Assertion Markup Language (SAML) security token included in the service request;
  
  communicating, by the computer system, the service request to the web service; and
  
  executing, by the web service, a second task using the second identity in accordance with the one or more switching rules, wherein after executing the second task using the second identity, switching from the second identity to the first identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the permission object identifies a trusted application that can be accessed by the second identity.
  - 3. The method of claim 1, wherein the one or more switching rules comprise associations between initial user identities and permitted user identities, andverifying that a switch is permitted comprises searching, by the computer system, the associations for an entry having an initial user identity that matches the first identity and a new user identity that matches the second identity,wherein the switch is permitted when the entry is found in the associations.
  - 4. The method of claim 1, wherein invocation by the second identity is permitted when one or more attributes of at least one of the one or more switching rules match corresponding values determined at runtime.
  - 5. The method of claim 1, wherein a first rule of the one or more switching rules comprises the permitted application, a permitted initial identity, and a permitted new identity, and the verifying that a switch is permitted comprises:
    - comparing the permitted application to a client application that invoked the web service,comparing the permitted initial identity to the first identity, andcomparing the permitted new identity to the second identity,wherein the invocation by the second identity is permitted when the permitted application matches the client application, the permitted initial identity matches the first identity, and the permitted new identity matches the second identity.
  - 6. The method of claim 5, wherein the first rule of the one or more switching rules comprises a condition based on one or more attributes of the client application, and invocation by the second identity is permitted when the condition is satisfied.
  - 7. The method of claim 6, wherein the condition is further based upon one or more values determined at runtime.
  - 8. The method according to claim 1, wherein the set of one or more switching rules comprises a permitted identity identified in accordance with a permission map.
  - 9. The method according to claim 1, wherein the permission object specifies one or more permitted applications corresponding to one or more permitted identities.
  - 10. The method according to claim 1, wherein the second user has authorization privileges that are different from authorization privileges of the first user.

11. A non-transitory machine-readable medium storing a series of instructions executable by a processor of a computer system, the non-transitory computer-readable medium comprising:
- instructions that cause the processor to receive an invocation by a web application acting as a web service client of a web service, wherein the invocation by the web application comprises a first username property representing a first identity of using the web application and a second username property representing a second identity declared to be propagateable in web service invocations;
  
  instructions that cause the processor to while executing a first task using the first identity, receive a request to dynamically switch from the first identity to the second identity, wherein the first identity is of a first user and the second identity is of a second user that is different from the first user;
  
  instructions that cause the processor to determine a set of one or more switching rules using the first identity and the second identity in the invocation of the web service;
  
  instructions that cause the processor to verify during runtime that the switch from the first identity to the second identity that is included in the invocation is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object;
  
  instructions that cause the processor to include the second identity in the second username property in a service request to the web service when the switch is permitted, wherein including the second identity in the service request comprises storing the second identity in a Security Assertion Markup Language (SAML) security token included in the service request;
  
  instructions that cause the processor to communicate the service request to the web service; and
  
  instructions that cause the web service to execute a second task using the second identity in accordance with the one or more switching rules, wherein after executing the second task using the second identity, switching from the second identity to the first identity.
- View Dependent Claims (12, 13, 14)
- - 12. The machine-readable medium of claim 11, wherein the one or more switching rules comprise associations between initial identities and permitted identities, andthe instructions that cause the processor to verify that a switch is permitted comprise instructions that cause the processor to search the associations for an entry having an initial identity that matches the first identity and a new identity that matches the second identity,wherein the switch is permitted when the entry is found in the associations.
  - 13. The machine-readable medium of claim 11, wherein invocation by the second identity is permitted when one or more attributes of the rule match corresponding values determined at runtime.
  - 14. The machine-readable medium of claim 11, wherein a first rule of the one or more switching rules comprises the permitted application, a permitted initial identity, and a permitted new identity, and the instructions that cause the processor to verify that a switch is permitted comprise:
    - instructions that cause the processor to compare the permitted application to a client application,instructions that cause the processor to compare the permitted initial identity to the first identity, andinstructions that cause the processor to compare the permitted new identity to the second identity,wherein the invocation by the second identity is permitted when the permitted application matches the client application, the permitted initial identity matches the identity of the first identity, and the permitted new identity matches the second identity.

15. A system for dynamically switching between identities of different entities to request web services, the system comprising:
- a hardware processor; and
  
  a non-transitory memory configured to store a set of instructions which when executed by the processor causes the processor to;
  
  receive an invocation by a web application acting as a web service client of a web service, wherein the invocation by the web application comprises a first username property representing a first identity using the web application and a second username property representing a second identity declared to be propagateable in web service invocations;
  
  while executing a first task using the first identity, receive a request to dynamically switch from the first identity to the second identity, wherein the first identity is of a first user and the second identity is of a second user that is different from the first user;
  
  determine a set of one or more switching rules using the first identity and the second identity in the invocation of the web service;
  
  verify during runtime that the switch from the first identity to the second identity that is included in the invocation is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object;
  
  include the second identity in the second username property in a service request to the web service when the switch is permitted, wherein including the second identity in the service request comprises storing the second identity in a Security Assertion Markup Language (SAML) security token included in the service request;
  
  communicate the service request to the web service; and
  
  execute, by the web service, a second task using the second identity in accordance with the one or more switching rules, wherein after executing the second task using the second identity, switching from the second identity to the first identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kavantzas, Nickolas, Guo, Jiandong, Gupta, Pratibha
Primary Examiner(s)
Chiang, Jason

Application Number

US15/299,196
Publication Number

US 20170041308A1
Time in Patent Office

761 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/33   using certificates

G06F 21/6218   to a system of files or obj...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Dynamic identity switching

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic identity switching

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links