Query string processing

US 20020099671A1
Filed: 02/26/2001
Published: 07/25/2002
Est. Priority Date: 07/10/2000
Status: Active Grant

First Claim

Patent Images

1. A method for providing access to a resource on a network, comprising the steps of:

receiving an identification of said resource, said identification includes an absolute portion and a query portion;

using said query portion to identify a first access rule;

applying said first access rule; and

allowing access to said resource, said step of allowing access is not performed if said first access rule is not satisfied.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system is disclosed that is used to provide access management for resources on a network. The system makes use of query data from a URL (or another identification or request) to identify the appropriate access rule. Examples of an access rule include an authentication rule, an authorization rule, or an audit rule. The system can be configured to require the query data to match order dependent variables or order independent variables. In one option, the system can include two levels of rules and the query data can be used to identify first level rules, second level rules or both.

225 Citations

57 Claims

1. A method for providing access to a resource on a network, comprising the steps of:
- receiving an identification of said resource, said identification includes an absolute portion and a query portion;
  
  using said query portion to identify a first access rule;
  
  applying said first access rule; and
  
  allowing access to said resource, said step of allowing access is not performed if said first access rule is not satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A method according to claim 1, wherein:
    - said first access rule is an authorization rule.
  - 3. A method according to claim 1, wherein:
    - said first access rule is an authentication rule.
  - 4. A method according to claim 3, wherein:
    - said first access rule is satisfied if a user provides a correct user name and a correct password.
  - 5. A method according to claim 3, wherein:
    - said first access rule is satisfied with no action.
  - 6. A method according to claim 1, wherein:
    - said identification of said resource includes a URL; and
      
      said query portion includes query data in said URL.
  - 7. A method according to claim 1, wherein:
    - said identification of said resource includes a URL; and
      
      said absolute portion includes a file name.
  - 8. A method according to claim 1, wherein:
    - said absolute portion of said identification of said resource corresponds to said first access rule and one or more additional access rules; and
      
      said query portion of said identification of said resource corresponds to said first access rule and not to said one or more additional access rules.
  - 9. A method according to claim 1, wherein:
    - said first access rule is a member of a set of specific access rules;
      
      said set of specific access rules is associated with a group of resources;
      
      said group of resources includes a default access rule for resources not associated with any specific access rule; and
      
      said step of using said query portion includes identifying said first access rule from other access rules in said set of specific access rules.
  - 10. A method according to claim 9, further comprising the step of:
    - using said absolute portion to identify said group of resources.
  - 11. A method according to claim 1, wherein:
    - a set of resources are associated with a first policy domain;
      
      said policy domain includes one or more policies;
      
      said one or more policies includes a first policy;
      
      said first policy includes said first access rule;
      
      said step of using said query portion includes the steps of;
      
      identifying said first policy domain using said absolute portion; and
      
      identifying said first policy using said query portion.
  - 12. A method according to claim 1, wherein:
    - said query portion includes a first variable and a second variable; and
      
      said step of using said query portion uses said first variable and does not use said second variable.
  - 13. A method according to claim 1, wherein:
    - said step of using said query portion includes identifying an audit rule based on said query portion; and
      
      said step of allowing access includes logging said access.
  - 14. A method according to claim 1, wherein:
    - said step of using said query portion includes comparing at least a portion of said query portion to a string.
  - 15. A method according to claim 1, wherein:
    - said step of using said query portion includes determining whether said query portion includes a set of variables in a predetermined order.
  - 16. A method according to claim 15, wherein:
    - said step of determining whether said query portion includes a set of variables in a predetermined order includes evaluating wildcards.
  - 17. A method according to claim 1, wherein:
    - said step of using said query portion includes determining whether said query portion includes a set of order independent variables.
  - 18. A method according to claim 1, wherein:
    - said step of using said query portion includes determining whether said query portion includes a predefined set of variables having predefined values.
  - 19. A method according to claim 1, wherein said step of using said query portion comprises the steps of:
    - accessing a policy identifier, said policy identifier includes an absolute path and a query string, said policy identifier corresponds to said first access rule;
      
      comparing all or part of said identification of said resource to said absolute path;
      
      comparing all or part of said identification of said resource to said query string; and
      
      determining that said identification of said resource corresponds to said policy identifier if all or part of said identification of said resource matches said absolute path and all or part of said identification of said resource matches said query string.
  - 20. A method according to claim 1, wherein said step of using said query portion comprises the steps of:
    - accessing a policy identifier, said policy identifier includes an absolute path and one or more order independent query variables, said policy identifier corresponds to said first access rule;
      
      comparing all or part of said identification of said resource to said absolute path;
      
      comparing all or part of said identification of said resource to said one or more order independent query variables; and
      
      determining that said identification of said resource corresponds to said policy identifier if all or part of said identification of said resource matches said absolute path and all or part of said identification of said resource matches said one or more order independent query variables.

21. A method for providing access to a resource on a network, comprising the steps of:
- transmitting an identification of said resource, said identification includes an absolute portion and a query portion, said query portion is used by a remote server to identify a first access rule;
  
  participating in performing said first access rule; and
  
  receiving access to said resource, said step of receiving access is not performed if said first access rule is not satisfied.
- View Dependent Claims (22, 23, 24, 25, 26, 28, 29, 30, 31, 32)
- - 22. A method according to claim 21, wherein:
    - said first access rule is an authentication rule.
  - 23. A method according to claim 21, wherein:
    - said absolute portion of said identification of said resource corresponds to said first access rule and one or more additional access rules; and
      
      said query portion of said identification of said resource corresponds to said first access rule and not to said one or more additional access rules.
  - 24. A method according to claim 21, wherein:
    - a set of resources is associated with a first policy domain;
      
      said policy domain includes one or more policies;
      
      said one or more policies includes a first policy;
      
      said first policy includes said first access rule; and
      
      said query portion is used by said remote server to identify said first policy domain using said absolute portion and identify said first policy using said query portion.
  - 25. A method according to claim 21, wherein:
    - said remote server evaluates wildcards and determines whether said query portion includes a set of variables in a predetermined order.
  - 26. A method according to claim 21, wherein:
    - said remote server determines whether said query portion includes a set of variables in any order.
  - 28. A method according to claim 27, wherein:
    - said first access rule is an authentication rule.
  - 29. A method according to claim 27, further comprising the step of:
    - identifying an absolute identification path to be associated with said first access rule.
  - 30. A method according to claim 27, wherein:
    - said step of identifying one or more query variables includes identifying an order of said one or more query variables.
  - 31. A method according to claim 27, wherein:
    - said one or more query variables are order independent.
  - 32. A method according to claim 27, further comprising the steps of:
    - creating a second access rule; and
      
      creating a third access rule, said third access rule is a first level generic access rule for a set of resources on a network, said first access rule is a second level specific access rule for a first resource, said second access rule is a second level specific access rule for a second resource, said second resource and said first resource are part of said set of resources.

27. A method for creating access criteria, comprising the steps of:
- creating a first access rule for one or more resources;
  
  identifying a set of one or more query variables to be associated with said first access rule; and
  
  identifying one or more values for said one or more query variables.

33. On e or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- receiving an identification of a resource, said identification including an absolute portion and a query portion;
  
  using said query portion to identify a first access rule;
  
  applying said first access rule; and
  
  allowing access to said resource, said step of allowing access is not performed if said first access rule is not satisfied.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 34. One or more processor readable storage devices according to claim 33, wherein:
    - said first access rule is an authentication rule.
  - 35. One or more processor readable storage devices according to claim 33, wherein:
    - said identification of said resource includes a URL;
      
      said query portion includes query data in said URL; and
      
      said absolute portion includes a file name.
  - 36. One or more processor readable storage devices according to claim 33, wherein:
    - said absolute portion of said identification of said resource corresponds to said first access rule and on e o r more additional access rules; and
      
      said query portion of said identification of said resource corresponds to said first access rule and not to said one or more additional access rules.
  - 37. One or more processor readable storage devices according to claim 33, wherein:
    - a set of resources are associated with a first policy domain;
      
      said policy domain includes one or more policies;
      
      said one or more policies includes a first policy;
      
      said first policy includes said first access rule; and
      
      said step of using said query portion includes the steps of;
      
      identifying said first policy domain using said absolute portion, and identifying said first policy using said query portion.
  - 38. One or more processor readable storage devices according to claim 33, wherein:
    - said query portion includes a first variable and a second variable; and
      
      said step of using said query portion uses said first variable and does not use said second variable.
  - 39. One or more processor readable storage devices according to claim 33, wherein:
    - said step of using said query portion includes determining whether said query portion includes a set of variables in a predetermined order ; and
      
      said step of determining whether said query portion includes a s et of variable s in a predetermined order includes evaluating wildcards.
  - 40. One or more processor readable storage devices according to claim 33, wherein:
    - said step of using said query portion includes determining whether said query portion includes a set of order independent variables.
  - 41. One or more processor readable storage devices according to claim 33, wherein said step of using said query portion comprises the steps of:
    - accessing a policy identifier, said policy identifier includes an absolute path and a query string, said policy identifier corresponds to said first access rule;
      
      comparing all or part of said identification of said resource to said absolute path;
      
      comparing all or part of said identification of said resource to said query string; and
      
      determining that said identification of said resource corresponds to said policy identifier if all or part of said identification of said resource matches said absolute path and all or part of said identification of said resource matches said query string.
  - 42. One or more processor readable storage devices according to claim 33, wherein said step of using said query portion comprises the steps of:
    - accessing a policy identifier, said policy identifier includes an absolute path and one or more order independent query variables, said policy identifier corresponds to said first access rule;
      
      comparing all or part of said identification of said resource to said absolute path;
      
      comparing all or part of said identification of said resource to said one or more order independent query variables; and
      
      determining that said identification of said resource corresponds to said policy identifier if all or part of said identification of said resource matches said absolute path and all or part of said identification of said resource matches said one or more order independent query variables.

43. An apparatus, comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to preform a method comprising the steps of;
  
  receiving an identification of said resource, said identification including an absolute portion and a query portion, using said query portion to identify a first access rule, applying said first access rule, and allowing access to said resource, said step of allowing access is not performed if said first access rule is not satisfied.
- View Dependent Claims (44, 45, 46, 48, 49, 50, 51, 52)
- - 44. An apparatus according to claim 43, wherein:
    - said identification of said resource includes a URL;
      
      said query portion includes query data in said URL; and
      
      said absolute portion includes a file name.
  - 45. An apparatus according to claim 43, wherein:
    - said absolute portion of said identification of said resource corresponds to said first access rule and one or more additional access rules; and
      
      said query portion of said identification of said resource corresponds to said first access rule and not to said one or more additional access rules.
  - 46. An apparatus according to claim 43, wherein:
    - a set of resources are associated with a first policy domain;
      
      said policy domain includes one or more policies;
      
      said one or more policies includes a first policy;
      
      said first policy includes said first access rule; and
      
      said step of using said query portion includes the steps of;
      
      identifying said first policy domain using said absolute portion, and identifying said first policy using said query portion.
  - 48. One or more processor readable storage devices according to claim 47, wherein:
    - said first access rule is an authentication rule to be used in an access management system.
  - 49. One or more processor readable storage devices according to claim 47, wherein said method further comprises the step of:
    - receiving and storing an absolute identification path to be associated with said first access rule.
  - 50. One or more processor readable storage devices according to claim 47, wherein:
    - said step of receiving and storing one or more query variables includes storing an order of said one or more query variables.
  - 51. One or more processor readable storage devices according to claim 47, wherein:
    - said one or more query variables are order independent.
  - 52. One or more processor readable storage devices according to claim 47, wherein said method further comprises the steps of:
    - providing for creation of a second access rule; and
      
      providing for creation of a third access rule, said third access rule is a first level generic access rule for a set of resources on a network, said first access rule is a second level specific access rule for a first resource, said second access rule is a second level specific access rule for a second resource, said second resource a nd said first resource are part of set of resources.

47. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method comprising the steps of:
- providing for creation of a first access rule for one or more resources;
  
  receiving and storing a set of one or more query variables to be associated with said first access rule; and
  
  receiving and storing one or more values for said one or more query variables.

53. An apparatus, comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said communication interface, said one or more processors programmed to preform a method comprising the steps of;
  
  providing for creation of a first access rule for one or more resources, receiving and storing a set of one or more query variables to be associated with said first access rule, and receiving and storing one or more values for said one or more query variables.
- View Dependent Claims (54, 55, 56, 57)
- - 54. An apparatus according to claim 53, wherein said method further comprises the step of:
    - receiving and storing an absolute identification path to be associated with said first access rule.
  - 55. An apparatus according to claim 53, wherein:
    - said step of storing one or more query variables includes storing an order of said one or more query variables.
  - 56. An apparatus according to claim 53, wherein:
    - said one or more query variables are order independent.
  - 57. An apparatus according to claim 53, wherein said method further comprises the steps of:
    - providing for creation of a second access rule; and
      
      providing for creation of a third access rule, said third access rule is a first level generic access rule for a set of resources on a network, said first access rule is a second level specific access rule for a first resource, said second access rule is a second level specific access rule for a second resource, said second resource and said first resource are part of set of resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Mastin Crosbie, Tanya M., Knouse, Charles W.

Granted Patent

US 8,204,999 B2
Time in Patent Office

Days
Field of Search
US Class Current

705/500
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 16/955   using information identifie...

G06F 21/62   Protecting access to data v...

G06Q 99/00   Subject matter not provided...

H04L 2463/102   applying security measure f...

H04L 61/4523   using lightweight directory...

H04L 63/0823   using certificates cryptogr...

H04L 63/105   Multiple levels of security

H04L 67/02   based on web technology, e....

H04L 67/142   Managing session states for...

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

Query string processing

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

225 Citations

57 Claims

Specification

Solutions

Use Cases

Quick Links

Query string processing

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

225 Citations

57 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links