Method and system for server support for pluggable authorization systems

US 20020178377A1
Filed: 03/21/2001
Published: 11/28/2002
Est. Priority Date: 03/21/2001
Status: Active Grant

First Claim

Patent Images

1. A method for authorizing access to a protected resource within a data processing system, the method comprising:

intercepting a remote procedure call for an authorization request directed to a first authorization service by an authorization plug-in associated with a second authorization service, wherein the authorization plug-in exports remote procedure call endpoints for the first authorization service; and

processing the authorization request in the authorization plug-in by calling application programming interfaces of the second authorization service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, apparatus, and computer program product is presented for plugging in a standard authorization system in a manner such that legacy applications can use the authorization APIs and backend remote interfaces of a legacy authorization system. When a legacy application makes a call intended for a routine within the legacy authorization system, the call is redirected to make the appropriate calls to the APIs of the standard authorization system.

51 Citations

View as Search Results

40 Claims

1. A method for authorizing access to a protected resource within a data processing system, the method comprising:
- intercepting a remote procedure call for an authorization request directed to a first authorization service by an authorization plug-in associated with a second authorization service, wherein the authorization plug-in exports remote procedure call endpoints for the first authorization service; and
  
  processing the authorization request in the authorization plug-in by calling application programming interfaces of the second authorization service.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the remote procedure call is intercepted from an initiator.
  - 3. The method of claim 1 wherein the remote procedure call is intercepted from a target application.
  - 4. The method of claim 1 further comprising:
    - recompiling or relinking a target application representing one or more protected resources to include program instructions from the authorization plug-in; and
      
      directing calls within the target application to application programming interfaces of the first authorization service to be executed by the program instructions from the authorization plug-in.
  - 5. The method of claim 1 wherein the first authorization service is a Distributed Computing Environment (DCE) authorization service.
  - 6. The method of claim 1 wherein the second authorization service conforms to the ISO 10181-3 standard.

7. A method for authorizing access to a protected resource within a data processing system, the method comprising:
- intercepting a remote procedure call for a remote routine of a Distributed Computing Environment (DCE) authorization service by an authorization plug-in associated with a second authorization service, wherein the authorization plug-in exports remote procedure call endpoints for the remote routines of the DCE authorization service, and wherein the second authorization service supports a standard-compliant authorization application programming interface; and
  
  processing the authorization request in the authorization plug-in by calling application programming interfaces of the second authorization service.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 16, 17, 18, 19, 20)
- - 8. The method of claim 7 further comprising:
    - intercepting a call to a DCE “
      
      rs_login_get_info”
      
      routine;
      
      retrieving privilege attributes for an initiator from a privilege attribute database in the second authorization service; and
      
      returning the privilege attributes to a DCE application programming interface.
  - 9. The method of claim 8 further comprising:
    - intercepting a call to a DCE “
      
      rpriv_get_epac”
      
      routine;
      
      obtaining authorization credentials for a DCE privilege service;
      
      storing the privilege attributes in a privilege attribute certificate;
      
      embedding the authorization credentials and the privilege attribute certificate in a DCE Extended Privilege Attribute Certificate (EPAC) structure; and
      
      returning the EPAC structure to a DCE application programming interface.
  - 10. The method of claim 7 further comprising:
    - recompiling or relinking a target application representing one or more protected resources to include program instructions from the authorization plug-in; and
      
      directing calls within the target application to application programming interfaces of the DCE authorization service to be executed by the program instructions from the authorization plug-in.
  - 11. The method of claim 10 further comprising:
    - accepting a call in the authorization plug-in to a “
      
      dce_acl_is_client_authorized”
      
      application programming interface; and
      
      authenticating the authorization credentials passed by the initiator to the target application.
  - 12. The method of claim 11 further comprising:
    - retrieving the privilege attribute certificate from the DCE EPAC structure;
      
      mapping a DCE Access Control List (ACL) manager Universally Unique Identifier (UUID) from the DCE EPAC structure to a resource manager in the second authorization service;
      
      mapping DCE ACL UUID from the DCE EPAC structure to a resource managed by the second authorization service;
      
      mapping the DCE permission set from the DCE EPAC structure to a permission set of the second authorization service;
      
      calling an application programming interface of the second authorization service to make an authorization decision based on the permission set of the second authorization service, the privilege attribute certificate, the resource, and the resource manager; and
      
      returning an indication of the authorization decision to the target application.
  - 13. The method of claim 7 wherein the standard-compliant authorization application programming interface is The Open Group Technical Standard C908 for an Authorization API.
  - 16. The apparatus of claim 15 wherein the remote procedure call is intercepted from an initiator.
  - 17. The apparatus of claim 15 wherein the remote procedure call is intercepted from a target application.
  - 18. The apparatus of claim 15 further comprising:
    - modifying means for recompiling or relinking a target application representing one or more protected resources to include program instructions from the authorization plug-in; and
      
      directing means for directing calls within the target application to application programming interfaces of the first authorization service to be executed by the program instructions from the authorization plug-in.
  - 19. The apparatus of claim 15 wherein the first authorization service is a Distributed Computing Environment (DCE) authorization service.
  - 20. The apparatus of claim 15 wherein the second authorization service conforms to the ISO 10181-3 standard.

14. A method for authorizing access to a protected resource within a data processing system, the method comprising:
- receiving at a server an authorization request for a protected resource, wherein the authorization request is generated using an remote procedure call (RPC) application programming interface (API) to a first authorization service;
  
  intercepting the remote procedure call by an authorization plug-in associated with a second authorization service; and
  
  redirecting the authorization request to an API of the second authorization system.

15. An apparatus for authorizing access to a protected resource within a data processing system, the apparatus comprising:
- intercepting means for intercepting a remote procedure call for an authorization request directed to a first authorization service by an authorization plug-in associated with a second authorization service, wherein the authorization plug-in exports remote procedure call endpoints for the first authorization service; and
  
  processing means for processing the authorization request in the authorization plug-in by calling application programming interfaces of the second authorization service.

21. An apparatus for authorizing access to a protected resource within a data processing system, the apparatus comprising:
- first intercepting means for intercepting a remote procedure call for a remote routine of a Distributed Computing Environment (DCE) authorization service by an authorization plug-in associated with a second authorization service, wherein the authorization plug-in exports remote procedure call endpoints for the remote routines of the DCE authorization service, and wherein the second authorization service supports a standard-compliant authorization application programming interface; and
  
  processing means for processing the authorization request in the authorization plug-in by calling application programming interfaces of the second authorization service.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 29, 30, 31, 32, 33, 35, 36, 37, 38, 39, 40)
- - 22. The apparatus of claim 21 further comprising:
    - second intercepting means for intercepting a call to a DCE “
      
      rs_login_get_info”
      
      routine;
      
      first retrieving means for retrieving privilege attributes for an initiator from a privilege attribute database in the second authorization service; and
      
      first returning means for returning the privilege attributes to a DCE application programming interface.
  - 23. The apparatus of claim 22 further comprising:
    - third intercepting means for intercepting a call to a DCE “
      
      rpriv_get_epac”
      
      routine;
      
      obtaining means for obtaining authorization credentials for a DCE privilege service;
      
      storing means for storing the privilege attributes in a privilege attribute certificate;
      
      embedding means for embedding the authorization credentials and the privilege attribute certificate in a DCE Extended Privilege Attribute Certificate (EPAC) structure; and
      
      second returning means for returning the EPAC structure to a DCE application programming interface.
  - 24. The apparatus of claim 21 further comprising:
    - modifying means for recompiling or relinking a target application representing one or more protected resources to include program instructions from the authorization plug-in; and
      
      directing means for directing calls within the target application to application programming interfaces of the DCE authorization service to be executed by the program instructions from the authorization plug-in.
  - 25. The apparatus of claim 24 further comprising:
    - accepting means for accepting a call in the authorization plug-in to a “
      
      dce_acl_is_client_authorized”
      
      application programming interface; and
      
      authenticating means for authenticating the authorization credentials passed by the initiator to the target application.
  - 26. The apparatus of claim 25 further comprising:
    - second retrieving means for retrieving the privilege attribute certificate from the DCE EPAC structure;
      
      first mapping means for mapping a DCE Access Control List (ACL) manager Universally Unique Identifier (UUID) from the DCE EPAC structure to a resource manager in the second authorization service;
      
      second mapping means for mapping DCE ACL UUID from the DCE EPAC structure to a resource managed by the second authorization service;
      
      third mapping means for mapping the DCE permission set from the DCE EPAC structure to a permission set of the second authorization service;
      
      calling means for calling an application programming interface of the second authorization service to make an authorization decision based on the permission set of the second authorization service, the privilege attribute certificate, the resource, and the resource manager; and
      
      third returning means for returning an indication of the authorization decision to the target application.
  - 27. The apparatus of claim 21 wherein the standard-compliant authorization application programming interface is The Open Group Technical Standard C908 for an Authorization API.
  - 29. The computer program product of claim 28 wherein the remote procedure call is intercepted from an initiator.
  - 30. The computer program product of claim 28 wherein the remote procedure call is intercepted from a target application.
  - 31. The computer program product of claim 28 further comprising:
    - instructions for recompiling or relinking a target application representing one or more protected resources to include program instructions from the authorization plug-in; and
      
      instructions for directing calls within the target application to application programming interfaces of the first authorization service to be executed by the program instructions from the authorization plug-in.
  - 32. The computer program product of claim 28 wherein the first authorization service is a Distributed Computing Environment (DCE) authorization service.
  - 33. The computer program product of claim 28 wherein the second authorization service conforms to the ISO 10181-3 standard.
  - 35. The computer program product of claim 34 further comprising:
    - instructions for intercepting a call to a DCE “
      
      rs_login_get_info”
      
      routine;
      
      instructions for retrieving privilege attributes for an initiator from a privilege attribute database in the second authorization service; and
      
      instructions for returning the privilege attributes to a DCE application programming interface.
  - 36. The computer program product of claim 35 further comprising:
    - instructions for intercepting a call to a DCE “
      
      rpriv_get_epac”
      
      routine;
      
      instructions for obtaining authorization credentials for a DCE privilege service;
      
      instructions for storing the privilege attributes in a privilege attribute certificate;
      
      instructions for embedding the authorization credentials and the privilege attribute certificate in a DCE Extended Privilege Attribute Certificate (EPAC) structure; and
      
      instructions for returning the EPAC structure to a DCE application programming interface.
  - 37. The computer program product of claim 34 further comprising:
    - instructions for recompiling or relinking a target application representing one or more protected resources to include program instructions from the authorization plug-in; and
      
      instructions for directing calls within the target application to application programming interfaces of the DCE authorization service to be executed by the program instructions from the authorization plug-in.
  - 38. The computer program product of claim 37 further comprising:
    - instructions for accepting a call in the authorization plug-in to a “
      
      dce_acl_is_client_authorized”
      
      application programming interface; and
      
      instructions for authenticating the authorization credentials passed by the initiator to the target application.
  - 39. The computer program product of claim 38 further comprising:
    - instructions for retrieving the privilege attribute certificate from the DCE EPAC structure;
      
      instructions for mapping a DCE Access Control List (ACL) manager Universally Unique Identifier (UUID) from the DCE EPAC structure to a resource manager in the second authorization service;
      
      instructions for mapping DCE ACL UUID from the DCE EPAC structure to a resource managed by the second authorization service;
      
      instructions for mapping the DCE permission set from the DCE EPAC structure to a permission set of the second authorization service;
      
      instructions for calling an application programming interface of the second authorization service to make an authorization decision based on the permission set of the second authorization service, the privilege attribute certificate, the resource, and the resource manager; and
      
      instructions for returning an indication of the authorization decision to the target application.
  - 40. The computer program product of claim 34 wherein the standard-compliant authorization application programming interface is The Open Group Technical Standard C908 for an Authorization API.

28. A computer program product in a computer readable medium for use in a data processing system for authorizing access to a protected resource, the computer program product comprising:
- instructions for intercepting a remote procedure call for an authorization request directed to a first authorization service by an authorization plug-in associated with a second authorization service, wherein the authorization plug-in exports remote procedure call endpoints for the first authorization service; and
  
  instructions for processing the authorization request in the authorization plug-in by calling application programming interfaces of the second authorization service.

34. A computer program product in a computer readable medium for use in a data processing system for authorizing access to a protected resource, the computer program product comprising:
- instructions for intercepting a remote procedure call for a remote routine of a Distributed Computing Environment (DCE) authorization service by an authorization plug-in associated with a second authorization service, wherein the authorization plug-in exports remote procedure call endpoints for the remote routines of the DCE authorization service, and wherein the second authorization service supports a standard-compliant authorization application programming interface; and
  
  instructions for processing the authorization request in the authorization plug-in by calling application programming interfaces of the second authorization service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ServiceNow Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Hemsath, David Kurt, Skibbie, Donna E.

Granted Patent

US 7,320,141 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6218 to a system of files or obj...

Method and system for server support for pluggable authorization systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

40 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for server support for pluggable authorization systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

40 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links