System and method for server security and entitlement processing

US 20020188869A1
Filed: 06/11/2001
Published: 12/12/2002
Est. Priority Date: 06/11/2001
Status: Active Grant

First Claim

Patent Images

1. A security system for allowing a client to access a protected resource, comprising:

an application interface mechanism for receiving an access request from a client application to access a protected resource, and communicating said access request to a security service;

a security service for making a decision to permit or deny said access request; and

, a resource interface for communicating permitted access requests to said protected resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

480 Citations

39 Claims

1. A security system for allowing a client to access a protected resource, comprising:
- an application interface mechanism for receiving an access request from a client application to access a protected resource, and communicating said access request to a security service;
  
  a security service for making a decision to permit or deny said access request; and
  
  , a resource interface for communicating permitted access requests to said protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 36, 37, 38, 39)
- - 2. The security system of claim 1 wherein said application interface mechanism includes an application container for reading an application deployment description and registering said deployment description within the security service.
  - 3. The security system of claim 2 wherein said application container is an Enterprise Java Beans container.
  - 4. The security system of claim 2 wherein said application container is a WebApp container.
  - 5. The security system of claim 1 wherein said security service includes a plurality of access decision mechanisms for defining an access policy and for determining a contributory decision to permit, deny, or abstain from said access request.
  - 6. The security system of claim 5 wherein said security service further includes an access controller for transferring said access request to said plurality of access decision mechanisms, and for combining said contributory decisions into an overall decision by the security service to permit or deny said access request.
  - 7. The security system of claim 5 wherein said access decisions represent a business function related access policy.
  - 8. The security system of claim 5 wherein access decisions may be added to the security service to reflect changes in the access policy.
  - 9. The security system of claim 5 wherein said access decision mechanisms are used to define an entitlement for said client to access said protected resource.
  - 10. The security system of claim 5 wherein a deny or abstain by any one of said access decision mechanisms causes the security service to deny the access request.
  - 11. The security system of claim 5 wherein an abstain by any one of said access decision mechanisms does not cause the security service to deny the access request.
  - 12. The security system of claim 5 wherein said security service further includes an audit mechanism for auditing the determinations of said plurality of access requests.
  - 13. The security system of claim 1 wherein said resource interface includes an interface mechanism to pass requests to or from a protected resource.
  - 14. The security system of claim 13 wherein said interface mechanism includes a Java J2EE security interface.
  - 15. The security system of claim 13 wherein said interface mechanism includes a security provider interface.
  - 16. The security system of claim 13 wherein said interface mechanism is included as a plug-in in said resource interface.
  - 17. The security system of claim 1 wherein the security service further makes a decision on whether to permit or deny a response to said access request from said protected resource to said client.
  - 19. The method of claim 18 wherein said application interface mechanism includes an application container for reading an application deployment description and registering said deployment description within the security service.
  - 20. The method of claim 19 wherein said application container is an Enterprise Java Beans container.
  - 21. The method of claim 19 wherein said application container is a WebApp container.
  - 22. The method of claim 18 further comprising:
    - defining an access policy via a plurality of access decision mechanisms within said security service; and
      
      , determining a teach access decision mechanism a contributory decision to permit, deny, or abstain from said access request.
  - 23. The method of claim 22 further comprising:
    - transferring via an access controller said access request to said plurality of access decision mechanisms, and combining said contributory decisions into an overall decision by the security service to permit or deny said access request.
  - 24. The method of claim 22 wherein said access decisions represent a business function related access policy.
  - 25. The method of claim 22 wherein access decisions may be added to the security service to reflect changes in the access policy.
  - 26. The method of claim 22 further comprising:
    - using said access decision mechanisms to define an entitlement for said client to access said protected resource.
  - 27. The method of claim 22 wherein a deny or abstain by any one of said access decision mechanisms causes the security service to deny the access request.
  - 28. The method of claim 22 wherein an abstain by any one of said access decision mechanisms does not cause the security service to deny the access request.
  - 29. The method of claim 22 further comprising:
    - auditing via an audit mechanism the determinations of said plurality of access requests.
  - 30. The method of claim 18 wherein said step of communicating via a resource interface includes passing requests via an interface mechanism to or from a protected resource.
  - 31. The method of claim 30 wherein said interface mechanism includes a Java J2EE security interface.
  - 32. The method of claim 30 wherein said interface mechanism includes a security provider interface.
  - 33. The method of claim 30 wherein said interface mechanism is included as a plug-in in said resource interface.
  - 34. The method of claim 18 further comprising:
    - making a decision on whether to permit or deny a response to said access request from said protected resource to said client.
  - 36. The method of claim 35 wherein said entitlement determines the type of access available to the user of said protected resource.
  - 37. The method of claim 36 wherein said type of access includes any of view, modify, delete, or copy, any part or all of said protected resource.
  - 38. The method of claim 35 wherein information about said user entitlement can be communicated from a first security realm to a second security realm.
  - 39. The method of claim 38 wherein additional information from a first security realm can be used to modify the user entitlement, prior to communicating said information about said user entitlement from said first security realm to said second security realm.

18. A method of allowing a client to access a protected resource, comprising:
- receiving at an application interface mechanism an access request from a client application to access a protected resource and communicating said access request to a security service;
  
  making a decision at said security service to permit or deny said access request; and
  
  , communicating via a resource interface a permitted access request to said protected resource.

35. A method for determining a user entitlement to access protected resources in a secure environment, comprising:
- receiving an access request from a user application to access a protected resource invoking a security service with said access request;
  
  determining a user entitlement to access said protected resource;
  
  making a decision at said security service based on said user entitlement to permit or deny said access request; and
  
  , the steps of either (a) communicating a permitted access request to said protected resource, or (b) denying a denied access request to said protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Patrick, Paul

Granted Patent

US 7,392,546 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

System and method for server security and entitlement processing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

480 Citations

39 Claims

Specification

Use Cases

Quick Links

Others

System and method for server security and entitlement processing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

480 Citations

39 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others