System and method for bridging identities in a service oriented architecture
Abstract
A system for bridging user identities between at least a first and a second security domain, comprising a bridge associated with the first security domain for intercepting messages for service in the second domain from users in the first domain. The bridge authenticates the user identities against a local authentication source by using an established key relationship and binds a security token with the message. A gateway is associated with the second domain for gating inbound access and outbound communication with a service in the second domain and for receiving the authenticated message and verifying the authenticity of the security token by using a certificate of the trusted authentication source and authorising access to the service upon confirmation of the authorisation, such that the authorisation is independent of the identity of the user.
268 Citations
14 Claims
1. A system for securing Web services on one or more server computers by one or more client computers, the computers connected to one or more networks through one or more network interfaces, each computer having one or more memories and one or more central processing units (CPUs), the system comprising:
a. one or more logical expressions that define constraints on one or more service releases; and
b. a gateway process receiving service request messages from one or more of said clients for:
i. identifying said service request message;
ii. processing said service request message in accordance with one or more of said logical expressions associated with the requested service; and
iii. providing access to said requested service if the constraints are satisfied.
Dependent claims: 2, 3, 4, 5
6. In a network, a method for providing authorised access, the method comprising the steps of:
a. receiving from a user in said first security domain a request for service in a second security domain;
b. authenticating the service requestor in the first security domain;
c. forwarding said authenticated request to said second security domain for authorization; and
d. providing access to the service upon confirmation of authorisation.
Dependent claims: 7, 8, 9, 10, 11
12. In a network environment a system for providing authorised access, comprising:
a. a request listener in a first security domain for receiving a request for service in a second security domain from a user;
b. an authenticator for authenticating the user's credentials against a local authentication source and binding a security token to said request; and
c. a decorator for decorating said request in accordance with a retrieved security policy from said second domain; and
d. a gateway for receiving said decorated request and routing said request to said requested service upon verification of said request and said policy.
Dependent claims: 13
14. A system for bridging user identities between at least a first and a second security domain, comprising:
a. a bridge associated with said first security domain for intercepting messages for service in said second domain from users in said first domain and for authenticating said user identities against a local authentication source by using an established key relationship and for binding a security token with said message; and
b. a gateway associated with said second domain for gating inbound access and outbound communication with a service in said second domain and for receiving said authenticated message and verifying the authenticity of said security token by using a certificate of the trusted authentication source and authorising access to said service upon confirmation of said authorisation, such that the authorisation is independent of the identity of said user.
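The bridge-and-gateway exchange of claim 14 and the abstract, written out as an added Go example that is not part of the patent or of any product implementing it. It assumes a constructed user-to-role directory as the local authentication source, an Ed25519 key pair standing in for the established key relationship (the public key plays the part of the trusted source's certificate), and one logical expression per service; the names Token, bridge, gateway and Request are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Token is what the bridge binds to a forwarded message: the requested service
// and the caller's role, signed by the first domain's authentication source.
// It carries no user identifier, so the gateway's decision cannot depend on one.
type Token struct {
	Service, Role string
	Sig           []byte // ed25519 signature over Service|Role
}

// bridge (first domain) authenticates the user against a local source, a
// constructed user->role map here, and signs the token with the established key.
func bridge(users map[string]string, key ed25519.PrivateKey, user, service string) (Token, bool) {
	role, ok := users[user]
	if !ok {
		return Token{}, false // authentication failed; nothing is forwarded
	}
	return Token{service, role, ed25519.Sign(key, []byte(service+"|"+role))}, true
}

// gateway (second domain) verifies the token with the trusted source's public key
// (its certificate, in the claim's terms), then applies the constraint for the service.
func gateway(trusted ed25519.PublicKey, rules map[string]func(Token) bool, t Token) bool {
	if !ed25519.Verify(trusted, []byte(t.Service+"|"+t.Role), t.Sig) {
		return false // not issued by the trusted source, or altered in transit
	}
	rule, ok := rules[t.Service]
	return ok && rule(t)
}

// Request runs one exchange end to end; a non-empty tamper overwrites the role
// after signing, modelling an attempt to escalate between bridge and gateway.
func Request(user, service, tamper string) bool {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // established key relationship
	users := map[string]string{"alice": "clerk", "bob": "auditor"}
	rules := map[string]func(Token) bool{"ledger": func(t Token) bool { return t.Role == "auditor" }}
	tok, ok := bridge(users, priv, user, service)
	if !ok {
		return false
	}
	if tamper != "" {
		tok.Role = tamper
	}
	return gateway(pub, rules, tok)
}
```

The gateway rejects an unknown user (never forwarded), a role that fails the service's constraint, a service with no constraint, and any token whose role was changed after signing, while admitting a valid auditor without ever learning the user's name.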