Method for maintaining application compatibility within an application isolation policy
First Claim
1. A method for integrating a legacy application into a security zone runtime system, comprising:
- defining an export policy corresponding to a first module within a first security zone, wherein the export policy declares an interface to the first module;
determining whether or not a second module belongs to the same or a higher security zone than the first security zone; and
denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security zone that than the first module unless the export policy explicitly permits the access.
1 Assignment
0 Petitions
Accused Products
Abstract
Provided is a method for providing Java modularity class loader protection by controlling the visibility of WebSphere, service provider, library and utility code interfaces. Interface access authorization is checked once, during class loading to effectively protect vulnerable programming interfaces, eliminating repeating permission checking during execution. Code in a WebSphere Application server (WAS) computing environment is categorized into a finite number of sets in which one permission zone is assigned to each set and the code in each set runs at the same privilege zone. Each set exposes programming interfaces to provide functional service and code in a particular set can only access code in the same or a lower security zone set. Also provided is a technique for explicitly providing to specific modules in lower security zones access to modules or designated interfaces of modules in higher security zones.
60 Citations
20 Claims
-
1. A method for integrating a legacy application into a security zone runtime system, comprising:
-
defining an export policy corresponding to a first module within a first security zone, wherein the export policy declares an interface to the first module;
determining whether or not a second module belongs to the same or a higher security zone than the first security zone; and
denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security zone that than the first module unless the export policy explicitly permits the access. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A system for integrating a legacy application into a security zone runtime system, comprising:
-
a plurality of security zones;
a first module within a first security zone of the plurality of security zones;
an export policy, wherein the export policy declares an interface to the first module;
a second module;
logic for determining whether or not the second module belongs to the same or a higher security zone than the first security zone; and
logic for denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security class that than the first module unless the export policy explicitly permits the access. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A computer programming product for integrating a legacy application into a security zone runtime system, comprising:
-
a memory;
logic, stored on the memory, for defining an export policy corresponding to a first module within a first security zone, wherein the export policy declares an interface to the first module;
logic, stored on the memory, for determining whether or not a second module belongs to the same or a higher security zone than the first security zone; and
logic, stored on the memory, for denying, during a class loader operation, the second module access to the interface if the a second module does not belong to the same or a higher security zone that than the first module unless the export policy explicitly permits the access. - View Dependent Claims (16, 17, 18, 19, 20)
-
Specification