Selective cache flushing in identity and access management systems

US 20070027986A1
Filed: 10/03/2006
Published: 02/01/2007
Est. Priority Date: 07/10/2000
Status: Active Grant

First Claim

Patent Images

1-28. -28. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides cache flushing of selected data while leaving remaining cached data intact. Data can be flushed from caches distributed across various components of a network-based computer system. These caches can contain various types of data. In one embodiment, the caches exist in an Access System and contain user identity profile information. In another embodiment, the caches exist in an Access Management System and contain authentication, authorization, or auditing rules. A system in accordance with the invention detects a change to data residing on a server and transmits a synchronization record to a component of the system. The synchronization record identifies the changed data. The system flushes the changed data identified by the synchronization record from caches of the component.

Citations

77 Claims

1-28. -28. (canceled)

29. A method for flushing cache memories in an Access System, comprising the steps of:
- detecting a change to data residing on an LDAP directory server;
  
  assigning a first global sequence number to said detected change;
  
  transmitting a synchronization record to an Access Server of said system, said synchronization record identifying said changed data;
  
  flushing said changed data identified by said synchronization record from caches of said Access Server;
  
  storing said first global sequence number in said Access Server;
  
  storing said synchronization record in said Access Server;
  
  transmitting said first global sequence number from said Access Server to a component of said system, said component storing a second global sequence number;
  
  comparing said first global sequence number to said second global sequence number;
  
  requesting all synchronization records comprising global sequence numbers generated after said second global sequence number;
  
  requesting all synchronization records identified by a list of synchronization records stored by said component;
  
  transmitting synchronization records to said component;
  
  flushing from caches of said component all data identified by said synchronization records transmitted to said component; and
  
  storing said first global sequence number in said component.

30-39. -39. (canceled)

40. A method for flushing cache memories in a network-based system, the method comprising:
- detecting at an administration server for said system a change to data residing on a directory server;
  
  transmitting a synchronization record to a component of said system, said synchronization record identifying said data, wherein a web server comprises said component; and
  
  flushing said data identified in said synchronization record from caches of said component.
- View Dependent Claims (41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65)
- - 41. The method of claim 40, further comprising:
    - storing said synchronization record in said component.
  - 42. The method of claim 40, further comprising:
    - assigning a first global sequence number to said detected change; and
      
      storing said first global sequence number in said component.
  - 43. The method of claim 42, further comprising:
    - comparing said first global sequence number to a second global sequence number stored by said component;
      
      requesting all synchronization records comprising global sequence numbers generated after said second global sequence number; and
      
      flushing from said caches of said component all changed data identified by said synchronization records transmitted to said component, in place of said step of flushing.
  - 44. The method of claim 43, said method further comprising the steps of:
    - requesting all synchronization records identified by a list of synchronization records stored by said component; and
      
      removing said transmitted synchronization records from said list.
  - 45. The method of claim 42, wherein:
    - said detecting and assigning are performed by an Access Manager running on an Administration Server.
  - 46. The method of claim 42, wherein:
    - said synchronization record comprises;
      
      said first global sequence number;
      
      an identification of said changed data;
      
      a description of a type of said detected change; and
      
      a time at which said step of detecting occurred.
  - 47. The method of claim 40, wherein:
    - said component is a Web Server plug-in.
  - 48. The method of claim 47, wherein:
    - said plug-in is an NSAPI Web Server plug-in.
  - 49. The method of claim 47, wherein:
    - said plug-in is an ISAPI Web Server plug-in.
  - 50. The method of claim 47, wherein:
    - said caches of said plug-in comprise;
      
      a resource cache; and
      
      an authentication scheme cache.
  - 51. The method of claim 40, wherein:
    - said system is an Access System.
  - 52. The method of claim 51, wherein:
    - said data is an attribute of a user identity profile.
  - 53. The method of claim 51, wherein:
    - said data is a default authentication rule specifying a default challenge method for verifying user identities to authenticate users for resources mapped to a policy domain.
  - 54. The method of claim 51, wherein:
    - said data is a policy authentication rule specifying a challenge method for verifying user identities to authenticate users for resources matched to a policy.
  - 55. The method of claim 51, wherein:
    - said data is a first level authorization rule for granting user access to resources in said Access System.
  - 56. The method of claim 51, wherein:
    - said data is a second level authorization rule for granting user access to a subset of resources in said Access System.
  - 57. The method of claim 51, wherein:
    - said data is a first level auditing rule specifying a default set of information logged in response to an access system event in said Access System.
  - 58. The method of claim 51, wherein:
    - said data is a second level auditing rule specifying a set of information logged in response to an access system event pertaining to a subset of resources in said Access System.
  - 59. The method of claim 40, wherein:
    - said system is an Access Management System.
  - 60. The method of claim 59, wherein:
    - said data is a policy domain.
  - 61. The method of claim 40, wherein:
    - said server is an LDAP directory server.
  - 62. The method of claim 40, wherein:
    - said directory server utilizes LDAP, said system further comprising;
      
      an Administration Server;
      
      a plurality of Access Servers utilizing LDAP; and
      
      a plurality of Web Servers running Web Server plug-ins.
  - 63. The method of claim 40, wherein:
    - said detected change is a modification to said data.
  - 64. The method of claim 40, wherein:
    - said detected change is a deletion of said data.
  - 65. The method of claim 40, wherein:
    - said detected change is an addition of said data.

66. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors, said processor readable code comprising:
- code for detecting a change to data residing on a server;
  
  code for transmitting a synchronization record to a component of said system, said synchronization record identifying said data, wherein a web server comprises said component; and
  
  code for flushing said data identified in said synchronization record from caches of said component.
- View Dependent Claims (67)
- - 67. One or more processor readable storage devices according to claim 66, wherein said processor readable code further comprises:
    - code for storing said synchronization record in said component.

71. An apparatus, comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said communication interface, said one or more storage devices comprising processor readable code for programming said one or more processors, said processor readable code comprising;
  
  code for detecting a change to data residing on a server, code for transmitting a synchronization record to a component of said system, said synchronization record identifying said data, wherein a web server comprises said component; and
  
  code for flushing said data identified in said synchronization record from caches of said component.
- View Dependent Claims (72, 73, 74, 75)
- - 72. An apparatus according to claim 71, wherein said processor readable code further comprises:
    - code for storing said synchronization record in said component.
  - 73. An apparatus according to claim 71, wherein said processor readable code further comprises:
    - code for assigning a first global sequence number to said detected change; and
      
      code for storing said first global sequence number in said component.
  - 74. An apparatus according to claim 73, wherein said processor readable code further comprises:
    - code for comparing said first global sequence number to a second global sequence number stored by said component;
      
      code for requesting all synchronization records comprising global sequence numbers generated after said second global sequence number; and
      
      code for flushing from said caches of said component all changed data identified by said synchronization records transmitted to said component, in place of said step of flushing.
  - 75. An apparatus according to claim 74, wherein said processor readable code further comprises:
    - code for requesting all synchronization records identified by a list of synchronization records stored by said component; and
      
      code for removing said transmitted synchronization records from said list.

76. A system, comprising:
- a web server comprising a component;
  
  a directory server in communication with the web server; and
  
  an administration server in communication with the web server and the directory server, wherein the administration server comprises computer readable code executable by the administration server, the computer readable code comprising;
  
  code for detecting a change to data residing on the directory server; and
  
  code for transmitting a synchronization record for reception by the web server, wherein the synchronization record identifies a set of data to be flushed from a cache at the web server;
  
  wherein the web server is configured to flush from one or more caches of the component the set of data identified in the synchronization record.
- View Dependent Claims (77)
- - 77. The system recited by claim 76, wherein the component is a web server plug in.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Summers, Robert, Swadi, Praveen, Joshi, Vrinda

Granted Patent

US 7,398,311 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

G06F 12/0804   with main memory updating G...

G06F 16/955   using information identifie...

G06F 16/9574   of access to content, e.g. ...

G06F 21/62   Protecting access to data v...

H04L 61/4523   using lightweight directory...

H04L 63/08   for authentication of entit...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Y10S 707/99938   Concurrency, e.g. lock mana...

Y10S 707/99953   Recoverability

Selective cache flushing in identity and access management systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

77 Claims

Specification

Solutions

Use Cases

Quick Links

Selective cache flushing in identity and access management systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

77 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links