FINE-GRAINED AUTHORIZATION FRAMEWORK

US 20080256030A1
Filed: 04/11/2008
Published: 10/16/2008
Est. Priority Date: 04/12/2007
Status: Abandoned Application

First Claim

Patent Images

1. A method for controlling access to an instance method on an instance-specific basis comprising the steps of:

(a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification;

(b) determining a caller of the instance method invocation identification;

(c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule;

(d) associating the caller access control cache with a transaction;

(e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set;

(f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance;

(g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set;

(h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification;

(i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction;

(j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context;

(k) optimizing a query of the instance access control rule;

(l) determining results from executing the optimized query of the instance access control rule;

(m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium;

(n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and

(o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for controlling access to an instance method on an instance-specific basis by intercepting an invocation of the instance method on an instance.

9 Citations

View as Search Results

18 Claims

1. A method for controlling access to an instance method on an instance-specific basis comprising the steps of:
- (a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification;
  
  (b) determining a caller of the instance method invocation identification;
  
  (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule;
  
  (d) associating the caller access control cache with a transaction;
  
  (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set;
  
  (f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance;
  
  (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set;
  
  (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification;
  
  (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction;
  
  (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context;
  
  (k) optimizing a query of the instance access control rule;
  
  (l) determining results from executing the optimized query of the instance access control rule;
  
  (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium;
  
  (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and
  
  (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein said step of optimizing further comprises the step of:
    - limiting the results to ranges not present in the high/low segment.
  - 3. The method of claim 1 further comprising the steps of:
    - registering an object class with an access control engine;
      
      loading the instance access control rules for the object class from the computer readable medium;
      
      preparing the instance access control rules for execution; and
      
      storing the prepared instance access control rules in the access control engine in the computer readable medium.
  - 4. The method of claim 3 wherein said step of registering object classes comprises the step of:
    - optimizing a structure for the object class to accommodate access checking.
  - 5. The method of claim 1 further comprising the steps of:
    - receiving a notification that the transaction has completed;
      
      retrieving the caller access control cache associated with the transaction from the computer readable medium;
      
      clearing the instance segment of the caller access control cache; and
      
      disassociating the caller access control cache from the transaction.
  - 6. The method of claim 1 further comprising the steps of:
    - initializing the access control engine including the steps of;
      
      determining configuration information from an XML file on a computer readable medium, wherein the configuration information includes transaction, security, and variable resolution connectors;
      
      defining a security object that is a representation of the caller that is understood by the access control engine; and
      
      integrating queries defined outside of the access control rules with the access control rules.
  - 7. The method of claim 6 wherein said step of determining a caller of instance method comprises the steps of:
    - accessing a security context;
      
      mapping an application server security context object from the security context to a security object defined for the access control engine; and
      
      determining, by the access control engine, the identity of the caller based on the security object.
  - 8. The method of claim 1 further comprising the steps of:
    - associating an access control engine with the caller access control cache including the steps of;
      
      defining a structure for the caller access control cache including a nested hash map of the grant set, the deny set, and the set associated with the transaction, and a hierarchical data structure having levels including object class names represented as a hash map, method group names represented as a hash map, and the instance method invocation identifications represented as a hash set;
      
      defining the object class names and the method group names globally; and
      
      storing the instance method invocation identification in the caller access control cache in the computer readable medium.
  - 9. The method of claim 8 further comprising the steps of:
    - binding the access control cache to a thread-local variable; and
      
      defining global data elements to refer to the object class names and the method group names in the caller access control cache.

10. A system for controlling access to an instance method on an instance-specific basis comprising:
- a caller access control cache associated with a caller, said caller access control cache including;
  
  an instance segment having a set of instance method invocation identifications;
  
  a grant segment having a grant set of said instance method invocation identifications;
  
  a deny segment having a deny set of said instance method invocation identifications; and
  
  a high/low segment including a set of non-overlapping instance identification ranges for each access control rule;
  
  an associater associating said caller access control cache with a transaction;
  
  an interceptor intercepting an instance method invocation having said instance method invocation identification;
  
  an access control engine;
  
  granting said access to the caller to said instance invoked by said instance method having said instance method invocation identification if said instance method invocation identification matches one of said set, or if said instance method invocation identification matches one of said grant set;
  
  adding said instance method invocation identification to said set if said instance method created an instance;
  
  denying said access to the caller to said instance invoked by said instance method having said instance method invocation identification if said instance method invocation identification matches one of said deny set;
  
  adding said instance method invocation identification to said deny segment if there are no more instance access control rules associated with said instance having said instance method invocation identification;
  
  adding said instance method invocation identification to said deny segment if said instance method invocation identification is within said high/low set for said instance access control rule and if said instance access control rule does not define a scope that matches the caller and an application context associated with said transaction;
  
  determining additional instance methods with which said instance access control rule is associated if there are more said instance access control rules associated with said instance, and if said instance method invocation identification is outside said high/low set for said instance access control rule, and if said instance access control rule defines said scope that matches the caller and said application context;
  
  optimizing an instance access control rule query by limiting results to ranges not present in said high/low segment;
  
  determining said results from executing the optimized instance access control rule query;
  
  storing said results and said additional instance methods in said grant segment and said high/low segment of said caller access control cache;
  
  granting said access to the caller to said instance invoked by the instance method having said instance method invocation identification if said instance method invocation identification matches an entry in said results; and
  
  denying said access to the caller if said instance method invocation identification matches no entry in said results.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10 further comprising:
    - a registrar;
      
      registering an object class with an access control engine;
      
      loading said instance access control rules for said object class;
      
      preparing said instance access control rules for execution; and
      
      storing the prepared instance access control rules in said access control engine in a computer readable medium.
  - 12. The system of claim 11 wherein said registrar further optimizes a structure for said object class to accommodate access checking.
  - 13. The system of claim 10 further comprising:
    - a transaction terminator;
      
      receiving a notification that said transaction has completed;
      
      retrieving said caller access control cache associated with said transaction;
      
      clearing said instance segment of said caller access control cache; and
      
      disassociating said caller access control cache from said transaction.
  - 14. The system of claim 10 further comprising:
    - an initializer for initializing said access control engine, wherein said initializer;
      
      determines configuration information from an XML file, wherein said configuration information includes transaction, security, and variable resolution connectors;
      
      defines a security object that is a representation of the caller that is understood by said access control engine; and
      
      integrates queries defined outside of said access control rules with said access control rules.
  - 15. The system of claim 10 wherein said associator further:
    - determines the caller;
      
      determines, if said caller access control cache for the caller exists, said caller access control cache for the caller;
      
      creates, if said caller access control cache for the caller does not exist, a new caller access control cache including a nested hash map of said grant set, said deny set, and said set associated with said transaction, and a hierarchical data structure having levels including object class names represented as a hash map, method group names represented as another hash map, and said instance method invocation identification represented as a hash set;
      
      binds said access control cache to a thread-local variable;
      
      retrieves a current transaction; and
      
      registers a callback object with said current transaction so that said current transaction can receive notification of completion of said transaction.

16. A communication network comprising at least application server and at least one application client executing instructions to implement the steps of:
- (a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification;
  
  (b) determining a caller of the instance method invocation identification;
  
  (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule;
  
  (d) associating the caller access control cache with a transaction;
  
  (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set;
  
  (f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the method invocation created a new instance;
  
  (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set;
  
  (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification;
  
  (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction;
  
  (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context;
  
  (k) optimizing a query of the instance access control rule;
  
  (l) determining results from executing the optimized query of the instance access control rule;
  
  (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium;
  
  (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and
  
  (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.

17. An arrangement for embedding supplemental data in a signal embodied in electromagnetic signals traveling over a computer network carrying information for causing a computer system to practice of the steps of:
- (a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification;
  
  (b) determining a caller of the instance method invocation identification;
  
  (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule;
  
  (d) associating the caller access control cache with a transaction;
  
  (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set;
  
  (f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance;
  
  (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set;
  
  (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification;
  
  (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction;
  
  (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context;
  
  (k) optimizing a query of the instance access control rule;
  
  (l) determining results from executing the optimized query of the instance access control rule;
  
  (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium;
  
  (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and
  
  (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.

18. A computer readable medium containing instructions for the practice of the steps of:
- (a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification;
  
  (b) determining a caller of the instance method invocation identification;
  
  (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule;
  
  (d) associating the caller access control cache with a transaction;
  
  (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set;
  
  (i) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance;
  
  (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set;
  
  (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification;
  
  (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction;
  
  (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context;
  
  (k) optimizing a query of the instance access control rule;
  
  (l) determining results from executing the optimized query of the instance access control rule;
  
  (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium;
  
  (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and
  
  (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Partners Healthcare System Incorporated
Original Assignee
Massachusetts General Hospital (Mass General Brigham, Inc.)
Inventors
Clark, Eugene Haskell

Application Number

US12/101,256
Publication Number

US 20080256030A1
Time in Patent Office

Days
Field of Search
US Class Current

707/2
CPC Class Codes

G06F 12/1416   by checking the object acce...

G06F 12/1458   by checking the subject acc...

G06F 21/6218   to a system of files or obj...

G06F 2209/542   Intercept

G06F 9/468   Specific access rights for ...

FINE-GRAINED AUTHORIZATION FRAMEWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

9 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

FINE-GRAINED AUTHORIZATION FRAMEWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

9 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links