FINE-GRAINED AUTHORIZATION FRAMEWORK
First Claim
Patent Images
1. A method for controlling access to an instance method on an instance-specific basis comprising the steps of:
- (a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification;
(b) determining a caller of the instance method invocation identification;
(c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule;
(d) associating the caller access control cache with a transaction;
(e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set;
(f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance;
(g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set;
(h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification;
(i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction;
(j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context;
(k) optimizing a query of the instance access control rule;
(l) determining results from executing the optimized query of the instance access control rule;
(m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium;
(n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and
(o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.
1 Assignment
0 Petitions
Accused Products
Abstract
A system and method for controlling access to an instance method on an instance-specific basis by intercepting an invocation of the instance method on an instance.
9 Citations
18 Claims
-
1. A method for controlling access to an instance method on an instance-specific basis comprising the steps of:
-
(a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification; (b) determining a caller of the instance method invocation identification; (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule; (d) associating the caller access control cache with a transaction; (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set; (f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance; (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set; (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification; (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction; (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context; (k) optimizing a query of the instance access control rule; (l) determining results from executing the optimized query of the instance access control rule; (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium; (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A system for controlling access to an instance method on an instance-specific basis comprising:
-
a caller access control cache associated with a caller, said caller access control cache including; an instance segment having a set of instance method invocation identifications; a grant segment having a grant set of said instance method invocation identifications; a deny segment having a deny set of said instance method invocation identifications; and a high/low segment including a set of non-overlapping instance identification ranges for each access control rule; an associater associating said caller access control cache with a transaction; an interceptor intercepting an instance method invocation having said instance method invocation identification; an access control engine; granting said access to the caller to said instance invoked by said instance method having said instance method invocation identification if said instance method invocation identification matches one of said set, or if said instance method invocation identification matches one of said grant set; adding said instance method invocation identification to said set if said instance method created an instance; denying said access to the caller to said instance invoked by said instance method having said instance method invocation identification if said instance method invocation identification matches one of said deny set; adding said instance method invocation identification to said deny segment if there are no more instance access control rules associated with said instance having said instance method invocation identification; adding said instance method invocation identification to said deny segment if said instance method invocation identification is within said high/low set for said instance access control rule and if said instance access control rule does not define a scope that matches the caller and an application context associated with said transaction; determining additional instance methods with which said instance access control rule is associated if there are more said instance access control rules associated with said instance, and if said instance method invocation identification is outside said high/low set for said instance access control rule, and if said instance access control rule defines said scope that matches the caller and said application context; optimizing an instance access control rule query by limiting results to ranges not present in said high/low segment; determining said results from executing the optimized instance access control rule query; storing said results and said additional instance methods in said grant segment and said high/low segment of said caller access control cache; granting said access to the caller to said instance invoked by the instance method having said instance method invocation identification if said instance method invocation identification matches an entry in said results; and denying said access to the caller if said instance method invocation identification matches no entry in said results. - View Dependent Claims (11, 12, 13, 14, 15)
-
-
16. A communication network comprising at least application server and at least one application client executing instructions to implement the steps of:
-
(a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification; (b) determining a caller of the instance method invocation identification; (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule; (d) associating the caller access control cache with a transaction; (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set; (f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the method invocation created a new instance; (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set; (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification; (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction; (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context; (k) optimizing a query of the instance access control rule; (l) determining results from executing the optimized query of the instance access control rule; (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium; (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.
-
-
17. An arrangement for embedding supplemental data in a signal embodied in electromagnetic signals traveling over a computer network carrying information for causing a computer system to practice of the steps of:
-
(a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification; (b) determining a caller of the instance method invocation identification; (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule; (d) associating the caller access control cache with a transaction; (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set; (f) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance; (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set; (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification; (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction; (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context; (k) optimizing a query of the instance access control rule; (l) determining results from executing the optimized query of the instance access control rule; (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium; (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.
-
-
18. A computer readable medium containing instructions for the practice of the steps of:
-
(a) intercepting an invocation of the instance method, having an instance method invocation identification, on an instance, having instance identification; (b) determining a caller of the instance method invocation identification; (c) associating the caller with a caller access control cache on a computer readable medium, the caller access control cache having an instance segment including a set of the instance method invocation identifications, the caller access control cache having a grant segment including a grant set of the instance method invocation identifications, the caller access control cache having a deny segment including a deny set of the instance method invocation identifications, the caller access control cache having a high/low segment including a set of ranges for the instance method invocation identifications for each access control rule; (d) associating the caller access control cache with a transaction; (e) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification if the instance method invocation identification matches one of the set, or if the instance method invocation identification matches one of the grant set; (i) adding the instance method invocation identification to the set and repeating steps (a) through (f) if the instance method invocation created a new instance; (g) denying, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (g) if the instance method invocation identification matches one of the deny set; (h) adding the instance method invocation identification to the deny segment and repeating step (g) if there are no more of the instance access control rules associated with the instance invoked by the instance method having the instance method invocation identification; (i) repeating step (h) if the instance method invocation identification is within the high/low set for the instance access control rule or if the instance access control rule does not define a scope that matches the caller and an application context associated with the transaction; (j) determining additional of the instance methods with which the instance access control rule is associated if there are more of the instance access control rules associated with the instance, and if the instance method invocation identification is outside the high/low set for the instance access control rule, and if the instance access control rule defines the scope that matches the caller and the application context; (k) optimizing a query of the instance access control rule; (l) determining results from executing the optimized query of the instance access control rule; (m) storing the results and additional of the instance methods with which the instance access control rule is associated in the grant segment and the high/low segment of the caller access control cache in the computer readable medium; (n) granting, to the caller, access to the instance invoked by the instance method having the instance method invocation identification and repeating steps (a) through (f) if the instance method invocation identification matches an entry in the results; and (o) repeating steps (h)-(n) if the instance method invocation identification matches no entry in the results.
-
Specification