METHODS AND APPARATUS FOR ACCESS CONTROL IN SERVICE-ORIENTED COMPUTING ENVIRONMENTS

US 20080256357A1
Filed: 04/12/2007
Published: 10/16/2008
Est. Priority Date: 04/12/2007
Status: Active Grant

First Claim

Patent Images

1. In a service-oriented environment comprising a plurality of services, a method for authenticating a client, the method comprising the steps:

invoking at least one service of the plurality of services;

associating state information with the at least one service invoked; and

using the state information to authenticate a client with at least one service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Improved access control techniques for use in a service-oriented computing environment are disclosed. For example, one method for authenticating a client in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. At least one service of the plurality of services is invoked. State information is associated with the at least one service invoked. The state information is used to authenticate a client with at least one service. Further, a method for access control in a service-oriented environment, wherein the service-oriented environment includes a plurality of services, includes the following steps. A rule specification language is provided. At least one rule is specified using the rule specification language. A verification is performed to determine whether or not the client satisfies the at least one rule. The client is granted access to a service when the client satisfies the at least one rule.

Citations

20 Claims

1. In a service-oriented environment comprising a plurality of services, a method for authenticating a client, the method comprising the steps:
- invoking at least one service of the plurality of services;
  
  associating state information with the at least one service invoked; and
  
  using the state information to authenticate a client with at least one service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein at least a portion of the state information associated with the service invocation is stored in the form of a composite principle.
  - 3. The method of claim 1, wherein at least a portion of the state information associated with the service invocation is stored in the form of an audit/logging service.
  - 4. The method of claim 1, wherein the client is authenticated using at least one policy stored in a policy database.
  - 5. The method of claim 1, wherein the client is authenticated based on an access control decision.
  - 6. The method of claim 5, wherein the access control decision is made in accordance with at least one temporal predicate on at least one composite principle.
  - 7. The method of claim 5, wherein the access control decision is made in accordance with at least one scoped access control rule.
  - 8. The method of claim 5, wherein the access control decision is made in accordance with at least one role translation.
  - 9. The method of claim 5, wherein the access control decision is made in accordance with at least one scoped role.
  - 10. The method of claim 5, wherein the access control decision is made in accordance with a rule specification language.
  - 11. The method of claim 5, wherein the access control decision is made in accordance with at least one Boolean predicate.
  - 12. The method of claim 5, wherein the access control decision is made in accordance with at least one constraint.
  - 13. The method of claim 12, wherein the at least one constraint comprises one or more of a role constraint, a privilege constraint, a Boolean constraint, a separation of duty constraint and a scope constraint.
  - 14. An article of manufacture for authenticating a client in a service-oriented environment comprising a plurality of services, the article comprising a computer readable storage medium containing one or more computer programs, which when executed implement the steps of claim 1.

15. In a service-oriented environment comprising at least one service, a method for access control, the method comprising the steps of:
- providing a rule specification language;
  
  specifying at least one rule using the rule specification language;
  
  verifying whether a client satisfies the at least one rule; and
  
  granting the client access to a service if the client satisfies the at least one rule.
- View Dependent Claims (16, 17, 18)
- - 16. The method of claim 15, wherein said rule specification language supports at least one of:
    - a temporal predicate on at least one composite principle;
      
      a scoped access control rule;
      
      a role translation;
      
      a scoped role, a Boolean predicate;
      
      a temporal constraint;
      
      a role constraint;
      
      a privilege constraint;
      
      a Boolean constraint;
      
      a separation of duty constraint, and a scope constraint.
  - 17. The method of claim 15, wherein said rule specification language is based on pure-past linear temporal logic.
  - 18. An article of manufacture for authenticating a client in a service-oriented environment comprising a plurality of services, the article comprising a computer readable storage medium containing one or more computer programs, which when executed implement the steps of claim 15.

19. Apparatus for authenticating a client in a service-oriented environment comprising a plurality of services, the apparatus comprising:
- a memory; and
  
  at least one processor coupled to the memory and operative to;
  
  (i) invoke at least one service of the plurality of services;
  
  (ii) associate state information with the at least one service invoked; and
  
  (iii) use the state information to authenticate a client with at least one service.

20. Apparatus for access control in a service-oriented environment comprising a plurality of services, the apparatus comprising:
- a memory; and
  
  at least one processor coupled to the memory and operative to;
  
  (i) provide a rule specification language;
  
  (ii) specify at least one rule using the rule specification language;
  
  (iii) verify whether a client satisfies the at least one rule; and
  
  (iv) grant the client access to a service if the client satisfies the at least one rule.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kyndryl Incorporated (Kyndryl Holdings, Inc.)
Original Assignee
International Business Machines Corporation
Inventors
Yin, Jian, Iyengar, Arun Kwangil, Mikalsen, Thomas A., Rouvellou, Isabelle Marie, Srivalso, Mudhakar

Granted Patent

US 8,977,845 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2119   Authenticating web pages, e...

H04L 63/102   Entity profiles

METHODS AND APPARATUS FOR ACCESS CONTROL IN SERVICE-ORIENTED COMPUTING ENVIRONMENTS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND APPARATUS FOR ACCESS CONTROL IN SERVICE-ORIENTED COMPUTING ENVIRONMENTS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links