UNIFIED ACCESS CONTROL SYSTEM AND METHOD FOR COMPOSED SERVICES IN A DISTRIBUTED ENVIRONMENT

US 20090276840A1
Filed: 04/29/2009
Published: 11/05/2009
Est. Priority Date: 04/30/2008
Status: Active Grant

First Claim

Patent Images

1. A computer device implemented method of providing a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification, the method comprising the steps of:

acquiring a first role of a user in a first composed service by a role acquiring component of a computing system device;

sending an invoking request by a processing unit of the first composed service to a second composed service;

receiving the first role of the user in the first composed service and predefined role-role mapping relationships by a role determining component in response to the invoking request of the first composed service to the second composed service;

determining a second role of the user in the second composed service by the role determining component according to the first role of the user in the first composed service and the predefined role-role mapping relationships; and

sending the determined role in the second composed service by a role sending component to the second composed service, thereby providing unified access without requiring repeated input of security certification.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, a computer device implemented method, and a computer readable article of manufacture for executing a computer implemented method for a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification. The method includes the steps of: acquiring a first role of a user in a first composed service; sending an invoking request by a processing unit of the first composed service to a second composed service; receiving the first role of the user in the first composed service and predefined role-role mapping relationships, and determining a second role of the user in the second composed service by a role determining component; and then sending the determined role in the second composed service by a role sending component to the second composed service, thereby providing unified access without requiring repeated input of security certification.

57 Citations

View as Search Results

20 Claims

1. A computer device implemented method of providing a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification, the method comprising the steps of:
- acquiring a first role of a user in a first composed service by a role acquiring component of a computing system device;
  
  sending an invoking request by a processing unit of the first composed service to a second composed service;
  
  receiving the first role of the user in the first composed service and predefined role-role mapping relationships by a role determining component in response to the invoking request of the first composed service to the second composed service;
  
  determining a second role of the user in the second composed service by the role determining component according to the first role of the user in the first composed service and the predefined role-role mapping relationships; and
  
  sending the determined role in the second composed service by a role sending component to the second composed service, thereby providing unified access without requiring repeated input of security certification.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method as described in claim 1, further comprising the step of:
    - verifying an identity and the first role of the user in the first composed service in response to an access request of the user to the first composed service.
  - 3. The method as described in claim 2, wherein said verifying an identity and the first role of the user in the first composed service in response to an access request of the user to the first composed service comprises the step of:
    - checking the identity and the first role of the user based on user identity information and user role assignment information respectively, wherein the user identity information includes a user identifier and a corresponding login password, and the user role assignment information includes the user identifier and a corresponding role.
  - 4. The method as described in claim 2, further comprising the steps of:
    - generating a token containing role information of the user in the first composed service in response to the user passing the identity and role verification;
      
      transferring the token to the first composed service;
      
      saving a copy of the generated token; and
      
      setting a status of the token to be active.
  - 5. The method as described in claim 4, wherein the token further includes a token identifier, the user identifier and the login password.
  - 6. The method as described in claim 5, wherein said determining the second role of the user in a second composed service according to the first role of the user in the first composed service and predefined role-role mapping relationships comprises the steps of:
    - receiving the token identifier sent by the second composed service, and querying the saved token copy corresponding to the token identifier, wherein the token identifier is sent to the second composed service when the first composed service requests to invoke the second composed service;
      
      checking the status of the token according to the queried token copy;
      
      reading the first role information from the token copy if the status of the token is active; and
      
      determining the second role of the user in the second composed service by matching the read role information and the role-role mapping relationships.
  - 7. The method as described in claim 4, further comprising the step of:
    - setting the status of the token to be inactive in response to the user logging off the first composed service or time expiring.
  - 8. The method as described in claim 7, further comprising the steps of:
    - confirming that the user has a right for the access and generating a new token in response to the user request to access the first composed service again;
      
      updating the copy of the original token by using a copy of the new token; and
      
      re-setting a token status of the new token to be active.

9. A unified access control computer device system for providing a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification, the system comprising:
- a role acquiring component for acquiring a first role of a user in a first composed service;
  
  a processing unit of the first composed service for sending an invoking request to a second composed service;
  
  a role determining component for determining a second role of the user in a second composed service according to the first role of the user in the first composed service and predefined role-role mapping relationships, in response to an invoking request of the first composed service to the second composed service; and
  
  a role sending component for sending the determined second role in the second composed service to the second composed service, thereby providing unified access without requiring repeated input of security certification.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The system as described in claim 9, further comprising:
    - a service registration component for registering the composed services which use the system to perform security verification;
      
      a role management component for managing the roles in the registered composed services; and
      
      a mapping list management component for creating and managing a mapping list recording the role-role mapping relationships.
  - 11. The system as described in claim 10, further comprising:
    - a security verification component for verifying an identity and the first role of the user in the first composed service in response to an access request of the user to the first composed service.
  - 12. The system as described in claim 11, wherein the security verification component checks the identity and the first role of the user based on user identity information and user role assignment information, wherein the user identity information includes a user identifier and a login password, and the user role assignment information includes the user identifier and the user role assignment information.
  - 13. The system as described in claim 10, wherein the role management component assigns special roles having higher priorities other than the priority of an ordinary user role to users in advance, and assigns an ordinary user role to a user without the special role when the user requests to access the service for the first time.
  - 14. The system as described in claim 11, further comprising:
    - a token management component for generating a token containing the first role information of the user in the first composed service in response to the user passing the identity verification and the role verification, transferring the token to the first composed service, and saving a copy of the generated token and setting a status of the token to be active.
  - 15. The system as described in claim 14, wherein the token further includes a token identifier, the user identifier and the login password.
  - 16. The system as described in claim 15, wherein the token management component receives the token identifier sent by the second composed service, queries a saved token copy corresponding to the token identifier, and reads the role information from the token copy, wherein the token identifier is sent to the second composed service when the first composed service requests to invoke the second composed service.
  - 17. The system as described in claim 16, wherein the role determining component queries the role-role mapping list according to the role information read by the token management component to determine the second role of the user in the second composed service.
  - 18. The system as described in claim 10, further comprising:
    - a user management component for, when the user requests to access any of the composed services registered in the service registration component, recording data resources of the user to indicate which database the user is from.
  - 19. The system as described in claim 10, further comprising:
    - a user group management component for establishing a static user group or dynamic user group definition according to the user'"'"'s request.

20. A computer readable article of manufacture tangibly embodying computer readable instructions for executing a computer implemented method of providing a unified access control for a plurality of composed services in a distributed computing environment without requiring repeated input of security certification, the method comprising the steps of:
- acquiring a first role of a user in a first composed service by a role acquiring component of a computing system device;
  
  sending an invoking request by a processing unit of the first composed service to a second composed service;
  
  receiving the first role of the user in the first composed service and predefined role-role mapping relationships by a role determining component in response to the invoking request of the first composed service to the second composed service;
  
  determining a second role of the user in the second composed service by the role determining component according to the first role of the user in the first composed service and the predefined role-role mapping relationships; and
  
  sending the determined role in the second composed service by a role sending component to the second composed service, thereby providing unified access without requiring repeated input of security certification.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Zhu, Jun, Wang, Li, Wang, Jian, Cao, Bao Hua

Granted Patent

US 8,769,653 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

H04L 9/3213 using tickets or tokens, e....

H04L 9/3226 using a predetermined code,...

UNIFIED ACCESS CONTROL SYSTEM AND METHOD FOR COMPOSED SERVICES IN A DISTRIBUTED ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

UNIFIED ACCESS CONTROL SYSTEM AND METHOD FOR COMPOSED SERVICES IN A DISTRIBUTED ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links