Identifying attribute propagation for multi-tier processing
Abstract
A multi-tier attribute tracking mechanism provides the ability to identify the end user credentials and other client information and attributes and assign them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (so-called “server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping,” the access request at the operating system level (using so-called kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests. With this matching, the database requests can be tagged with the user credentials which are known through the application request.
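The thread-matching idea in the abstract, shown as an added Python example that is not code from the patent: inbound and outbound intercepted calls are joined on the thread that made them, so each database call is logged with the end user rather than only the shared database account. The event records, the `user=` attribute format, the `app_svc` account and all names are assumptions made for illustration, and the sample events are constructed.

```python
import re
from typing import NamedTuple

class Syscall(NamedTuple):
    kind: str   # "recv" = inbound application request, "send" = outbound database call
    pid: int
    tid: int    # processing unit (thread) that issued the call
    data: str

# Constructed sample of intercepted calls from one application server process.
EVENTS = [
    Syscall("recv", 4000, 101, "POST /orders user=alice"),
    Syscall("recv", 4000, 102, "GET /payroll user=bob"),
    Syscall("send", 4000, 102, "SELECT * FROM salaries"),
    Syscall("send", 4000, 101, "INSERT INTO orders VALUES (1)"),
    Syscall("recv", 4000, 101, "GET /orders user=carol"),  # pooled thread reused
    Syscall("send", 4000, 101, "SELECT * FROM orders"),
    Syscall("send", 4000, 300, "DELETE FROM audit_log"),   # no inbound request seen
]

USER_RE = re.compile(r"\buser=(\w+)")  # hypothetical attribute format

def tag_database_calls(events, db_account="app_svc"):
    """Return one audit record per database call, tagged with the end user."""
    thread_table = {}  # (pid, tid) -> attribute of the most recent inbound request
    audit_log = []
    for ev in events:
        key = (ev.pid, ev.tid)
        if ev.kind == "recv":
            match = USER_RE.search(ev.data)
            if match:
                thread_table[key] = match.group(1)
            else:
                # Assumption: a request without the attribute clears the entry,
                # so a reused thread never inherits the previous user's identity.
                thread_table.pop(key, None)
        elif ev.kind == "send":
            audit_log.append({
                "db_account": db_account,            # all a server tap would see
                "end_user": thread_table.get(key),   # None = no matching request
                "sql": ev.data,
            })
    return audit_log

if __name__ == "__main__":
    for record in tag_database_calls(EVENTS):
        print(record)
```

Records with `end_user` set to `None` are database calls that no intercepted application request accounts for, which makes them worth reviewing separately.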
28 Claims
1. A method for propagating attributes comprising:
- receiving a request to perform a processing operation, the request including an attribute indicative of an initiator of the request;
- determining a processing unit associated with the request, the processing unit operable to service the request;
- identifying a processing operation performed by the determined processing unit for satisfying the request;
- matching the processing operation to the request by identifying a processing unit common to the request and the processing operation, the common processing unit identified by intercepting a system call to receive the request and a system call to perform the processing operation; and
- mapping the common processing unit associated with the request to the processing operation being performed to service the request.
15. An encoded set of processor based instructions for performing a method of user identification via attribute propagation comprising:
- receiving, from a user, a request to perform an application function;
- extracting an attribute from the request;
- intercepting an inbound system call to service the request by an interprocess communication (IPC) portal;
- determining, from the intercepted system call, a processing unit assigned to service the request;
- watching operations performed by the assigned processing unit to capture database access attempts by the assigned processing unit;
- intercepting an outbound system call to access the database by the assigned processing unit;
- mapping the processing unit to the extracted attribute in the inbound system call;
- associating the attribute to the access made by the assigned processing unit; and
- logging the association of the database access request to the mapped attribute.
18. A data security device for tracking database access attempts comprising:
- a monitor operable to receive an application request to perform an application function, the application request including an attribute;
- a thread table operable to determine a processing unit associated with the application request, the processing unit operable to service the application request;
- an interface to an interception layer operable to identify a database call performed by the determined processing unit for satisfying the application request via database access; and
- a mapper operable to map the attribute to the database calls caused when servicing the request by identifying a processing unit common to the application request and database call, the common processing unit identified by intercepting a system call to receive the request and a system call to send the database call, the correlator further operable to employ the thread table to map the common processing unit with the attribute included in the application request.
26. A computer program product having a computer readable medium operable to store computer program logic embodied in computer program code encoded thereon for tracking database access comprising:
- computer program code for receiving a request to access a database, the request including a user identifier;
- computer program code for determining a computing unit associated with the request, the computing unit operable to service the request;
- computer program code for identifying a database call performed by the determined computing unit for satisfying the request via database access; and
- computer program code for correlating the computing unit with the user identifier to identify the user responsible for the database access.
Specification