Mechanism for locating objects in a secure fashion
First Claim
1. In a distributed object computing system including clients and object servers, a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers, and an object server arranged to provide a target object, a computer-implemented method of allowing a client to invoke upon a target object in a secure fashion, the method comprising the steps of:
- receiving a call from the client by the ORB daemon process, the call to the ORB daemon process using a constructed object reference, the constructed object reference including an object server identifier, original security information and a security class identifier, the call to the ORB daemon process using a first security mechanism corresponding to the original security information contained in the constructed object reference;
determining that the client is authorized to communicate with the ORB daemon process;
retrieving security information specific to the object server that corresponds to the security class identifier contained in the constructed object reference;
returning to the client the retrieved object server security information that corresponds to the security class identifier, such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference.
2 Assignments
0 Petitions
Accused Products
Abstract
In a distributed object computing system, a client makes a call to a daemon process of a host computer in order to communicate with a target object in an object server process. This call uses a particular security mechanism to ensure a secure communication. The daemon process locates the object server and starts it if necessary. The object server provides the daemon process with a list or table of all the particular security mechanisms that it supports. Using a security class identifier provided by the client in the original call, the daemon process selects a particular security mechanism supported by the server, and then returns this new security mechanism along with the server'"'"'s port to the client. The client constructs a new object reference to the target object and then calls the target object directly using the new security mechanism. The new security mechanism may be different from the original security mechanism used to communicate with the daemon process. A foreign client from a different distributed system may also attempt to locate or invoke upon a target object using a similar technique for secure communication. In this situation, because the object reference may be unintelligible to the foreign client, the daemon process constructs a new object reference before sending it back to the foreign client. The client and object server may be on the same or different computers. The object reference data structure includes: a host field; a server identifier; a port field; an object key; a security information field; and a security class identifier.
-
Citations
26 Claims
-
1. In a distributed object computing system including clients and object servers, a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers, and an object server arranged to provide a target object, a computer-implemented method of allowing a client to invoke upon a target object in a secure fashion, the method comprising the steps of:
-
receiving a call from the client by the ORB daemon process, the call to the ORB daemon process using a constructed object reference, the constructed object reference including an object server identifier, original security information and a security class identifier, the call to the ORB daemon process using a first security mechanism corresponding to the original security information contained in the constructed object reference; determining that the client is authorized to communicate with the ORB daemon process; retrieving security information specific to the object server that corresponds to the security class identifier contained in the constructed object reference; returning to the client the retrieved object server security information that corresponds to the security class identifier, such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference. - View Dependent Claims (2, 3, 4)
-
-
5. A method as recited in claim I wherein the object server is located on the host computer and the client is located on a different computer.
-
6. In a distributed object computing system including clients and object servers, a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object, a computer-implemented method of using a client to invoke upon a target object in a secure fashion, the method comprising the steps of:
-
invoking on an original object reference indicative of the target object, the original object reference including an object server identifier, original security information and a security class identifier; constructing an ORB object reference for the ORB daemon using the original object reference; invoking a look up operation on the ORB object reference using the object server identifier and the security class identifier in order to locate the object server, the invocation using a first security mechanism corresponding to the original security information to confirm that the client is authorized to communicate with the object server; identifying security information specific to the object server that corresponds to the security class identifier in response to confirmation that the client is authorized to communicate with the object server; receiving from the ORB daemon by the client the identified security information that is specific to the object server and that corresponds to the security class identifier; replacing the original security information in the original object reference with the server specific security information in order to construct a modified object reference for the target object; and invoking on the modified object reference to communicate with the target object using a second security mechanism corresponding to the returned server specific security information. - View Dependent Claims (7, 8, 9, 10)
-
-
11. In a distributed object computing system including clients and object servers, a host computer including an object request broker daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object, a computer-implemented method of allowing a foreign client to invoke upon a target object in a secure fashion, the method comprising the steps of:
-
receiving an invocation from the client on an original object reference indicative of the target object, the original object reference including an object server identifier, original security information and a security class identifier, the invocation using a first security mechanism corresponding to the original security information to confirm that the foreign client is authorized to communicate with the ORB daemon process; invoking a look up operation within the ORB daemon process using the object server identifier and the security class identifier in order to locate the corresponding object server; retrieving security information specific to the object server that corresponds to the security class identifier; replacing within the ORB daemon process the original security information in the original object reference with the server specific security information in order to construct a modified object reference for the target object; and returning to the foreign client the modified object reference such that the foreign client is able to invoke upon the target object directly by using the modified object reference. - View Dependent Claims (12, 13, 14, 15, 16, 17)
-
-
18. An object reference data structure embodied in a computer-readable medium, the object reference data structure being arranged to allow a client to identify a target object on a host computer, the host computer including object servers associated with ports, the object reference data structure comprising:
-
a host field identifying the host computer, said host field being embodied in said computer-readable medium; a server identifier that identifies an object server of the host computer that includes the target object, said server identifier being embodied in said computer-readable medium; a port field identifying a port of the host computer through which the client may communicate with the object server, said port field being embodied in said computer-readable medium; an object key that uniquely identifies the target object within the object server, said object key being embodied in said computer-readable medium; a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object, said security information field being embodied in said computer-readable medium; and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications, said security class identifier being embodied in said computer-readable medium.
-
-
19. A computer apparatus for use in allowing a client to communicate with a target object on a host computer within a distributed object system, the host computer including object servers associated with ports, the computer apparatus comprising:
-
a processing unit; an input/output device coupled to the central processing unit; a mass storage device in communication with the central processing unit; and a storage device in communication with the central processing unit, the memory device including an object reference data structure having a host field identifying the host computer, a server identifier that identifies an object server of the host computer that includes the target object;
a port field identifying a port of the host computer through which the client may communicate with the object server;
an object key that uniquely identifies the target object within the object server;
a security information field that indicates a particular security mechanism to be used for secure communications between the client and the target object, and a security class identifier that specifies a single security information out of a plurality of security informations to be used for secure communications.
-
-
20. An object request broker computer program embodied in a computer-readable medium for use in brokering a call from a client to a target object on a host computer within a distributed object system, said object request broker computer program being arranged to execute on computer hardware of said distributed object system, the host computer including object servers associated with ports, the object request broker computer program comprising:
-
a computer process embodied in a computer-readable medium arranged to execute on said host computer and adapted to receive the call from the client in response to the client invoking upon an object reference indicative of the target object, the object reference including a host field identifying the host computer, a server identifier that identifies an object server of the host computer that includes the target object, a port field identifying a port of the host computer through which the client may communicate with the object server, an object key that uniquely identifies the target object within the object server a security information field that indicates the first security information to be used for secure communications between the client and the target object, and a security class identifier that specifies the first security information out of a plurality of security informations to be used for secure communications; and a transport mechanism embodied in a computer-readable medium and adapted to transport the call from the client to the target object in a secure fashion using a first security information included in the object reference, said transport mechanism being further adapted to transport information from the target object to the client in a secure fashion using the first security information included in the object reference. - View Dependent Claims (21, 22)
-
-
23. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for allowing a client to invoke upon a target object in a secure fashion within a distributed object computing system, the distributed object computing system including clients, object servers, and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object, the computer program product comprising computer-readable program code for effecting the following steps within the computing system:
-
receiving a call from the client by the ORB daemon process, the call to the ORB daemon process using a constructed object reference, the constructed object reference including an object server identifier, original security information and a security class identifier, the call to the ORB daemon process using a first security mechanism corresponding to the original security information; determining that the client is authorized to communicate with the ORB daemon process; retrieving security information specific to the object server that corresponds to the security class identifier; returning to the client the retrieved object server security information that corresponds to the security class identifier, such that the client is then able to modify the constructed object reference using the retrieved object server security information to provide a modified object reference and thereby be able to invoke on the target object using the modified object reference. - View Dependent Claims (24)
-
-
25. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for allowing a foreign client to invoke upon a target object in a secure fashion within a distributed object computing system, the distributed object computing system including clients, object servers, and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object, the computer program product comprising computer-readable program code for effecting the following steps within the computing system:
-
receiving an invocation from the client on an original object reference indicative of the target object, the original object reference including an object server identifier, original security information and a security class identifier, the invocation using a first security mechanism corresponding to the original security information to confirm that the foreign client is authorized to communicate with the ORB daemon process; invoking a look up operation within the ORB daemon process using the object server identifier and the security class identifier in order to locate the corresponding object server; retrieving security information specific to the object server that corresponds to the security class identifier; replacing within the ORB daemon process the original security information in the original object reference with the server specific security information in order to construct a modified object reference for the target object; and returning to the foreign client the modified object reference such that the foreign client is able to invoke upon the target object directly by using the modified object reference.
-
-
26. A computer program product comprising a computer-usable medium having computer-readable program code embodied thereon for using a client to invoke upon a target object in a secure fashion within a distributed object computing system, the distributed object computing system including clients, object servers, and a host computer including an object request broker (ORB) daemon process arranged to assist in the location of object servers and at least one object server arranged to provide at least one target object, the computer program product comprising computer-readable program code for effecting the following steps within the computing system:
-
invoking on an original object reference indicative of the target object, the original object reference including an object server identifier, original security information and a security class identifier; constructing an ORB object reference for the ORB daemon using the original object reference; invoking a look up operation on the ORB object reference using the object server identifier and the security class identifier in order to locate the object server, the invocation using a first security mechanism corresponding to the original security information to confirm that the client is authorized to communicate with the object server; identifying security information specific to the object server that corresponds to the security class identifier in response to confirmation that the client is authorized to communicate with the object server; receiving from the ORB daemon by the client the identified security information that is specific to the object server and that corresponds to the security class identifier; replacing the original security information in the original object reference with the server specific security information in order to construct a modified object reference for the target object; and invoking on the modified object reference to communicate with the target object using a second security mechanism corresponding to the returned server specific security information.
-
Specification