Access check system utilizing cached access permissions
First Claim
1. A machine-readable program storage device, embodying instructions executable by a computer to perform method steps for providing access to a plurality of resources in a file system to a plurality of users, where access to said resources is controlled by said network server and each of said plurality of users send requests to a network server for permission to access at least one of said plurality of resources, said method comprising:
- first step of receiving a first resource request by said network server from a requesting user that is among said plurality of users, wherein said requesting user requests access to a requested resource from among said plurality of resources absent any authentication-processing of said resource request by said requesting user;
- determining by said network server that said requesting user has permission to access said requested resource based only on a user-name of said requesting user;
- generating an access-permission for said requesting user in response to successfully determining that said requesting user has permission to access said requested resource;
- storing said access-permission in an access-cache accessible to said network server, wherein said access-cache contains n>2 of the last access-permissions generated and absent any access-permission information stored by said requesting user;
- first step of providing access to said requested resource by said requesting user in response to successfully determining that said requesting user has permission to access said requested resource;
- second step of receiving a second resource request by said network server from said requesting user to access said requested resource, wherein said second resource request contains identical user identifying information as said first resource request;
- retrieving said access-permission stored in said access-cache by said network server, wherein said access-permission corresponds only to said user-name of said requesting user and said step of retrieving occurs only in response to receipt of said second resource request alone absent any other identifier of said requesting user beyond said user-name, and wherein said second resource request necessitates the same access-permission as said access-permission stored in said access-cache; and
- second step of providing access to said requested resource by said requesting user in response to said retrieving step.
Abstract
An access-check system for a network server comprises an access-cache for storing access-permissions generated by the server in response to resource access requests. The system retrieves the appropriate access-permission from the access-cache in response to receipt of a request necessitating the same access-permission as already generated for an earlier processed request. A user-token cache is also employed to assign a unique user-token, to be used in the access-cache, to each user logged on to the server. Changes made to the user-token cache are reflected in the access-cache by removing from the access-cache those entries containing the changed user-token. Changes made to an access control list are reflected in the access-cache by removing from the access-cache those entries containing the server resource with which the changed access control list is associated.
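The abstract describes three moving parts: an access-cache holding the last n permissions, a user-token cache that gives each logged-on user a unique token, and two invalidation rules (purge by token when a token changes, purge by resource when its ACL changes). The following is an added example, not the patent's own code; the class names, the dictionary-of-sets ACL model, the `/share/report.txt` path and the user "alice" are assumptions. It keys the cache on the user-token rather than the bare user-name, so a logoff or re-logon retires every cached decision for that session, and it exposes an `invalidate_on_acl_change` switch so the stale-grant failure mode (a revoked user still passing because the old permission is cached) can be observed alongside the correct behaviour.

```python
"""Added example of an access-check cache with token- and ACL-driven
invalidation, modelled on the abstract above. Hypothetical code: the ACL
model, class names and sample values are constructed for illustration."""
from collections import OrderedDict
import itertools


class UserTokenCache:
    """Assigns each logged-on user a unique token and notifies listeners
    when a token is retired (logoff or re-logon) so dependent caches purge."""

    def __init__(self):
        self._tokens = {}                      # user-name -> current token
        self._counter = itertools.count(1)
        self.on_token_change = []              # callbacks taking the retired token

    def logon(self, user):
        self._retire(self._tokens.get(user))   # a fresh logon invalidates the old token
        self._tokens[user] = next(self._counter)
        return self._tokens[user]

    def logoff(self, user):
        self._retire(self._tokens.pop(user, None))

    def token_for(self, user):
        return self._tokens.get(user)

    def _retire(self, token):
        if token is not None:
            for callback in self.on_token_change:
                callback(token)


class AccessCache:
    """Keeps the last n access-permissions generated, keyed by (token, resource)."""

    def __init__(self, n):
        self.n = n
        self._entries = OrderedDict()          # (token, resource) -> bool

    def get(self, token, resource):
        return self._entries.get((token, resource))

    def put(self, token, resource, permission):
        self._entries[(token, resource)] = permission
        self._entries.move_to_end((token, resource))
        while len(self._entries) > self.n:
            self._entries.popitem(last=False)  # evict the oldest entry

    def purge_token(self, token):
        for key in [k for k in self._entries if k[0] == token]:
            del self._entries[key]

    def purge_resource(self, resource):
        for key in [k for k in self._entries if k[1] == resource]:
            del self._entries[key]

    def __len__(self):
        return len(self._entries)


class AccessCheckServer:
    def __init__(self, n=3, invalidate_on_acl_change=True):
        self.acl = {}                          # resource -> set of permitted user-names (hypothetical ACL)
        self.tokens = UserTokenCache()
        self.cache = AccessCache(n)
        self.invalidate_on_acl_change = invalidate_on_acl_change
        self.tokens.on_token_change.append(self.cache.purge_token)
        self.acl_checks = 0                    # number of full (uncached) evaluations

    def set_acl(self, resource, users):
        self.acl[resource] = set(users)
        if self.invalidate_on_acl_change:      # reflect the ACL change in the access-cache
            self.cache.purge_resource(resource)

    def check_access(self, user, resource):
        token = self.tokens.token_for(user)
        if token is None:
            return False                       # not logged on: no token, nothing cached
        cached = self.cache.get(token, resource)
        if cached is not None:
            return cached                      # second request served from the cache
        self.acl_checks += 1
        permitted = user in self.acl.get(resource, set())
        self.cache.put(token, resource, permitted)
        return permitted


def demo(invalidate_on_acl_change=True):
    """Walk a constructed user through grant, cache hit, revocation and logoff."""
    srv = AccessCheckServer(n=2, invalidate_on_acl_change=invalidate_on_acl_change)
    srv.set_acl("/share/report.txt", ["alice"])
    srv.tokens.logon("alice")
    first = srv.check_access("alice", "/share/report.txt")    # full check, cached
    second = srv.check_access("alice", "/share/report.txt")   # cache hit
    checks_after_two = srv.acl_checks
    srv.set_acl("/share/report.txt", [])                      # revoke alice
    after_revoke = srv.check_access("alice", "/share/report.txt")
    srv.check_access("alice", "/share/a")                     # fill beyond n=2 ...
    srv.check_access("alice", "/share/b")
    size_bounded = len(srv.cache) <= 2                        # ... oldest entries evicted
    srv.tokens.logoff("alice")
    return {"first": first, "second": second, "checks_after_two": checks_after_two,
            "after_revoke": after_revoke, "size_bounded": size_bounded,
            "cache_after_logoff": len(srv.cache),
            "after_logoff": srv.check_access("alice", "/share/report.txt")}


if __name__ == "__main__":
    print("with invalidation:   ", demo(True))
    print("without invalidation:", demo(False))
```

With invalidation on, the second request is answered from the cache without a second ACL evaluation, the revocation forces a fresh check that now denies, and logoff leaves the cache empty for that token. With `invalidate_on_acl_change=False` the revoked user is still granted access from the stale entry, which is the consistency problem the abstract's purge-by-resource rule exists to close.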
24 Claims
1. Reproduced above under First Claim; claims 2 through 22 depend on claim 1.
23. A method operational in a network server for providing access to at least one of a plurality of resources in a file system where access to said at least one of said plurality of resources is controlled by said network server and each of a plurality of users send requests to said network server for permission to access said resources, said method comprising:
- first step of receiving a first resource request by said network server from a requesting user that is among said plurality of users, wherein said requesting user requests access to a requested one of said plurality of resources;
- determining, based only on a publicly known user-name of said requesting user in response to said first resource request, that said requesting user has permission to access said requested one of said plurality of resources;
- generating, in response to successfully determining that said requesting user has permission to access said requested resource, an access-permission;
- storing said access-permission in an access-cache accessible to said network server wherein said access cache contains the last n access-permissions generated, where n is a positive integer greater than 2;
- first step of providing access to said requested resource by said requesting user in response to successfully determining that said requesting user has permission to access said requested resource;
- second step of receiving a second resource request from said requesting user to access said requested resource;
- retrieving one of said last n access-permissions stored in said access-cache by said network server based only on said publicly known user-name of said requesting user, in response to receipt of said second resource request wherein said second resource request by said requesting user necessitates the same access-permission as said access-permission stored in said access-cache; and
- second step of providing access to said requested resource for said requesting user in response to said retrieving step.
24. An apparatus operational in a network server for providing access to at least one of a plurality of resources in a file system where access to said at least one of a plurality of resources is controlled by said network server and each of a plurality of users send requests to said network server for permission to access said at least one of a plurality of resources, said apparatus comprising:
- first means for receiving a first resource request by said network server from a requesting user that is among said plurality of users, wherein said requesting user requests access to a requested resource from among said plurality of resources absent any authentication-processing of said resource request by said requesting user;
- means for determining by said network server that said requesting user has permission to access said requested resource based only on a publicly known user-name of said requesting user;
- means for generating an access-permission for said requesting user in response to successfully determining that said requesting user has permission to access said requested resource;
- means for storing said access-permission in an access-cache accessible only to said network server, wherein said access cache contains n>2 of the last access-permissions generated;
- first means for providing access to said requested resource by said requesting user in response to successfully determining that said requesting user has permission to access said requested resource;
- second means for receiving a second resource request from said requesting user to access said requested resource, wherein said second resource request contains identical user identifying information as said first resource request;
- means for retrieving said access-permission stored in said access-cache by said network server, wherein said access-permission corresponds only to said user-name of said requesting user and said means for retrieving occurs only in response to receipt of said second resource request alone absent any other identifier of said requesting user beyond said user-name, and wherein said second resource request necessitates the same access-permission as said access-permission stored in said access-cache; and
- second means for providing access to said requested resource by said requesting user in response to said retrieving step.
Specification