Controlling access to services between modular applications
First Claim
1. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
- receiving the first computer program module;
determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service from the second computer program module;
if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with access to the service; and
allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.
2 Assignments
0 Petitions
Accused Products
Abstract
The present invention provides a method and an apparatus for providing a first computer program module with the ability to access a service from a second computer program module. The method includes receiving the first computer program module--for example, at a third party computer system, and determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service. If so, the method provides the first computer program module with access to the service. A variation on this embodiment includes verifying that the first computer program module includes a chain of certificates establishing a chain of authorization for the service. This verification process includes verifying that a first certificate in the chain is signed by an entity that is originally authorized to confer access for the service, and verifying that subsequent certificates in the chain are signed by entities that have been delegated authorization to confer access for the service. In a further variation on the above embodiment, the act of providing the first computer program module with access to the service, includes providing the first computer program module with a permit that allows the first computer program module to perform a restricted set of operations on the service.
-
Citations
29 Claims
-
1. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
-
receiving the first computer program module; determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service from the second computer program module; if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with access to the service; and allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
-
receiving the first computer program module; determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service by verifying that the first computer program module includes a chain of certificates establishing authorization for the service, a first certificate in the chain being signed by an entity that is originally authorized to confer access for the service, and subsequent certificates in the chain being signed by entities that have been delegated authorization to confer access for the service; if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with a permit that allows the first computer program module to perform a restricted set of services, including the service; and allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module; wherein allowing the first computer program module to access the service allows the first computer program module to interact with the second computer program module. - View Dependent Claims (13, 14, 15, 16)
-
-
17. A computer readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
-
receiving the first computer program module; determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service from the second computer program module; if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with access to the service; and allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.
-
-
18. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
-
a receiving means, for receiving the first computer program module; a verification means, for verifying that the first computer program module has been digitally signed by an authority having power to confer access for the service; an access means, for providing the first computer program module with access to the service if the first computer program module has been digitally signed by the authority having power to confer access for the service; and an execution means, that allows the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.
-
-
19. An apparatus that provides a first computer program module with an ability to access a service from a second computer program module, comprising:
-
a computer node; a receiving mechanism, within the computer node, that receives the first computer program module; a verification mechanism, within the computer node, that verifies that the first computer program module has been digitally signed by an authority having power to confer access for the service; an access mechanism, within the computer node, that provides the first computer program module with access to the service if the first computer program module has been digitally signed by the authority having power to confer access for the service; and an execution mechanism, within the computer node, that allows the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module. - View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
-
-
29. A computer readable storage medium containing a first computer program module which is able to access a service from a second computer program module, comprising:
-
a computer code section, including computer code for execution on a computer node to carry out functions of the first computer program module; and a digital signature section, including a chain of certificates establishing authorization for the service, a first certificate in the chain being signed by an entity that is originally authorized to confer access for the service, and subsequent certificates in the chain being signed by entities that have been delegated authorization to confer access for the service, the digital signature section allowing the computer node to determine whether the computer program module has been granted authority to access the service.
-
Specification