Controlling access to services between modular applications

US 6,138,235 A
Filed: 06/29/1998
Issued: 10/24/2000
Est. Priority Date: 06/29/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:

receiving the first computer program module;

determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service from the second computer program module;

if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with access to the service; and

allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a method and an apparatus for providing a first computer program module with the ability to access a service from a second computer program module. The method includes receiving the first computer program module--for example, at a third party computer system, and determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service. If so, the method provides the first computer program module with access to the service. A variation on this embodiment includes verifying that the first computer program module includes a chain of certificates establishing a chain of authorization for the service. This verification process includes verifying that a first certificate in the chain is signed by an entity that is originally authorized to confer access for the service, and verifying that subsequent certificates in the chain are signed by entities that have been delegated authorization to confer access for the service. In a further variation on the above embodiment, the act of providing the first computer program module with access to the service, includes providing the first computer program module with a permit that allows the first computer program module to perform a restricted set of operations on the service.

Citations

29 Claims

1. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
- receiving the first computer program module;
  
  determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service from the second computer program module;
  
  if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with access to the service; and
  
  allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the act of determining whether the first computer program module has been digitally signed by the authority having power to confer access for the service, includes using a public key associated with the service to verify that the first computer program module has been digitally signed by a corresponding private key for the service.
  - 3. The method of claim 1, wherein the act of determining whether the first computer program module has been digitally signed by the authority having power to confer access for the service, includes verifying that the first computer program module includes a chain of certificates establishing authorization for the service, a first certificate in the chain being signed by an entity that is originally authorized to confer access for the service, and subsequent certificates in the chain being signed by entities that have been delegated authorization to confer access for the service.
  - 4. The method of claim 1, wherein the act of providing the first computer program module access to the service, includes providing the first computer program module with a permit that allows the first computer program module to perform a restricted set of services.
  - 5. The method of claim 1, wherein the service is accessed through an object defined within an object oriented programming system.
  - 6. The method of claim 1, wherein the first computer program module includes a Java Archive file.
  - 7. The method of claim 1, wherein the first computer program module includes computer code and at least one digital certificate.
  - 8. The method of claim 1, wherein providing the first computer program module with access to the service allows the first computer program module to interact with the second computer program module.
  - 9. The method of claim 8, wherein the first computer program module originates from a first server and is transferred to a computer node for execution, and the second computer program module originates from a second server and is transferred to the computer node for execution.
  - 10. The method of claim 8, wherein the first server and the second server computer are separately located from the computer node.
  - 11. The method of claim 1, wherein the service includes a plurality of services.

12. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
- receiving the first computer program module;
  
  determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service by verifying that the first computer program module includes a chain of certificates establishing authorization for the service, a first certificate in the chain being signed by an entity that is originally authorized to confer access for the service, and subsequent certificates in the chain being signed by entities that have been delegated authorization to confer access for the service;
  
  if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with a permit that allows the first computer program module to perform a restricted set of services, including the service; and
  
  allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module;
  
  wherein allowing the first computer program module to access the service allows the first computer program module to interact with the second computer program module.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method of claim 12, wherein the service is accessed through an object defined within an object oriented programming system.
  - 14. The method of claim 12, wherein the first computer program module includes a Java Archive file.
  - 15. The method of claim 12, wherein the first computer program module originates from a first server and is transferred to a computer node for execution, and the second computer program module originates from a second server and is transferred to the computer node for execution.
  - 16. The method of claim 15, wherein the first server and the second server computer are separately located from the computer node.

17. A computer readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
- receiving the first computer program module;
  
  determining whether the first computer program module has been digitally signed by an authority having power to confer access for the service from the second computer program module;
  
  if the first computer program module has been digitally signed by the authority having power to confer access for the service, providing the first computer program module with access to the service; and
  
  allowing the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.

18. A method for providing a first computer program module with an ability to access a service from a second computer program module, comprising:
- a receiving means, for receiving the first computer program module;
  
  a verification means, for verifying that the first computer program module has been digitally signed by an authority having power to confer access for the service;
  
  an access means, for providing the first computer program module with access to the service if the first computer program module has been digitally signed by the authority having power to confer access for the service; and
  
  an execution means, that allows the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.

19. An apparatus that provides a first computer program module with an ability to access a service from a second computer program module, comprising:
- a computer node;
  
  a receiving mechanism, within the computer node, that receives the first computer program module;
  
  a verification mechanism, within the computer node, that verifies that the first computer program module has been digitally signed by an authority having power to confer access for the service;
  
  an access mechanism, within the computer node, that provides the first computer program module with access to the service if the first computer program module has been digitally signed by the authority having power to confer access for the service; and
  
  an execution mechanism, within the computer node, that allows the first computer program module and the second computer program module to run in the same address space on the same computing node, so that the first computer program module can access the service from the second computer program module.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The apparatus of claim 19, wherein the verification mechanism is configured to use a public key associated with the service to verify that the first computer program module has been digitally signed by a corresponding private key for the service.
  - 21. The apparatus of claim 19, wherein the verification mechanism is configured to verify that the first computer program module includes a chain of certificates establishing authorization for the service, a first certificate in the chain being signed by an entity that is originally authorized to confer access for the service, and subsequent certificates in the chain being signed by entities that have been delegated authorization to confer access for the service.
  - 22. The apparatus of claim 19, wherein the access mechanism is configured to provide the first computer program module with a permit that allows the first computer program module to perform a restricted set of services.
  - 23. The apparatus of claim 19, wherein the service is accessed through an object defined within an object oriented programming system.
  - 24. The apparatus of claim 19, wherein the first computer program module includes a Java Archive file.
  - 25. The apparatus of claim 19, wherein the first computer program module includes computer code and at least one digital certificate.
  - 26. The apparatus of claim 19, wherein the receiving mechanism is configured to transfer the first computer program module from a first server, and to transfer the second computer program module from a second server.
  - 27. The apparatus of claim 26, wherein the first server and the second server are separate from the computer node.
  - 28. The method of claim 26, wherein the service includes a plurality of services.

29. A computer readable storage medium containing a first computer program module which is able to access a service from a second computer program module, comprising:
- a computer code section, including computer code for execution on a computer node to carry out functions of the first computer program module; and
  
  a digital signature section, including a chain of certificates establishing authorization for the service, a first certificate in the chain being signed by an entity that is originally authorized to confer access for the service, and subsequent certificates in the chain being signed by entities that have been delegated authorization to confer access for the service, the digital signature section allowing the computer node to determine whether the computer program module has been granted authority to access the service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Goldstein, Theodore C., Lipkin, Efrem
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/106,567
Time in Patent Office

848 Days
Field of Search

380/255, 380/277, 380/282, 713/150, 713/155, 713/156, 713/169, 713/175, 713/176, 713/180, 713/200, 713/201
US Class Current

713/155
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/62   Protecting access to data v...

G06F 2221/2149   Restricted operating enviro...

G06F 9/468   Specific access rights for ...

Controlling access to services between modular applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to services between modular applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links