Authority delegation with secure operating system queues

US 6,189,103 B1
Filed: 07/21/1998
Issued: 02/13/2001
Est. Priority Date: 07/21/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for delegating user authority in a distributed computer system, the method comprising the steps of:

associating an authenticated user of the distributed computer system with an executable task submitted for execution by the authenticated user, the authenticated user having security rights enforced in the computer system;

placing the executable task in an operating system queue;

transmitting the queued executable task to an authenticated queue server for execution, wherein the transmitting step comprises serializing classes stored in a first computer'"'"'s memory and sending the serialized classes to another computer'"'"'s memory; and

delegating user rights to the task by enforcing the authenticated user'"'"'s rights on the task.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and devices are provided for delegating security rights to Java servlets and other executable tasks by using secure operating system queues. In particular embodiments, the invention allows secure loading of Java servlets on a Novell NetWare server. The invention allows users to run servlets from various locations with the same rights, namely, the user'"'"'s rights. The servlet submitted by a given user runs in the context of that user'"'"'s rights. A system according to the invention verifies that the user has the right to submit the task to a given task queue; the queue is managed by the system, and the user is authenticated to the system. Queue servers which receive tasks from the queue and service them by executing the tasks are likewise authenticated by the system. When a queue server attempts to service a task in a queue, the system verifies that the queue server has rights to service that queue and that job. This two way verification—that a user has rights to submit the task, and that the queue server has rights to service the task—allows the user and the queue server to establish a trusted relationship using the operating system'"'"'s trusted queues. Moreover, existing user rights databases and access control systems can be used to determine and enforce rights and trust levels.

297 Citations

41 Claims

1. A method for delegating user authority in a distributed computer system, the method comprising the steps of:
- associating an authenticated user of the distributed computer system with an executable task submitted for execution by the authenticated user, the authenticated user having security rights enforced in the computer system;
  
  placing the executable task in an operating system queue;
  
  transmitting the queued executable task to an authenticated queue server for execution, wherein the transmitting step comprises serializing classes stored in a first computer'"'"'s memory and sending the serialized classes to another computer'"'"'s memory; and
  
  delegating user rights to the task by enforcing the authenticated user'"'"'s rights on the task.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the associating step comprises placing an identification of the user in the queue with the task.
  - 3. The method of claim 1, wherein the placing step comprises placing a Java servlet task in an operating system queue.
  - 4. The method of claim 1, wherein the placing step comprises placing a Java applet task in an operating system queue.
  - 5. The method of claim 1, wherein the placing step comprises placing a platform-independent application task in an operating system queue.
  - 6. The method of claim 1, wherein the placing step comprises placing a native code application task in an operating system queue.
  - 7. The method of claim 1, wherein the transmitting step comprises sending the queue server a resource locator identifying the location of executable code of the task.
  - 8. The method of claim 1, wherein the transmitting step comprises sending the queue server a stream of executable bytecodes.
  - 9. The method of claim 1, wherein the transmitting step comprises sending the queue server information across a network signal line.
  - 10. The method of claim 1, wherein the delegating step comprises executing at least part of the executable task and execution of the task is managed by the queue server.
  - 11. The method of claim 10, wherein the executing step comprises spawning a virtual machine to interpret bytecodes of the task.

12. A distributed computer system comprising:
- a user database correlating user identities with corresponding rights;
  
  an access control system for enforcing user rights by comparing the rights of a user seeking access to a system resource with the rights needed to access the resource and allowing access only if the user has sufficient rights;
  
  a user authentication system for authenticating users, the database and access control system and authentication system cooperating such that the access control system gives a user the rights corresponding to a user identity in the user database if the authentication system associates the user with that user identity;
  
  a secure queue that associates authenticated remote users with tasks they submit to the queue, the tasks containing executable code;
  
  an authenticated queue server for servicing the queue, the queue server capable of executing at least part of a task submitted to the queue; and
  
  an authority delegation system which associates a submitting remote user'"'"'s identity with a task submitted by the remote user, thereby permitting the access control system to enforce the identified remote user'"'"'s rights on the task while the task is being serviced by the queue server, wherein the authority delegation system maintains separate user and delegate identities and the access control system catalogs the task as a delegate of the identified user.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the user database comprises a directory service.
  - 14. The system of claim 12, wherein the access control system comprises access control lists.
  - 15. The system of claim 12, wherein the user authentication system comprises a credential checker for checking a credential issued by a certification authority.
  - 16. The system of claim 12, wherein the queue is managed by a network operating system.
  - 17. The system of claim 12, wherein the queue server comprises a Java virtual machine.
  - 18. The system of claim 12, wherein the user database and the access control system define roles, such that a user may assume different roles having different security rights while the user is logged in on a single user account.
  - 19. The system of claim 12, wherein a task submitted by a user is stored in a repository in a location identified by a resource locator.

20. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer system to perform method steps for delegating authority from a user, the method comprising the steps of:
- providing a secure queue that associates remote users with tasks they submit to the queue;
  
  placing in the queue an executable task submitted by an authenticated remote user, the authenticated remote user having security rights which are enforced by an access control system, the executable task identifying executable code;
  
  executing at least part of the executable code of the task, execution of the code being managed by the queue server; and
  
  delegating user rights to the task by enforcing the authenticated remote user'"'"'s rights on the task during its execution, wherein the delegating step maintains separate remote user and delegate task identities.
- View Dependent Claims (21, 22)
- - 21. The configured storage medium of claim 20, wherein the providing step provides a queue managed by a network operating system.
  - 22. The configured storage medium of claim 20, wherein the placing step comprises placing a platform-independent task in an operating system queue.

23. A method for delegating user authority in a distributed computer system, the method comprising the steps of:
- associating an authenticated user of the distributed computer system with an executable task submitted for execution by the authenticated user, the authenticated user having security rights enforced in the computer system;
  
  placing the executable task in an operating system queue;
  
  transmitting the queued executable task to an authenticated queue server for execution; and
  
  delegating user rights to the task by enforcing the authenticated user'"'"'s rights on the task, wherein the delegating step maintains separate remote user and delegate task identities.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 24. The method of claim 23, wherein the associating step comprises placing an identification of the user in the queue with the task.
  - 25. The method of claim 23, wherein the placing step comprises placing a Java servlet task in an operating system queue.
  - 26. The method of claim 23, wherein the placing step comprises placing a Java applet task in an operating system queue.
  - 27. The method of claim 23, wherein the placing step comprises placing a platform-independent application task in an operating system queue.
  - 28. The method of claim 23, wherein the placing step comprises placing a native code application task in an operating system queue.
  - 29. The method of claim 23, wherein the transmitting step comprises serializing classes stored in a first computer'"'"'s memory and sending the serialized classes to another computer'"'"'s memory.
  - 30. The method of claim 23, wherein the transmitting step comprises sending the queue server a resource locator identifying the location of executable code of the task.
  - 31. The method of claim 23, wherein the transmitting step comprises sending the queue server a stream of executable bytecodes.
  - 32. The method of claim 23, wherein the transmitting step comprises sending the queue server information across a network signal line.
  - 33. The method of claim 23, wherein the delegating step comprises executing at least part of the executable task and execution of the task is managed by the queue server.
  - 34. The method of claim 33, wherein the executing step comprises spawning a virtual machine to interpret bytecodes of the task.

35. A distributed computer system comprising:
- a user database correlating user identities with corresponding rights;
  
  an access control system for enforcing user rights by comparing the rights of a user seeking access to a system resource with the rights needed to access the resource and allowing access only if the user has sufficient rights;
  
  a user authentication system for authenticating users, the database and access control system and authentication system cooperating such that the access control system gives a user the rights corresponding to a user identity in the user database if the authentication system associates the user with that user identity;
  
  a secure queue that associates authenticated remote users with tasks they submit to the queue, the tasks containing executable code;
  
  an authenticated queue server for servicing the queue, the queue server capable of executing at least part of a task submitted to the queue; and
  
  an authority delegation system which associates a submitting remote user'"'"'s identity with a task submitted by the remote user, thereby permitting the access control system to enforce the identified remote user'"'"'s rights on the task while the task is being serviced by the queue server;
  
  wherein the user database and the access control system define roles, such that a user may assume different roles having different security rights while the user is logged in on a single user account.
- View Dependent Claims (36, 37, 38, 39, 40, 41)
- - 36. The system of claim 35, wherein the user database comprises a directory service.
  - 37. The system of claim 35, wherein the access control system comprises access control lists.
  - 38. The system of claim 35, wherein the user authentication system comprises a credential checker for checking a credential issued by a certification authority.
  - 39. The system of claim 35, wherein the queue is managed by a network operating system.
  - 40. The system of claim 35, wherein the queue server comprises a Java virtual machine.
  - 41. The system of claim 35, wherein a task submitted by a user is stored in a repository in a location identified by a resource locator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Echols, Grant G, Nevarez, Carlos A
Primary Examiner(s)
Beausoleil, Robert
Assistant Examiner(s)
Bonzo, Bryce P.

Application Number

US09/119,896
Time in Patent Office

938 Days
Field of Search

713/201, 713/202, 713/200
US Class Current

726/5
CPC Class Codes

G06F 21/128   involving web programs, i.e...

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/168   above the transport layer

Authority delegation with secure operating system queues

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

297 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Authority delegation with secure operating system queues

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

297 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links