Authentication and authorization in a multi-tier relational database management system
Abstract
A method is provided for ensuring effective and accurate authentication and authorization in an N-tier relational database management system. An N-tier relational database management system comprises a set of clients, one or more data servers and one or more middle-tier servers through which the clients may access the data servers. A method is provided for enabling a middle-tier server to connect to a data server and perform database operations on behalf of a client while promoting the ability to ensure the middle-tier server does not exceed its authorized privileges or roles. In this method a middle-tier server first establishes a session with the data server using the middle-tier server's own identity (e.g., username) and verification (e.g., password). The middle-tier server may be granted limited roles when acting under its own identity in order to prevent it from performing unauditable or unaccountable operations on behalf of clients. The middle-tier server receives from the data server a credential that it provides when it needs to operate on behalf of a client. In this method, after the middle-tier server establishes its own session and receives a credential, it may then establish a session with the data server using the identity (e.g., username) of a client. Instead of storing and using the client's password, however, the middle-tier server presents the credential to the data server as verification of its authorization to access the database. The middle-tier server may then switch between clients' sessions and its own session to perform database operations.
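The flow the abstract describes, modelled as an added example (this is illustrative code written for this page, not code from the patent or from any product that implements it). It assumes a toy in-memory data server with constructed accounts ("apptier", "alice", "bob"), made-up privilege names, and a credential in the form of an opaque random token the server records against the middle tier it was issued to; the patent does not fix the form of the credential. The model shows the three security properties the abstract relies on: the middle tier never holds a client password, a client session may only carry privileges the client is authorized for, and every operation is audited with both the acting identity and the middle tier behind it.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    sid: int
    actor: str               # identity the session runs under (middle tier or client)
    via: str                 # the middle-tier server that holds the session
    privileges: frozenset    # what this session is allowed to do


class DatabaseServer:
    """Toy data server: authenticates middle tiers, issues credentials, proxies clients."""

    def __init__(self):
        # Constructed sample accounts. Only the middle tier's own password lives here;
        # client passwords are never needed by (or given to) the middle tier.
        self._middle_tier_passwords = {"apptier": "mt-secret"}
        # Privileges each identity is authorized for (stands in for the authorization server).
        self._authorized = {
            "apptier": {"CONNECT"},                                   # deliberately limited
            "alice": {"CONNECT", "SELECT_ORDERS", "UPDATE_ORDERS"},
            "bob": {"CONNECT", "SELECT_ORDERS"},
        }
        # Which clients each middle tier may act for (assumption: an explicit allow-list).
        self._proxy_allowed = {"apptier": {"alice", "bob"}}
        self._credentials = {}   # credential token -> middle tier it was issued to
        self.sessions = {}
        self.audit = []          # (sid, actor, via, operation, outcome)
        self._next_sid = 1

    def connect_middle_tier(self, middle_tier, password):
        """First session: the middle tier authenticates under its own identity."""
        expected = self._middle_tier_passwords.get(middle_tier, "")
        if not hmac.compare_digest(expected, password):
            raise PermissionError("middle-tier authentication failed")
        credential = secrets.token_hex(16)            # opaque token, remembered server-side
        self._credentials[credential] = middle_tier
        sid = self._open(middle_tier, middle_tier, self._authorized[middle_tier])
        return sid, credential

    def connect_for_client(self, middle_tier, credential, client, requested=None):
        """Second session: client identity plus the credential, never the client's password."""
        if self._credentials.get(credential) != middle_tier:
            raise PermissionError("credential was not issued to this middle tier")
        if client not in self._proxy_allowed.get(middle_tier, set()):
            raise PermissionError(f"{middle_tier} is not allowed to act for {client}")
        authorized = self._authorized.get(client, set())
        wanted = set(requested) if requested is not None else authorized
        if not wanted <= authorized:   # a requested privilege set must be authorized for the client
            raise PermissionError(f"not authorized for {client}: {sorted(wanted - authorized)}")
        return self._open(client, middle_tier, wanted)

    def execute(self, sid, operation, required_privilege):
        """Run an operation in a session; every attempt is audited with both identities."""
        s = self.sessions[sid]
        allowed = required_privilege in s.privileges
        self.audit.append((sid, s.actor, s.via, operation, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{s.actor} via {s.via} lacks {required_privilege}")
        return f"{operation} executed as {s.actor}"

    def _open(self, actor, via, privileges):
        sid = self._next_sid
        self._next_sid += 1
        self.sessions[sid] = Session(sid, actor, via, frozenset(privileges))
        return sid


def demo():
    """Own session, credential, client session with a subset of privileges, switch back."""
    db = DatabaseServer()
    own_sid, credential = db.connect_middle_tier("apptier", "mt-secret")
    alice_sid = db.connect_for_client("apptier", credential, "alice",
                                      requested={"CONNECT", "SELECT_ORDERS"})
    outcomes = [db.execute(alice_sid, "SELECT * FROM orders", "SELECT_ORDERS")]
    try:   # switch to the middle tier's own session: its limited roles refuse the same read
        db.execute(own_sid, "SELECT * FROM orders", "SELECT_ORDERS")
    except PermissionError as exc:
        outcomes.append(str(exc))
    return db, outcomes


if __name__ == "__main__":
    server, results = demo()
    print(results)
    print(server.audit)
```

The audit trail records the client identity and the middle tier together, which is what makes operations in the client session accountable even though the middle tier holds the connection. Note that a forged or replayed token, a client outside the allow-list, or a request for privileges the client does not hold are all rejected before a session exists, so the corresponding sessions never appear in the audit log at all; a real deployment would want those refusals logged as well.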
22 Claims
1. A method of enabling a middle-tier server to perform database operations on behalf of a client in a multi-tier relational database system, wherein the multi-tier relational database system includes said database server, a plurality of clients, and a set of one or more middle-tier servers, the method comprising:
establishing a first session at a database server in the multi-tier relational database system from a first middle-tier server, wherein during said first session said first middle-tier server may perform database operations for one of the set of middle-tier servers;
providing a credential to said first middle-tier server from said database server;
granting said first middle-tier server a first set of privileges on said database server for use in said first session;
establishing a second session at said database server from said first middle-tier server on behalf of a first client, wherein said establishing a second session comprises;
receiving from said first middle-tier server an identity of said first client; and
receiving said credential from said first middle-tier server;
wherein said first middle-tier server may perform database operations for said first client in said second session; and
granting a second set of privileges for use by said first middle-tier server on behalf of said first client in said second session;
wherein said first middle-tier server is configured to switch between said first session and said second session. (Dependent claims: 2 to 13)
receiving from said first middle-tier server a request for a set of privileges for said first client for use in said second session; and
determining whether said requested privileges are authorized for said first client.
12. The method of claim 1, wherein said granting a second set of privileges comprises:
consulting an authorization server to identify one or more privileges authorized for said first client.
13. The method of claim 1, further comprising auditing a database operation performed by said first middle-tier server for said first client during said second session.
14. A method of connecting a client to a database server through one or more middle-tier servers in a multi-tier relational database system, comprising:
authenticating a first database client at a first authentication server in a multi-tier relational database system;
receiving a connection from said first client at a first middle-tier server;
receiving at said first middle-tier server an identity of said first client provided by said first authentication server;
authenticating said first middle-tier server to a first database server at a second authentication server;
receiving at said first database server an identity of said first middle-tier server from said second authentication server;
establishing a first session on said first database server for said first middle-tier server during which said first middle-tier server may perform database operations on behalf of a middle-tier server;
granting a first set of privileges for said first middle-tier server for use in said first session;
providing said first middle-tier server a credential from said first database server;
receiving at said first database server said identity of said first client and said credential;
establishing a second session on said first database server for said first middle-tier server under said identity of said first client, wherein during said second session said first middle-tier server may perform database operations on behalf of said first client; and
granting a second set of privileges for use by said middle-tier server under the identity of said first client in said second session. (Dependent claims: 15 to 18)
19. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of enabling a middle-tier server to perform database operations on behalf of a client in a multi-tier relational database system, wherein the multi-tier relational database system includes said database server, a plurality of clients, and a set of one or more middle-tier servers, the method comprising:
establishing a first session at a database server in the multi-tier relational database system from a first middle-tier server, wherein during said first session said first middle-tier server may perform database operations for one of the set of middle-tier servers;
providing a credential to said first middle-tier server from said database server;
granting said first middle-tier server a first set of privileges on said database server for use in said first session;
establishing a second session at said database server from said first middle-tier server on behalf of a first client, wherein said establishing a second session comprises;
receiving from said first middle-tier server an identity of said first client; and
receiving said credential from said first middle-tier server;
wherein said first middle-tier server may perform database operations for said first client in said second session; and
granting a second set of privileges for use by said first middle-tier server on behalf of said first client in said second session;
wherein said first middle-tier server is configured to switch between said first session and said second session.
20. A multi-tier relational database system, comprising:
a database server configured to store data;
a plurality of clients configured to access said data via one or more middle-tier servers; and
a first middle-tier server configured to access said data on behalf of said clients;
wherein said first middle-tier server establishes a first connection with said database server and receives a credential from said database server and wherein said middle-tier server establishes a second connection to said database server for a first client using said credential in place of a password of said first client; and
wherein said middle-tier server auditably accesses said data with different sets of privileges in said first connection and said second connection. (Dependent claims: 21 and 22)
a first authentication server configured to authenticate said first client for said first middle-tier server; and
a second authentication server configured to authenticate said first middle-tier server for said database server.
22. The multi-tier relational database system of claim 20, further comprising an authorization server coupled to said database server, wherein said authorization server is configured to identify privileges authorized for one of said first client and said first middle-tier server.
Specification