Object security boundaries
Abstract
An object-based security framework provides for intra-process security boundaries. An application developer can define security settings declaratively at the object, interface, and method level using a graphical interface. When the application is deployed, the settings are placed into a central store and can be modified at a later time. At runtime, logic outside the application objects enforces the security boundaries, relieving the developer of having to incorporate security logic into the application. Changes to the security can be implemented by changing the settings without having to change the application objects. In addition to checking for identity, the security framework supports roles and enforces specified authentication levels. The integrity of an application's security scheme is retained when the application is combined with another application in the framework.
24 Claims
1. A method for providing security services to a secured object residing in a process and called from a calling object residing in the process, the method comprising:
interposing security logic between the secured object and the calling object to monitor calls directed to the secured object;
responsive to a call directed to the secured object by the calling object, wherein an identity is associated with the call, automatically executing the security logic to evaluate the associated identity; and
selectively blocking the call as a result of evaluating the associated identity with the security logic to enforce a security boundary between the calling object and the secured object.

determining an authentication level of the call, wherein the authentication level is indicative of confidence in the accuracy of the associated identity; and
during the executing step, evaluating the authentication level with the security logic.

4. The method of claim 1 wherein the security logic compares the associated identity with a list of identities in a central store to determine whether to block the call, wherein the central store resides outside the secured object and is generated from settings specified through a graphical user interface.

5. The method of claim 1 wherein the security logic is a security policy invoked by a wrapper interposed between the calling object and the secured object when the secured object is instantiated.

6. The method of claim 1 wherein the security logic is a security policy invoked by a wrapper interposed between the calling object and the secured object when a reference to the secured object is unmarshaled.

7. The method of claim 1 wherein the call invokes a method on the secured object and the security logic compares the associated identity with a list of identities permitted to access the method to determine whether to block the call.

8. The method of claim 7 wherein calls by any identity are permitted to the calling object.

9. In a computer system executing a program in a process, wherein calls from the program are associated with an identity, a method of enforcing a security boundary within the process comprising:
maintaining a security settings store comprising security settings for a secured object executing in the process, the security settings indicative of which identities are authorized to access the secured object;
before allowing access to the secured object by the program, consulting the store with logic outside the secured object and outside the program to determine if the associated identity is authorized to access the secured object; and
blocking access to the object with the logic if the store does not indicate the associated identity is authorized to access the object.

at development time of the application, defining access to methods of the object in terms of logical classes of users;
at deployment time of the application, binding the logical classes of users to identities recognized by the host computer system to generate at least some of the security settings in the security settings store.

12. The method of claim 9 wherein
the store indicates a minimum acceptable authentication level for the secured object;
a call to the secured object has an associated authentication level; and
the blocking step blocks access to the secured object whenever the associated authentication level is insufficient to satisfy the minimum acceptable authentication level.

13. The method of claim 9 wherein
the program accesses the secured object through an invoked interface to the object, the store comprises settings indicative of which identities are authorized to access particular interfaces to the secured object; and
the blocking step blocks access to the object as a result of determining the store indicates the associated identity is not authorized to access the invoked interface to the object.

14. The method of claim 9 wherein
the client program accesses the secured object through a called method of an interface to the object, the store comprises settings indicative of which identities are authorized to access particular methods of the secured object; and
the blocking step blocks access to the object as a result of determining the store indicates the associated identity is not authorized to access the called method of the interface to the object.

15. The method of claim 9 further comprising:
placing a wrapper between the client program and the secured object to redirect calls to the secured object to the wrapper, wherein the blocking step is performed by the wrapper.

16. The method of claim 9 further comprising:
collecting at least some of the security settings in the store through a graphical interface depicting the secured object.

17. A method of enforcing a per-method security boundary within a process in a computer system, the method comprising:
maintaining at the computer system a central security settings store comprising security settings for a first secured object having a plurality of methods, the security settings indicative of which user identities are permitted to access the methods, wherein a first method of the methods has different security settings than a second method of the methods and at least some of the security settings in the security settings store are configurable using a graphical user interface depicting the first object and the first object's methods;
creating the first object in the process;
creating a second object in the process;
interposing a wrapper between the first object and the second object to redirect a second object's call to the first object to the wrapper, wherein the call is associated with a user identity;
upon receiving the call to the first object, invoking a security policy with the wrapper to perform a security check upon receiving the call, wherein the security check comprises consulting the security settings store to determine if the user identity associated with the second object is permitted to access the first object; and
as a result of the security check choosing between forwarding the call to the first object if the security settings store indicates the user identity is permitted to access the first object and blocking the call if the security settings store indicates the user identity is not permitted to access the first object.

18. An object-based security framework for providing a security boundary between a secured object executing in a process and a program calling the secured object, wherein the program is executing in the process and calls from the program are associated with an identity, the security framework comprising:
a store for maintaining security settings indicative of an authorized set of identities authorized to call the secured object;
a wrapper operative to selectively forward calls to the secured object and further operative to invoke logic for monitoring calls to the secured object to enforce an intra-process security boundary between the secured object and the program by consulting the store to block calls to the secured object from the calling program if the associated identity is not in the authorized set of identities authorized to call the secured object;
an activator operative to execute responsive to a request to create the secured object and interpose the wrapper between the program and the secured object to redirect calls to the secured object to the wrapper.

calls to the secured object have an associated authentication level indicative of confidence in the identity's accuracy; the central store comprises a minimum acceptable authentication level for the secured object; and
the security policy blocks calls to the secured object from the calling program if the associated authentication level does not satisfy the minimum acceptable authentication level.

21. The framework of claim 18 wherein the activator is one of a plurality of activators in an activation chain, the activator invoked by an object activation service.

22. The framework of claim 18 wherein the security policy is a replaceable object employing a predefined interface convention for receiving events.

23. The framework of claim 18 wherein security boundaries are selectively placed between a first object and a second object whenever the first object and the second object are members of different applications.

24. A method of providing a requesting client program with a reference to an object of a requested class to enforce a security boundary between the client program and the object transparently to the client program and the object, wherein a call from the client program is associated with an identity, the method comprising:
instantiating an instance of an object of the requested class in a same process as the client program;
acquiring an interface to the instance of the object; and
interposing a security policy between the client program and the interface of the object by providing the client program with a reference to a wrapper operative to invoke the security policy transparently to the client program, wherein the wrapper automatically invokes the security policy to selectively block calls to the interface based on the identity associated with the client program.
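The mechanism the abstract and claims 1, 9 through 12, 17, 18 and 24 describe, written out as an added Python example (this is illustrative code, not code from the patent, its specification or its assignee): a central settings store holding per-method role lists and a minimum authentication level, deployment-time binding of logical roles to concrete identities, and an activator that hands the caller a wrapper which consults a replaceable policy before forwarding each call, so the secured object itself contains no security logic. The `Ledger` class, the role and identity names, the `attempt` helper and the numeric authentication scale are all constructed for illustration and are not identifiers from the patent.

```python
"""Intra-process security boundary: central store + activator-interposed wrapper.

Added example modelling the framework in the abstract and claims 1, 9-12, 17, 18, 24.
All class, role, identity and level names below are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CallContext:
    """Identity attached to a call plus the confidence in that identity (claim 3/12)."""
    identity: str
    auth_level: int  # constructed scale: 0 anonymous, 1 password, 2 mutually authenticated


class SecuritySettingsStore:
    """Central store outside the secured objects: roles per method, min auth level per class."""

    def __init__(self):
        self._method_roles = {}   # (class_name, method) -> set of logical roles
        self._min_level = {}      # class_name -> minimum acceptable authentication level
        self._role_members = {}   # role -> set of host-recognised identities

    # development time: access is declared in terms of logical classes of users (roles)
    def allow(self, class_name, method, *roles):
        self._method_roles.setdefault((class_name, method), set()).update(roles)

    def require_auth_level(self, class_name, level):
        self._min_level[class_name] = level

    # deployment time: roles are bound to identities the host recognises (claims 10/11)
    def bind_role(self, role, *identities):
        self._role_members.setdefault(role, set()).update(identities)

    def roles_for(self, class_name, method):
        return self._method_roles.get((class_name, method), set())

    def min_auth_level(self, class_name):
        return self._min_level.get(class_name, 0)

    def identity_in_role(self, identity, role):
        return identity in self._role_members.get(role, set())


class SecurityPolicy:
    """Replaceable policy object (claim 22 style); lives outside the application objects."""

    def __init__(self, store):
        self.store = store

    def check(self, class_name, method, ctx):
        """Return None if the call is permitted, otherwise the reason it is blocked."""
        minimum = self.store.min_auth_level(class_name)
        if ctx.auth_level < minimum:
            return f"authentication level {ctx.auth_level} below minimum {minimum}"
        roles = self.store.roles_for(class_name, method)
        # default deny: a method with no settings has no roles, so nobody passes
        if not any(self.store.identity_in_role(ctx.identity, r) for r in roles):
            return f"identity {ctx.identity!r} not in any role permitted to call {class_name}.{method}"
        return None


class SecurityWrapper:
    """Proxy the activator returns instead of the real reference; transparent to both sides."""

    def __init__(self, target, policy, ctx):
        self._target, self._policy, self._ctx = target, policy, ctx

    def __getattr__(self, name):            # only reached for attributes not on the wrapper
        attr = getattr(self._target, name)
        if not callable(attr):
            return attr

        def guarded(*args, **kwargs):
            reason = self._policy.check(type(self._target).__name__, name, self._ctx)
            if reason is not None:
                raise PermissionError(reason)   # blocked at the boundary
            return attr(*args, **kwargs)        # forwarded to the secured object
        return guarded


class Activator:
    """Creates the object in the same process and interposes the wrapper (claims 18, 24)."""

    def __init__(self, policy):
        self.policy = policy

    def create(self, cls, ctx, *args):
        return SecurityWrapper(cls(*args), self.policy, ctx)


class Ledger:
    """Constructed application object; note it carries no security code of its own."""

    def __init__(self):
        self.balance = 100

    def read_balance(self):
        return self.balance

    def transfer(self, amount):
        self.balance -= amount
        return self.balance


def build_store():
    store = SecuritySettingsStore()
    store.allow("Ledger", "read_balance", "Auditor", "Manager")  # per-method settings differ
    store.allow("Ledger", "transfer", "Manager")
    store.require_auth_level("Ledger", 1)
    store.bind_role("Auditor", "DOMAIN\\alice")                    # deployment-time binding
    store.bind_role("Manager", "DOMAIN\\bob")
    return store


def attempt(cls, method, ctx, *args):
    """Obtain cls through the activator and call method; returns (allowed, result_or_reason)."""
    obj = Activator(SecurityPolicy(build_store())).create(cls, ctx)
    try:
        return True, getattr(obj, method)(*args)
    except PermissionError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(attempt(Ledger, "read_balance", CallContext("DOMAIN\\alice", 1)))
    print(attempt(Ledger, "transfer", CallContext("DOMAIN\\alice", 1), 30))
    print(attempt(Ledger, "transfer", CallContext("DOMAIN\\bob", 0), 30))
    print(attempt(Ledger, "transfer", CallContext("DOMAIN\\bob", 2), 30))
```

Two properties worth noticing: the policy is default-deny, so a method the store does not mention is unreachable through the wrapper even by an identity that holds other roles, and the authentication-level check runs before the role check, so an identity that is in the right role but was established with too little confidence is still refused. Because the caller only ever holds the wrapper, the check cannot be bypassed without obtaining a raw reference to the `Ledger` instance, which is exactly the leak the activator is there to prevent.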
Specification