Object security boundaries
Abstract
An object-based security framework provides for intra-process security boundaries. An application developer can define security settings declaratively at the object, interface, and method level using a graphical interface. When the application is deployed, the settings are placed into a central store and can be modified at a later time. At runtime, logic outside the application objects enforces the security boundaries, relieving the developer of having to incorporate security logic into the application. Changes to the security can be implemented by changing the settings without having to change the application objects. In addition to checking for identity, the security framework supports roles and enforces specified authentication levels. The integrity of an application's security scheme is retained when the application is combined with another application in the framework.
7 Claims
1. A method of defining security of a server application comprising a plurality of objects having methods to access the objects' functionality, the method comprising the steps of:
at development of the server application, configuring security settings indicative of identities authorized to access the objects' methods, at least one of the methods for one of the objects having a different setting than another of the object's methods, the security settings residing outside the objects;
at deployment of the server to a host computer system, importing the security settings to a central store in the host computer system;
at execution of the application on the host computer, responsive to a request of a client program, for access to a method of one of the objects, wherein the request is associated with an identity, checking the security settings in the central store to determine if the security settings indicate whether the associated identity is authorized to access the method, wherein the client program and the one object are executing in a same process; and
if the security settings indicate the associated identity is not authorized to access the method, denying access of the client program to the method.
(Dependent claims: 2, 3, 4)
5. A method of implementing a security scheme for a first application comprising a first set of objects to facilitate integration of the first application with a second application comprising a second set of objects, the method comprising:
collecting a set of security declarations for the first set of objects, wherein the security declarations indicate identities permitted to access methods of the first set of objects;
installing the first set of objects and the second set of objects on a computer;
executing on the computer at least a first object from the first set of objects and at least a second object from the second set of objects in a same process, wherein a call from the second object is associated with a user identity;
whenever the second object issues a call on a method of the first object, intercepting the call at a wrapper to check the user identity of the second object against the security declarations to determine if the user identity is permitted to access the method of the first object; and
rejecting the call as a result of determining the security declaration indicates the user identity is not permitted to access the method of the first object.
6. A computer-readable medium having stored thereon a data structure for representing a security scheme for an application comprising application objects, the data structure comprising:
a mapping of logical groups of users to methods of the application objects, wherein the mapping indicates which logical groups of users are permitted access to the methods, wherein the mapping of logical groups of users to methods is input from a graphical user interface at development time of the application and exportable to a host computer for installing the application on the host computer to enforce the security scheme; and
a mapping of logical groups of users to users recognized by the host computer, wherein the mapping of logical groups to users is input from a graphical user interface at deployment time of the application and is available at runtime to determine whether a particular user recognized by the host computer is a member of a particular one of the logical groups.
(Dependent claims: 7)
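The scheme described in the abstract and in claims 5 and 6 can be sketched as follows. This is an added example, not code from the patent: a central store holds the two mappings (roles to methods, roles to host users), and a wrapper intercepts in-process calls so the application object carries no security logic. All class, role and user names are hypothetical, and the sample bindings are constructed.

```python
# Added illustration; every class, role and user name here is hypothetical.
class AccessDenied(Exception):
    pass

class SecurityStore:
    """Central store; the settings live outside the application objects."""
    def __init__(self):
        self.method_roles = {}  # (class, method) -> roles permitted (development time)
        self.role_users = {}    # role -> host users in that role (deployment time)

    def is_authorized(self, identity, cls, method):
        # Default deny: a member with no declaration has no permitted roles.
        roles = self.method_roles.get((cls, method), ())
        return any(identity in self.role_users.get(r, ()) for r in roles)

class SecuredProxy:
    """Wrapper that intercepts in-process calls and checks the caller's identity."""
    def __init__(self, target, store, identity):
        self._target, self._store, self._identity = target, store, identity

    def __getattr__(self, name):  # runs for every member not defined on the proxy
        cls = type(self._target).__name__
        if not self._store.is_authorized(self._identity, cls, name):
            raise AccessDenied(f"{self._identity} may not access {cls}.{name}")
        return getattr(self._target, name)

class Account:
    """Application object: contains no security logic of its own."""
    def __init__(self):
        self.balance = 100
    def get_balance(self):
        return self.balance
    def withdraw(self, amount):
        self.balance -= amount
        return self.balance

def build_store():
    store = SecurityStore()
    # Per-method settings: two methods of one object carry different settings.
    store.method_roles = {("Account", "get_balance"): {"Teller", "Manager"},
                          ("Account", "withdraw"): {"Manager"}}
    # Constructed sample bindings of roles to host users.
    store.role_users = {"Teller": {"alice"}, "Manager": {"bob"}}
    return store

def try_call(store, identity, method, *args):
    proxy = SecuredProxy(Account(), store, identity)
    try:
        return getattr(proxy, method)(*args)
    except AccessDenied:
        return "denied"
```

The proxy only shows where the check sits; Python does not stop a caller from reaching `_target` directly, so this wrapper is not itself a hard boundary.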
Specification