Mechanism for determining restrictions to impose on an implementation of a service

US 6,792,537 B1
Filed: 01/14/2000
Issued: 09/14/2004
Est. Priority Date: 11/22/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a system wherein an application requests an implementation of a particular service, a method for determining restrictions to impose on the implementation, comprising:

determining whether any permissions have been granted to the application requesting the implementation; and

in response to a determination that at least one permission has been granted to the application, processing said permission to derive a set of zero or more restrictions to impose on the implementation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mechanism for determining restrictions to impose on an implementation of a service is disclosed. When an application desires an implementation for a particular service, the application makes a request to a framework. The framework receives the request and, in response, determines what restrictions, if any, need to be imposed on the requested implementation. The restrictions are determined by determining whether any permissions have been granted to the application requesting the implementation, and if so, processing the permissions to derive a set of zero or more restrictions to impose on the implementation. The permissions are processed such that the set of restrictions is least restrictive. Once the restrictions are determined, the framework dynamically constructs the requested implementation. The requested implementation is constructed such that it incorporates a general implementation of the service, the restrictions, and enforcement logic for enforcing the restrictions on the general implementation. Once the requested implementation is constructed, it is provided to the application. Thereafter, the application invokes the requested implementation directly for services. Since the requested implementation incorporates the restrictions and enforcement logic for enforcing the restrictions, it will guarantee that the restrictions are enforced.

Citations

42 Claims

1. In a system wherein an application requests an implementation of a particular service, a method for determining restrictions to impose on the implementation, comprising:
- determining whether any permissions have been granted to the application requesting the implementation; and
  
  in response to a determination that at least one permission has been granted to the application, processing said permission to derive a set of zero or more restrictions to impose on the implementation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein said permission is processed such that said set of restrictions is least restrictive.
  - 3. The method of claim 1, further comprising:
4. The method of claim 3, wherein said default limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
5. The method of claim 1, wherein processing said permission comprises:
- determining whether said permission is an all-encompassing permission; and
  
  in response to a determination that said permission is an all-encompassing permission, providing an indication that the implementation is unrestricted.
6. The method of claim 1, wherein processing said permission comprises:
- determining whether said permission requires an exemption mechanism to be implemented; and
  
  in response to a determination that said permission does not require an exemption mechanism to be implemented, deriving said set of zero or more restrictions based upon said permission.
7. The method of claim 6, wherein deriving said restrictions comprises:
- determining whether said permission specifies a set of parameters; and
  
  in response to a determination that said permission specifies a set of parameters, deriving said set of zero or more restrictions based upon said parameters.
8. The method of claim 6, wherein deriving said restrictions comprises:
- determining whether said permission specifies a set of parameters; and
  
  in response to a determination that said permission does not specify a set of parameters, providing an indication that the implementation is unrestricted.
9. The method of claim 1, wherein processing said permission comprises:
- determining whether said permission requires a particular exemption mechanism to be implemented; and
  
  in response to a determination that said permission requires a particular exemption mechanism to be implemented, accessing a set of exempt limitations; and
  
  reconciling said permission and said exempt limitations to derive said set of zero or more restrictions.
10. The method of claim 9, wherein reconciling said permission and said exempt limitations comprises:
- determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation; and
  
  in response to a determination that said exempt limitations allow said particular exemption mechanism to be implemented with the implementation, deriving said set of zero or more restrictions based upon said exempt limitations.
11. The method of claim 9, wherein reconciling said permission and said exempt limitations comprises:
- determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation;
  
  in response to a determination that said exempt limitations do not allow said particular exemption mechanism to be implemented with the implementation, accessing a set of default limitations; and
  
  deriving said set of zero or more restrictions based upon said default limitations.
12. The method of claim 9, wherein said exempt limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
13. The method of claim 1, wherein determining whether any permissions have been granted to the application comprises:
- traversing a call stack to determine which application requested the implementation.
14. The method of claim 13, wherein determining whether any permissions have been granted to the application further comprises:
- authenticating the application.

15. In a system wherein an application requests an implementation of a particular service, an apparatus for determining restrictions to impose on the implementation, comprising:
- a mechanism for determining whether any permissions have been granted to the application requesting the implementation; and
  
  a mechanism for processing, in response to a determination that at least one permission has been granted to the application, said permission to derive a set of zero or more restrictions to impose on the implementation.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The apparatus of claim 15, wherein said permission is processed such that said set of restrictions is least restrictive.
  - 17. The apparatus of claim 15, further comprising:
18. The apparatus of claim 17, wherein said default limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
19. The apparatus of claim 15, wherein the mechanism for processing said permission comprises:
- a mechanism for determining whether said permission is an all-encompassing permission; and
  
  a mechanism for providing, in response to a determination that said permission is an all-encompassing permission, an indication that the implementation is unrestricted.
20. The apparatus of claim 15, wherein the mechanism for processing said permission comprises:
- a mechanism for determining whether said permission requires an exemption mechanism to be implemented; and
  
  a mechanism for deriving, in response to a determination that said permission does not require an exemption mechanism to be implemented, said set of zero or more restrictions based upon said permission.
21. The apparatus of claim 20, wherein the mechanism for deriving said restrictions comprises:
- a mechanism for determining whether said permission specifies a set of parameters; and
  
  a mechanism for deriving, in response to a determination that said permission specifies a set of parameters, said set of zero or more restrictions based upon said parameters.
22. The apparatus of claim 20, wherein the mechanism for deriving said restrictions comprises:
- a mechanism for determining whether said permission specifies a set of parameters; and
  
  a mechanism for providing, in response to a determination that said permission does not specify a set of parameters, an indication that the implementation is unrestricted.
23. The apparatus of claim 15, wherein the mechanism for processing said permission comprises:
- a mechanism for determining whether said permission requires a particular exemption mechanism to be implemented; and
  
  a mechanism for accessing, in response to a determination that said permission requires a particular exemption mechanism to be implemented, a set of exempt limitations; and
  
  a mechanism for reconciling said permission and said exempt limitations to derive said set of zero or more restrictions.
24. The apparatus of claim 23, wherein the mechanism for reconciling said permission and said exempt limitations comprises:
- a mechanism for determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation; and
  
  a mechanism for deriving, in response to a determination that said exempt limitations allow said particular exemption mechanism to be implemented with the implementation, said set of zero or more restrictions based upon said exempt limitations.
25. The apparatus of claim 23, wherein the mechanism for reconciling said permission and said exempt limitations comprises:
- a mechanism for determining whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation;
  
  a mechanism for accessing, in response to a determination that said exempt limitations do not allow said particular exemption mechanism to be implemented with the implementation, a set of default limitations; and
  
  a mechanism for deriving said set of zero or more restrictions based upon said default limitations.
26. The apparatus of claim 23, wherein said exempt limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
27. The apparatus of claim 15, wherein the mechanism for determining whether any permissions have been granted to the application comprises:
- a mechanism for traversing a call stack to determine which application requested the implementation.
28. The apparatus of claim 27, wherein the mechanism for determining whether any permissions have been granted to the application further comprises:
- a mechanism for authenticating the application.

29. A computer readable medium having stored thereon instructions which, when executed by one or more processors, cause the one or more processors to determine restrictions to impose on an implementation of a particular service requested by an application, said computer readable medium comprising:
- instructions for causing one or more processors to determine whether any permissions have been granted to the application requesting the implementation; and
  
  instructions for causing one or more processors to process, in response to a determination that at least one permission has been granted to the application, said permission to derive a set of zero or more restrictions to impose on the implementation.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 30. The computer readable medium of claim 29, wherein said permission is processed such that said set of restrictions is least restrictive.
  - 31. The computer readable medium of claim 29, further comprising:
32. The computer readable medium of claim 31, wherein said default limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
33. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to process said permission comprises:
- instructions for causing one or more processors to determine whether said permission is an all-encompassing permission; and
  
  instructions for causing one or more processors to provide, in response to a determination that said permission is an all-encompassing permission, an indication that the implementation is unrestricted.
34. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to process said permission comprises:
- instructions for causing one or more processors to determine whether said permission requires an exemption mechanism to be implemented; and
  
  instructions for causing one or more processors to derive, in response to a determination that said permission does not require an exemption mechanism to be implemented, said set of zero or more restrictions based upon said permission.
35. The computer readable medium of claim 34, wherein the instructions for causing one or more processors to derive said restrictions comprises:
- instructions for causing one or more processors to determine whether said permission specifies a set of parameters; and
  
  instructions for causing one or more processors to derive, in response to a determination that said permission specifies a set of parameters, said set of zero or more restrictions based upon said parameters.
36. The apparatus of claim 34, wherein the instructions for causing one or more processors to derive said restrictions comprises:
- instructions for causing one or more processors to determine whether said permission specifies a set of parameters; and
  
  instructions for causing one or more processors to provide, in response to a determination that said permission does not specify a set of parameters, an indication that the implementation is unrestricted.
37. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to process said permission comprises:
- instructions for causing one or more processors to determine whether said permission requires a particular exemption mechanism to be implemented; and
  
  instructions for causing one or more processors to access, in response to a determination that said permission requires a particular exemption mechanism to be implemented, a set of exempt limitations; and
  
  instructions for causing one or more processors to reconcile said permission and said exempt limitations to derive said set of zero or more restrictions.
38. The computer readable medium of claim 37, wherein the instructions for causing one or more processors to reconcile said permission and said exempt limitations comprises:
- instructions for causing one or more processors to determine whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation; and
  
  instructions for causing one or more processors to derive, in response to a determination that said exempt limitations allow said particular exemption mechanism to be implemented with the implementation, said set of zero or more restrictions based upon said exempt limitations.
39. The computer readable medium of claim 37, wherein the instructions for causing one or more processors to reconcile said permission and said exempt limitations comprises:
- instructions for causing one or more processors to determine whether said exempt limitations allow said particular exemption mechanism to be implemented with the implementation;
  
  instructions for causing one or more processors to access, in response to a determination that said exempt limitations do not allow said particular exemption mechanism to be implemented with the implementation, a set of default limitations; and
  
  instructions for causing one or more processors to derive said set of zero or more restrictions based upon said default limitations.
40. The computer readable medium of claim 37, wherein said exempt limitations are derived by merging multiple jurisdiction policies and extracting therefrom the most restrictive limitations.
41. The computer readable medium of claim 29, wherein the instructions for causing one or more processors to determine whether any permissions have been granted to the application comprises:
- instructions for causing one or more processors to traverse a call stack to determine which application requested the implementation.
42. The computer readable medium of claim 41, wherein the instructions for causing one or more processors to determine whether any permissions have been granted to the application further comprises:
- instructions for causing one or more processors to authenticate the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Luehe, Jan, Liu, Sharon S.
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/483,246
Time in Patent Office

1,705 Days
Field of Search

713/182, 713/168, 713/200, 713/201
US Class Current

713/182
CPC Class Codes

G06F 21/445   by mutual authentication, e...

G06F 21/52   during program execution, e...

G06F 21/604   Tools and structures for ma...

G06F 21/6236   between heterogeneous systems

G06F 2211/007   Encryption, En-/decode, En-...

G06F 2221/2107   File encryption

Mechanism for determining restrictions to impose on an implementation of a service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanism for determining restrictions to impose on an implementation of a service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links