Method and apparatus for sharing a security context between different sessions on a database server

US 6,986,060 B1
Filed: 05/23/2000
Issued: 01/10/2006
Est. Priority Date: 05/23/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for sharing a security context for a given application client between different applications associated with the given application client on a database server, comprising:

receiving a request at the database server through a database session between the database server and an application on a database client;

looking up an identifier for the given application client that identifies a client of the application, wherein the identifier for the given application client identifies a user of the application that is sending the request to the database server, the identifier having been previously associated with the database session;

using the identifier to look up the security context for the given application client within a storage area associated with the database server;

wherein the security context includes attributes related to the given application client;

wherein only applications associated with the given application client will receive the security context for the given client;

receiving the security context for the given application client from the database client;

inserting the security context into the storage area associated with the database server so that the security context can be indexed by the identifier for the given application client;

performing a database operation to satisfy the request;

wherein performing the database operation involves enforcing access rights associated with the security context; and

allowing the given application client to use the same security context through a second application and a second database session by;

receiving a second request at the database server through the second database session with the second application, looking up the identifier for the given application client, the identifier having been previously associated with the second database session, and using the identifier to look up the security context for the given application client within the storage area associated with the database server.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system for sharing a security context between different sessions on a database server. The system operates by receiving a request at the database server through a database session between the database server and an application on a database client. The system looks up an identifier for an application client that was previously associated with the database session. The system uses this identifier to look up the security context containing attributes related to the application client within a storage area associated with the database server. Next, the system performs a database operation to satisfy the request and in doing so enforces access rights associated with the security context. In one embodiment of the present invention, the request includes a database query directed to a database on the database server. In one embodiment of the present invention, performing the database operation involves modifying the database query to enforce access rights associated with the security context. In one embodiment of the present invention, the identifier for the application client identifies a user of the application that is sending the request to the database server. In one embodiment of the present invention, the database client is an application server that is sending the request to the database server, and the identifier for the application client identifies an application session between the application on the application server and the client of the application.

84 Citations

View as Search Results

18 Claims

1. A method for sharing a security context for a given application client between different applications associated with the given application client on a database server, comprising:
- receiving a request at the database server through a database session between the database server and an application on a database client;
  
  looking up an identifier for the given application client that identifies a client of the application, wherein the identifier for the given application client identifies a user of the application that is sending the request to the database server, the identifier having been previously associated with the database session;
  
  using the identifier to look up the security context for the given application client within a storage area associated with the database server;
  
  wherein the security context includes attributes related to the given application client;
  
  wherein only applications associated with the given application client will receive the security context for the given client;
  
  receiving the security context for the given application client from the database client;
  
  inserting the security context into the storage area associated with the database server so that the security context can be indexed by the identifier for the given application client;
  
  performing a database operation to satisfy the request;
  
  wherein performing the database operation involves enforcing access rights associated with the security context; and
  
  allowing the given application client to use the same security context through a second application and a second database session by;
  
  receiving a second request at the database server through the second database session with the second application, looking up the identifier for the given application client, the identifier having been previously associated with the second database session, and using the identifier to look up the security context for the given application client within the storage area associated with the database server.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the request includes a database query directed to a database on the database server.
  - 3. The method of claim 2, wherein performing the database operation involves modifying the database query to enforce access rights associated with the security context.
  - 4. The method of claim 1,wherein the database client is an application server that is sending the request to the database server;
    - and wherein the identifier for the given application client identifies an application session between the application on the application server and the client of the application.
  - 5. The method of claim 4, further comprising:
    - receiving a request from the application to change the application session associated with the database session; and
      
      changing the application session associated with the database session.
  - 6. The method of claim 4, further comprising facilitating connection pooling by periodically changing the application session associated with the database session in order to channel requests associated with multiple application sessions through the database session.

7. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for sharing a security context for a given application client between different applications associated with the given application client on a database server, the method comprising:
- receiving a request at the database server through a database session between the database server and an application on a database client;
  
  looking up an identifier for the given application client that identifies a client of the application, wherein the identifier for the given application client identifies a user of the application that is sending the request to the database server, the identifier having been previously associated with the database session;
  
  using the identifier to look up the security context for the given application client within a storage area associated with the database server;
  
  wherein the security context includes attributes related to the given application client;
  
  wherein only applications associated with the given application client will receive the security context for the given client;
  
  receiving the security context for the given application client from the database client;
  
  inserting the security context into the storage area associated with the database server so that the security context can be indexed by the identifier for the given application client;
  
  performing a database operation to satisfy the request;
  
  wherein performing the database operation involves enforcing access rights associated with the security context; and
  
  allowing the given application client to use the same security context through a second application and a second database session by;
  
  receiving a second request at the database server through the second database session with the second application, looking up the identifier for the given application client, the identifier having been previously associated with the second database session, and using the identifier to look up the security context for the given application client within the storage area associated with the database server.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The computer-readable storage medium of claim 7, wherein the request includes a database query directed to a database on the database server.
  - 9. The computer-readable storage medium of claim 8, wherein performing the database operation involves modifying the database query to enforce access rights associated with the security context.
  - 10. The computer-readable storage medium of claim 7,wherein the database client is an application server that is sending the request to the database server;
    - and wherein the identifier for the given application client identifies an application session between the application on the application server and the client of the application.
  - 11. The computer-readable storage medium of claim 10, wherein the method further comprises:
    - receiving a request from the application to change the application session associated with the database session; and
      
      changing the application session associated with the database session.
  - 12. The computer-readable storage medium of claim 10, wherein the method further comprises facilitating connection pooling by periodically changing the application session associated with the database session in order to channel requests associated with multiple application sessions through the database session.

13. An apparatus that facilitates sharing a security context for a given application client between different applications associated with the given application client on a database server, comprising:
- a receiving mechanism that is configured to receive a request at the database server through a database session between the database server and an application on a database client;
  
  wherein the receiving mechanism is further configured to receive the security context for the given application client from the database client;
  
  wherein the receiving mechanism is further configured to receive a second request at the database server through a second database session between the database server and a second application;
  
  a lookup mechanism that is configured to look up an identifier for an given application client that identifies a client of the application, wherein the identifier for the given application client identifies a user of the application that is sending the request to the database server, the identifier having been previously associated with the database session;
  
  wherein the lookup mechanism is configured to use the identifier to look up the security context for the given application client within a storage area associated with the database server;
  
  wherein the lookup mechanism is further configured to look up the identifier for the given application client, the identifier having been previously associated with the second database session;
  
  wherein the lookup mechanism is further configured to use the identifier to look up the security context for the given application client within the storage area associated with the database server;
  
  wherein the security context includes attributes related to the given application client;
  
  wherein only applications associated with the given application client will receive the security context for the given client;
  
  a security context initialization mechanism that is configured to insert the security context into the storage area associated with the database server so that the security context can be indexed by the identifier for the given application client; and
  
  a database engine that is configured to perform a database operation to satisfy the request;
  
  wherein performing the database operation involves enforcing access rights associated with the security context.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The apparatus of claim 13, wherein the request includes a database query directed to a database on the database server.
  - 15. The apparatus of claim 13, wherein the database engine is configured to perform the database operation by modifying the database query to enforce access rights associated with the security context.
  - 16. The apparatus of claim 13,wherein the database client is an application server that is sending the request to the database server;
    - and wherein the identifier for the given application client identifies an, application session between the application on the application server and the client of the application.
  - 17. The apparatus of claim 16, wherein the receiving mechanism is additionally configured to receive a request from the application to change the application session associated with the database session;
    - andfurther comprising a changing mechanism that is configured to change the application session associated with the database session in response to the request.
  - 18. The apparatus of claim 17, wherein the changing mechanism is further configured to facilitate connection pooling by periodically changing the application session associated with the database session in order to channel requests associated with multiple application sessions through the database session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Wong, Daniel ManHung
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US09/577,220
Time in Patent Office

2,058 Days
Field of Search

713/150, 713164-168, 713/175, 713/176, 713200-202, 709217-219, 709/223, 709225-229, 709/235, 707/1, 707/9, 707/10, 707/100, 714/47, 379/9.04
US Class Current

726/26
CPC Class Codes

G06F 21/6227 where protection concerns t...

Y10S 707/99939 Privileged access

Method and apparatus for sharing a security context between different sessions on a database server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for sharing a security context between different sessions on a database server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others