Two phase intermediate query security using access control
Abstract
A method, system and article of manufacture for two phase intermediate query security using access control. A networked client-server computer system having a plurality of users of the client-server system and including software performing database queries via a DBMS for users of the system implements the method. The method includes receiving a query string from one of the users by the client system, the query string including references to database objects. The received query string is transformed by the client system to an intermediate query string, and a first phase query security is performed by the client system including identifying the referenced database objects and inserting a security marker into the intermediate query string for each respective identified database object, and sending the intermediate query string to the server system. Access control checks are performed by the server system on the inserted security markers in the intermediate query string, and the inserted security markers are replaced with corresponding DBMS code to enforce access control.
15 Claims
1. In a networked client-server computer system having a plurality of users of the client-server system and including software performing database queries via a database management system (DBMS) for users of the system, a method of two-phase query security, the method comprising:
- receiving by the client system a query string from one of the plurality of users, the query string including references to database objects;
- transforming the received query string by the client system to an intermediate query string;
- performing a first phase query security by the client system including:
  - identifying the referenced database objects; and
  - inserting a security marker into the intermediate query string for each respective identified database object, thereby forming respective pairs of query parts and marker parts;
- transferring the intermediate query string, including the query parts and the marker parts, to the server system;
- performing access control checks in a second phase query security by the server system on the inserted security markers in the intermediate query string; and
- replacing each of the inserted security markers in the second phase query security by the server system with a corresponding security check string to enforce access control.

Dependent claims: 2, 3, 4, 5.
6. A client-server computer system having a plurality of users of the system comprising a networked client-server computer system having a plurality of users of the network system and including software performing database queries via a database management system (DBMS) for users of the system, including:
- a client system for receiving user queries;
- a server system for resolving the user queries;
- a communication network connecting the client system and the server system;
- client-side software running on the client system, including:
  - means for transforming a received query into an intermediate query string;
  - means for identifying database objects included in the received query;
  - means for inserting a security marker into the intermediate query string for each identified database object, thereby forming respective pairs of query parts and marker parts;
  - means for sending the intermediate query string, including the query parts and the marker parts, to the server system; and
  - means for receiving a resolved query from the server system;
- server-side software running on the server system, including:
  - means for performing access control checks on each of the inserted security markers in a received query string;
  - means for replacing each of the inserted security markers in the received intermediate query string with respective security check strings for enforcing access control;
  - means for submitting the received intermediate query string to a DBMS;
  - means for receiving a query response from the DBMS; and
  - means for returning the query response to the client system;
- a database connected to the server system; and
- a DBMS running on the server system for accessing the database and resolving received query strings and returning a resolved query response.

Dependent claims: 7, 8, 9, 10.
11. An article of computer-readable media having contents that cause a client-server computer system having a plurality of users of the network, and including software running on the client-server computer system, performing database queries via a database management system (DBMS) for users of the system to perform the computer-implemented steps of:
- receiving by the client system a query string from one of the plurality of users, the query string including references to database objects;
- transforming the received query string by the client system to an intermediate query string;
- performing a first phase query security by the client system including:
  - identifying the referenced database objects; and
  - inserting a security marker into the intermediate query string for each respective identified database object, thereby forming respective pairs of query parts and marker parts;
- transferring the intermediate query string, including the query parts and the marker parts, to the server system;
- performing access control checks in a second phase query security by the server system on the inserted security markers in the intermediate query string; and
- replacing each of the inserted security markers in the second phase query security by the server system with a corresponding security check string to enforce access control.

Dependent claims: 12, 13, 14, 15.
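A minimal Python sketch of the two-phase flow the abstract and claims describe, added here as an illustration and not code from the patent: the client identifies each referenced table and swaps it for a security marker, and the server checks every marker against an access control list and replaces it with a security check string (here a row-filtering derived table) before the DBMS runs the query. The ACL, the `{{SEC:...}}` marker syntax, the regex-based object detection and the SQLite demo data are all constructed assumptions.

```python
import re
import sqlite3

# Constructed ACL: user -> {object: row predicate, or None for unrestricted access}.
# An object absent from a user's entry is denied outright.
ACL = {
    "alice": {"employees": "dept = 'sales'", "salaries": None},
    "bob": {"salaries": None},
}

# Simplified object detection: a table name following FROM or JOIN.
# (A real client would walk a parsed AST; string literals containing FROM would fool this.)
OBJ_REF = re.compile(r"\b(FROM|JOIN)\s+(\w+)", re.IGNORECASE)
MARKER = re.compile(r"\{\{SEC:(\w+)\}\}")


def client_phase(query):
    """Phase 1 (client): identify referenced tables and replace each with a marker,
    returning the intermediate query and the objects found, in order."""
    objects = []

    def mark(m):
        objects.append(m.group(2))
        return f"{m.group(1)} {{{{SEC:{m.group(2)}}}}}"

    return OBJ_REF.sub(mark, query), objects


def server_phase(user, intermediate):
    """Phase 2 (server): check every marker against the ACL and replace it with a
    security check string; refuse the whole query if any object is denied."""
    grants = ACL.get(user, {})

    def resolve(m):
        obj = m.group(1)
        if obj not in grants:
            raise PermissionError(f"{user} is not allowed to read {obj}")
        pred = grants[obj]
        # Unrestricted: the plain table. Restricted: a derived table carrying the row filter.
        return obj if pred is None else f"(SELECT * FROM {obj} WHERE {pred})"

    return MARKER.sub(resolve, intermediate)


def run_secured(user, query):
    """End-to-end demo against an in-memory SQLite table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees(name TEXT, dept TEXT)")
    db.executemany("INSERT INTO employees VALUES (?, ?)",
                   [("ann", "sales"), ("ben", "hr"), ("cat", "sales")])
    intermediate, _ = client_phase(query)
    return db.execute(server_phase(user, intermediate)).fetchall()
```

The derived-table form relies on SQLite accepting an unaliased subquery in FROM; other DBMSs may require an alias in the security check string.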