Post data processing

US 7,249,369 B2
Filed: 02/26/2001
Issued: 07/24/2007
Est. Priority Date: 07/10/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for matching a policy to a resource in an Access System, comprising:

receiving from a requestor a first HTTP POST request to access a first resource;

loading a first policy domain from a plurality of policy domains based on said first resource wherein said first policy domain comprises a logical grouping of a first set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the first policy domain not associated with a policy and at least one second level rule defining an access rule for an associated resource of the first set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;

choosing a first policy from the plurality of policies in the first policy domain by matching said first policy to said first resource based on POST data referenced by said first HTTP POST request;

authentication said first HTTP POST request based on said authentication rule of said first policy;

in response to authenticating said first HTTP POST request, authorizing said first HTTP POST request based on said first policy;

receiving from the requestor a second HTTP POST request to access a second resource;

loading a second policy domain from the plurality of policy domains based on said second resource wherein said second policy domain comprises a logical grouping of a second set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the second policy domain not associated with apolicy and at least one second level rule defining an access rule for an associated resource of the second set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;

choosing a second policy from the plurality of policies in the second policy domain by matching said second policy to said second resource based on POST data referenced by said second HTTP POST request;

in response to the associated rating of the authentication rule of the first policy being less than the associated rating of the authentication rule of the second policy, authenticating the second HTTP POST request based on said authentication rule of said second policy and authorizing said second HTTP POST request based on said second policy; and

in response to the associated rating of the authentication rule of the first policy being equal to or greater than the associated rating of the authentication rule of the second policy, authorizing said second HTTP POST request based on said second policy without authenticating the second HTTP POST request.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention matches sets of authentication, authorization, and auditing rules to resources in an Access System based on the contents of POST data received in HTTP POST requests. The system of the present invention receives a POST request and matches a set of rules to a resource using POST data referenced by the HTTP request. In one embodiment, the matching is performed by accessing required matching data. A portion of the POST data is selected and compared with the required data. If all of the required data is matched to the POST data, then the resource is successfully matched. The present invention further authorizes a user to access resources in an Access System based on the contents of POST data. An authorization rule is retrieved and authorization is performed using the POST data. If the authorization is successful, the system grants the user access to the resource.

Citations

21 Claims

1. A method for matching a policy to a resource in an Access System, comprising:
- receiving from a requestor a first HTTP POST request to access a first resource;
  
  loading a first policy domain from a plurality of policy domains based on said first resource wherein said first policy domain comprises a logical grouping of a first set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the first policy domain not associated with a policy and at least one second level rule defining an access rule for an associated resource of the first set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;
  
  choosing a first policy from the plurality of policies in the first policy domain by matching said first policy to said first resource based on POST data referenced by said first HTTP POST request;
  
  authentication said first HTTP POST request based on said authentication rule of said first policy;
  
  in response to authenticating said first HTTP POST request, authorizing said first HTTP POST request based on said first policy;
  
  receiving from the requestor a second HTTP POST request to access a second resource;
  
  loading a second policy domain from the plurality of policy domains based on said second resource wherein said second policy domain comprises a logical grouping of a second set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the second policy domain not associated with apolicy and at least one second level rule defining an access rule for an associated resource of the second set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;
  
  choosing a second policy from the plurality of policies in the second policy domain by matching said second policy to said second resource based on POST data referenced by said second HTTP POST request;
  
  in response to the associated rating of the authentication rule of the first policy being less than the associated rating of the authentication rule of the second policy, authenticating the second HTTP POST request based on said authentication rule of said second policy and authorizing said second HTTP POST request based on said second policy; and
  
  in response to the associated rating of the authentication rule of the first policy being equal to or greater than the associated rating of the authentication rule of the second policy, authorizing said second HTTP POST request based on said second policy without authenticating the second HTTP POST request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein:
    - said step of matching said first policy to said first resource comprises the steps of;
      
      accessing required policy matching data;
      
      selecting a portion of said POST data referenced by said first HTTP POST request;
      
      comparing said portion of POST data with said required policy matching data;
      
      repeating said steps of selecting and comparing for all portions of said POST data; and
      
      returning a successful match of said first policy to said first resource if all of said required policy matching data was matched to said POST data in said step of comparing.
  - 3. The method of claim 2, further comprising the steps of:
    - receiving a flag, said flag indicating whether said first HTTP POST request contains POST data;
      
      requesting said POST data if said first HTTP POST request does not contain POST data; and
      
      receiving said POST data.
  - 4. The method of claim 2, wherein:
    - said authentication rule of said first policy specifies a challenge method for verifying user identities to authenticate users for resources matched to said first policy.
  - 5. The method of claim 2, wherein:
    - said first policy comprises a first policy authorization rule for granting user access to a subset of resources in said Access System.
  - 6. The method of claim 2, wherein:
    - said first policy comprises a policy auditing rule specifying a set of information logged in response to an access system event pertaining to resources matched to said first policy.
  - 7. The method of claim 1, wherein:
    - said step of matching said second policy to said second resource comprises the steps of;
      
      accessing required policy matching data;
      
      selecting a portion of said POST data referenced by said second HTTP POST request;
      
      comparing said portion of POST data with said required policy matching data;
      
      repeating said steps of selecting and comparing for all portions of said POST data; and
      
      returning a successful match of said second policy to said second resource if all of said required policy matching data was matched to said POST data in said step of comparing.
  - 8. The method of claim 7, further comprising the steps of:
    - receiving a flag, said flag indicating whether said second HTTP POST request contains POST data;
      
      requesting said POST data if said second HTTP POST request does not contain POST data; and
      
      receiving said POST data.
  - 9. The method of claim 7, wherein:
    - said authentication rule of said second policy specifies a challenge method for verifying user identities to authenticate users for resources matched to said second policy.
  - 10. The method of claim 7, wherein:
    - said second policy comprises a second policy authorization rule for granting user access to a subset of resources in said Access System.
  - 11. The method of claim 7, wherein:
    - said second policy comprises a policy auditing rule specifying a set of information logged in response to an access system event pertaining to resources matched to said second policy.

12. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method for matching a policy to a resource in an Access System, the method comprising:
- receiving from a requestor a first HTTP POST request to access a first resource;
  
  loading a first policy domain from a plurality of policy domains based on said first resource wherein said first policy domain comprises a logical grouping of a first set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the first policy domain not associated with a policy and at least one second level rule defining an access rule for an associated resource of the first set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;
  
  choosing a first policy from the plurality of policies in the first policy domain by matching said first policy to said first resource based on POST data referenced by said first HTTP POST request;
  
  authentication said first HTTP POST request based on said authentication rule of said first policy;
  
  in response to authenticating said first HTTP POST request, authorizing said first HTTP POST request based on said first policy;
  
  receiving from the requestor a second HTTP POST request to access a second resource;
  
  loading a second policy domain from the plurality of policy domains based on said second resource wherein said second policy domain comprises a logical grouping of a second set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the second policy domain not associated with a policy and at least one second level rule defining an access rule for an associated resource of the second set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;
  
  choosing a second policy from the plurality of policies in the second policy domain by matching said second policy to said second resource based on POST data referenced by said second HTTP POST request;
  
  in response to the associated rating of the authentication rule of the first policy being less than the associated rating of the authentication rule of the second policy, authenticating the second HTTP POST request based on said authentication rule of said second policy and authorizing said second HTTP POST request based on said second policy; and
  
  in response to the associated rating of the authentication rule of the first policy being equal to or greater than the associated rating of the authentication rule of the second policy, authorizing said second HTTP POST request based on said second policy without authenticating the second HTTP POST request.
- View Dependent Claims (13, 14, 15, 16)
- - 13. One or more processor readable storage devices according to claim 12, wherein:
    - said step of matching said first policy to said first resource comprises the steps of;
      
      accessing required policy matching data;
      
      selecting a portion of said POST data referenced by said first HTTP POST request;
      
      comparing said portion of POST data with said required policy matching data;
      
      repeating said steps of selecting and comparing for all portions of said POST data; and
      
      returning a successful match of said first policy to said first resource if all of said required policy matching data was matched to said POST data in said step of comparing.
  - 14. One or more processor readable storage devices according to claim 13, wherein said method further comprises the steps of:
    - receiving a flag, said flag indicating whether said first HTTP POST request contains POST data;
      
      requesting said POST data if said first HTTP POST request does not contain POST data; and
      
      receiving said POST data.
  - 15. One or more processor readable storage devices according to claim 12, wherein:
    - said step of matching said second policy to said secondt resource comprises the steps of;
      
      accessing required policy matching data;
      
      selecting a portion of said POST data referenced by said second HTTP POST request;
      
      comparing said portion of POST data with said required policy matching data;
      
      repeating said steps of selecting and comparing for all portions of said POST data; and
      
      returning a successful match of said second policy to said second resource if all of said required policy matching data was matched to said POST data in said step of comparing.
  - 16. One or more processor readable storage devices according to claim 15, wherein said method further comprises the steps of:
    - receiving a flag, said flag indicating whether said second HTTP POST request contains POST data;
      
      requesting said POST data if said second HTTP POST request does not contain POST data; and
      
      receiving said POST data.

17. An apparatus, comprising:
- a communication interface;
  
  one or more storage devices; and
  
  one or more processors in communication with said one or more storage devices and said conmmnication interface, said one or more processors programmed to perform a method for matching a policy to a resource in an Access System by;
  
  receiving from a requestor a first HTTP POST request to access a first resource;
  
  loading a first policy domain from a plurality of policy domains based on said first resource wherein said first policy domain comprises a logical grouping of a first set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the first policy domain not associated with a policy and at least one second level rule defining an access rule for an associated resource of the first set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;
  
  choosing a first policy from the plurality of policies in the first policy domain by matching said first policy to said first resource based on POST data referenced by said first HTTP POST request;
  
  authentication said first HTTP POST request based on said authentication rule of said first policy;
  
  in response to authenticating said first HTTP POST request, authorizing said first HTTP POST request based on said first policy;
  
  receiving from the requestor a second HTTP POST request to access a second resource;
  
  loading a second policy domain from the plurality of policy domains based on said second resource wherein said second policy domain comprises a logical grouping of a second set of resources and a plurality of policies, each policy of the plurality of policies comprising a plurality of access rules including at least one first level rule defining a default access rule for resources of the second policy domain not associated with a policy and at least one second level rule defining an access rule for an associated resource of the second set of resources, wherein each access rule includes an authentication rule having an associated rating indicting a relative strength of the authentication rule;
  
  choosing a second policy from the plurality of policies in the second policy domain by matching said second policy to said second resource based on POST data referenced by said second HTTP POST request;
  
  in response to the associated rating of the authentication rule of the first policy being less than the associated rating of the authentication rule of the second policy, authenticating the second HTTP POST request based on said authentication rule of said second policy and authorizing said second HTTP POST request based on said second policy; and
  
  in response to the associated rating of the authentication rule of the first policy being equal to or greater than the associated rating of the authentication rule of the second policy, authorizing said second HTTP POST request based on said second policy without authenticating the second HTTP POST request.
- View Dependent Claims (18, 19, 20, 21)
- - 18. An apparatus according to claim 17, wherein:
    - said step of matching said first policy to said first resource comprises the steps of;
      
      accessing required policy matching data;
      
      selecting a portion of said POST data referenced by said first HTTP POST request;
      
      comparing said portion of POST data with said required policy matching data;
      
      repeating said steps of selecting and comparing for all portions of said POST data; and
      
      returning a successful match of said first policy to said first resource if all of said required policy matching data was matched to said POST data in said step of comparing.
  - 19. An apparatus according to claim 18, wherein said method further includes the steps of:
    - receiving a flag, said flag indicating whether said first HTTP POST request contains POST data;
      
      requesting said POST data if said first HTTP POST request does not contain POST data; and
      
      receiving said POST data.
  - 20. An apparatus according to claim 17, wherein:
    - said step of matching said second policy to said second resource comprises the steps of;
      
      accessing required policy matching data;
      
      selecting a portion of said POST data referenced by said second HTTP POST request;
      
      comparing said portion of POST data with said required policy matching data;
      
      repeating said steps of selecting and comparing for all portions of said POST data; and
      
      returning a successful match of said second policy to said second resource if all of said required policy matching data was matched to said POST data in said step of comparing.
  - 21. An apparatus according to claim 20, wherein said method further includes the steps of:
    - receiving a flag, said flag indicating whether said second HTTP POST request contains POST data;
      
      requesting said POST data if said second HTTP POST request does not contain POST data; and
      
      receiving said POST data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Knouse, Charles W., Thiyagarajan, Lakshmi Velandai
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Gyorfi; Tom

Application Number

US09/793,196
Publication Number

US 20020120599A1
Time in Patent Office

2,339 Days
Field of Search

713/155, 713/168, 713/201, 707/6, 707/1, 705/64, 709/217, 709/230, 726 1- 4, 726/21
US Class Current

726/1
CPC Class Codes

G06F 16/9535   Search customisation based ...

G06F 16/955   using information identifie...

G06F 16/958   Organisation or management ...

G06F 21/62   Protecting access to data v...

H04L 2463/102   applying security measure f...

H04L 61/4523   using lightweight directory...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Post data processing

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Post data processing

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links