System and method for server security and entitlement processing
Abstract
A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.
18 Claims
1. A security system for allowing a client to access a protected resource through an application container, the security system comprising:
the application container, which provides services for a protected resource, wherein the application container delegates authorization decisions to a security service by passing an access request and a callback handler to the security service when the application container receives the access request for a protected resource from the client;
context information, wherein the context information comprises one or more parameter values describing the access request, identity of the protected resource, and profile information describing the client;
the security service for making a decision to permit or deny the access request, wherein a plurality of security plug-ins that implement an access decision interface are plugged into the security service, and wherein the plurality of security plug-ins use the callback handler to request the context information from the application container for the access request, and wherein the plurality of security plug-ins determine roles for which the client is entitled, and wherein association of the client to roles is computed dynamically at runtime, and wherein each of the plurality of security plug-ins determines a contributory decision selected from a group comprising: permit, deny, and abstain, and wherein depending on output from each security plug-in the security service determines entitlements for the client to use with the protected resource; and
the security service is located at a first computer, and the protected resource is located either at the first computer or at a second computer.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9
10. A method of allowing a client to access a protected resource through an application container, the method comprising:
receiving at the application container, which provides services to the resources it contains, an access request from the client to access the protected resource;
communicating the access request from the application container to a security service with the access request and a callback handler, wherein the application container delegates authorization decisions to the security service by passing the access request and the callback handler to the security service when the application container receives the access request for the protected resource from the client;
making a decision at the security service to permit or deny the access request, wherein a plurality of security plug-ins that implement an access decision interface are plugged into the security service;
using the callback handler at each security plug-in to request context information from the application container for the access request, wherein the context information comprises one or more parameter values describing the access request, identity of the protected resource, and profile information describing the client;
determining entitlements for the client to use with the protected resource depending on output from each security plug-in, wherein the plurality of security plug-ins determine roles for which the client is entitled, and wherein the association of the client to roles is computed dynamically at runtime, and wherein each of the plurality of security plug-ins determines a contributory decision selected from a group comprising: permit, deny, and abstain; and
communicating a permitted access request to the protected resource.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18
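The delegation flow recited in claims 1 and 10, as an added Python example that is not code from the patent or from any product implementing it. The plug-in names, role rules, sample context and the adjudication rule (any deny or plug-in error denies, all-abstain denies) are assumptions; the claims say only that the outcome depends on the output of each plug-in.

```python
from enum import Enum
class Decision(Enum):
    PERMIT, DENY, ABSTAIN = "permit", "deny", "abstain"

# Constructed sample context held by the container (not from the patent).
SAMPLE_CONTEXT = {"resource_id": "ledger", "parameters": {"amount": 250},
                  "client_profile": {"department": "finance"}}

def make_callback(context):
    """Container side: plug-ins pull context items by name through this handler."""
    return lambda name: context.get(name)

def compute_roles(callback):
    """Roles derived at request time from the client profile (hypothetical rules)."""
    profile = callback("client_profile") or {}
    roles = set()
    if profile.get("department") == "finance":
        roles.add("accountant")
    if profile.get("suspended"):
        roles.discard("accountant")
    return roles

def role_plugin(request, callback):
    required = {"ledger": "accountant"}.get(callback("resource_id"))
    if required is None:
        return Decision.ABSTAIN  # no opinion on resources it does not cover
    return Decision.PERMIT if required in compute_roles(callback) else Decision.DENY

def amount_plugin(request, callback):
    if request.get("action") != "post_entry":
        return Decision.ABSTAIN  # business rule applies to postings only
    amount = callback("parameters")["amount"]  # raises if context is missing
    return Decision.PERMIT if amount <= 10_000 else Decision.DENY

def security_service(request, callback, plugins):
    """Assumed adjudication: any deny or plug-in error denies; all-abstain denies."""
    votes = []
    for plugin in plugins:
        try:
            votes.append(plugin(request, callback))
        except Exception:
            votes.append(Decision.DENY)  # fail closed on a broken plug-in
    if Decision.DENY in votes:
        return Decision.DENY
    return Decision.PERMIT if Decision.PERMIT in votes else Decision.DENY

def container_handle(request, context, plugins=(role_plugin, amount_plugin)):
    """Application container delegates, passing the request plus a callback handler."""
    return security_service(request, make_callback(context), plugins)
```

Because roles are recomputed on every call, changing the profile (for example setting `suspended`) changes the outcome of the next request without any stored role assignment being edited.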
Specification