System and method for server security and entitlement processing

US 7,392,546 B2
Filed: 06/11/2001
Issued: 06/24/2008
Est. Priority Date: 06/11/2001
Status: Expired due to Term

First Claim

Patent Images

1. A security system for allowing a client to access a protected resource through an application container, the security system comprising:

the application container, which provides services for a protected resource, wherein the application container delegates authorization decisions to a security service by passing an access request and a callback handler to the security service when the application container receives the access request for a protected resource from the client;

context information, wherein the context information comprises one or more parameter values describing the access request, identity of the protected resource, and profile information describing the client;

the security service for making a decision to permit or deny the access request, wherein a plurality of security plug-ins that implement an access decision interface are plugged into the security service, and wherein the plurality of security plug-ins use the callback handler to request the context information from the application container for the access request, and wherein the plurality of security plug-ins determine roles for which the client is entitled, and wherein association of the client to roles is computed dynamically at runtime, and wherein each of the plurality of security plug-ins determines a contributory decision selected from a group comprising;

permit, deny, and abstain, and wherein depending on output from each security plug-in the security service determines entitlements for the client to use with the protected resource; and

the security service is located at a first computer, and the protected resource is located either at the first computer or at a second computer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

308 Citations

18 Claims

1. A security system for allowing a client to access a protected resource through an application container, the security system comprising:
- the application container, which provides services for a protected resource, wherein the application container delegates authorization decisions to a security service by passing an access request and a callback handler to the security service when the application container receives the access request for a protected resource from the client;
  
  context information, wherein the context information comprises one or more parameter values describing the access request, identity of the protected resource, and profile information describing the client;
  
  the security service for making a decision to permit or deny the access request, wherein a plurality of security plug-ins that implement an access decision interface are plugged into the security service, and wherein the plurality of security plug-ins use the callback handler to request the context information from the application container for the access request, and wherein the plurality of security plug-ins determine roles for which the client is entitled, and wherein association of the client to roles is computed dynamically at runtime, and wherein each of the plurality of security plug-ins determines a contributory decision selected from a group comprising;
  
  permit, deny, and abstain, and wherein depending on output from each security plug-in the security service determines entitlements for the client to use with the protected resource; and
  
  the security service is located at a first computer, and the protected resource is located either at the first computer or at a second computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The security system of claim 1 wherein the application container of claim 1 reads an application deployment description and registers the application deployment description within the security service.
  - 3. The security system of claim 2 wherein the application container is a Web Application container.
  - 4. The security system of claim 1 wherein the security service further includes an access controller for transferring the access request to the plurality of security plug-ins, and for combining the contributory decisions into an overall decision by the security service to permit or deny the access request.
  - 5. The security system of claim 1 wherein one or more of the plurality of the security plug-ins represent a business function related authorization policy.
  - 6. The security system of claim 1 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 7. The security system of claim 1 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 8. The security system of claim 1 wherein the security service further includes security plug-ins that implement an audit interface for auditing the determinations of the plurality of access requests.
  - 9. The security system of claim 1, wherein computation of a dynamic role occurs immediately before an authorization decision for the protected resource.

10. A method of allowing a client to access a protected resource through an application container, the method comprising:
- receiving at the application container, which provides services to the resources it contains, an access request from the client to access the protected resource;
  
  communicating the access request from the application container to a security service with the access request and a callback handler, wherein the application container delegates authorization decisions to the security service by passing the access request and the callback handler to the security service when the application container receives the access request for the protected resource from the client;
  
  making a decision at the security service to permit or deny the access request, wherein a plurality of security plug-ins that implement an access decision interface are plugged into the security service;
  
  using the callback handler at each security plug-in to request context information from the application container for the access request, wherein the context information comprises one or more parameter values describing the access request, identity of the protected resource, and profile information describing the client;
  
  determining entitlements for the client to use with the protected resource depending on output from each security plug-in, wherein the plurality of security plug-ins determine roles for which the client is entitled, and wherein the association of the client to roles is computed dynamically at runtime, and wherein each of the plurality of security plug-ins determines a contributory decision selected from a group comprising;
  
  permit, deny, and abstain; and
  
  communicating a permitted access request to the protected resource.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10 wherein the application container of claim 18 reads an application deployment description and registers the deployment description within the security service.
  - 12. The method of claim 11 wherein the application container is a Web Application container.
  - 13. The method of claim 10 further comprising:
    - transferring, via an access controller, the access request to the plurality of security plug-ins, and combining the contributory decisions into an overall decision by the security service to permit or deny the access request.
  - 14. The method of claim 10 wherein one or more of the plurality of the security plug-ins represent a business function related access policy.
  - 15. The method of claim 10 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 16. The method of claim 10 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 17. The method of claim 10 further comprising:
    - auditing the determinations of the plurality of access decision mechanisms.
  - 18. The security system of claim 10, wherein computation of a dynamic role occurs immediately before an authorization decision for the protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Patrick, Paul
Primary Examiner(s)
Vu; Kimyen
Assistant Examiner(s)
Pich; Ponnoreay

Application Number

US09/878,536
Publication Number

US 20020188869A1
Time in Patent Office

2,570 Days
Field of Search

707 1- 10, 709200-203, 709212-234, 709238-246, 710/1, 710 8- 14, 710 15- 19, 711/147, 711150- 52, 711154-155, 711163-164, 717100-103, 726 2- 4, 726 26- 29
US Class Current

726/26
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

System and method for server security and entitlement processing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

308 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for server security and entitlement processing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

308 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links