Generic security infrastructure for COM based systems
First Claim
1. A method of providing access control to perform a user requested operation during a session in a COM based computer application system having multiple users and servers, comprising:
- a security server validating a user to log in to the system for the session by verifying user entered authenticating parameters;
a security server generating a single unique user security context number that represents the validated user for the session;
storing the single unique user security context number;
user requesting access to perform an operation on a server in the system during the session by passing the single unique user security context number;
if access control information for the user is not in the server, then obtaining the access control information for the user;
storing the access control information for the user security context in the security client'"'"'s cache; and
performing the user requested operation on the server during the session based on the access control information and the single unique user security context number;
wherein the single unique user security context number, without exchanging itself for a different context number, allows access to data on multiple servers, or operations to be performed by multiple servers;
when a server comes up first, its security agent registering with the security server passing the server name and machine name on which the server is executing,the security server upon validation of the server credentials, generating a unique server security context,the security server passing the unique server security context asynchronously to the server which is being registered, by creating a security monitor component whose ClassId is known and which is housed inside the server;
passing a unique server security context number of the server to another server in the system to perform another operation, when the user requested operation requires performing further operation on the other server;
checking if the access control information for the first server is present in the local cache of the security agent, if not present fetching it from the security server;
the security agent validating the request to use the other server by checking the access control information for the passed in server security context, verifying the passed unique server security context number against the stored access control information of the server in the other server;
granting full permission to all server security context, thereby making the further security check faster;
performing the other requested operation on the other server based on the outcome of validating the request to use the other server during the session; and
repeating the passing, validating, and performing steps when the user requested operation further requires using other servers in the system during the session until the user logs off from the session.
1 Assignment
0 Petitions
Accused Products
Abstract
The present invention provides a generic technique to perform access control check for data access and/or for doing an operation in a COM based system comprised of multiple servers and having multiple users. A unique user security context number is generated after validating the user for a session, based on user entered authentication parameters. The generation of the security context numbers and the fetching of the access control information from storage medium is managed by a central security server. The generated unique user security context number is then used throughout the session to check for access permission for data access and/or to perform an operation requested by the user during the session.
-
Citations
16 Claims
-
1. A method of providing access control to perform a user requested operation during a session in a COM based computer application system having multiple users and servers, comprising:
-
a security server validating a user to log in to the system for the session by verifying user entered authenticating parameters; a security server generating a single unique user security context number that represents the validated user for the session; storing the single unique user security context number; user requesting access to perform an operation on a server in the system during the session by passing the single unique user security context number; if access control information for the user is not in the server, then obtaining the access control information for the user; storing the access control information for the user security context in the security client'"'"'s cache; and performing the user requested operation on the server during the session based on the access control information and the single unique user security context number; wherein the single unique user security context number, without exchanging itself for a different context number, allows access to data on multiple servers, or operations to be performed by multiple servers; when a server comes up first, its security agent registering with the security server passing the server name and machine name on which the server is executing, the security server upon validation of the server credentials, generating a unique server security context, the security server passing the unique server security context asynchronously to the server which is being registered, by creating a security monitor component whose ClassId is known and which is housed inside the server; passing a unique server security context number of the server to another server in the system to perform another operation, when the user requested operation requires performing further operation on the other server; checking if the access control information for the first server is present in the local cache of the security agent, if not present fetching it from the security server; the security agent validating the request to use the other server by checking the access control information for the passed in server security context, verifying the passed unique server security context number against the stored access control information of the server in the other server; granting full permission to all server security context, thereby making the further security check faster; performing the other requested operation on the other server based on the outcome of validating the request to use the other server during the session; and repeating the passing, validating, and performing steps when the user requested operation further requires using other servers in the system during the session until the user logs off from the session. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
-
Specification