Remote interface for policy decisions governing access control

US 7,594,256 B2
Filed: 06/26/2003
Issued: 09/22/2009
Est. Priority Date: 06/26/2003
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to resources, said method comprising:

receiving, by a server, a first request for a resource, said first request comprising a first requestor identifying information, wherein said first requestor identifying information identifies a first requestor;

referring, by said server, said first request to a remote source, wherein said remote source evaluates said first request in response to said referring to generate a first policy decision, wherein said first policy decision is based on a policy definition governing access to said resource and based on said first requestor identify information;

receiving, by said server, said first policy decision from said remote source, wherein said first policy decision is for said first requestor;

storing said first policy decision for said resource in local memory, wherein said local memory further comprises a second policy decision, wherein said second policy decision is based on a second requestor identifying information, and wherein said second policy decision is for a second requestor identified by said second requestor identifying information;

receiving, subsequent to said first request, a second request for access to said resource, said second request comprising said first requestor identifying information;

evaluating said second request using said first policy decision in said local memory;

receiving a notification from said remote source of a change in said policy definition, said notification identifying said first policy decision;

marking said first policy decision based on said notification, wherein said marking identifies that an updated policy decision must be requested when a subsequent request from said first requestor is received for said resource;

receiving, subsequent to said second request, a third request for access to said resource, said third request comprising said second requestor identifying information, wherein said second requestor identifying information identifies said second requestor;

evaluating said third request using said second policy decision in said local memory based on said second policy decision being unmarked, wherein said first policy decision is marked and said second policy decision is unmarked in local memory when said third request is evaluated;

receiving, by said server and subsequent to said third request, a fourth request for said resource after said third request is received, said fourth request comprising said first requestor identifying information, wherein said fourth requestor identifying information identifies said first requestor;

identifying, by said server in response to said fourth request, said first policy decision as marked;

referring, by said server, said fourth request to said remote source based on said first policy decision being marked, wherein said remote source evaluates said fourth request in response to said referring to generate a third policy decision;

receiving, by said server, said third policy decision from said remote source; and

evaluating said fourth request based on said third policy decision.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems thereof for controlling access to resources are described. When a user attempts to access a resource via a remote interface such as a Web server, the request is initially evaluated by a source of policy definitions such as a policy server. This source returns a policy decision to the remote interface. The policy decision is stored in memory by the remote interface. The remote interface can then evaluate subsequent requests from the user for the resource using the stored policy decision instead of having to communicate again with the source for the policy decision. Enhancements to this approach are also described. Accordingly, policy definitions and decisions are more efficiently implemented.

50 Citations

View as Search Results

12 Claims

1. A method of controlling access to resources, said method comprising:
- receiving, by a server, a first request for a resource, said first request comprising a first requestor identifying information, wherein said first requestor identifying information identifies a first requestor;
  
  referring, by said server, said first request to a remote source, wherein said remote source evaluates said first request in response to said referring to generate a first policy decision, wherein said first policy decision is based on a policy definition governing access to said resource and based on said first requestor identify information;
  
  receiving, by said server, said first policy decision from said remote source, wherein said first policy decision is for said first requestor;
  
  storing said first policy decision for said resource in local memory, wherein said local memory further comprises a second policy decision, wherein said second policy decision is based on a second requestor identifying information, and wherein said second policy decision is for a second requestor identified by said second requestor identifying information;
  
  receiving, subsequent to said first request, a second request for access to said resource, said second request comprising said first requestor identifying information;
  
  evaluating said second request using said first policy decision in said local memory;
  
  receiving a notification from said remote source of a change in said policy definition, said notification identifying said first policy decision;
  
  marking said first policy decision based on said notification, wherein said marking identifies that an updated policy decision must be requested when a subsequent request from said first requestor is received for said resource;
  
  receiving, subsequent to said second request, a third request for access to said resource, said third request comprising said second requestor identifying information, wherein said second requestor identifying information identifies said second requestor;
  
  evaluating said third request using said second policy decision in said local memory based on said second policy decision being unmarked, wherein said first policy decision is marked and said second policy decision is unmarked in local memory when said third request is evaluated;
  
  receiving, by said server and subsequent to said third request, a fourth request for said resource after said third request is received, said fourth request comprising said first requestor identifying information, wherein said fourth requestor identifying information identifies said first requestor;
  
  identifying, by said server in response to said fourth request, said first policy decision as marked;
  
  referring, by said server, said fourth request to said remote source based on said first policy decision being marked, wherein said remote source evaluates said fourth request in response to said referring to generate a third policy decision;
  
  receiving, by said server, said third policy decision from said remote source; and
  
  evaluating said fourth request based on said third policy decision.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 wherein said resource is affiliated with another resource, and wherein further a fourth policy decision for said other resource is received from said remote source and stored in said local memory.
  - 3. The method of claim 1 wherein a period of time said first policy decision is valid is also received from said remote source and stored locally.
  - 4. The method of claim 1 wherein a condition associated with said first policy definition is also received from said remote source and stored locally, wherein said condition is enforced locally.

5. A method of controlling access to resources, said method comprising:
- receiving, by a server, a first request for access to a first resource, said first request comprising a first requestor identifying information, wherein said first requestor identifying information identifies a first requestor;
  
  referring, by said server, said first request to a remote source, wherein said remote source evaluates said first request in response to said referring to generate a first policy decision, wherein said first policy decision is based on a policy definition governing access to said first resource and based on said first requestor identify information;
  
  receiving, by said server, from said remote source said first policy decision for said first resource, wherein said first policy decision is for said first requestor;
  
  storing said first policy decision in local memory, wherein said local memory further comprises a second policy decision, wherein said second policy decision is based on a second requestor identifying information, and wherein said second policy decision is for a second requestor;
  
  receiving a second request for access to said first resource, said second request comprising said first requestor identifying information;
  
  evaluating said second request using said first policy decision in said local memory;
  
  receiving a notification from said remote source of a change in said policy definition, said notification identifying said first resource;
  
  marking said first policy decision based on said notification and said first policy decision associated with said first resource, wherein said marking identifies that an updated policy decision must be requested when a subsequent request from said first requestor is received for said first resource;
  
  receiving a third request for access to said first resource, said third request comprising said second requestor identifying information, wherein said second requestor identifying information identifies said second requestor;
  
  evaluating said third request using said second policy decision in said local memory based on said second policy decision being unmarked, wherein said first policy decision is marked and said second policy decision is unmarked in local memory when said third request is evaluated;
  
  receiving, by said server, a fourth request for said first resource after said third request is received, said fourth request comprising said first requestor identifying information, wherein said fourth requestor identifying information identifies said first requestor;
  
  identifying, by said server in response to said fourth request, said first policy decision as unmarked;
  
  referring, by said server, said fourth request to said remote source based on said first policy decision being marked, wherein said remote source evaluates said fourth request in response to said referring to generate a third policy decision;
  
  receiving, by said server, said third policy decision from said remote source; and
  
  evaluating said fourth request based on said third policy decision.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5 wherein said first resource is affiliated with another resource, wherein a fourth policy decision for said other resource is received from said remote source and stored in said local memory.
  - 7. The method of claim 5 further comprising:
    - receiving information that identifies a period of time said first policy decision is valid.
  - 8. The method of claim 5 further comprising:
    - receiving from said remote source a condition associated with said first policy definition, wherein said condition is enforced locally.

9. A computer-usable medium having computer-readable program code embodied therein for causing a computer system to perform a method of controlling access to resources, said method comprising:
- receiving, by a server, a first request for a first resource, said first request comprising a first requestor identifying information, wherein said first requestor identifying information identifies a first requestor;
  
  referring, by said server, said first request to a remote source, wherein said remote source evaluates said first request in response to said referring to generate a first policy decision, wherein said first policy decision is based on a policy definition governing access to said first resource and based on said first requestor identify information;
  
  receiving, by said server, said first policy decision from said remote source, wherein said first policy decision is for said first requestor;
  
  storing in local memory said first policy decision for said first resource, wherein said local memory further comprises a second policy decision, wherein said second policy decision is based on a second requestor identifying information, and wherein said second policy decision is for a second requestor;
  
  receiving, subsequent to said first request, a second request for access to said first resource, said second request comprising said first requestor identifying information;
  
  evaluating said second request using said first policy decision stored in said local memory;
  
  receiving a notification from said remote source of a change in said policy definition, said notification identifying said first policy decision;
  
  marking said first policy decision based on said notification, wherein said marking identifies that an updated policy decision must be requested when a subsequent request from said first requestor is received for said first resource;
  
  receiving, subsequent to said second request, a third request for access to said first resource, said third request comprising said second requestor identifying information, wherein said second requestor identifying information identifies said second requestor;
  
  evaluating said third request using said second policy decision in said local memory based on said second policy decision being unmarked, wherein said first policy decision is marked and said second policy decision is unmarked in local memory when said third request is evaluated;
  
  receiving, by said server and subsequent to said third request, a fourth request for said first resource after said third request is received, said fourth request comprising said first requestor identifying information, wherein said fourth requestor identifying information identifies said first requestor;
  
  identifying, by said server in response to said fourth request, said first policy decision as marked;
  
  referring, by said server, said fourth request to said remote source based on said first policy decision being marked, wherein said remote source evaluates said fourth request in response to said referring to generate a third policy decision;
  
  receiving, by said server, said third policy decision from said remote source; and
  
  evaluating said fourth request based on said third policy decision.
- View Dependent Claims (10, 11, 12)
- - 10. The computer-usable medium of claim 9 wherein said first resource is affiliated with another resource, wherein a fourth policy decision for said other resource is received from said remote source and stored in said local memory.
  - 11. The computer-usable medium of claim 9 wherein a period of time said first policy decision is valid is also received from said remote source and stored locally.
  - 12. The computer-usable medium of claim 9 wherein a condition associated with said first policy definition is also received from said remote source and stored locally, wherein said condition is enforced locally.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation), Xerox Corporation (Xerox Holdings Corp.)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Cui, Hua, Ranganathan, Aravindan, Luo, Ping, Bhat, Shivaram, Arumugam, Dilli Dorai Minnal
Primary Examiner(s)
Moazzami; Nasser G
Assistant Examiner(s)
JOHNSON, CARLTON

Application Number

US10/608,882
Publication Number

US 20050021978A1
Time in Patent Office

2,280 Days
Field of Search

713/182, 726/1
US Class Current

726/1
CPC Class Codes

G06F 21/6227 where protection concerns t...

H04L 63/102 Entity profiles

Remote interface for policy decisions governing access control

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

50 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Remote interface for policy decisions governing access control

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links