Provisioning aggregated services in a distributed computing environment
Abstract
Methods, systems, and computer program products are disclosed for provisioning software resources used with aggregated web services. The disclosed techniques enable heterogeneous identity systems to be joined in the dynamic, run-time web services integration environment. Authentication and authorization may now be performed for the aggregated service, as well as for its sub-services. SOAP (“Simple Object Access Protocol”) messages, as an example, may be used to relay identity information among distributed services, whereby credentials may be specified in the SOAP message header to accompany a service request specified in the SOAP message body.
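As an added illustration (not code from the patent or its assignee) of the flow the abstract and claims describe: credentials travel in the SOAP header and the service request in the body; the aggregated service locates its provisioning interface in a registry, invokes the identity functions that interface names, and only on success relays the established identity (never the raw credentials) to its sub-services. The namespace `urn:example:identity`, the registry contents and the two identity stores are constructed for this example.

```python
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
ID_NS = "urn:example:identity"  # constructed namespace for the credential header

# Constructed registry entry: the provisioning interface names the identity
# functions to invoke and the sub-services that make up the aggregated service.
REGISTRY = {
    "TravelBooking": {"identity_functions": ["authenticate", "authorize"],
                      "sub_services": ["FlightService", "HotelService"]},
}
# Constructed heterogeneous identity stores: a password store and an entitlement store.
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}
ENTITLEMENTS = {"alice": {"TravelBooking"}}

def authenticate(creds, service):
    expected = PASSWORDS.get(creds["user"], "")
    # Unknown user yields "", which must not match an empty password; compare in constant time.
    return bool(expected) and hmac.compare_digest(expected, creds["password"])

def authorize(creds, service):
    return service in ENTITLEMENTS.get(creds["user"], set())

IDENTITY_FUNCTIONS = {"authenticate": authenticate, "authorize": authorize}

def build_request(user, password, body_xml):
    """SOAP message with credentials in the Header and the service request in the Body."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    cred = ET.SubElement(ET.SubElement(env, f"{{{SOAP_NS}}}Header"), f"{{{ID_NS}}}Credentials")
    ET.SubElement(cred, f"{{{ID_NS}}}User").text = user
    ET.SubElement(cred, f"{{{ID_NS}}}Password").text = password
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(ET.fromstring(body_xml))
    return ET.tostring(env)

def provision(service, soap_bytes):
    """Obtain credentials from the header, locate the provisioning interface, invoke
    each identity function in turn, and relay identity to the sub-services only on success."""
    root = ET.fromstring(soap_bytes)
    creds = {"user": root.findtext(f".//{{{ID_NS}}}User") or "",
             "password": root.findtext(f".//{{{ID_NS}}}Password") or ""}
    iface = REGISTRY.get(service)
    if iface is None:
        return {"allowed": False, "reason": "service not in registry"}
    for name in iface["identity_functions"]:
        if not IDENTITY_FUNCTIONS[name](creds, service):
            return {"allowed": False, "reason": f"{name} failed"}
    # Relay only the established principal to each sub-service, never the password.
    relayed = {sub: {"principal": creds["user"], "asserted_by": service}
               for sub in iface["sub_services"]}
    return {"allowed": True, "relayed": relayed}
```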
15 Claims
1. A computer-implemented method of provisioning an aggregated service in a computing network, comprising steps of:
- obtaining credentials of a user who requests to access an aggregated service;
- locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service;
- analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service;
- allowing the user to access the aggregated service only if the analyzing step has a successful result; and
- programmatically relaying identity information obtained by invoking one or more of the identity functions among at least two of the sub-services of the aggregated service.
Dependent claims: 2, 3, 4, 6, 7, 11, 12.
5. A computer-implemented method of provisioning an aggregated service in a computing network, comprising steps of:
- locating, in a network-accessible registry, a service description document specifying a provisioning interface for an aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service, wherein one or more operations of at least one of the sub-services is access-protected;
- obtaining, for at least one of the access-protected operations, operation-specific credentials of a user who requests to access the aggregated service; and
- controlling access to each of at least one of the access-protected operations, further comprising the steps of:
  - analyzing the obtained operation-specific credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user can access the access-protected operation; and
  - allowing the user to access the access-protected operation only if the step of analyzing the obtained operation-specific credentials determines that the user can access the access-protected operation.
Dependent claims: 8.
9. A system for provisioning an aggregated service in a computing network, comprising:
- means for obtaining credentials of a user who requests to access an aggregated service;
- means for locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service, wherein the service description document is specified in a Web Services Description Language (“WSDL”) markup language;
- means for analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service; and
- means for allowing the user to access the aggregated service only if the means for analyzing has a successful result.
10. A computer program product for provisioning an aggregated service in a computing network, the computer program product embodied on one or more computer-readable media and comprising:
- computer-readable program code for obtaining credentials of a user who requests to access an aggregated service;
- computer-readable program code for locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service;
- computer-readable program code for analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service, wherein an implementation of at least one of the sub-services is located dynamically, at run-time; and
- computer-readable program code for allowing the user to access the aggregated service only if the computer-readable program code for analyzing has a successful result.
13. A computer-implemented method for provisioning an aggregated service in a computing network, comprising steps of:
- obtaining credentials of a user who requests to access an aggregated service;
- locating, in a network-accessible registry, a service description document specifying a provisioning interface for the aggregated service, the aggregated service comprising an aggregation of a plurality of sub-services and the provisioning interface specifying how to invoke identity functions of the aggregated service, wherein:
  - at least two of the sub-services each have associated therewith an identity system for access control thereto;
  - at least two of the associated identity systems are heterogeneous; and
  - at least one selected one of the identity functions of the aggregated service enables dynamically joining at least two of the heterogeneous identity systems;
- analyzing the obtained credentials by invoking one or more of the identity functions, according to the specification thereof in the provisioning interface, to determine whether the user is authenticated for, and/or is authorized for, accessing the aggregated service; and
- allowing the user to access the aggregated service only if the analyzing step determines that the user is authenticated for, and/or is authorized for, accessing the aggregated service.
Dependent claims: 14, 15.
Specification