Isolated persistent storage
First Claim
1. A computer readable-storage medium which stores a set of instructions which when executed by a computer system causes the computer system to perform a method for identifying an isolated persistent storage region in the computer system, the isolated persistent storage region being accessible by one or more applications, the method executed by the set of instructions comprising:
receiving, at an isolating storage interface of the computer system, a first request to access the isolated persistent storage region of the computer system, wherein receiving the first request to access the isolated persistent storage region includes receiving the first request from a first requesting application via a first requesting component of the first requesting application;
preventing access to the isolated persistent storage region if access is not requested through the isolating storage interface, wherein preventing access to the isolated persistent storage region is accomplished by a security architecture of a runtime environment;
determining a first requesting component identity of the first requesting component that is used by the first requesting application to request access to the isolated persistent storage region;
determining a first requesting application identity of the first requesting application that is using the first requesting component to request access to the isolated persistent storage region; and
constructing a first path name to a first persistent storage location in a plurality of persistent storage locations in the isolated persistent storage region based on the first requesting component identity and the first requesting application identity, wherein access is only enabled to the first persistent storage location in the plurality of isolated persistent storage locations using the first path name, wherein at least one of a different requesting application and a different requesting component results in construction of a different path name, and wherein the different path name enables access only to a second persistent storage location in the plurality of persistent storage locations, wherein the constructing operation comprises;
determining an application identity type and an application name, based on the first requesting application identity;
determining a component identity type and a component name, based on the first requesting component identity; and
combining the application identity type, the application name, the component identity type, and the component name into the first path name to the first persistent storage location in the plurality of persistent storage locations in the isolated persistent storage region;
accessing the first persistent storage location in the plurality of persistent storage locations based on the path name;
wherein determining the first requesting component identity comprises;
identifying one or more possible component identities based on the first requesting component; and
selecting one of the possible component identities as the first requesting component identity;
receiving at the isolating storage interface of the computer system a second request to access the isolated persistent storage region, wherein receiving the second request to access the isolated persistent storage region includes receiving the second request from a second requesting application, wherein the second requesting application uses a second requesting component to access the isolated persistent storage region, and wherein the second request from the second requesting application is received at the isolating storage interface via the second requesting component;
determining a second requesting component identity of the second requesting component that is used by the second requesting application to request access to the isolated persistent storage region;
determining a second requesting application identity of the second requesting application that is using the second requesting component to request access to the isolated persistent storage region; and
constructing a second path name to a second persistent storage location in the isolated persistent storage region based on the second requesting component identity and the second requesting application identity;
wherein the second persistent storage location is accessible only through the second path name and is not accessible from any other path name.
Abstract
An isolated persistent storage object accesses an isolated persistent storage region using identities of the application, an underlying component of the application, and optionally the user. Direct access to the isolated persistent storage region is available only to the isolated persistent storage object and is unavailable to other components. Accordingly, other components access the isolated persistent storage region through the isolated persistent storage object, which determines the specific location (e.g., specified by an internally constructed path name) and performs the access operation on behalf of the calling component. The application identity and the component identity are converted to typed identity names for use in the construction of the path name.
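The path construction summarized in the abstract, sketched as an added example (not code from the patent or from any product implementing it). The names `Identity`, `typed_name`, `select_identity` and `IsolatedStore`, the identity types "publisher" and "url", and the SHA-256 encoding of names are assumptions; in a real runtime the identities would be determined by the runtime from the calling code rather than passed in by the caller.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path

@dataclass(frozen=True)
class Identity:
    kind: str  # identity type, e.g. "url" or "publisher" (constructed labels)
    name: str  # identity name, e.g. an origin or a signer name

def typed_name(identity: Identity) -> str:
    """Typed identity name: '<type>.<digest of name>', safe as one path segment."""
    if not identity.kind.isalnum():
        raise ValueError("identity type must be alphanumeric")
    digest = hashlib.sha256(identity.name.encode("utf-8")).hexdigest()[:32]
    return f"{identity.kind.lower()}.{digest}"

def select_identity(candidates, preference=("publisher", "url")) -> Identity:
    """Select one of the possible component identities (order is an assumption)."""
    by_kind = {c.kind.lower(): c for c in candidates}
    for kind in preference:
        if kind in by_kind:
            return by_kind[kind]
    raise LookupError("no usable component identity")

class IsolatedStore:
    """Sole entry point to the region; callers never see or supply a path."""

    def __init__(self, root):
        self._root = Path(root).resolve()

    def _location(self, app: Identity, component_ids) -> Path:
        # Application and component typed names are combined into the path.
        component = select_identity(component_ids)
        return self._root / typed_name(app) / typed_name(component)

    def _file(self, app, component_ids, filename: str) -> Path:
        # Reject separators and dot segments so a caller cannot leave its location.
        if filename in ("", ".", "..") or "/" in filename or "\\" in filename:
            raise PermissionError("file name must be a single path segment")
        return self._location(app, component_ids) / filename

    def write(self, app, component_ids, filename, data: bytes) -> None:
        target = self._file(app, component_ids, filename)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

    def read(self, app, component_ids, filename) -> bytes:
        return self._file(app, component_ids, filename).read_bytes()
```

Hashing the identity name keeps attacker-influenced strings such as URLs out of the path itself, so the only caller-supplied text that reaches the file system is the validated file name.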
50 Citations
10 Claims
Specification