Invalid policy detection

US 7,664,828 B2
Filed: 02/20/2004
Issued: 02/16/2010
Est. Priority Date: 02/20/2004
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a policy at a client from a host, the policy including a number of assertions for the client to comply with in order to access one or more resources via the host, wherein the policy is cached at the client, and wherein the client is configured to generate policy digests;

determining, at the client, that the client is complying with at least one assertion;

generating a policy digest at the client for the cached policy by reading each of the at least one assertions from the policy, assigning a respective bit value to each of the at least one assertions, and writing each respective bit value to a bit vector, the policy digest identifying the at least one assertion; and

sending a message from the client to the host to access a resource via the host, the message including the policy digest.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Implementations are described and claimed herein to detect an invalid policy that may reside in a cache at a client. An expired policy is removed from cache and a current policy is requested. Otherwise the cached policy may be used. The client indicates which policy it is using by generating a policy digest, including, in compressed form, one or more assertions. If the host determines the policy digest is invalid, the host issues an invalid digest fault. If the policy digest is valid, but the assertions included in the policy digest are invalid, the host issues an invalid policy fault. In either case, the client is notified that the cached policy is no longer valid and that a current policy should be requested.

Citations

36 Claims

1. A method comprising:
- receiving a policy at a client from a host, the policy including a number of assertions for the client to comply with in order to access one or more resources via the host, wherein the policy is cached at the client, and wherein the client is configured to generate policy digests;
  
  determining, at the client, that the client is complying with at least one assertion;
  
  generating a policy digest at the client for the cached policy by reading each of the at least one assertions from the policy, assigning a respective bit value to each of the at least one assertions, and writing each respective bit value to a bit vector, the policy digest identifying the at least one assertion; and
  
  sending a message from the client to the host to access a resource via the host, the message including the policy digest.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein generating the policy digest includes generating a hash of the cached policy.
  - 3. The method of claim 1, wherein generating the policy digest includes encoding the bit vector, the bit vector identifying selected assertions from the cached policy.
  - 4. The method of claim 1, wherein generating the policy digest includes generating a hash of the cached policy if the cached policy is normalized.
  - 5. The method of claim 1, further comprising:
    - incrementing a counter at the client each time the cached policy is used; and
      
      removing the cached policy from a cache at the client when the counter exceeds a limit value.
  - 6. The method of claim 1, further comprising:
    - incrementing a counter at the client for the cached policy when a fault is received at the client in response to using the cached policy; and
      
      removing the cached policy from a cache at the client when the counter exceeds a limit value.
  - 7. The method of claim 1, further comprising logging a diagnostic event at the client when a fault is received at the client to identify a system problem.

8. A method comprising:
- sending a policy from a host to a client, the policy including a number of assertions for the client to comply with in order to access one or more resources via the host, and wherein the host is configured to implement a host messaging module;
  
  extracting a policy digest from a message received at the host from the client, the policy digest indicating that the client is complying with at least one assertion of the number of assertions of the policy in order to access the one or more resources via the host and the policy digest including a bit vector identifying the at least one assertion;
  
  returning, by the host, an invalid digest fault to the client when a length of the bit vector is not valid; and
  
  determining, by the host, whether the at least one assertion is valid when the length of the bit vector is valid.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further comprising issuing a fault at the host for the client if the policy digest identifies an invalid policy.
  - 10. The method of claim 8, further comprising decoding the policy digest at the host.
  - 11. The method of claim 8, further comprising decoding the bit vector at the host.
  - 12. The method of claim 8, further comprising reading an assertion from the policy digest at the host.
  - 13. The method of claim 8, further comprising reading a row hash of the policy at the host.

14. A system comprising:
- a processing unit; and
  
  a system memory accessible to the processing unit, the system memory including;
  
  a message processor to;
  
  receive a message from a client to access a resource; and
  
  extract a policy digest from the message, the policy digest indicating that the client is complying with one or more of a number of assertions of a policy in order to access one or more resources via the system and the policy digest including a bit vector identifying the one or more assertions; and
  
  a fault generator to;
  
  return an invalid digest fault to the client when a length of the bit vector is not valid; and
  
  determine whether the one or more assertions are valid when the length of the bit vector is valid.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the message processor is configured to decode the policy digest.
  - 16. The system of claim 14, wherein the fault generator is configured to return an invalid policy fault to the client when at least one of the one or more assertions specified in the policy digest is invalid.
  - 17. The system of claim 14, wherein the policy digest is a row hash of a normalized policy.
  - 18. The system of claim 14, wherein the policy digest identifies at least one selected assertion.

19. A system comprising:
- a processor; and
  
  a memory accessible to the processor, the memory including;
  
  a digest generator to;
  
  generate a policy digest based on one or more policies received at a client from a host, the one or more policies each specifying at least one assertion that the client must comply with in order to access a resource via the host; and
  
  place a bit vector in a header of a message to access a particular resource of the host, the bit vector including one bit for each assertion of a particular policy and including one bit for each assertion of an additional policy referenced by the particular policy.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The system of claim 19, further comprising a messaging module to encode the policy digest.
  - 21. The system of claim 19, further comprising a cache including the one or more policies.
  - 22. The system of claim 19, wherein the policy digest is a row hash of a normalized policy.
  - 23. The system of claim 19, wherein the policy digest identifies at least one assertion selected by the client.

24. One or more computer-readable storage media encoding a computer program for executing on a computer system a computer process, the computer process comprising:
- receiving a policy at a client from a host, the policy including a number of assertions for the client to comply with in order to access one or more resources via the host, and wherein the policy is cached at the client;
  
  determining, at the client, that the client is complying with at least one assertion;
  
  generating a policy digest at the client for the cached policy, the policy digest identifying the at least one assertion the client is complying with;
  
  sending a message from the client to the host, the message including a request to access a particular resource via the host and the message including the policy digest;
  
  receiving a fault at the client from the host, the fault indicating that the policy is invalid;
  
  removing the policy from a cache at the client in response to receiving the fault; and
  
  sending a request from the client to the host for a valid policy after removing the policy from the cache.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The one or more computer-readable storage media of claim 24 wherein the computer process further comprises generating a hash of the cached policy.
  - 26. The one or more computer-readable storage media of claim 24 wherein the computer process further comprises encoding a bit vector of the cached policy.
  - 27. The one or more computer-readable storage media of claim 24 wherein the computer process further comprises reading an assertion from the policy, assigning a bit value to the assertion, and writing the bit value to a bit vector.
  - 28. The one or more computer-readable storage media of claim 24 wherein the computer process further comprises generating a row hash of the cached policy if the cached policy is normalized.
  - 29. The one or more computer-readable storage media of claim 24, wherein the computer process further comprises:
    - incrementing a counter each time the cached policy is used; and
      
      removing the cached policy from a cache at the client when the counter exceeds a limit value.
  - 30. The one or more computer-readable storage media of claim 24 wherein the computer process further comprises:
    - incrementing a counter for the cached policy when the fault is received at the client in response to using the cached policy; and
      
      removing the cached policy from the cache at the client when the counter exceeds a limit value.
  - 31. The one or more computer-readable storage media of claim 24 wherein the computer process further comprises triggering a diagnostic event when the fault is received at the client.

32. One or more computer-readable storage media encoding a computer program for executing on a computer system a computer process, the computer process comprising:
- extracting at a host a policy digest included in a message from a client, the policy digest indicating that the client is complying with an assertion required to access a resource via the host, the assertion is associated with a policy, and the policy digest includes a bit vector identifying the assertion;
  
  returning, by the host, an invalid digest fault to the client when a length of the bit vector is not valid; and
  
  determining, by the host, whether the assertion is valid when the length of the bit vector is valid.
- View Dependent Claims (33, 34, 35, 36)
- - 33. The one or more computer-readable storage media of claim 32 wherein the computer process further comprises decoding the policy digest.
  - 34. The one or more computer-readable storage media of claim 32 wherein the computer process further comprises decoding the bit vector.
  - 35. The one or more computer-readable storage media of claim 32 wherein the computer process further comprises reading the assertion from the policy digest.
  - 36. The one or more computer-readable storage media of claim 32 wherein the computer process further comprises reading a row hash of the policy if the policy is normalized.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Levin, David, Lee, Alfred IV, Schlimmer, Jeffrey C., Lovering, Bradford H., Christensen, Erik B.
Primary Examiner(s)
Portka; Gary J

Application Number

US10/783,776
Publication Number

US 20050198326A1
Time in Patent Office

2,188 Days
Field of Search

None
US Class Current

709/217
CPC Class Codes

H04L 67/5682 Policies or rules for updat...

Invalid policy detection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Invalid policy detection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links