Policy processing model

US 7,730,138 B2
Filed: 07/14/2004
Issued: 06/01/2010
Est. Priority Date: 07/14/2004
Status: Active Grant

First Claim

Patent Images

1. A method implemented in a Web services environment used for exchanging messages within a distributed system, the method for processing policies that include a plurality of policy assertions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy assertions, the method comprising acts of:

receiving a message at a Web service engine, the message being an outgoing message and having been sent by a sending application of a sender to a receiving endpoint or a receiver, the sender and the receiver being external to, and separate from, the Web service engine, and the application configured to exchange messages in a distributed system; and

prior to receipt of the message by the receiver, and at the Web service engine disposed between the sender and the receiver;

accessing a policy document that is specific to the application sending the message received at the Web service engine, the policy document having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document;

after identifying the plurality of objects identified in the policy document, generating at least one assertion handler for each object, which assertion handlers are software entities that include executable code configured to determine whether the received message can satisfy requirements described by the plurality of policy assertions included in the policy document generated by the developer of the application; and

using the at least one assertion handler to determine whether the received message satisfies the requirements described by the policy document;

evaluating the at least one assertion handler to determine whether the received message can be modified using a first compiled policy to satisfy the requirements described by the policy document, the first compiled policy being formatted from the evaluated at least one assertion handler, wherein the first compiled policy is stored for applying to messages with similar endpoint destination and message types, and wherein when one or more of the at least one assertion handlers used to modify the received message are determined to be no longer capable of changing the message to conform to the requirements, an error is returned to the sending application;

after evaluating the at least one assertion handler to determine whether the received message can be modified using the first compiled policy, evaluating one or more of the plurality of assertion handlers to determine whether the message can be modified to satisfy the requirements described by the policy document, and by using a second compiled policy for modifying the message to satisfy the requirements, wherein the second compiled policy is formatted from the one or more one assertion handlers evaluated to determine whether the message can be modified using the second compiled policy; and

discarding of the received message when the message fails to satisfy or cannot be modified to satisfy such requirements of the policy document.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Example embodiments provide for processing policies that include policy assertions associated with incoming or outgoing messages of an application in a distributed system, without having to have code within the application for executing the policy assertions. When a message is received by a Web service engine, a policy document associated with an application may be accessed for identifying objects corresponding to policy assertions within the policy document. The objects identified can then be used to generate assertion handlers, which are software entities that include executable code configured to determine if messages can satisfy requirements described by the policy assertions.

Citations

27 Claims

1. A method implemented in a Web services environment used for exchanging messages within a distributed system, the method for processing policies that include a plurality of policy assertions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy assertions, the method comprising acts of:
- receiving a message at a Web service engine, the message being an outgoing message and having been sent by a sending application of a sender to a receiving endpoint or a receiver, the sender and the receiver being external to, and separate from, the Web service engine, and the application configured to exchange messages in a distributed system; and
  
  prior to receipt of the message by the receiver, and at the Web service engine disposed between the sender and the receiver;
  
  accessing a policy document that is specific to the application sending the message received at the Web service engine, the policy document having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document;
  
  after identifying the plurality of objects identified in the policy document, generating at least one assertion handler for each object, which assertion handlers are software entities that include executable code configured to determine whether the received message can satisfy requirements described by the plurality of policy assertions included in the policy document generated by the developer of the application; and
  
  using the at least one assertion handler to determine whether the received message satisfies the requirements described by the policy document;
  
  evaluating the at least one assertion handler to determine whether the received message can be modified using a first compiled policy to satisfy the requirements described by the policy document, the first compiled policy being formatted from the evaluated at least one assertion handler, wherein the first compiled policy is stored for applying to messages with similar endpoint destination and message types, and wherein when one or more of the at least one assertion handlers used to modify the received message are determined to be no longer capable of changing the message to conform to the requirements, an error is returned to the sending application;
  
  after evaluating the at least one assertion handler to determine whether the received message can be modified using the first compiled policy, evaluating one or more of the plurality of assertion handlers to determine whether the message can be modified to satisfy the requirements described by the policy document, and by using a second compiled policy for modifying the message to satisfy the requirements, wherein the second compiled policy is formatted from the one or more one assertion handlers evaluated to determine whether the message can be modified using the second compiled policy; and
  
  discarding of the received message when the message fails to satisfy or cannot be modified to satisfy such requirements of the policy document.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the policy document includes one or more policy identifiers for pointing to one or more of the plurality of objects.
  - 3. The method of claim 1, wherein the plurality of assertion handlers are configured in series to determine whether the received message satisfies the requirements described by the plurality of policy assertions corresponding to the plurality of objects.
  - 4. The method of claim 1, further comprising the act of:
    - determining whether the message is either outgoing or incoming from the application; and
      
      based on the determination, validating or enforcing the plurality of policy assertions by processing the received message though the corresponding plurality of assertion handlers.
  - 5. The method of claim 1, wherein the plurality of policy assertions include security policies that provide one or more of security token propagation, message integrity and message confidentiality though one or more of a signature, encryption, token, and username/password credentials.
  - 6. The method of claim 1, wherein the plurality of policy assertions include one or more of a message age requirement that specifies the acceptable time period the received message should be received by or a visibility requirement that specifies one or more portions of the received message be able to be processed by an intermediary or endpoint.
  - 7. The method of claim 1, wherein at least one of the plurality of objects is within the policy document.
  - 8. The method of claim 1, wherein the Web service engine receives messages, validates and enforces policies for a plurality of applications.
  - 9. The method of claim 1, wherein the policy document is an eXtensible Markup Language (XML) WS-Policy or WS-Security document.

10. A method implemented in a Web services environment used for exchanging messages within a distributed system, the method for processing policies that includes a plurality of policy assertions that make up one or more policy expressions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy expressions, the method comprising acts of:
- receiving a message at a Web service engine, the message being an outgoing message having been sent by a sending application to a receiving endpoint of a receiver, the sending application being a part of a sending computing system and the Web service engine being external to the sending computing system and the receiver, and the sending application being configured to exchange messages in a distributed system; and
  
  at the Web service engine disposed between the sending computing system and the receiver, and after receipt of the message by the Web service engine that is external to the sending application and prior to receipt of the message by the receiver;
  
  accessing a policy document that is specific to the application sending the message received at the Web service engine and stored in a policy store along with other policies specific to other applications, the policy document including a plurality of policy expressions combined by one or more policy operators and having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document, the policy assertions being in the form of declarative statements and being combined using one or more logical operators to form a policy expression, and wherein the policy document includes policy identifiers for pointing to policy objects stored in an object store outside the policy store;
  
  after identifying the plurality of objects stored outside the policy document and in the object store, generating a policy model using a plurality of assertion handlers, which are software entities that include executable code configured to determine whether the received message can satisfy the requirements described by the policy expression included in the policy document generated by the developer of the application; and
  
  using the assertion handlers to determine whether the received message can be modified using a compiled policy document to satisfy the requirements described by the policy document, which comprises;
  
  evaluating at least one assertion handler for at least one of the plurality of policy expressions to determine whether the message can be changed to meet the requirements of the corresponding policy expression, wherein one or more of those assertion handlers determined to be configured to change the message are formatted to form a first compiled policy from the policy model for changing the received message to meet the requirements described by the policy expressions;
  
  storing the first compiled policy for application to other messages of similar message types and endpoint destination;
  
  determining that one or more of the assertion handlers determined to be configured to change the received message are no longer capable of changing the message to conform to the requirements described by corresponding policy assertions and, in response, returning an error to the application; and
  
  evaluating one or more of the plurality of assertion handlers to determine whether the message can be changed to meet the requirements, wherein those assertion handlers that are determined to be configured to change the message are formatted to form a second compiled policy from the policy model for changing the received message to meet the requirements; and
  
  discarding the received message when the message fails to satisfy, or is not able to be modified to satisfy, such requirements of the policy document.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10, wherein the one or more logical operators are one or more of a usage qualifier, policy operator or policy preference.
  - 12. The method of claim 10, further comprising the act of:
    - determining whether the message is either outgoing or incoming from the application; and
      
      based on the determination, validating or enforcing the policy expression by processing the received message though the corresponding one or more assertion handlers.
  - 13. The method of claim 10, wherein one or more of the plurality of policy assertions are security policies that provide one or more of security token propagation, message integrity and message confidentiality though one or more of a signature, encryption, token, and username/password credentials.
  - 14. The method of claim 10, wherein one or more of the plurality of policy assertions are one or more of a message age requirement that specifies the acceptable time period the received message should be received by or a visibility requirement that specifies one or more portions of the received message be able to be processed by an intermediary or endpoint.
  - 15. The method of claim 10, wherein at least one of the plurality of objects is within the policy document.
  - 16. The method of claim 10, wherein the Web service engine receives messages, validates and enforces policies for a plurality of applications.
  - 17. The method of claim 10, wherein the policy document is an eXtensible Markup Language (XML)WS-Policy or WS-Security document.

18. A computer program product used in a Web services environment that exchanges messages within a distributed system, the computer program product for implementing a method of processing policies that include a plurality of policy assertions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy assertions, the computer program product comprising one or more computer readable storage media having stored thereon computer executable instructions that, when executed by a processor, can cause the distributed computing system to perform the following:
- receive a message at a Web service engine, the message being an outgoing message and having been sent by a sending application of a sender to a receiving endpoint of a receiver, the sender and the receiver being external to, and separate from, the Web service engine, the application being configured to exchange messages in a distributed system; and
  
  prior to receipt of the message by the receiver, and at the Web service engine disposed between the sender and the receiver;
  
  access a policy document that is specific to the application sending the message received at the Web service engine, the policy document having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document;
  
  after identifying the plurality of objects identified in the policy document, generate at least one assertion handler for each object, which assertion handlers are software entities that include executable code configured to determine whether the received message can satisfy requirements described by the plurality of policy assertions included in the policy document generated by the developer of the application; and
  
  use the at least one assertion handler to determine whether the received message satisfies the requirements described by the policy document;
  
  evaluate the at least one assertion handler to determine whether the received message can be modified using first a compiled policy to satisfy the requirements described by the policy document, the first compiled policy being formatted from the evaluated at least one assertion handler, wherein the first compiled policy is stored for applying to messages with similar endpoint destination and message types, and wherein when one or more of the at least one assertion handlers used to modify the received message are determined to be no longer capable of changing the message to conform to the requirements, an error is returned to the sending application;
  
  after evaluating the at least one assertion handler to determine whether the received message can be modified using the first complied policy, evaluate one or more of the plurality of assertion handlers to determine whether the message can be modified to satisfy the requirements described by the policy document, and by using a second compiled policy for modifying the message to satisfy the requirements, wherein the second compiled policy is formatted from the one or more one assertion handlers evaluated to determine whether the message can be modified using the second compiled policy; and
  
  discard the received message to the receiving endpoint when the message fails to satisfy, or is not able to be modified to satisfy, the requirements of the policy document.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The computer program product of claim 18, wherein the policy document includes one or more policy identifiers for pointing to one or more of the plurality of objects.
  - 20. The computer program product of claim 18, further comprising computer executable instructions that can cause the distributed computing system to perform the following:
    - determine whether the message is either outgoing or incoming from the application; and
      
      based on the determination, validate or enforcing the plurality of policy assertions by processing the received message though the corresponding plurality of assertion handlers.
  - 21. The computer program product of claim 18, wherein at least one of the plurality of objects is within the policy.
  - 22. The computer program product of claim 18, wherein the Web service engine receives messages, validates and enforces policies for a plurality of applications.

23. A computer program product used in a Web services environment that exchanges messages in a distributed system, the computer program product for implementing a method of processing policies that includes a plurality of policy assertions that make up one or more policy expressions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy expressions, the computer program product comprising one or more computer readable storage media having stored thereon computer executable instructions that, when executed by a processor, can cause the distributed computing system to perform the following:
- receive a SOAP message at a Web service engine, the message having been sent by a sending application of a sending computing system and to a receiving endpoint of a receiving computing system, the sending computing system and the receiving computing system being external to, and separate from, the Web service engine, and the application being configured to exchange messages in a distributed system; and
  
  at the Web service engine disposed between the sending computing system and the receiving computing system, and after receipt of the message by the Web service engine that is external to the sending application and prior to receipt of the message by the receiving endpoint;
  
  access an XML policy document that is specific to the application sending the message received at the Web service engine and stored in a policy store along with other policies specific to other applications, the policy document having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document, the policy assertions being in the form of declarative statements including at least requirements regarding a type of security token, digital signature, encoding, visibility to intermediate systems, message age, and SOAP message version for the message received at the Web service engine from the application, the policy assertions being combined using one or more logical operators to form a policy expression requiring each of the policy assertions be met by the message received at the Web service engine from the application, and the policy document including policy identifiers for pointing to policy objects stored in an object store outside the policy store;
  
  after identifying the plurality of objects stored outside the policy document and in the object store, generate a policy model using a plurality of assertion handlers, which are software entities that include executable code configured to determine whether the received message can satisfy the requirements described by the policy expression included in the policy document generated by the developer of the application, wherein determining whether the received message can satisfy the requirements described by the policy expression included in the policy document includes;
  
  determine whether the received message satisfies each of the requirements described by the policy expression included in the policy document; and
  
  when the received message does not satisfy any of the requirements described by the policy expression included in the policy document, determine whether the assertion handlers can modify the received message to satisfy each of the requirements described by the policy expression included in the policy document; and
  
  discard the received message when the received message fails to satisfy any of the requirements described by the policy expression included in the policy document, and the received message has not been able to be modified using a compiled policy document to satisfy each of the requirements described by the policy expression included in the policy document.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The computer program product of claim 23, wherein the one or more logical operators are one or more of a usage qualifier, policy operator or policy preference.
  - 25. The computer program product of claim 23, further comprising computer executable instructions that can cause the distributed computing system to perform the following:
    - determine whether the message is either outgoing or incoming from the application; and
      
      based on the determination, validate or enforcing the policy expression by processing the received message though the corresponding one or more assertion handlers.
  - 26. The computer program product of claim 23, wherein at least one of the plurality of objects is within the policy document.
  - 27. The computer program product of claim 23, wherein the Web service engine receives messages, validates and enforces policies for a plurality of applications.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wilson, Hervey O., Ballinger, Keith W., Mukherjee, Vick B.
Primary Examiner(s)
Follansbee; John
Assistant Examiner(s)
Daftuar; Saket K

Application Number

US10/892,007
Publication Number

US 20060041636A1
Time in Patent Office

2,148 Days
Field of Search

709/218, 709206-207
US Class Current

709/206
CPC Class Codes

H04L 67/51   Discovery or management the...

H04L 67/56   Provisioning of proxy servi...

H04L 67/5682   Policies or rules for updat...

Policy processing model

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Policy processing model

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links