Policy processing model
Abstract
Example embodiments provide for processing policies that include policy assertions associated with incoming or outgoing messages of an application in a distributed system, without having to have code within the application for executing the policy assertions. When a message is received by a Web service engine, a policy document associated with an application may be accessed for identifying objects corresponding to policy assertions within the policy document. The objects identified can then be used to generate assertion handlers, which are software entities that include executable code configured to determine if messages can satisfy requirements described by the policy assertions.
27 Claims
1. A method implemented in a Web services environment used for exchanging messages within a distributed system, the method for processing policies that include a plurality of policy assertions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy assertions, the method comprising acts of:
- receiving a message at a Web service engine, the message being an outgoing message and having been sent by a sending application of a sender to a receiving endpoint or a receiver, the sender and the receiver being external to, and separate from, the Web service engine, and the application configured to exchange messages in a distributed system; and
- prior to receipt of the message by the receiver, and at the Web service engine disposed between the sender and the receiver;
- accessing a policy document that is specific to the application sending the message received at the Web service engine, the policy document having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document;
- after identifying the plurality of objects identified in the policy document, generating at least one assertion handler for each object, which assertion handlers are software entities that include executable code configured to determine whether the received message can satisfy requirements described by the plurality of policy assertions included in the policy document generated by the developer of the application; and
- using the at least one assertion handler to determine whether the received message satisfies the requirements described by the policy document;
- evaluating the at least one assertion handler to determine whether the received message can be modified using a first compiled policy to satisfy the requirements described by the policy document, the first compiled policy being formatted from the evaluated at least one assertion handler, wherein the first compiled policy is stored for applying to messages with similar endpoint destination and message types, and wherein when one or more of the at least one assertion handlers used to modify the received message are determined to be no longer capable of changing the message to conform to the requirements, an error is returned to the sending application;
- after evaluating the at least one assertion handler to determine whether the received message can be modified using the first compiled policy, evaluating one or more of the plurality of assertion handlers to determine whether the message can be modified to satisfy the requirements described by the policy document, and by using a second compiled policy for modifying the message to satisfy the requirements, wherein the second compiled policy is formatted from the one or more assertion handlers evaluated to determine whether the message can be modified using the second compiled policy; and
- discarding of the received message when the message fails to satisfy or cannot be modified to satisfy such requirements of the policy document.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A method implemented in a Web services environment used for exchanging messages within a distributed system, the method for processing policies that includes a plurality of policy assertions that make up one or more policy expressions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy expressions, the method comprising acts of:
- receiving a message at a Web service engine, the message being an outgoing message having been sent by a sending application to a receiving endpoint of a receiver, the sending application being a part of a sending computing system and the Web service engine being external to the sending computing system and the receiver, and the sending application being configured to exchange messages in a distributed system; and
- at the Web service engine disposed between the sending computing system and the receiver, and after receipt of the message by the Web service engine that is external to the sending application and prior to receipt of the message by the receiver;
- accessing a policy document that is specific to the application sending the message received at the Web service engine and stored in a policy store along with other policies specific to other applications, the policy document including a plurality of policy expressions combined by one or more policy operators and having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document, the policy assertions being in the form of declarative statements and being combined using one or more logical operators to form a policy expression, and wherein the policy document includes policy identifiers for pointing to policy objects stored in an object store outside the policy store;
- after identifying the plurality of objects stored outside the policy document and in the object store, generating a policy model using a plurality of assertion handlers, which are software entities that include executable code configured to determine whether the received message can satisfy the requirements described by the policy expression included in the policy document generated by the developer of the application; and
- using the assertion handlers to determine whether the received message can be modified using a compiled policy document to satisfy the requirements described by the policy document, which comprises:
  - evaluating at least one assertion handler for at least one of the plurality of policy expressions to determine whether the message can be changed to meet the requirements of the corresponding policy expression, wherein one or more of those assertion handlers determined to be configured to change the message are formatted to form a first compiled policy from the policy model for changing the received message to meet the requirements described by the policy expressions;
  - storing the first compiled policy for application to other messages of similar message types and endpoint destination;
  - determining that one or more of the assertion handlers determined to be configured to change the received message are no longer capable of changing the message to conform to the requirements described by corresponding policy assertions and, in response, returning an error to the application; and
  - evaluating one or more of the plurality of assertion handlers to determine whether the message can be changed to meet the requirements, wherein those assertion handlers that are determined to be configured to change the message are formatted to form a second compiled policy from the policy model for changing the received message to meet the requirements; and
- discarding the received message when the message fails to satisfy, or is not able to be modified to satisfy, such requirements of the policy document.
Dependent claims: 11, 12, 13, 14, 15, 16, 17.

18. A computer program product used in a Web services environment that exchanges messages within a distributed system, the computer program product for implementing a method of processing policies that include a plurality of policy assertions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy assertions, the computer program product comprising one or more computer readable storage media having stored thereon computer executable instructions that, when executed by a processor, can cause the distributed computing system to perform the following:
- receive a message at a Web service engine, the message being an outgoing message and having been sent by a sending application of a sender to a receiving endpoint of a receiver, the sender and the receiver being external to, and separate from, the Web service engine, the application being configured to exchange messages in a distributed system; and
- prior to receipt of the message by the receiver, and at the Web service engine disposed between the sender and the receiver;
- access a policy document that is specific to the application sending the message received at the Web service engine, the policy document having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document;
- after identifying the plurality of objects identified in the policy document, generate at least one assertion handler for each object, which assertion handlers are software entities that include executable code configured to determine whether the received message can satisfy requirements described by the plurality of policy assertions included in the policy document generated by the developer of the application; and
- use the at least one assertion handler to determine whether the received message satisfies the requirements described by the policy document;
- evaluate the at least one assertion handler to determine whether the received message can be modified using a first compiled policy to satisfy the requirements described by the policy document, the first compiled policy being formatted from the evaluated at least one assertion handler, wherein the first compiled policy is stored for applying to messages with similar endpoint destination and message types, and wherein when one or more of the at least one assertion handlers used to modify the received message are determined to be no longer capable of changing the message to conform to the requirements, an error is returned to the sending application;
- after evaluating the at least one assertion handler to determine whether the received message can be modified using the first compiled policy, evaluate one or more of the plurality of assertion handlers to determine whether the message can be modified to satisfy the requirements described by the policy document, and by using a second compiled policy for modifying the message to satisfy the requirements, wherein the second compiled policy is formatted from the one or more assertion handlers evaluated to determine whether the message can be modified using the second compiled policy; and
- discard the received message to the receiving endpoint when the message fails to satisfy, or is not able to be modified to satisfy, the requirements of the policy document.
Dependent claims: 19, 20, 21, 22.

23. A computer program product used in a Web services environment that exchanges messages in a distributed system, the computer program product for implementing a method of processing policies that includes a plurality of policy assertions that make up one or more policy expressions associated with incoming or outgoing messages of an application, without having to have code within the application for executing the one or more policy expressions, the computer program product comprising one or more computer readable storage media having stored thereon computer executable instructions that, when executed by a processor, can cause the distributed computing system to perform the following:
- receive a SOAP message at a Web service engine, the message having been sent by a sending application of a sending computing system and to a receiving endpoint of a receiving computing system, the sending computing system and the receiving computing system being external to, and separate from, the Web service engine, and the application being configured to exchange messages in a distributed system; and
- at the Web service engine disposed between the sending computing system and the receiving computing system, and after receipt of the message by the Web service engine that is external to the sending application and prior to receipt of the message by the receiving endpoint;
- access an XML policy document that is specific to the application sending the message received at the Web service engine and stored in a policy store along with other policies specific to other applications, the policy document having been generated by the developer of the application sending the message received at the Web service engine and for identifying a plurality of objects corresponding to a plurality of policy assertions included in the policy document, the policy assertions being in the form of declarative statements including at least requirements regarding a type of security token, digital signature, encoding, visibility to intermediate systems, message age, and SOAP message version for the message received at the Web service engine from the application, the policy assertions being combined using one or more logical operators to form a policy expression requiring each of the policy assertions be met by the message received at the Web service engine from the application, and the policy document including policy identifiers for pointing to policy objects stored in an object store outside the policy store;
- after identifying the plurality of objects stored outside the policy document and in the object store, generate a policy model using a plurality of assertion handlers, which are software entities that include executable code configured to determine whether the received message can satisfy the requirements described by the policy expression included in the policy document generated by the developer of the application, wherein determining whether the received message can satisfy the requirements described by the policy expression included in the policy document includes:
  - determine whether the received message satisfies each of the requirements described by the policy expression included in the policy document; and
  - when the received message does not satisfy any of the requirements described by the policy expression included in the policy document, determine whether the assertion handlers can modify the received message to satisfy each of the requirements described by the policy expression included in the policy document; and
- discard the received message when the received message fails to satisfy any of the requirements described by the policy expression included in the policy document, and the received message has not been able to be modified using a compiled policy document to satisfy each of the requirements described by the policy expression included in the policy document.
Dependent claims: 24, 25, 26, 27.
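The processing model that the abstract and the independent claims describe, as an added Python sketch that is not the patent's or any product's code: one assertion handler is generated per assertion object in the sending application's policy document, the handlers that repaired a message are kept as a compiled policy keyed by endpoint and message type, a kept handler that can no longer repair a later message yields an error for the sender, and a message that cannot be made compliant is discarded. The assertion kinds follow claim 23, while the handler names, message fields, the in-memory policy store and the sample messages are constructed assumptions, and WS-Policy XML parsing is left out.

```python
import time
class AssertionHandler:
    # One declarative policy assertion as executable code: a check plus an optional repair (fix);
    # repair() is False when no fix exists, the fix fails, or the message still violates the check.
    def __init__(self, name, check, fix=None):
        self.name, self.check, self.fix = name, check, fix
    def repair(self, msg):
        return self.fix is not None and self.fix(msg) and self.check(msg)

# Assertion types taken from claim 23 (constructed handlers; WS-Policy XML parsing is out of scope).
ASSERTION_TYPES = {
    "SecurityToken": lambda v: AssertionHandler("SecurityToken",
        lambda m: m.get("token_type") == v, lambda m: m.update(token_type=v) is None),
    "Signed": lambda v: AssertionHandler("Signed", lambda m: bool(m.get("signature")),
        lambda m: "body" in m and m.update(signature="sig(%s)" % m["body"]) is None),
    "MaxAge": lambda v: AssertionHandler("MaxAge",
        lambda m: time.time() - m["created"] <= v),   # a stale message cannot be repaired
}

def build_handlers(policy_doc):
    # One assertion handler per assertion object identified in the policy document.
    return [ASSERTION_TYPES[a["type"]](a["value"]) for a in policy_doc["assertions"]]

class WebServiceEngine:
    # Sits between sender and receiver; the sending application carries no policy code.
    def __init__(self, policy_store):
        self.policy_store = policy_store   # application name -> its policy document
        self.compiled = {}                 # (endpoint, message type) -> compiled policy
    def process(self, app, msg):
        key, errors, fixers = (msg["endpoint"], msg["type"]), [], []
        # First compiled policy: handlers that repaired an earlier message of this endpoint/type.
        for h in self.compiled.get(key, []):
            if h.check(msg) or h.repair(msg):
                fixers.append(h)
            else:
                errors.append(h.name)   # no longer capable: error reported back to the sender
        # Evaluate every handler; those that repair now are formatted into the second compiled policy.
        for h in build_handlers(self.policy_store[app]):
            if not h.check(msg):
                if not h.repair(msg):
                    return {"disposition": "discarded", "failed": h.name, "errors": errors}
                fixers.append(h)
        if fixers:
            self.compiled[key] = fixers
        return {"disposition": "forwarded", "failed": None, "errors": errors}

def sample_run():
    # Constructed policy store and three messages from one sending application.
    policy = {"assertions": [{"type": "SecurityToken", "value": "X509v3"},
                             {"type": "Signed", "value": True}, {"type": "MaxAge", "value": 300}]}
    engine, now = WebServiceEngine({"orders": policy}), time.time()
    dest = {"endpoint": "https://receiver.example/orders", "type": "PurchaseOrder"}
    msgs = [dict(dest, body="<po/>", created=now),          # token and signature can be added
            dict(dest, created=now),                        # no body, so nothing to sign
            dict(dest, body="<po/>", created=now - 900)]    # too old; age is not repairable
    return [engine.process("orders", m)["disposition"] for m in msgs]
```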