System and method for dynamic role association
First Claim
1. A system, comprising:
- a computer including a computer readable medium and processor operating thereon;
- a security service that makes decisions to permit or deny access requests;
- an application container that receives an access request for a protected resource from a client and delegates authorization decisions to the security service by passing the access request, and a callback handler, to the security service; and
- a plurality of security plug-ins at the security service that use the callback handler to request context information from the application container describing the access request;
- wherein the system dynamically associates one or more roles with the client, for the purposes of the access request, at runtime based on the context information, before an authorization decision for the protected resource is determined by the security service;
- wherein each of the plurality of security plug-ins determines an access decision based on the context information; and
- wherein the security service then determines entitlements for the client to use with the protected resource based on the access decisions from the plurality of security plug-ins, and uses the one or more roles associated with that client for the purposes of that access request to make the authorization decision.
Abstract
A pluggable architecture allows security and business logic plug-ins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can also be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform and a complex business policy platform.
Claims (16)
1. A system, comprising: (claim text as given under First Claim above). Dependent claims: 2, 3, 4, 5, 6.
7. A method, comprising:
- receiving at an application container an access request from a client to access a protected resource;
- communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
- using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
- dynamically associating one or more roles with the client, for the purposes of the access request, at runtime based on the context information before an authorization decision for the protected resource is determined by the security service;
- determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins;
- determining an access decision by each of the plurality of security plug-ins based on the context information;
- making the authorization decision, using the one or more roles associated with that client for the purposes of that access request, at the security service to permit or deny the access request; and
- if the authorization decision is to permit the access request, then communicating a permitted access request to the protected resource.
Dependent claims: 8, 9, 10, 11.
12. A non-transitory computer readable storage medium storing instructions, the instructions causing a computer to perform a method of:
- receiving at an application container an access request from a client to access a protected resource;
- communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
- using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
- dynamically associating one or more roles with the client, for the purposes of the access request, at runtime based on the context information before an authorization decision for the protected resource is determined by the security service;
- determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins;
- determining an access decision by each of the plurality of security plug-ins based on the context information;
- making the authorization decision, using the one or more roles associated with that client for the purposes of that access request, at the security service to permit or deny the access request; and
- if the authorization decision is to permit the access request, then communicating a permitted access request to the protected resource.
Dependent claims: 13, 14, 15, 16.
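The flow recited in claims 1, 7 and 12, as an added worked example that is not the patent's own code: the container hands the request plus a callback handler to the security service, each plug-in pulls the context it needs through the callback, roles are associated at runtime before any vote, and the service combines the plug-in decisions into entitlements before making the authorization decision. All class names, the two plug-ins, their role and region rules, and the directory data are constructed for illustration.

```python
from collections import namedtuple
AccessRequest = namedtuple("AccessRequest", "client resource action")
PERMIT, DENY, ABSTAIN = "permit", "deny", "abstain"   # per-plug-in access decisions

class CallbackHandler:
    # Passed with the request; plug-ins use it to pull context from the container on demand.
    def __init__(self, container, request):
        self.container, self.request = container, request
    def context(self, key):
        return self.container.context_for(self.request, key)

class StaffHoursPlugin:
    # Associates the "reviewer" role at runtime from client group and time of day.
    def map_roles(self, cb):
        return {"reviewer"} if cb.context("group") == "staff" and 9 <= cb.context("hour") < 17 else set()
    def decide(self, cb, roles):
        ok = cb.context("resource") == "invoice" and "reviewer" in roles
        return (PERMIT, {"read"}) if ok else (ABSTAIN, set())   # PERMIT grants the "read" entitlement

class RegionPlugin:
    # Vetoes any request whose client region differs from the resource region.
    def map_roles(self, cb):
        return {"local"} if cb.context("client_region") == cb.context("resource_region") else set()
    def decide(self, cb, roles):
        return (ABSTAIN, set()) if "local" in roles else (DENY, set())

class SecurityService:
    def __init__(self, plugins):
        self.plugins = plugins
    def authorize(self, request, cb):
        roles = set().union(*(p.map_roles(cb) for p in self.plugins))  # roles first, before any vote
        votes = [p.decide(cb, roles) for p in self.plugins]
        if any(d == DENY for d, _ in votes):                            # a single deny overrides
            return False, roles, set()
        entitlements = set().union(*(e for _, e in votes))
        return request.action in entitlements, roles, entitlements      # default deny otherwise

class ApplicationContainer:
    def __init__(self, service, clients, resources, hour):
        self.service, self.clients, self.resources, self.hour = service, clients, resources, hour
    def context_for(self, request, key):   # answers plug-in callbacks
        ctx = {**self.resources[request.resource], **self.clients[request.client]}
        return {"hour": self.hour, "resource": request.resource, **ctx}.get(key)
    def handle(self, request):             # delegates the request plus a callback handler
        return self.service.authorize(request, CallbackHandler(self, request))

def build_container(hour):
    # Constructed sample directory data (not from the patent).
    clients = {"alice": {"group": "staff", "client_region": "eu"},
               "bob": {"group": "staff", "client_region": "us"}}
    return ApplicationContainer(SecurityService([StaffHoursPlugin(), RegionPlugin()]),
                                clients, {"invoice": {"resource_region": "eu"}}, hour)
```

`build_container(10).handle(AccessRequest("alice", "invoice", "read"))` returns `(True, {"reviewer", "local"}, {"read"})`; the same client at hour 20 gets no reviewer role and is denied by default, and a client in another region is denied even though a PERMIT vote exists.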