System and method for dynamic role association

US 7,823,189 B2
Filed: 06/19/2008
Issued: 10/26/2010
Est. Priority Date: 06/11/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A system, comprising:

a computer including a computer readable medium and processor operating thereon;

a security service that makes decisions to permit or deny access requests;

an application container that receives an access request for a protected resource from a client and delegates authorization decisions to the security service by passingthe access request, anda callback handler to the security service; and

a plurality of security plug-ins at the security service that use the callback handler to request context information from the application container describing the access request;

wherein the system dynamically associates one or more roles with the client, for the purposes of the access request, at runtime based on the context information, before an authorization decision for the protected resource is determined by the security service;

wherein each of the plurality of security plug-ins determines an access decision based on the context information; and

wherein the security service thendetermines entitlements for the client to use with the protected resource based on the access decisions from the plurality of security plug-ins, anduses the one or more roles associated with that client for the purposes of that access request to make the authorization decision.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

71 Citations

View as Search Results

16 Claims

1. A system, comprising:
- a computer including a computer readable medium and processor operating thereon;
  
  a security service that makes decisions to permit or deny access requests;
  
  an application container that receives an access request for a protected resource from a client and delegates authorization decisions to the security service by passingthe access request, anda callback handler to the security service; and
  
  a plurality of security plug-ins at the security service that use the callback handler to request context information from the application container describing the access request;
  
  wherein the system dynamically associates one or more roles with the client, for the purposes of the access request, at runtime based on the context information, before an authorization decision for the protected resource is determined by the security service;
  
  wherein each of the plurality of security plug-ins determines an access decision based on the context information; and
  
  wherein the security service thendetermines entitlements for the client to use with the protected resource based on the access decisions from the plurality of security plug-ins, anduses the one or more roles associated with that client for the purposes of that access request to make the authorization decision.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1 wherein the security service further includes an access controller for transferring the access request to the plurality of security plug-ins, and for combining the access decisions into an overall decision by the security service to permit or deny the access request.
  - 3. The system of claim 1 wherein one or more of the plurality of the security plug-ins represent a business function related authorization policy.
  - 4. The system of claim 1 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 5. The system of claim 1 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 6. The system of claim 1, wherein computation of a role occurs immediately before an authorization decision for the protected resource.

7. A method, comprising:
- receiving at an application container an access request from a client to access a protected resource;
  
  communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
  
  using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
  
  dynamically associating one or more roles with the client, for the purposes of the access request, at runtime based on the context information before an authorization decision for the protected resource is determined by the security service;
  
  determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins;
  
  determining an access decision by each of the plurality of security plug-ins based on the context information;
  
  making the authorization decision, using the one or more roles associated with that client for the purposes of that access request, at the security service to permit or deny the access request; and
  
  if the authorization decision is to permit the access request, then communicating a permitted access request to the protected resource.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The method of claim 7 wherein one or more of the plurality of the security plug-ins represent a business function related access policy.
  - 9. The method of claim 7 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 10. The method of claim 7 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 11. The method of claim 7, wherein computation of a role occurs immediately before an authorization decision for the protected resource.

12. A non-transitory computer readable storage medium storing instructions, the instructions causing a computer to perform a method of:
- receiving at an application container an access request from a client to access a protected resource;
  
  communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
  
  using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
  
  dynamically associating one or more roles with the client, for the purposes of the access request, at runtime based on the context information before an authorization decision for the protected resource is determined by the security service;
  
  determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins;
  
  determining an access decision by each of the plurality of security plug-ins based on the context information;
  
  making the authorization decision, using the one or more roles associated with that client for the purposes of that access request, at the security service to permit or deny the access request; and
  
  if the authorization decision is to permit the access request, then communicating a permitted access request to the protected resource.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory computer readable storage medium of claim 12 wherein one or more of the plurality of the security plug-ins represent a business function related access policy.
  - 14. The non-transitory computer readable storage medium of claim 12 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 15. The non-transitory computer readable storage medium of claim 12 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 16. The non-transitory computer readable storage medium of claim 12, wherein computation of a role occurs immediately before an authorization decision for the protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Patrick, Paul B.
Primary Examiner(s)
Pich; Ponnoreay

Application Number

US12/142,451
Publication Number

US 20080256610A1
Time in Patent Office

859 Days
Field of Search

None
US Class Current

726/2
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

System and method for dynamic role association

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

71 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamic role association

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links