Modular enterprise authorization solution
Abstract
An authorization framework located external to an application may be invoked to determine whether a user is authorized for a requested application component. Small amounts of supplemental authorization code are added to the application code to invoke provider modules within the authorization framework. The provider modules perform the authorization functions outside of the application and return authorization results to the application. The functions include determining a user's role, determining the permissions associated with that role, comparing the role permissions to the security defined on the requested application component by a rule, and returning an authorization state to the authorization framework. The supplemental authorization code may invoke one or more providers through provider interfaces that translate requests to a particular provider. Using the provider-based authorization framework, authorization for an application component is achieved externally, without hard-coding authorization logic within the application itself.
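The abstract and the claims describe an architecture rather than code: an authorization system outside the application, a role provider and a rule provider behind provider interfaces, two ways for the application's supplemental code to reach them (a direct call into one provider, or a rule-driven call that names the providers to use), and a token carrying the result back. The following Python sketch, added here as an illustration and not taken from the patent or any product, models that flow end to end. All class names, the HMAC-signed token format, the shared signing key and the sample users, roles and rules are assumptions made for the example.

```python
"""Toy model of the provider-based external authorization framework described
in the abstract and claims. Added illustration, not code from the patent;
every class, function, token format and data value below is an assumption."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


class RoleProvider:
    """Provider module: maps a user name to that user's roles."""

    def __init__(self, assignments):
        self._assignments = assignments  # {user: [role, ...]} (constructed data)

    def roles_for(self, user):
        return frozenset(self._assignments.get(user, ()))


class RuleProvider:
    """Provider module: a rule names the operations each role may perform on a component."""

    def __init__(self, rules):
        self._rules = rules  # {rule_name: {role: {operation, ...}}}

    def allowed_operations(self, rule_name, roles):
        rule = self._rules.get(rule_name)
        if rule is None:
            return frozenset()  # unknown rule: deny, never default-allow
        allowed = set()
        for role in roles:
            allowed |= rule.get(role, set())
        return frozenset(allowed)


@dataclass(frozen=True)
class AuthorizationRequest:
    user: str
    component: str
    operation: str
    rule_name: str
    role_provider: str = "roles"  # the caller names which providers to use
    rule_provider: str = "rules"


class ExternalAuthorizationSystem:
    """Lives outside the application. call_provider() is the direct ('first')
    interface into one provider module; authorize() is the rule-driven ('second')
    interface that uses the named providers, evaluates the rule and returns a token."""

    def __init__(self, providers, signing_key, ttl_seconds=60):
        self._providers = providers
        self._key = signing_key  # assumption: shared HMAC key; a real deployment would sign asymmetrically
        self._ttl = ttl_seconds

    def call_provider(self, name, method, *args):
        return getattr(self._providers[name], method)(*args)

    def authorize(self, req, now=None):
        now = time.time() if now is None else now
        roles = self.call_provider(req.role_provider, "roles_for", req.user)
        allowed = self.call_provider(req.rule_provider, "allowed_operations", req.rule_name, roles)
        payload = {"sub": req.user, "component": req.component, "op": req.operation,
                   "granted": req.operation in allowed, "exp": now + self._ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()
        return body + "." + mac


def token_permits(token, signing_key, component, operation, now=None):
    """Supplemental authorization code inside the application: it holds no role or
    rule logic, only checks that the returned token is authentic, unexpired and
    bound to exactly this component and operation."""
    now = time.time() if now is None else now
    try:
        body, mac = token.rsplit(".", 1)
        expected = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        payload = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return False
    return (payload.get("granted") is True and payload.get("exp", 0) > now
            and payload.get("component") == component and payload.get("op") == operation)


def build_demo_system():
    """Constructed sample data: two users and one rule guarding the 'invoice' component."""
    key = b"demo-signing-key-not-for-production"
    providers = {
        "roles": RoleProvider({"alice": ["editor"], "bob": ["viewer"]}),
        "rules": RuleProvider({"invoice_rule": {"editor": {"read", "update"}, "viewer": {"read"}}}),
    }
    return ExternalAuthorizationSystem(providers, key), key


def decide(user, operation, now=None):
    """Application-side flow: build the request, call the external system, check the token."""
    authz, key = build_demo_system()
    req = AuthorizationRequest(user, "invoice", operation, "invoice_rule")
    token = authz.authorize(req, now=now)
    return token_permits(token, key, "invoice", operation, now=now)
```

Two points the sketch makes that the abstract only implies: the application never sees role or rule data, only a token bound to one component and operation, so the same token cannot be replayed against a different component; and an unknown rule name or an unknown user collapses to an empty permission set, so a misconfigured rule provider fails closed rather than open.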
20 Claims
1. A method for authorizing a request for a component within an application, comprising:
    providing a first interface for directly calling a plurality of provider modules that are for implementing authorization, the provider modules are directly callable through the first interface by supplemental authorization code to provide a granular level of authorization;
    providing a second interface that is directly callable by supplemental authorization code, a call to the second interface allows one or more of the plurality of provider modules to be specified, the second interface invokes at least the specified provider module or modules to provide authorization;
    receiving an authorization request at an external authorization system from supplemental authorization code inside an application, the authorization request is received either at the first interface or the second interface, the authorization request requests authorization to perform an operation on a component within the application, the external authorization system located external to the application;
    determining whether a role is authorized to perform the requested operation on the application component by the external authorization system, the determining includes retrieving a rule which specifies one or more operations that one or more roles are allowed to perform on the application component;
    configuring a token in response to said step of determining, the token indicating the authorization for the requested operation on the application component; and
    providing the token to said application.
Dependent claims (not reproduced on this page): 2, 3, 4, 5, 6, 7, 8, 17, 18, 19.
9. A computer storage device having processor readable code embodied on said computer storage device, said processor readable code for programming one or more processors to perform a method comprising:
    adding first supplemental authorization code to an application, the application having a plurality of application components within the application, the supplemental authorization code associated with a first of the application components, said adding includes adding, to the application, a rule name, rule provider module name, and code for sending the rule name and rule provider module name in a message to an external authorization system;
    adding second supplemental authorization code to the application, the second supplemental authorization code associated with a second of the application components, said adding includes adding, to the application, code for directly calling the rule provider module name in a message to the external authorization system;
    receiving a request for the first application component at the application;
    invoking the external authorization system by the first supplemental authorization code to determine whether the request for the first application component is authorized, the external authorization system located external to the application;
    receiving authorization results from the external authorization system by the first supplemental authorization code of the application;
    receiving a request for the second application component at the application;
    invoking the rule provider module in the external authorization system by the second supplemental authorization code directly calling the rule provider module; and
    receiving results from the rule provider module by the second supplemental authorization code.
Dependent claims (not reproduced on this page): 10, 11, 12.
13. A method for providing authorization, comprising:
    storing role data in a role provider and rule data in a rule provider, the role provider and rule provider are included in a set of providers, the role data associated with a user of an application and the rule data associated with a resource within the application, the set of one or more providers included in an external authorization system located external to the application;
    providing a form authorization module that provides authorization support for smart clients, the form authorization module starts authorization for a web page when invoked by supplemental authorization code within an application;
    providing a web authorization module that provides authorization support for web clients, the web authorization module starts authorization for a web page when invoked by supplemental authorization code within an application;
    receiving an authorization request for the resource from supplemental authorization code within the application, the supplemental authorization code is associated with the resource, the authorization request identifies a user name, the role provider, the rule provider, and a rule name, the authorization request is received through a set of provider interfaces included in the external authorization system;
    accessing the role data by the set of providers in response to the authorization request received through the set of provider interfaces;
    accessing the rule data by the set of providers in response to the authorization request received through the set of provider interfaces;
    determining an authorization state from the accessed role data and rule data; and
    providing the authorization state to the application.
Dependent claims (not reproduced on this page): 14, 15, 16, 20.