Identifying attribute propagation for multi-tier processing
Abstract
A multi-tier attribute tracking mechanism identifies end user credentials and other client information and attributes and assigns them to database requests in an application server architecture. Disclosed configurations identify the processing unit, or thread, assigned by the operating system to service the incoming request from the user at the application tier. A matching of users to threads allows successive thread activity to be mapped back to the initiating user. Conventional interception of database access attempts at the application level (“server taps,” or staps) identified only the database user (the account in the database) and associated connection as the responsible user. By intercepting, or “tapping” the access request at the operating system level (using kernel taps, or “ktaps”), the mechanism matches which application requests map to which database requests. With this matching, the database requests can be tagged with the user credentials which are known through the application request.
27 Claims
1. A computer-implemented method for propagating attributes comprising:
receiving a request to perform a processing operation at a computer system including an operating system, the request including an attribute indicative of an initiator of the request;
determining a processing thread associated with the request via the operating system, the processing thread operable to service the request;
identifying a processing operation performed by the determined processing thread for satisfying the request;
matching the processing operation to the request by identifying the processing thread common to the request and the processing operation, the common processing thread identified by intercepting in relation to an incoming port of the computer system a system call of the operating system to receive the request and intercepting in relation to an outgoing port of the computer system a system call of the operating system to perform the processing operation; and
mapping the common processing thread associated with the request to the processing operation being performed to service the request.
(Dependent claims 2 to 14.)
15. A computer program product having a computer readable memory device storing an encoded set of processor based instructions that when executed by said processor perform a method of user identification via attribute propagation comprising:
receiving, from a user, a request to perform a function of an application;
extracting an attribute from the request;
intercepting in relation to an incoming port of the processor an inbound system call to service the request by an interprocess communication (IPC) portal;
determining, from the intercepted system call, a processing thread assigned to service the request;
watching operations performed by the assigned processing thread to capture database access attempts by the assigned processing thread;
intercepting in relation to an outgoing port of the processor an outbound system call to access the database by the assigned processing thread;
mapping the processing thread to the extracted attribute in the inbound system call;
associating the attribute to the access made by the assigned processing thread; and
logging the association of the database access attempt to the mapped attribute.
(Dependent claims 16 and 17.)
18. A data security device for tracking database access attempts comprising:
a computer system comprising:
an operating system;
a monitor operable to receive an application request to perform an application function, the application request including an attribute;
a thread table operable to determine a processing thread associated with the application request, the processing thread operable to service the application request;
an interface to an interception layer operable to identify a database call performed by the determined processing thread for satisfying the application request via database access; and
a mapper operable to map the attribute to the database calls caused when servicing the request by identifying the processing thread common to the application request and database call, the common processing thread identified by intercepting in relation to an incoming port of the computer system a system call of the operating system to receive the request and intercepting in relation to an outgoing port of the computer system a system call of the operating system to send the database call, the mapper further operable to employ the thread table to map the common processing thread with the attribute included in the application request.
(Dependent claims 19 to 25.)
26. A computer program product having a computer readable memory device storing computer program logic embodied in computer program code encoded thereon for tracking database access comprising:
computer program code for receiving at a computer system with an operating system a request to access a database, the request including a user identifier;
computer program code for determining a thread associated with the request, the thread operable to service the request;
computer program code for identifying a database call performed by the determined thread for satisfying the request via database access;
computer program code for matching the database call to the request by identifying a thread common to the request and the database call, the common thread identified by intercepting in relation to an incoming port of the computer system a system call of the operating system to receive the request and intercepting in relation to an outgoing port of the computer system a system call of the operating system to perform the database access; and
computer program code for correlating the identified thread with the user identifier to identify the user responsible for the database access.
(Dependent claim 27.)
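The thread-based correlation described in the abstract and in claims 1, 15, 18 and 26, as an added illustration that is not the patent's or any product's code: a user-space model in which a constructed trace of intercepted system calls stands in for the kernel taps, a thread table maps each OS thread to the user attribute of the request it is currently serving, and every outbound database call is tagged from that table. The event shape, the port labels and the trace contents are assumptions made for the example.

```python
from collections import namedtuple

# One intercepted system call as a kernel tap might report it (constructed
# shape for this example): tid = OS thread id, side = which port the socket
# belongs to ("incoming" client-facing, "outgoing" database-facing).
SysCall = namedtuple("SysCall", "tid call side payload")

# Constructed trace: two application requests arrive on the incoming port,
# their threads issue database calls on the outgoing port, thread 7 is then
# reused for a third request after answering the first, and thread 11 talks
# to the database without ever having received a request.
TRACE = [
    SysCall(7, "recv", "incoming", {"user": "alice", "op": "GET /orders"}),
    SysCall(9, "recv", "incoming", {"user": "bob", "op": "GET /invoices"}),
    SysCall(7, "send", "outgoing", "SELECT * FROM orders WHERE cust='alice'"),
    SysCall(9, "send", "outgoing", "SELECT * FROM invoices"),
    SysCall(7, "send", "incoming", "200 OK"),      # response sent: request done
    SysCall(7, "recv", "incoming", {"user": "carol", "op": "GET /orders"}),
    SysCall(7, "send", "outgoing", "SELECT * FROM orders WHERE cust='carol'"),
    SysCall(11, "send", "outgoing", "SELECT 1"),   # pool keep-alive, no request
]

def extract_attribute(request):
    """Initiator attribute carried by the application request (claim 15)."""
    return request["user"]

def propagate(trace):
    """Map each outbound database call to the user whose request the issuing
    thread is servicing. Returns a list of (user, db_call) associations."""
    thread_table = {}   # tid -> attribute of the request currently being served
    associations = []
    for ev in trace:
        if ev.side == "incoming" and ev.call == "recv":
            # inbound tap: the OS handed this request to thread ev.tid
            thread_table[ev.tid] = extract_attribute(ev.payload)
        elif ev.side == "incoming" and ev.call == "send":
            # response written back: the thread is free and may be reused
            thread_table.pop(ev.tid, None)
        elif ev.side == "outgoing" and ev.call == "send":
            # outbound tap: tag the database call with the mapped attribute;
            # a call from a thread with no mapped request is logged as such
            user = thread_table.get(ev.tid, "<unmapped>")
            associations.append((user, ev.payload))
    return associations

if __name__ == "__main__":
    for user, call in propagate(TRACE):
        print(f"{user:10s} {call}")
```

The thread is only a sound correlation key when the application services one request per thread at a time; servers that multiplex several requests on one thread (event loops, async frameworks) would need a per-request key instead, and an "<unmapped>" entry is worth alerting on since it is database activity no user request explains.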
Specification