Role passing and persistence mechanism for a container

US 8,161,173 B1
Filed: 03/30/2005
Issued: 04/17/2012
Est. Priority Date: 03/30/2005
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method, comprising:

calling, by a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols;

interacting, by the first adaptor using the first connection protocol, with a first client to establish a first session in response to a first successful authentication, wherein the first client implements the first connection protocol;

receiving, by a role persistence mechanism of the web server after establishing the first session, a first request comprising first role information directly from the first client via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the first request to the role persistence mechanism,wherein the first role information identifies a first set of one or more roles of the first client, andwherein the first request is the first passing of any role information between the first client and the web server for the first session;

using, by the role persistence mechanism in response to the first request, the first role information to associate the first set of one or more roles with the first session in a persistent manner;

calling, by a second adaptor of the plurality of adaptors, the authentication function of the web server to authenticate a second user identification and password information, wherein the second adaptor implements a second connection protocol of the plurality of connection protocols which is different from the first connection protocol;

interacting, by the second adaptor using the second connection protocol, with a second client to establish a second session in response to a second successful authentication, wherein the second client implements the second connection protocol;

receiving, by the role persistence mechanism, a second request comprising second role information directly from the second client via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the second client bypasses the second adaptor when transmitting the second request to the role persistence mechanism;

using, by the role persistence mechanism in response to the second request, the second role information to associate a second set of one or more roles with the second session in the persistent manner;

receiving, by a hosted service of the web server, a service request for the hosted service from the first client;

providing, by the role persistence mechanism of the web server, the first role information to the hosted service;

in response to determining that the first client has privileges to access the hosted service based on the first role information, providing the hosted service to the first client;

receiving, by the role persistence mechanism, a third request comprising third role information directly from the first client via a third API call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the third request to the role persistence mechanism, andwherein the third request is to change the first set of one or more roles of the first client to a third set of one or more roles of the first client andusing, by the role persistence mechanism in response to the third request, the third role information to associate the third set of one or more roles with the first session in the persistent manner,wherein, after the third set of one or more roles is associated with the first session, at least one hosted service uses the third role information to determine whether the first client has privileges to access the at least one hosted service during the first session.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A role passing and persistence mechanism that implements role-based access control at a container level is disclosed. In one implementation, the role passing and persistence mechanism provides one or more RBAC services. Functions provided by the role passing and persistence mechanism include role validating, role persisting and role administration. The role passing and persistence mechanism is used to persist role information for a session between a client and a container for any type of client. No matter which adaptor a client uses to connect to the container, the role passing and persistence mechanism provides a uniform method of passing role information to the container such that persisted role information can be used by any service hosted by the container after the session is established and the role information has been persisted.

Citations

14 Claims

1. A computer-implemented method, comprising:
- calling, by a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols;
  
  interacting, by the first adaptor using the first connection protocol, with a first client to establish a first session in response to a first successful authentication, wherein the first client implements the first connection protocol;
  
  receiving, by a role persistence mechanism of the web server after establishing the first session, a first request comprising first role information directly from the first client via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the first request to the role persistence mechanism,wherein the first role information identifies a first set of one or more roles of the first client, andwherein the first request is the first passing of any role information between the first client and the web server for the first session;
  
  using, by the role persistence mechanism in response to the first request, the first role information to associate the first set of one or more roles with the first session in a persistent manner;
  
  calling, by a second adaptor of the plurality of adaptors, the authentication function of the web server to authenticate a second user identification and password information, wherein the second adaptor implements a second connection protocol of the plurality of connection protocols which is different from the first connection protocol;
  
  interacting, by the second adaptor using the second connection protocol, with a second client to establish a second session in response to a second successful authentication, wherein the second client implements the second connection protocol;
  
  receiving, by the role persistence mechanism, a second request comprising second role information directly from the second client via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the second client bypasses the second adaptor when transmitting the second request to the role persistence mechanism;
  
  using, by the role persistence mechanism in response to the second request, the second role information to associate a second set of one or more roles with the second session in the persistent manner;
  
  receiving, by a hosted service of the web server, a service request for the hosted service from the first client;
  
  providing, by the role persistence mechanism of the web server, the first role information to the hosted service;
  
  in response to determining that the first client has privileges to access the hosted service based on the first role information, providing the hosted service to the first client;
  
  receiving, by the role persistence mechanism, a third request comprising third role information directly from the first client via a third API call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the third request to the role persistence mechanism, andwherein the third request is to change the first set of one or more roles of the first client to a third set of one or more roles of the first client andusing, by the role persistence mechanism in response to the third request, the third role information to associate the third set of one or more roles with the first session in the persistent manner,wherein, after the third set of one or more roles is associated with the first session, at least one hosted service uses the third role information to determine whether the first client has privileges to access the at least one hosted service during the first session.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the first request from the first client comprises a session identifier associated with the first session and the first session and the first set of one or more roles.
  - 3. The method of claim 1, wherein associating comprises:
    - validating that the first set of one or more roles is allowed to be associated with the first session.
  - 4. The method of claim 3, wherein the first request from the first client comprises role-user associated information, and wherein validating comprises:
    - validating a role in the first set of one or more roles; and
      
      validating the role-user association information.
  - 5. The method of claim 1, wherein the first API call is received by the role persistence mechanism from the first client and not from the first adaptor.

6. A computer-implemented method, comprising:
- calling, using a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols;
  
  interacting with the first adaptor using the first connection protocol to establish a first session in response to a first successful authentication;
  
  receiving a first session identifier that uniquely identifies the first session to the web server;
  
  after receiving the first session identifier, sending, by a client, a first request comprising first role information directly to a role persistence mechanism of the web server via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first adaptor is bypassed when transmitting the first request to the role persistence mechanism,wherein the first role information identifies a first set of one or more roles of the first client, andwherein the first request is the first passing of any role information between the client and the web server for the first session;
  
  requesting, through the first session, a first service hosted by the web server, wherein the web server provides the first service if the first set of one or more roles associated with the first session has sufficient privileges to access the service;
  
  after requesting, through the first session, the first service hosted by the webserver, sending a second request comprising second role information directly to the role persistence mechanism of the webserver via a second API call without using any of the plurality of connection protocols supported by plurality of adaptors,wherein the first adaptor is bypassed when transmitting the second request to the role persistence mechanism, andwherein second request is to change the first set of one or more roles of the client to a third set of one or more roles of the client; and
  
  requesting, through the first session, a second service hosted by the web server, wherein the web server provides the second service if the second set of one or more roles associated with the first session has sufficient privileges to access the service.

7. A non-transitory machine readable storage medium comprising instructions which, when executed by one or more processors, cause the one or more processors to implement the operations of:
- calling, using a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols;
  
  interacting with the first adaptor using the first connection protocol to establish a first session in response to a first successful authentication;
  
  receiving a first session identifier that uniquely identifies the first session to the web server;
  
  after receiving the first session identifier, sending, by a client, a first request comprising first role information directly to the a role persistence mechanism of the web server via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first adaptor is bypassed when transmitting the first request to the role persistence mechanism,wherein the first role information identifies a first set of one or more roles of the first client, andwherein the first request is the first passing of any role information between the client and the web server for the first session;
  
  requesting, through the first session, a first service hosted by the web server, wherein the web server provides the first service if the first set of one or more roles associated with the first session has sufficient privileges to access the service;
  
  after requesting, through the first session, the first service hosted by the webserver, sending a second request comprising second role information directly to the role persistence mechanism of the webserver via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first adaptor is bypassed when transmitting the second request to the role persistence mechanism, andwherein second request is to change the first set of one or more roles of the client to a third set of one or more roles of the client; and
  
  requesting, through the first session, a second service hosted by the web server, wherein the web server provides the second service if the second set of one or more roles associated with the first session has sufficient privileges to access the service.

8. A computer system comprising:
- memory comprising executable software instructions; and
  
  one or more processors configured to execute the software instructions to implement;
  
  a web server for hosting one or more services, wherein the web server supports a plurality of connection protocols;
  
  a first adaptor container comprising a first adaptor of a plurality of adaptors within the web server, wherein the first adaptor implements a first connection protocol of the plurality of connection protocols;
  
  a second adaptor container comprising a second adaptor of the plurality of adaptors within the web server, wherein the second adaptor implements a second connection protocol of the plurality of connection protocols; and
  
  a role persistence mechanism container comprising a role persistence mechanism within the web server;
  
  wherein the first adaptor calls an authentication function of the web server to authenticate a first user identification and password information using the first connection protocol;
  
  wherein the first adaptor interacts with a first client to establish a first session in response to a first successful authentication, the first client implementing the first connection protocol;
  
  wherein the role persistence mechanism receives, after establishing the first session, a first request comprising first role information directly from the first client via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the first request to the role persistence mechanism,wherein the first role information identifies a first set of one or more roles of the first client, andwherein the first request is the first passing of any role information between the first client and the web server for the first session;
  
  wherein the role persistence mechanism, in response to the request, uses the first role information to associate the first set of one or more roles with the first session in a persistent manner;
  
  wherein the second adaptor calls the authentication function of the web server to authenticate a second user identification and password information using the second connection protocol;
  
  wherein the second adaptor interacts with a second client to establish a second session in response to a second successful authentication, the second client implementing the second connection protocol;
  
  wherein the role persistence mechanism receives a second request comprising second role information directly from the second client via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the second client bypasses the second adaptor when transmitting the second request to the role persistence mechanism;
  
  wherein the role persistence mechanism, in response to the request, associates the set of one or more roles with the second session in the persistent manner;
  
  wherein a hosted server of the web server receives a service request for a hosted service of the one or more services from the first client;
  
  wherein the role persistence mechanism provides the first role information to the hosted service;
  
  wherein, in response to determining that the first client has privileges to access the hosted service based on the first role information, the hosted service is provided to the first client;
  
  wherein the role persistence mechanism receives a third request comprising third role information directly from the first client via a third API call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the third request to the role persistence mechanism, andwherein the third request is to change the first set of one or more roles of the first client to a third set of one or more roles of the first client;
  
  wherein the role persistence mechanism in response to the third request uses the third role information to associate the third set of one or more roles with the first session in the persistent manner; and
  
  wherein, after the third set of one or more roles is associated with the first session, at least one hosted service uses the third role information to determine whether the first client has privileges to access the at least one hosted service during the first session.
- View Dependent Claims (9)
- - 9. The computer system of claim 8, wherein the role persistence mechanism is a service hosted by the web server.

10. A non-transitory machine readable storage medium comprising instructions which, when executed by one or more processors, cause the one or more processors to perform the operations of:
- calling, by a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols;
  
  interacting, by the first adaptor using the first connection protocol, with a first client to establish a first session in response to a first successful authentication, wherein the first client implements the first connection protocol of the plurality of connection protocols;
  
  receiving, by a role persistence mechanism of the web server after establishing the first session, a first request comprising first role information directly from the first client via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the first request to the role persistence mechanism,wherein the first role information identifies a first set of one or more roles of the first client, andwherein the first request is the first passing of any role information between the first client and the web server for the first session;
  
  using, by the role persistence mechanism in response to the first request, the first role information to associate the first set of one or more roles with the first session in a persistent manner;
  
  calling, by a second adaptor of the plurality of adaptors, the authentication function of the web server to authenticate a second user identification and password information, wherein the second adaptor implements a second connection protocol of the plurality of connection protocols which is different from the first connection protocol;
  
  interacting, by the second adaptor using the second connection protocol, with a second client to establish a second session in response to a second successful authentication, wherein the second client implements the second connection;
  
  receiving, by the role persistence mechanism, a second request comprising second role information directly from the second client via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the second client bypasses the second adaptor when transmitting the second request to the role persistence mechanism;
  
  using, by the role persistence mechanism in response to the second request, the second role information to associate a second set of one or more roles with the second session in the persistent manner;
  
  receiving, by a hosted service of the web server, a service request for the hosted service from the first client;
  
  providing, by the role persistence mechanism of the web server, the first role information to the hosted service;
  
  in response to determining that the first client has privileges to access the hosted service based on the first role information, providing the hosted service to the first client;
  
  receiving, by the role persistence mechanism, a third request comprising third role information directly from the first client via a third API call without using any of the plurality of connection protocols supported by the plurality of adaptors,wherein the first client bypasses the first adaptor when transmitting the third request to the role persistence mechanism,wherein the third request is to change the first set of one or more roles of the first client to a third set of one or more roles of the first client andusing, by the role persistence mechanism in response to the third request, the third role information to associate the third set of one or more roles with the first session in the persistent manner,wherein, after the third set of one or more roles is associated with the first session, at least one hosted service uses the third role information to determine whether the first client has privileges to access the at least one hosted service during the first session.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The non-transitory machine readable storage medium of claim 10, wherein the first request from the first client comprises a session identifier associated with the first session and the first set of one or more roles.
  - 12. The non-transitory machine readable storage medium of claim 10, wherein associating comprises:
    - validating that the first set of one or more roles is allowed to be associated with the first session.
  - 13. The non-transitory machine readable storage medium of claim 12, wherein the first request from the first client comprises role-user association information, and wherein validating comprises:
    - validating a role in the first set of one or more roles; and
      
      validating the role-user association information.
  - 14. The non-transitory machine readable storage medium of claim 10, wherein the first API call is received by the role persistence mechanism from the first client and not from the first adaptor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
Mishra, Anshuman, Kumar, Subramanya, Taylor, Brandon E.
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
LINDSEY, MATTHEW S

Application Number

US11/095,806
Time in Patent Office

2,575 Days
Field of Search

None
US Class Current

709/229
CPC Class Codes

G06F 21/62   Protecting access to data v...

G06F 21/6236   between heterogeneous systems

G06F 21/6281   at program execution time, ...

G06F 9/468   Specific access rights for ...

Role passing and persistence mechanism for a container

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Role passing and persistence mechanism for a container

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links