Role passing and persistence mechanism for a container
2 Assignments
0 Petitions
Accused Products
Abstract
A role passing and persistence mechanism that implements role-based access control at a container level is disclosed. In one implementation, the role passing and persistence mechanism provides one or more RBAC services. Functions provided by the role passing and persistence mechanism include role validating, role persisting and role administration. The role passing and persistence mechanism is used to persist role information for a session between a client and a container for any type of client. No matter which adaptor a client uses to connect to the container, the role passing and persistence mechanism provides a uniform method of passing role information to the container such that persisted role information can be used by any service hosted by the container after the session is established and the role information has been persisted.
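An added example, not the patent's own code, modelling the mechanism the abstract describes: protocol adaptors call one shared authentication function and hand the client a session identifier, the client then passes its role set to a protocol-independent role persistence API, and hosted services consult the persisted set rather than the adaptor. All names, the entitlement table and the credentials are constructed for the demo; the entitlement check in `set_roles` is the "role validating" function the abstract lists, and is what stops an authenticated client from simply asserting roles it was never granted.

```python
"""Toy model of a role passing and persistence mechanism (added example)."""
import secrets
from dataclasses import dataclass, field

# Constructed demo tables: which roles each authenticated user may assume,
# their demo passwords, and which roles each hosted service accepts.
ENTITLEMENTS = {"alice": {"reader", "editor"}, "bob": {"reader"}}
CREDENTIALS = {"alice": "pw-alice", "bob": "pw-bob"}
SERVICE_ROLES = {"search": {"reader", "editor"}, "publish": {"editor"}}


@dataclass
class Session:
    user: str
    protocol: str
    roles: set = field(default_factory=set)  # persisted role set, empty at start


class WebServer:
    def __init__(self):
        self.sessions = {}  # session id -> Session

    def authenticate(self, user, password):
        """The single authentication function every adaptor calls."""
        return CREDENTIALS.get(user) == password

    # --- adaptor: one per connection protocol, all share authenticate() ---
    def adaptor_connect(self, protocol, user, password):
        if not self.authenticate(user, password):
            raise PermissionError("authentication failed")
        sid = secrets.token_hex(16)  # unique session identifier for the client
        self.sessions[sid] = Session(user, protocol)
        return sid

    # --- role persistence mechanism: reached via a direct API call, no adaptor ---
    def set_roles(self, sid, roles):
        """Validate the requested roles against the authenticated user, then persist.
        A later call replaces the set, which is the 'change roles' request."""
        session = self.sessions[sid]
        requested = set(roles)
        if not requested <= ENTITLEMENTS.get(session.user, set()):
            raise PermissionError("role not permitted for authenticated user")
        session.roles = requested
        return session.roles

    def roles_for(self, sid):
        return self.sessions[sid].roles

    # --- hosted service: asks the mechanism, never the adaptor or the client ---
    def request_service(self, sid, service):
        if SERVICE_ROLES[service] & self.roles_for(sid):
            return f"{service}: ok for {self.sessions[sid].user}"
        raise PermissionError(f"{service}: insufficient privileges")
```

A session whose client has not yet passed any role information holds an empty set, so every service request is refused until the first role request has been persisted.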
14 Claims

1. A computer-implemented method, comprising:

calling, by a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols; interacting, by the first adaptor using the first connection protocol, with a first client to establish a first session in response to a first successful authentication, wherein the first client implements the first connection protocol; receiving, by a role persistence mechanism of the web server after establishing the first session, a first request comprising first role information directly from the first client via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first client bypasses the first adaptor when transmitting the first request to the role persistence mechanism, wherein the first role information identifies a first set of one or more roles of the first client, and wherein the first request is the first passing of any role information between the first client and the web server for the first session; using, by the role persistence mechanism in response to the first request, the first role information to associate the first set of one or more roles with the first session in a persistent manner; calling, by a second adaptor of the plurality of adaptors, the authentication function of the web server to authenticate a second user identification and password information, wherein the second adaptor implements a second connection protocol of the plurality of connection protocols which is different from the first connection protocol; interacting, by the second adaptor using the second connection protocol, with a second client to establish a second session in response to a second successful authentication, wherein the second client implements the second connection protocol; receiving, by the role persistence mechanism, a second request comprising second role information directly from the second client via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the second client bypasses the second adaptor when transmitting the second request to the role persistence mechanism; using, by the role persistence mechanism in response to the second request, the second role information to associate a second set of one or more roles with the second session in the persistent manner; receiving, by a hosted service of the web server, a service request for the hosted service from the first client; providing, by the role persistence mechanism of the web server, the first role information to the hosted service; in response to determining that the first client has privileges to access the hosted service based on the first role information, providing the hosted service to the first client; receiving, by the role persistence mechanism, a third request comprising third role information directly from the first client via a third API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first client bypasses the first adaptor when transmitting the third request to the role persistence mechanism, and wherein the third request is to change the first set of one or more roles of the first client to a third set of one or more roles of the first client and using, by the role persistence mechanism in response to the third request, the third role information to associate the third set of one or more roles with the first session in the persistent manner, wherein, after the third set of one or more roles is associated with the first session, at least one hosted service uses the third role information to determine whether the first client has privileges to access the at least one hosted service during the first session.

View Dependent Claims (2, 3, 4, 5)

6. A computer-implemented method, comprising:

calling, using a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols; interacting with the first adaptor using the first connection protocol to establish a first session in response to a first successful authentication; receiving a first session identifier that uniquely identifies the first session to the web server; after receiving the first session identifier, sending, by a client, a first request comprising first role information directly to a role persistence mechanism of the web server via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first adaptor is bypassed when transmitting the first request to the role persistence mechanism, wherein the first role information identifies a first set of one or more roles of the first client, and wherein the first request is the first passing of any role information between the client and the web server for the first session; requesting, through the first session, a first service hosted by the web server, wherein the web server provides the first service if the first set of one or more roles associated with the first session has sufficient privileges to access the service; after requesting, through the first session, the first service hosted by the webserver, sending a second request comprising second role information directly to the role persistence mechanism of the webserver via a second API call without using any of the plurality of connection protocols supported by plurality of adaptors, wherein the first adaptor is bypassed when transmitting the second request to the role persistence mechanism, and wherein second request is to change the first set of one or more roles of the client to a third set of one or more roles of the client; and requesting, through the first session, a second service hosted by the web server, wherein the web server provides the second service if the second set of one or more roles associated with the first session has sufficient privileges to access the service.

7. A non-transitory machine readable storage medium comprising instructions which, when executed by one or more processors, cause the one or more processors to implement the operations of:

calling, using a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols; interacting with the first adaptor using the first connection protocol to establish a first session in response to a first successful authentication; receiving a first session identifier that uniquely identifies the first session to the web server; after receiving the first session identifier, sending, by a client, a first request comprising first role information directly to a role persistence mechanism of the web server via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first adaptor is bypassed when transmitting the first request to the role persistence mechanism, wherein the first role information identifies a first set of one or more roles of the first client, and wherein the first request is the first passing of any role information between the client and the web server for the first session; requesting, through the first session, a first service hosted by the web server, wherein the web server provides the first service if the first set of one or more roles associated with the first session has sufficient privileges to access the service; after requesting, through the first session, the first service hosted by the webserver, sending a second request comprising second role information directly to the role persistence mechanism of the webserver via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first adaptor is bypassed when transmitting the second request to the role persistence mechanism, and wherein second request is to change the first set of one or more roles of the client to a third set of one or more roles of the client; and requesting, through the first session, a second service hosted by the web server, wherein the web server provides the second service if the second set of one or more roles associated with the first session has sufficient privileges to access the service.

8. A computer system comprising:

memory comprising executable software instructions; and one or more processors configured to execute the software instructions to implement: a web server for hosting one or more services, wherein the web server supports a plurality of connection protocols; a first adaptor container comprising a first adaptor of a plurality of adaptors within the web server, wherein the first adaptor implements a first connection protocol of the plurality of connection protocols; a second adaptor container comprising a second adaptor of the plurality of adaptors within the web server, wherein the second adaptor implements a second connection protocol of the plurality of connection protocols; and a role persistence mechanism container comprising a role persistence mechanism within the web server; wherein the first adaptor calls an authentication function of the web server to authenticate a first user identification and password information using the first connection protocol; wherein the first adaptor interacts with a first client to establish a first session in response to a first successful authentication, the first client implementing the first connection protocol; wherein the role persistence mechanism receives, after establishing the first session, a first request comprising first role information directly from the first client via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first client bypasses the first adaptor when transmitting the first request to the role persistence mechanism, wherein the first role information identifies a first set of one or more roles of the first client, and wherein the first request is the first passing of any role information between the first client and the web server for the first session; wherein the role persistence mechanism, in response to the request, uses the first role information to associate the first set of one or more roles with the first session in a persistent manner; wherein the second adaptor calls the authentication function of the web server to authenticate a second user identification and password information using the second connection protocol; wherein the second adaptor interacts with a second client to establish a second session in response to a second successful authentication, the second client implementing the second connection protocol; wherein the role persistence mechanism receives a second request comprising second role information directly from the second client via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the second client bypasses the second adaptor when transmitting the second request to the role persistence mechanism; wherein the role persistence mechanism, in response to the request, associates the set of one or more roles with the second session in the persistent manner; wherein a hosted server of the web server receives a service request for a hosted service of the one or more services from the first client; wherein the role persistence mechanism provides the first role information to the hosted service; wherein, in response to determining that the first client has privileges to access the hosted service based on the first role information, the hosted service is provided to the first client; wherein the role persistence mechanism receives a third request comprising third role information directly from the first client via a third API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first client bypasses the first adaptor when transmitting the third request to the role persistence mechanism, and wherein the third request is to change the first set of one or more roles of the first client to a third set of one or more roles of the first client; wherein the role persistence mechanism in response to the third request uses the third role information to associate the third set of one or more roles with the first session in the persistent manner; and wherein, after the third set of one or more roles is associated with the first session, at least one hosted service uses the third role information to determine whether the first client has privileges to access the at least one hosted service during the first session.

View Dependent Claims (9)

10. A non-transitory machine readable storage medium comprising instructions which, when executed by one or more processors, cause the one or more processors to perform the operations of:

calling, by a first adaptor of a plurality of adaptors of a web server, an authentication function of the web server to authenticate a first user identification and password information, wherein the web server supports a plurality of connection protocols and the first adaptor implements a first connection protocol of the plurality of connection protocols; interacting, by the first adaptor using the first connection protocol, with a first client to establish a first session in response to a first successful authentication, wherein the first client implements the first connection protocol of the plurality of connection protocols; receiving, by a role persistence mechanism of the web server after establishing the first session, a first request comprising first role information directly from the first client via a first application programming interface (API) call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first client bypasses the first adaptor when transmitting the first request to the role persistence mechanism, wherein the first role information identifies a first set of one or more roles of the first client, and wherein the first request is the first passing of any role information between the first client and the web server for the first session; using, by the role persistence mechanism in response to the first request, the first role information to associate the first set of one or more roles with the first session in a persistent manner; calling, by a second adaptor of the plurality of adaptors, the authentication function of the web server to authenticate a second user identification and password information, wherein the second adaptor implements a second connection protocol of the plurality of connection protocols which is different from the first connection protocol; interacting, by the second adaptor using the second connection protocol, with a second client to establish a second session in response to a second successful authentication, wherein the second client implements the second connection; receiving, by the role persistence mechanism, a second request comprising second role information directly from the second client via a second API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the second client bypasses the second adaptor when transmitting the second request to the role persistence mechanism; using, by the role persistence mechanism in response to the second request, the second role information to associate a second set of one or more roles with the second session in the persistent manner; receiving, by a hosted service of the web server, a service request for the hosted service from the first client; providing, by the role persistence mechanism of the web server, the first role information to the hosted service; in response to determining that the first client has privileges to access the hosted service based on the first role information, providing the hosted service to the first client; receiving, by the role persistence mechanism, a third request comprising third role information directly from the first client via a third API call without using any of the plurality of connection protocols supported by the plurality of adaptors, wherein the first client bypasses the first adaptor when transmitting the third request to the role persistence mechanism, wherein the third request is to change the first set of one or more roles of the first client to a third set of one or more roles of the first client and using, by the role persistence mechanism in response to the third request, the third role information to associate the third set of one or more roles with the first session in the persistent manner, wherein, after the third set of one or more roles is associated with the first session, at least one hosted service uses the third role information to determine whether the first client has privileges to access the at least one hosted service during the first session.

View Dependent Claims (11, 12, 13, 14)