Controlling computer program extensions in a network device
First Claim
1. A data processing apparatus, comprising:
a plurality of network interfaces that are coupled to a data network for receiving one or more packets therefrom and sending one or more packets thereto;
one or more processors;
a switching system coupled to the one or more processors and packet forwarding logic, wherein the switching system and packet forwarding logic are configured to receive packets on a first network interface, determine a second network interface on which to send the packets, and to send the packets on the second network interface;
a computer-readable storage medium having stored thereon an application program and one or more user program extensions to the application program;
logic comprising one or more stored sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform:
creating and storing one or more default program security permissions;
receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions;
wherein the one or more user extension security permissions are different from the one or more default program security permissions;
testing whether each of the one or more user extension security permissions defined by a user conflicts with the default program security permissions;
creating and storing only each of the one or more user extension security permissions that does not conflict with the default program security permissions;
receiving a request from one of the user program extensions to access a resource of the apparatus or the network;
permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions;
wherein the user-defined security policy comprises one or more extensible markup language (XML) documents each comprising one or more permission definitions each comprising a permission type, permission name, and one or more actions, and wherein each of the permission definitions is associated in the user-defined security policy with a codebase identifier.
Abstract
A network infrastructure element such as a packet data router or switch hosts an application program and one or more user program extensions to the application program. Logic in the network element is configured to perform creating and storing one or more default program security permissions; receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions; creating and storing only each of the one or more user extension security permissions that do not conflict with the default program security permissions; receiving a request from one of the user program extensions to access a resource of the apparatus or the network; permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions.
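As an added illustration, not code from the patent itself, the following Python sketch walks through the mechanism the abstract and claim 1 describe: a user-defined policy in the XML shape of claim 1 (permission type, name, actions, grouped under a codebase identifier) is parsed, each permission is tested against the default permissions and only the non-conflicting ones are stored, and an extension's access request is permitted only when both the stored user permissions and the defaults allow it. The conflict rule (a user permission may not grant an action the defaults withhold for that resource), the XML element names and all sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed default program security permissions (assumed model: the ceiling
# that no user extension permission may exceed).
# Key: (permission type, permission name) -> set of allowed actions.
DEFAULT_PERMISSIONS = {
    ("file", "/var/log/app.log"): {"read"},
    ("socket", "10.0.0.5:443"): {"connect"},
}

# Constructed user-defined policy: permission definitions with a type, name and
# actions, each associated with a codebase identifier (element names assumed).
USER_POLICY_XML = """
<policy>
  <grant codebase="ext://monitor-1.0">
    <permission type="file" name="/var/log/app.log" actions="read"/>
    <permission type="file" name="/etc/shadow" actions="read"/>
    <permission type="socket" name="10.0.0.5:443" actions="connect,accept"/>
  </grant>
</policy>
"""

def conflicts_with_defaults(ptype, name, actions):
    """Assumed conflict rule: a user permission conflicts when it would grant
    any action the defaults do not already allow for that resource."""
    allowed = DEFAULT_PERMISSIONS.get((ptype, name), set())
    return not actions <= allowed

def load_user_policy(xml_text):
    """Parse the policy and store only the permissions that do not conflict
    with the defaults. Returns ({codebase: {(type, name): actions}}, rejected)."""
    stored, rejected = {}, []
    for grant in ET.fromstring(xml_text.strip()).iter("grant"):
        codebase = grant.get("codebase")
        for perm in grant.iter("permission"):
            key = (perm.get("type"), perm.get("name"))
            actions = {a.strip() for a in perm.get("actions", "").split(",") if a.strip()}
            if conflicts_with_defaults(*key, actions):
                rejected.append((codebase, key, actions))  # dropped, never stored
                continue
            stored.setdefault(codebase, {})[key] = actions
    return stored, rejected

def access_permitted(stored, codebase, ptype, name, action):
    """Permit a request only when the extension's own stored permissions AND
    the default permissions both allow the action."""
    user_ok = action in stored.get(codebase, {}).get((ptype, name), set())
    default_ok = action in DEFAULT_PERMISSIONS.get((ptype, name), set())
    return user_ok and default_ok
```

With the constructed policy, the log-file read is stored while the shadow-file read and the widened socket permission are rejected at load time, so a later request for either is refused before it reaches the resource.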
65 Citations
13 Claims
1. A data processing apparatus, comprising: (independent claim, reproduced in full under First Claim above; dependent claims 2, 3, 4, 5, 6)
7. A machine-implemented method, comprising:
creating and storing one or more default program security permissions in a network infrastructure device that is coupled to a network and that hosts an application program and one or more user program extensions to the application program; receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions; wherein the one or more user extension security permissions are different from the one or more default program security permissions; testing whether each of the one or more user extension security permissions defined by a user conflicts with the default program security permissions; creating and storing only each of the one or more user extension security permissions that does not conflict with the default program security permissions; receiving in the network infrastructure device a request from one of the user program extensions to access a resource of the apparatus or the network; permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions; wherein the method is performed by one or more processors; wherein the user-defined security policy comprises one or more extensible markup language (XML) documents each comprising one or more permission definitions each comprising a permission type, permission name, and one or more actions, and wherein each of the permission definitions is associated in the user-defined security policy with a codebase identifier. (Dependent claims: 8, 9, 10, 11, 12)
13. A non-transitory computer-readable storage medium storing instructions which, when executed by one or more processors, cause the one or more processors to perform:
creating and storing one or more default program security permissions in a network infrastructure device that is coupled to a network and that hosts an application program and one or more user program extensions to the application program; receiving a user-defined security policy that defines one or more user extension security permissions for the one or more user program extensions; wherein the one or more user extension security permissions are different from the one or more default program security permissions; testing whether each of the one or more user extension security permissions defined by a user conflicts with the default program security permissions; creating and storing each of the one or more user extension security permissions that does not conflict with the default program security permissions; receiving in the network infrastructure device a request from one of the user program extensions to access a resource of the apparatus or the network; permitting the request to access the resource or the network only when the access does not violate the user extension security permissions and the default program security permissions; wherein the user-defined security policy comprises one or more extensible markup language (XML) documents each comprising one or more permission definitions each comprising a permission type, permission name, and one or more actions, and wherein each of the permission definitions is associated in the user-defined security policy with a codebase identifier.
Specification