Securing resource stores with claims-based security
Abstract
Methods, systems, and computer program products are provided for securing resource stores with claims-based security. From policy information, a resource store populates a security table of permissions. The permissions authorize resource access based on received claims. Sessions submit claims to the resource store. The resource store accumulates claims for a session into a claims list. From the claims list and the security table, the resource store filters out a subset of metadata including resource IDs for resources the session is authorized to access. Since the metadata corresponds to the session, any application using the session is given similar access to resources at the resource store.
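The flow the abstract describes can be modeled in a few lines. This is an added illustration, not code from the patent; the `Session` class, the claim strings, the table rows and the resource IDs are all constructed, and token validation is assumed to have happened before `submit_token` is called.

```python
from dataclasses import dataclass, field

# Constructed security table: claim -> permitted (resource type, operation) pairs.
SECURITY_TABLE = {
    ("role", "hr"): {("employee_record", "read"), ("employee_record", "update")},
    ("role", "auditor"): {("employee_record", "read"), ("audit_log", "read")},
    ("department", "finance"): {("invoice", "read")},
}

# Constructed metadata: resource ID -> resource type.
METADATA = {"r1": "employee_record", "r2": "audit_log", "r3": "invoice"}


@dataclass
class Session:
    claims: set = field(default_factory=set)  # the session's claims list

    def submit_token(self, token_claims):
        """Accumulate the claims carried by one already-validated token."""
        self.claims.update(token_claims)

    def permissions(self):
        """Union of the permissions granted by every accumulated claim."""
        granted = set()
        for claim in self.claims:
            granted |= SECURITY_TABLE.get(claim, set())
        return granted

    def accessible_types(self):
        return {rtype for rtype, _ in self.permissions()}

    def visible_metadata(self):
        """Filter metadata down to the resource IDs this session may access."""
        types = self.accessible_types()
        return {rid: t for rid, t in METADATA.items() if t in types}

    def perform(self, operation, resource_type):
        """Default deny: the type must be accessible and the operation permitted."""
        if resource_type not in self.accessible_types():
            raise PermissionError(f"{resource_type} is not accessible")
        if (resource_type, operation) not in self.permissions():
            raise PermissionError(f"{operation} on {resource_type} denied")
        return sorted(r for r, t in METADATA.items() if t == resource_type)
```

Because authorization hangs off the session's claims list rather than the caller, any application sharing that session sees the same filtered metadata, so session handles need the same protection as the tokens that populated them.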
15 Claims
1. At a computer system, a method for providing secure access to resources in a resource store, the method comprising:
- an act of receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;
- an act of referring to a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identity information for the session;
- an act of referring to a security table at the resource store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;
- determining accessible resource types for the session based upon the claims for the connection, the permissions in the security table, and the received identity information;
- determining that the specified resource type is an accessible resource type for the session;
- an act of determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list, wherein determining from the permissions that the session is authorized to perform the requested operation comprises determining that an application using the session is authorized to perform the requested operation based on the application using the session to communicate with the resource store; and
- an act of performing the requested operation for any secured resources of the specified type contained in the resource store.

Dependent claims: 2, 3, 4, 5
6. A computer system, comprising:
- at least one hardware processor; and
- a physical storage medium storing computer-executable instructions which, when executed by the processor, implement a method for providing secure access to resources in a resource store, wherein the method includes:
  - the computer system receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;
  - the computer system obtaining data from a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identity information for the session;
  - the computer system obtaining data from a security table at the resource store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;
  - the computer system determining accessible resource types for the session based upon the claims for the connection, the permissions in the security table, and the received identity information;
  - the computer system determining that the specified resource type is an accessible resource type for the session;
  - the computer system determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list, wherein determining from the permissions that the session is authorized to perform the requested operation comprises determining that an application using the session is authorized to perform the requested operation based on the application using the session to communicate with the resource store; and
  - the computer system performing the requested operation for any secured resources of the specified type contained in the resource store.

Dependent claims: 7, 8, 9, 10
11. A storage device storing computer-executable instructions which, when executed by a computing processor, implement a method for providing secure access to resources in a resource store, wherein the method includes:
- a computing system receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;
- the computing system accessing a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identity information for the session;
- the computing system accessing a security table at the resource store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;
- the computer system determining accessible resource types for the session based upon the claims for the connection, the permissions in the security table, and the received identity information;
- the computer system determining that the specified resource type is an accessible resource type for the session;
- the computing system determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list, wherein determining from the permissions that the session is authorized to perform the requested operation comprises determining that an application using the session is authorized to perform the requested operation based on the application using the session to communicate with the resource store; and
- the computing system performing the requested operation for any secured resources of the specified type contained in the resource store.

Dependent claims: 12, 13, 14, 15
Specification