Securing resource stores with claims-based security

US 8,453,217 B2
Filed: 11/02/2011
Issued: 05/28/2013
Est. Priority Date: 04/30/2008
Status: Active Grant

First Claim

Patent Images

1. At a computer system, a method for providing secure access to resources in a resource store, the method comprising:

an act of receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;

an act of referring to a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identify information for the session;

an act of referring to a security table at the resources store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;

determining accessible resource types for the session based upon the claims for the connection, the permissions in the security table, and the received identity information;

determining that the specified resource type is an accessibly resource type for the session;

an act of determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list, wherein determining from the permissions that the session is authorized to perform the requested operation comprises determining that an application using the session is authorized to perform the requested operation based on the application using the session to communicate with the resource store; and

an act of performing the requested operation for any secured resources of the specified type contained in the resource store.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products are provided for securing resource stores with claims-based security. From policy information, a resource store populates a security table of permissions. The permissions authorize resource access based on received claims. Sessions submit claims to the resource store. The resource store accumulates claims for a session into a claims list. From the claims list and the security table, the resource store filters out a subset of metadata including resource IDs for resources the session is authorized to access. Since the metadata corresponds to the session, any application using the session is given similar access to resources at the resource store.

Citations

15 Claims

1. At a computer system, a method for providing secure access to resources in a resource store, the method comprising:
- an act of receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;
  
  an act of referring to a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identify information for the session;
  
  an act of referring to a security table at the resources store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;
  
  determining accessible resource types for the session based upon the claims for the connection, the permissions in the security table, and the received identity information;
  
  determining that the specified resource type is an accessibly resource type for the session;
  
  an act of determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list, wherein determining from the permissions that the session is authorized to perform the requested operation comprises determining that an application using the session is authorized to perform the requested operation based on the application using the session to communicate with the resource store; and
  
  an act of performing the requested operation for any secured resources of the specified type contained in the resource store.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method as recited in claim 1, wherein the act of receiving a request over a session connected to the resource store comprises an act of receive a request form an application that is utilizing the session.
  - 3. The method as recited in claim 1, wherein the act of referring to a claims list for the session comprises an act of referring to a claims list that includes claims from an operating system ID token.
  - 4. The method as recited in claim 1, wherein the act of referring to a security table at the resources store comprises an act of referring to a security table that is formatted in accordance with a base table for storing security information, the base table being stored at the resource store.
  - 5. The method as recited in claim 1, wherein an act of performing the requested operation for any secured resources of the specified type contained in the resource store comprises an act of performing one or more of reading a resource and updating a resource in the resource store.

6. A computer system, comprising:
- at least one hardware processor; and
  
  a physical storage medium storing computer-executable instructions which, when executed by the processor, implement a method for providing secure access to resources in a resource store, wherein the method includes;
  
  the computer system receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;
  
  the computer system obtaining data from a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identify information for the session;
  
  the computer system obtaining data from a security table at the resources store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;
  
  the computer system determining accessible resource types for the session based upon the claims for the connection, the permissions in the security table, and the received identity information;
  
  the computer system determining that the specified resource type is an accessibly resource type for the session;
  
  the computer system determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list, wherein determining from the permissions that the session is authorized to perform the requested operation comprises determining that an application using the session is authorized to perform the requested operation based on the application using the session to communicate with the resource store; and
  
  the computer system performing the requested operation for any secured resources of the specified type contained in the resource store.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The computer system as recited in claim 6, wherein said receiving a request over a session connected to the resource store comprises an act of receive a request form an application that is utilizing the session.
  - 8. The computer system as recited in claim 6, wherein said obtaining data from a claims list for the session comprises an act of referring to a claims list that includes claims from an operating system ID token.
  - 9. The computer system as recited in claim 6, wherein said obtaining data from a security table at the resources store comprises an act of referring to a security table that is formatted in accordance with a base table for storing security information, the base table being stored at the resource store.
  - 10. The computer system as recited in claim 6, wherein said performing the requested operation for any secured resources of the specified type contained in the resource store comprises an act of performing one or more of reading a resource and updating a resource in the resource store.

11. A storage device storing computer-executable instructions which, when executed by a computing processor, implement a method for providing secure access to resources in a resource store, wherein the method includes:
- a computing system receiving a request over a session connected to the resource store, the request to perform an operation on secured resources of a specified resource type contained in the resource store;
  
  the computing system accessing a claims list for the session, the claims list including claims for the connection accumulated from one or more previously received security tokens, each claim asserting identify information for the session;
  
  the computing system accessing a security table at the resources store, the security table containing permissions for accessing secured resources contained in the resource store, the permissions defining secured operations that are authorized for secured resources contained in the resource store based on received identity information;
  
  the computer system determining accessible resource types for the session based upon the claims for the connection, the permissions in the security table, and the received identity information;
  
  the computer system determining that the specified resource type is an accessibly resource type for the session;
  
  the computing system determining from the permissions that the session is authorized to perform the requested operation on secured resources of the specified resource type based on the accumulated claims contained in the claims list, wherein determining from the permissions that the session is authorized to perform the requested operation comprises determining that an application using the session is authorized to perform the requested operation based on the application using the session to communicate with the resource store; and
  
  the computing system performing the requested operation for any secured resources of the specified type contained in the resource store.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The storage device as recited in claim 11, wherein said receiving a request over a session connected to the resource store comprises an act of receive a request form an application that is utilizing the session.
  - 13. The storage device as recited in claim 11, wherein said accessing a claims list for the session comprises an act of referring to a claims list that includes claims from an operating system ID token.
  - 14. The storage device as recited in claim 11, wherein said accessing a security table at the resources store comprises an act of referring to a security table that is formatted in accordance with a base table for storing security information, the base table being stored at the resource store.
  - 15. The storage device as recited in claim 11, wherein said performing the requested operation for any secured resources of the specified type contained in the resource store comprises an act of performing one or more of reading a resource and updating a resource in the resource store.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Bloesch, Anthony Christopher
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
HOLMES, ANGELA R

Application Number

US13/287,421
Publication Number

US 20120047561A1
Time in Patent Office

573 Days
Field of Search

726/1, 726 4- 5, 707/781, 709/229
US Class Current

726/4
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2141 Access rights, e.g. capabil...

Securing resource stores with claims-based security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Securing resource stores with claims-based security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links