Conflict resolution when identical policies are attached to a single policy subject

US 8,914,843 B2
Filed: 03/31/2012
Issued: 12/16/2014
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a computer system, a first policy attachment metadata file attaching a first web service policy to a policy subject at run-time;

receiving, at the computer system, a second policy attachment metadata file attaching a second policy to the policy subject at design-time;

determining, by the computer system, whether the first web service policy attached to the policy subject via the first policy attachment metadata file is identical to the second web service policy attached to the policy subject via the second policy attachment metadata file based on one or more predefined rules related to policy configuration properties when having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time; and

generating, by the computer system, information causing the first web service policy attached via the first policy attachment metadata file or the second web service policy attached via the second policy attachment metadata file to be selectively enforced at the policy subject based on a determination that the first web service policy and the second web service policy are identical and that having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a single policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a determination can be made whether two conflicting policies that are attached to a single policy subject are identical. This determination can be based on, e.g., a Uniform Resource Identifier (URI) that is used to identify the policies in their respective policy attachment metadata files, as well as any policy configuration properties. If the two conflicting policies are determined to be identical, the policy attachment metadata for one of the policies can be considered valid, while the policy attachment metadata for the other, duplicate policy can be ignored. In this manner, validation errors arising from duplicate policy attachments can be avoided.

192 Citations

View as Search Results

18 Claims

1. A method comprising:
- receiving, at a computer system, a first policy attachment metadata file attaching a first web service policy to a policy subject at run-time;
  
  receiving, at the computer system, a second policy attachment metadata file attaching a second policy to the policy subject at design-time;
  
  determining, by the computer system, whether the first web service policy attached to the policy subject via the first policy attachment metadata file is identical to the second web service policy attached to the policy subject via the second policy attachment metadata file based on one or more predefined rules related to policy configuration properties when having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time; and
  
  generating, by the computer system, information causing the first web service policy attached via the first policy attachment metadata file or the second web service policy attached via the second policy attachment metadata file to be selectively enforced at the policy subject based on a determination that the first web service policy and the second web service policy are identical and that having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1 wherein if the first web service policy and the second web service policy are not determined to be identical, causing neither the first web service policy nor the second web service policy to be enforced at the policy subject.
  - 3. The method of claim 1 wherein the first web service policy is of a first policy type, and wherein the second web service policy is of a second policy type that conflicts with the first policy type.
  - 4. The method of claim 1 wherein the first web service policy and the second web service policy are both authentication policies.
  - 5. The method of claim 1 wherein the policy subject is a web service endpoint of a Service-Oriented Architecture (SOA) application.
  - 6. The method of claim 5 wherein the first web service policy and the second web service policy each define one or more security or management-related assertions, and wherein enforcing the first web service policy or the second web service policy at the web service endpoint comprises enforcing the one or more security or management-related assertions.
  - 7. The method of claim 1 wherein the first policy attachment metadata file includes a first policy reference identifying the first web service policy, and wherein the second policy attachment metadata includes a second policy reference identifying the second web service policy.
  - 8. The method of claim 7 wherein the first and second policy references are Uniform Resource Identifiers (URIs).
  - 9. The method of claim 8 further comprising determining whether the first web service policy is identical to the second web service policy based on comparing their respective URIs.
  - 10. The method of claim 9 wherein the first policy attachment metadata file further includes first configuration override information usable when enforcing the first web service policy and the second policy attachment metadata file further includes second configuration override information usable when enforcing the second web service policy.
  - 11. The method of claim 10 wherein the first configuration override information and the second configuration override information each comprise a plurality of name-value pairs.
  - 12. The method of claim 10 wherein determining whether the first web service policy is identical to the second web service policy further comprises comparing the first configuration override information to the second configuration override information.

13. A non-transitory computer-readable medium having stored thereon program code executable by a computer system, the non-transitory computer-readable medium comprising:
- program code that causes the computer system to receive a first policy attachment metadata file attaching a first web service policy to a policy subject at run-time;
  
  program code that causes the computer system to receive a second policy attachment metadata file attaching a second policy to the policy subject at design-time;
  
  program code that causes the computer system to determine whether the first web service policy attached to the policy subject via the first policy attachment metadata file is identical to the second web service policy attached to the policy subject via the second policy attachment metadata file based on one or more predefined rules related to policy configuration properties when having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time; and
  
  program code that causes the computer system to generate information causing the first web service policy attached via the first policy attachment metadata file or the second web service policy attached via the second policy attachment metadata file to be selectively enforced at the policy subject based on a determination that the first web service policy and the second web service policy are identical and that having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time.
- View Dependent Claims (14, 15)
- - 14. The non-transitory computer-readable medium of claim 13 wherein the first policy attachment metadata file includes a first uniform resource identifier (URI) identifying the first web service policy, wherein the second policy attachment metadata includes a second URI identifying the second web service policy, and wherein the program code that causes the computer system to determine whether the first web service policy is identical to the second web service policy comprises program code that causes the computer system to compare the first URI to the second URI.
  - 15. The non-transitory computer-readable medium of claim 13 wherein the first policy attachment metadata file further includes first configuration override information usable when enforcing the first web service policy, wherein the second policy attachment metadata file further includes second configuration override information usable when enforcing the second web service policy, and wherein the program code that causes the computer system to determine whether the first web service policy is identical to the second web service policy comprises program code that causes the computer system to compare the first configuration override information to the second configuration override information.

16. A system comprising:
- a hardware processor configured to;
  
  receive a first policy attachment metadata file attaching a first web service policy to a policy subject at run-time;
  
  receive a second policy attachment metadata file attaching a second policy to the policy subject at design-time;
  
  determine whether the first web service policy attached to the policy subject via the first policy attachment metadata file is identical to the second web service policy attached to the policy subject via the second policy attachment metadata file based on one or more predefined rules related to policy configuration properties when having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time; and
  
  generate information causing the first web service policy attached via the first policy attachment metadata file or the second web service policy attached via the second policy attachment metadata file to be selectively enforced at the policy subject based on a determination that the first web service policy and the second web service policy are identical and that having the first web service policy attached to the policy subject at run-time conflicts with having the second web service policy attached to the policy subject at design-time.
- View Dependent Claims (17, 18)
- - 17. The system of claim 16 wherein the first policy attachment metadata file includes a first uniform resource identifier (URI) identifying the first web service policy, wherein the second policy attachment metadata includes a second URI identifying the second web service policy, and wherein to determine whether the first web service policy is identical to the second web service policy the processor is configured to compare the first URI to the second URI.
  - 18. The system of claim 16 wherein the first policy attachment metadata file further includes first configuration override information usable when enforcing the first web service policy, wherein the second policy attachment metadata file further includes second configuration override information usable when enforcing the second web service policy, and wherein to determine whether the first web service policy is identical to the second web service policy the processor is configured to compare the first configuration override information to the second configuration override information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Bryan, Jeffrey Jason, Kavantzas, Nickolas
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
GIDDINS, NELSON S

Application Number

US13/436,940
Publication Number

US 20130086627A1
Time in Patent Office

990 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 41/0246   Exchanging or transporting ...

H04L 41/0873   Checking configuration conf...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Conflict resolution when identical policies are attached to a single policy subject

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

192 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Conflict resolution when identical policies are attached to a single policy subject

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

192 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links