Enforcement of conditional policy attachments

US 9,003,478 B2
Filed: 08/28/2012
Issued: 04/07/2015
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

detecting, by a computer system, occurrence at a web service endpoint of a runtime event;

updating, by the computer system, a runtime context component maintained for the web service endpoint based on the runtime event prior to evaluating one or more policies with respect to the web service endpoint and the runtime event, the runtime context component specifying a set of data regarding a current context within a runtime environment of the web service endpoint that includes information relevant to the runtime event;

identifying, by the computer system, a web service policy whose metadata indicates attachment to the web service endpoint;

determining, by the computer system, whether the web service policy is to be attached to the web service endpoint using the runtime context component and a constraint expression associated with web service policy being dependent on one or more runtime values specified by the runtime context component, the determining comprising evaluating the constraint expression in view of the one or more runtime values specified by the runtime context component;

enforcing, by the computer system, the web service policy at the web service endpoint with respect to the detected runtime event when the web service policy is determined to be attached to the web service endpoint based on satisfying the constraint expression; and

ignoring, by the computer system, the metadata indicating attachment of the web service policy at the web service endpoint when the web service policy is determined not to be attached to the web service endpoint based on failing to satisfying the constraint expression.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context.

103 Citations

View as Search Results

19 Claims

1. A method comprising:
- detecting, by a computer system, occurrence at a web service endpoint of a runtime event;
  
  updating, by the computer system, a runtime context component maintained for the web service endpoint based on the runtime event prior to evaluating one or more policies with respect to the web service endpoint and the runtime event, the runtime context component specifying a set of data regarding a current context within a runtime environment of the web service endpoint that includes information relevant to the runtime event;
  
  identifying, by the computer system, a web service policy whose metadata indicates attachment to the web service endpoint;
  
  determining, by the computer system, whether the web service policy is to be attached to the web service endpoint using the runtime context component and a constraint expression associated with web service policy being dependent on one or more runtime values specified by the runtime context component, the determining comprising evaluating the constraint expression in view of the one or more runtime values specified by the runtime context component;
  
  enforcing, by the computer system, the web service policy at the web service endpoint with respect to the detected runtime event when the web service policy is determined to be attached to the web service endpoint based on satisfying the constraint expression; and
  
  ignoring, by the computer system, the metadata indicating attachment of the web service policy at the web service endpoint when the web service policy is determined not to be attached to the web service endpoint based on failing to satisfying the constraint expression.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein the runtime event is the reception of an incoming message at the web service endpoint.
  - 3. The method of claim 2 wherein updating the runtime context component comprises:
    - extracting one or more pieces of data from the incoming message; and
      
      updating the runtime context component with the extracted pieces of data.
  - 4. The method of claim 3 wherein the one or more pieces of data include an HTTP header of the incoming message, and identification of a sender of the incoming message, or a portion of a payload of the incoming message.
  - 5. The method of claim 2 wherein the one or more runtime values include a transport-level characteristic of the incoming message, a payload characteristic of the incoming message, or a system-level characteristic of an application server hosting the web service endpoint.
  - 6. The method of claim 5 wherein a transport-level characteristic of the incoming message includes an HTTP header of the incoming message.
  - 7. The method of claim 5 wherein a payload characteristic of the incoming message includes an identification of a user associated with the incoming message.
  - 8. The method of claim 5 wherein a system-level characteristic of the application server includes a server performance metric.
  - 9. The method of claim 1 wherein the constraint expression is a Boolean expression comprising a set of one or more Boolean functions grouped by zero or more logical operators.
  - 10. The method of claim 1 wherein the web service policy comprises a set of assertions, and wherein enforcing the web service policy comprises enforcing each assertion in the set of assertions.
  - 11. The method of claim 10 wherein the set of assertions relates to security or management-related behaviors of the web service endpoint.
  - 12. The method of claim 11 wherein at least one assertion in the set of assertions relates to user authentication at the web service endpoint.
  - 13. The method of claim 1 wherein the web service endpoint corresponds to a port of a Service-Oriented Architecture (SOA) application.

14. A non-transitory computer-readable medium having stored thereon program code executable by a computer system, the program code comprising:
- code that causes the computer system to detect occurrence at a web service endpoint of a runtime event;
  
  code that causes the computer system to update a runtime context component maintained for the web service endpoint based on the runtime event prior to evaluating one or more policies with respect to the web service endpoint and the runtime event, the runtime context component specifying a set of data regarding a current context within a runtime environment of the web service endpoint that includes information relevant to the runtime event;
  
  code that causes the computer system to identifying a web service policy whose metadata indicates attachment to the web service endpoint;
  
  code that causes the computer system to determine whether the web service policy is to be attached to the web service endpoint using the runtime context component and a constraint expression associated with web service policy being dependent on one or more runtime values specified by the runtime context component, the determining comprising evaluating the constraint expression in view of the one or more runtime values specified by the runtime context component;
  
  code that causes the computer system to enforce the web service policy at the web service endpoint with respect to the detected runtime event when the web service policy is determined to be attached to the web service endpoint based on satisfying the constraint expression; and
  
  code that causes the computer system to ignore the metadata indicating attachment of the web service policy at the web service endpoint when the web service policy is determined not to be attached to the web service endpoint based on failing to satisfying the constraint expression.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The non-transitory computer readable medium of claim 14 wherein the code that causes the computer system to update the runtime context component maintained for the web service endpoint comprises:
    - code that causes the computer system to receive an incoming message;
      
      code that causes the computer system to extract one or more pieces of data from the incoming message, the one or more pieces of data associated with an HTTP header of the incoming message, identification of a sender of the incoming message, a portion of a payload of the incoming message, transport-level characteristic of the incoming message, or a payload characteristic of the incoming message; and
      
      updating the runtime context component with the extracted pieces of data and a system-level characteristic of an application server hosting the web service endpoint.
  - 16. The non-transitory computer readable medium of claim 14 further comprising code that causes the computer system to receive the constraint expression as a Boolean expression comprising a set of one or more Boolean functions grouped by zero or more logical operators.
  - 17. The non-transitory computer readable medium of claim 14 further comprising code that causes the computer system to enforcing each assertion in a set of assertions specified within the web service policy.
  - 18. The non-transitory computer readable medium of claim 17 wherein the set of assertions relates to security or management-related behaviors of the web service endpoint or user authentication at the web service endpoint.

19. A system comprising:
- a hardware processor; and
  
  a non-transitory memory storing a set of instructions which when executed by the processor configure the processor to;
  
  detect occurrence at a web service endpoint of a runtime event;
  
  update a runtime context component maintained for the web service endpoint based on the runtime event prior to evaluating one or more policies with respect to the web service endpoint and the runtime event, the runtime context component specifying a set of data regarding a current context within a runtime environment of the web service endpoint that includes information relevant to the runtime event;
  
  identify a web service policy whose metadata indicates attachment to the web service endpoint;
  
  determine whether the web service policy is to be attached to the web service endpoint using the runtime context component and a constraint expression associated with web service policy being dependent on one or more runtime values specified by the runtime context component, the determining comprising evaluating the constraint expression in view of the one or more runtime values specified by the runtime context component;
  
  enforce the web service policy at the web service endpoint with respect to the detected runtime event when the web service policy is determined to be attached to the web service endpoint based on satisfying the constraint expression; and
  
  ignore the metadata indicating attachment of the web service policy at the web service endpoint when the web service policy is determined not to be attached to the web service endpoint based on failing to satisfying the constraint expression.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Kavantzas, Nickolas, Bryan, Jeffrey Jason, Zhao, Cecilia
Primary Examiner(s)
Mehedi, Morshed
Assistant Examiner(s)
CHANG, KENNETH W

Application Number

US13/596,545
Publication Number

US 20130086184A1
Time in Patent Office

952 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 41/0246   Exchanging or transporting ...

H04L 41/0873   Checking configuration conf...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Enforcement of conditional policy attachments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

103 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Enforcement of conditional policy attachments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

103 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others