Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes
Abstract
A policy directed, security-centric model driven architecture is described to secure internal web services, such as those implementing service-oriented architecture (SOA), and external web services, such as those hosted on a cloud computing platform. A distributed data dictionary, hosted across multiple dictionary engines and operating in conjunction with web security services, is used to embed security profiles in web service messages and to validate messages that contain such security profiles.
9 Claims
1. A system, comprising:
a processor; and
a storage device coupled to the processor and storing an executable web service, an executable web security service, and an executable data dictionary, all executable by the processor, the data dictionary implementing an instance of a hierarchical class tree that includes a plurality of class and data objects;
wherein the data dictionary receives a portion of a hierarchical class tree comprising client segments from another system hosting a peer data dictionary instance, said received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein said web service cannot access said data objects without the use of the web security service and without the received hierarchical class tree portion;
wherein the data dictionary attaches the received portion to its own hierarchical class tree instance at a boundary node that is replaced with an identity node of the received portion, the identity node identifying ownership of the received portion;
wherein, upon executing the web service, the processor generates an access request for a data object identified by the received portion and invokes the web security service to access the security profile information to validate the access request; and
wherein, upon executing the invoked web security service, the processor, before transmitting the access request across a network, validates the access request using a security profile associated with said request performing at least three verifications;
a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and
wherein the processor transmits the access request based on the web security service, via the processor, successfully performing each of the first, second, and third verifications.
Dependent claims: 2, 3, 4, 5.
6. A system, comprising:
a processor; and
a storage device coupled to the processor and storing an executable web service, an executable web security service, and an executable data dictionary, all executable by the processor, the data dictionary implementing an instance of a hierarchical class tree that includes a plurality of class and data objects;
wherein the data dictionary receives a request for a targeted portion of the hierarchical class tree instance from another system hosting a peer data dictionary instance, said targeted portion includes an identity node that identifies the ownership of the targeted portion and class definitions and security profile information that specifies restrictions on use of data objects identified by the targeted portion;
wherein the data dictionary transmits the targeted portion of the hierarchical class tree to the other system for attachment of the targeted portion to the hierarchical class tree instance of the other system at a boundary node, wherein the boundary node is replaced with an identity node identifying ownership of the objects contained in the targeted portion;
wherein, upon execution by the processor, the web service receives an incoming message and, in response, invokes the web security service to validate the incoming message and wherein the web service cannot access said data objects without the use of the web security service and without the hierarchical class tree;
wherein, upon execution by the processor, the web security service validates the incoming message by performing at least three verifications including a first verification to determine whether the web service is authorized to receive the incoming message, a second verification to determine whether any data targeted by the message is permitted to be accessed by the web service, and a third verification to determine whether an entity that provided the message was permitted to provide the message; and
wherein, upon all of said verifications being successfully performed, the web service generates a response message and again invokes the web security service to validate the response message, before it is transmitted to the entity, by performing at least three verifications including a fourth verification to determine whether the web service is authorized to transmit the response message, a fifth verification to determine whether any data included in the response message is permitted to be accessed by the web service, and a sixth verification to determine whether the entity is permitted to receive the response message; and
wherein the processor transmits the response message to said entity based on the web security service, via the processor, successfully performing each of the fourth, fifth, and sixth verifications.
Dependent claims: 7, 8.
9. A method, comprising:
requesting, by a client data dictionary, a portion of a hierarchical class tree including client segments from another system hosting a peer data dictionary instance;
receiving the requested portion, the received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein said web service cannot access said data objects without the use of the web security service and without the received hierarchical class tree portion;
attaching the requested portion to a boundary node;
replacing the boundary node with an identity node that identifies ownership of the received portion; and
generating an access request, by a web service, for a data object identified by the received and attached portion;
invoking, by the web service, a web security service based on the generated request to validate the access request by performing at least three verifications;
a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and
transmitting the access request based on the web security service successfully performing each of the first, second, and third verifications.
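The outbound path of claims 1 and 9, as an added sketch that is not code from the patent: a received portion replaces a boundary node with its identity node, and a request is released only after all three verifications pass. The `Node` layout, the profile keys (`may_send`, `requestable_by`, `may_receive`) and the service names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    kind: str                      # "class", "data", "boundary" or "identity"
    owner: str = ""                # set on identity nodes only
    profile: dict = field(default_factory=dict)   # set on data objects
    children: dict = field(default_factory=dict)

def attach(tree, boundary_name, portion):
    """Replace a boundary node with the identity node of a received portion."""
    slot = tree.children.get(boundary_name)
    if slot is None or slot.kind != "boundary":
        raise ValueError("attachment point is not a boundary node")
    if portion.kind != "identity" or not portion.owner:
        raise ValueError("received portion has no identity node")
    tree.children[boundary_name] = portion

def find(tree, path):
    """Walk a '/'-separated path from the root; None if any part is missing."""
    node = tree
    for part in path.split("/"):
        node = node.children.get(part)
        if node is None:
            return None
    return node

def validate_outbound(tree, sender, path, receiver):
    """Three verifications before anything is transmitted; fails closed."""
    obj = find(tree, path)
    if obj is None or obj.kind != "data" or not obj.profile:
        return False, "no security profile"      # portion not attached yet
    p = obj.profile
    if sender not in p.get("may_send", ()):           # first verification
        return False, "sender not authorized to send"
    if sender not in p.get("requestable_by", ()):     # second verification
        return False, "object not requestable by sender"
    if receiver not in p.get("may_receive", ()):      # third verification
        return False, "receiver not authorized to receive"
    return True, "ok"

def sample():
    """Constructed data: a local tree and a portion received from a peer."""
    tree = Node("root", "class", children={"partner": Node("partner", "boundary")})
    invoice = Node("invoice", "data", profile={
        "may_send": {"orders-svc", "reports-svc"},
        "requestable_by": {"orders-svc"},
        "may_receive": {"billing-svc"}})
    portion = Node("partner", "identity", owner="peer-org",
                   children={"invoice": invoice})
    return tree, portion
```

Until `attach` has run, the object path resolves to nothing and every request is refused, which mirrors the claim language that the web service cannot access the data objects without the received portion.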
Specification