Priority assignments for policy attachments

US 9,088,571 B2
Filed: 08/28/2012
Issued: 07/21/2015
Est. Priority Date: 09/30/2011
Status: Active Grant

First Claim

Patent Images

1. A method for controlling execution behavior of policy subjects, the method comprising:

retrieving, by a computer system, policy attachment information identifying a plurality of web service policies whose policy attachment metadata indicate attachment at runtime to a policy subject, wherein the policy attachment information comprises, for each web service policy in the plurality of web service polices, an identifier of the web service policy, a scope at which the web service policy is attached to the policy subject at runtime, and a priority value;

determining, by the computer system, an ordering of each web service policy in the plurality of web service policies based on the priority value of the web service policy and the scope at which the web service policy is attached to the policy subject;

determining, by the computer system, that a first web service policy in the plurality of web service policies is given precedence over a second web service policy in the plurality of web service policies based on the determined ordering, wherein attachment of the first web service policy and the second web service policy at the policy subject conflict;

adding, by the computer system, the first web service policy to an effective policy set of the policy subject, the effective policy set comprising policies enforced at the policy subject at runtime; and

performing one or more actions that control execution behavior of the policy subject based the effective policy set.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a priority value can be assigned to each policy attached to a policy subject via the policy'"'"'s corresponding policy attachment metadata file. These priority values can be taken into account when determining whether one policy should be given precedence over another, conflicting policy attached to the same policy subject. In certain embodiments, as part of this determination, the priority value of a policy can be given greater weight than the scope at which the policy is attached.

Citations

20 Claims

1. A method for controlling execution behavior of policy subjects, the method comprising:
- retrieving, by a computer system, policy attachment information identifying a plurality of web service policies whose policy attachment metadata indicate attachment at runtime to a policy subject, wherein the policy attachment information comprises, for each web service policy in the plurality of web service polices, an identifier of the web service policy, a scope at which the web service policy is attached to the policy subject at runtime, and a priority value;
  
  determining, by the computer system, an ordering of each web service policy in the plurality of web service policies based on the priority value of the web service policy and the scope at which the web service policy is attached to the policy subject;
  
  determining, by the computer system, that a first web service policy in the plurality of web service policies is given precedence over a second web service policy in the plurality of web service policies based on the determined ordering, wherein attachment of the first web service policy and the second web service policy at the policy subject conflict;
  
  adding, by the computer system, the first web service policy to an effective policy set of the policy subject, the effective policy set comprising policies enforced at the policy subject at runtime; and
  
  performing one or more actions that control execution behavior of the policy subject based the effective policy set.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 wherein the policy attachment information is retrieved from one or more policy attachment metadata files associated with the policy subject.
  - 3. The method of claim 2 wherein the one or more policy attachment metadata files include a local policy attachment (LPA) metadata file and a global policy attachment (GPA) metadata file.
  - 4. The method of claim 1:
    - wherein determining the ordering of each of the plurality of web service policies comprises determining a first dimension of organized by scope and a second dimension organized by priority value, and wherein each intersection between the first and second dimensions identifies a web service policy in the plurality of web service policies; and
      
      wherein determining that the first web service policy is given precedence over the second web service policy comprises traversing the ordering along the first dimension representing scope and the second dimension representing priority.
  - 5. The method of claim 1 wherein the first web service policy has a higher priority value than the second web service policy, and wherein the first web service policy is attached at a higher scope level than the second web service policy.
  - 6. The method of claim 1 wherein the first web service policy has the same priority value as the second web service policy, and wherein the first web service policy is attached at a lower scope level than the second web service policy.
  - 7. The method of claim 1 wherein the first and second web service policies conflict due to having identical policy types.
  - 8. The method of claim 7 wherein the first and second web service policies are both authentication policies.
  - 9. The method of claim 1 wherein the second web service policy is not added to the effective policy set.
  - 10. The method of claim 1 wherein the policy subject is a web service endpoint, and wherein the application hosting the policy subject is a Service-Oriented Architecture (SOA) application.
  - 11. The method of claim 1 wherein determining, by the computer system, that the first web service policy is given precedence over the second web service policy comprises traversing the ordering along a first dimension representing priority and a second dimension representing scope.

12. A non-transitory computer-readable medium having stored thereon program code executable by a computer system, the program code comprising:
- code that causes the computer system to retrieve policy attachment information identifying a plurality of web service policies whose policy attachment metadata indicate attachment at runtime to a policy subject, wherein the policy attachment information comprises, for each web service policy in the plurality of web service polices, an identifier of the web service policy, a scope at which the web service policy is attached to the policy subject at runtime, and a priority value;
  
  code that causes the computer system to determine an ordering of each web service policy in the plurality of web service policies based on the priority value of the web service policy and the scope at which the web service policy is attached to the policy subject;
  
  code that causes the computer system to that a first web service policy in the plurality of web service policies is given precedence over a second web service policy in the plurality of web service policies based on the determined ordering, wherein attachment of the first web service policy and the second web service policy at the policy subject conflict;
  
  code that causes the computer system to add the first web service policy to an effective policy set of the policy subject, the effective policy set comprising policies enforced at the policy subject at runtime; and
  
  code that causes the computer system to perform one or more actions that control execution behavior of the policy subject based the effective policy set.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory computer-readable medium of claim 12:
    - wherein the code that causes the computer system to determine the ordering of each of the plurality of web service policies comprises code that causes the computer system to determine a first dimension of organized by scope and a second dimension organized by priority value, and wherein each intersection between the first and second dimensions identifies a web service policy in the plurality of web service policies; and
      
      wherein the code that causes the computer system to determine that the first web service policy is given precedence over the second web service policy comprises code that causes the computer system to traverse the ordering along the first dimension representing scope and the second dimension representing priority.
  - 14. The non-transitory computer-readable medium of claim 12 wherein the first web service policy has a higher priority value than the second web service policy, and wherein the first web service policy is attached at a higher scope level than the second web service policy.
  - 15. The non-transitory computer-readable medium of claim 12 wherein the first web service policy has the same priority value as the second web service policy, and wherein the first web service policy is attached at a lower scope level than the second web service policy.
  - 16. The non-transitory computer-readable medium of claim 12 wherein the code that causes the processor to determine that the first web service policy is given precedence over the second web service policy comprises code that causes the processor to traverse the ordering along a first dimension representing priority and a second dimension representing scope.

17. A system comprising:
- a hardware processor configured to;
  
  retrieve policy attachment information identifying a plurality of web service policies whose policy attachment metadata indicate attachment at runtime to a policy subject, wherein the policy attachment information comprises, for each web service policy in the plurality of web service polices, an identifier of the web service policy, a scope at which the web service policy is attached to the policy subject at runtime, and a priority value;
  
  determine an ordering of each web service policy in the plurality of web service policies based on the priority value of the web service policy and the scope at which the web service policy is attached to the policy subject;
  
  determine that a first web service policy in the plurality of web service policies is given precedence over a second web service policy in the plurality of web service policies based on the determined ordering, wherein attachment of the first web service policy and the second web service policy at the policy subject conflict;
  
  add the first web service policy to an effective policy set of the policy subject, the effective policy set comprising policies enforced at the policy subject at runtime; and
  
  perform one or more actions that control execution behavior of the policy subject based the effective policy set.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17:
    - wherein to determine the ordering of each of the plurality of web service policies the processor is configured to determine a first dimension of organized by scope and a second dimension organized by priority value, and wherein each intersection between the first and second dimensions identifies a web service policy in the plurality of web service policies; and
      
      wherein to determine that the first web service policy is given precedence over the second web service policy the processor is configured to traverse the ordering along the first dimension representing scope and the second dimension representing priority.
  - 19. The system of claim 17 wherein the first web service policy has a higher priority value than the second web service policy, and wherein the first web service policy is attached at a higher scope level than the second web service policy.
  - 20. The system of claim 17 wherein the first web service policy has the same priority value as the second web service policy, and wherein the first web service policy is attached at a lower scope level than the second web service policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Bryan, Jeffrey Jason, Kavantzas, Nickolas
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Giddins, Nelson Scott

Application Number

US13/596,525
Publication Number

US 20130086240A1
Time in Patent Office

1,057 Days
Field of Search

726/1
US Class Current

1/1
CPC Class Codes

H04L 41/0246   Exchanging or transporting ...

H04L 41/0873   Checking configuration conf...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Priority assignments for policy attachments

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Priority assignments for policy attachments

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links