Dynamic identity switching
First Claim
1. A method comprising:
receiving, by a computer system, an invocation by a web application acting as a web service client of a web service, the invocation comprising a first property representing a first identity using the web application and a second property representing a second identity declared to be propagateable in web service invocations, the web service to execute a task using the second identity;
determining, by the computer, a set of one or more switching rules using the first identity and the second identity in the invocation of the web service;
verifying, by the computer system, that a switch from the first identity to the second identity is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object;
including, by the computer system, the second identity in the second property in a service request to the web service when the switch is permitted, wherein including the second identity in the service request includes storing the second identity in a subject field of the service request; and
communicating, by the computer system, the service request to the web service.
1 Assignment
0 Petitions
Abstract
Techniques are disclosed for dynamically switching user identity when generating a web service request by receiving, at a client application, an invocation of a web service, the invocation associated with a first authenticated user identity of a first user, identifying a second user identity, verifying that a switch from the first user identity to the second user identity is permitted by switching rules, including the second user identity in a service request when the switch is permitted, and communicating the service request to the web service. The switching rules can include associations between initial user identities and permitted user identities. Verifying that a switch is permitted can include searching the associations for an entry having an initial user identity that matches the first authenticated user identity and a new user identity that matches the second user identity, wherein the switch is permitted when the entry is found.
26 Citations
14 Claims
1. A method comprising: receiving, by a computer system, an invocation by a web application acting as a web service client of a web service, the invocation comprising a first property representing a first identity using the web application and a second property representing a second identity declared to be propagateable in web service invocations, the web service to execute a task using the second identity; determining, by the computer, a set of one or more switching rules using the first identity and the second identity in the invocation of the web service; verifying, by the computer system, that a switch from the first identity to the second identity is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object; including, by the computer system, the second identity in the second property in a service request to the web service when the switch is permitted, wherein including the second identity in the service request includes storing the second identity in a subject field of the service request; and communicating, by the computer system, the service request to the web service. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9)

10. A non-transitory machine-readable medium storing a series of instructions executable by a processor of a computer system, the non-transitory computer-readable medium comprising: instructions that cause the processor to receive an invocation by a web application acting as a web service client of a web service, the invocation comprising a first property representing a first identity using the web application and a second property representing a second identity declared to be propagateable in web service invocations, the web service to execute a task using the second identity; instructions that cause the processor to determine a set of one or more switching rules using the first identity and the second identity in the invocation of the web service; instructions that cause the processor to verify that a switch from the first identity to the second identity is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object; instructions that cause the processor to include the second identity in the second property in a service request to the web service when the switch is permitted, wherein the instructions that cause the processor to include the second identity in the service request include instructions that cause the processor to store the second identity in a subject field of the service request; and instructions that cause the processor to communicate the service request to the web service. (Dependent claims: 11, 12, 13)

14. A system for dynamically switching between identities of different entities to request web services, the system comprising: a hardware processor; and a non-transitory memory configured to store a set of instructions which, when executed by the processor, configure the processor to: receive an invocation by a web application acting as a web service client of a web service, the invocation comprising a first property representing a first identity using the web application and a second property representing a second identity declared to be propagateable in web service invocations, the web service to execute a task using the second identity; determine a set of one or more switching rules using the first identity and the second identity in the invocation of the web service; verify that a switch from the first identity to the second identity is permitted by applying the set of one or more switching rules and determining that the web application is a permitted application in accordance with a permission object; include the second identity in the second property in a service request to the web service when the switch is permitted, wherein including the second identity in the service request includes storing the second identity in a subject field of the service request; and communicate the service request to the web service.
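The abstract and the independent claims above describe the same check from two angles: the switching rules are associations between an initial (authenticated) identity and a permitted new identity, the switch is allowed only when a matching association exists and the calling web application is listed in a permission object, and the permitted second identity is then stored in the subject field of the outgoing service request. The following Python is an added illustration of that check, not code from the patent or any product; the rule representation (a set of identity pairs), the permission object (a set of application names), the dictionary layout of the invocation and request, and the fail-closed handling of a denied switch are all assumptions made for the example.

```python
"""Added example: verifying an identity switch before building a web service request.

Not code from the patent. Rule format, permission object and request layout are
assumptions chosen for the illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


class SwitchDenied(Exception):
    """Raised when the requested identity switch is not permitted by policy."""


@dataclass(frozen=True)
class SwitchingRule:
    """One association: the authenticated identity and the identity it may switch to."""
    initial_identity: str
    new_identity: str


@dataclass(frozen=True)
class IdentitySwitchPolicy:
    # Associations between initial identities and permitted new identities
    # (the "switching rules" of the abstract).
    rules: frozenset[SwitchingRule]
    # The "permission object": web applications allowed to perform switches.
    permitted_applications: frozenset[str]

    def is_switch_permitted(self, first_identity: str, second_identity: str, application: str) -> bool:
        """Apply the switching rules and the application permission check.

        Permitted only if (a) the calling application is listed and (b) an entry
        exists whose initial identity matches the first identity and whose new
        identity matches the requested second identity. Anything else is denied.
        """
        if application not in self.permitted_applications:
            return False
        return SwitchingRule(first_identity, second_identity) in self.rules


def build_service_request(policy: IdentitySwitchPolicy, invocation: dict, payload: dict) -> dict:
    """Build the outgoing service request, storing the second identity in the subject field.

    The invocation carries the first property (authenticated identity) and the
    second property (identity declared propagateable). A denied switch raises
    rather than silently downgrading, so the caller never sends a request whose
    subject differs from what policy allowed (assumed fail-closed behaviour).
    """
    first = invocation["first_identity"]
    second = invocation["second_identity"]
    app = invocation["application"]
    if not policy.is_switch_permitted(first, second, app):
        raise SwitchDenied(f"{app!r} may not switch {first!r} -> {second!r}")
    return {
        "subject": second,          # subject field holds the switched-to identity
        "on_behalf_of": first,      # retained for audit: who actually invoked the client
        "application": app,
        "payload": payload,
    }


# Constructed sample policy and invocation for running the example offline.
EXAMPLE_POLICY = IdentitySwitchPolicy(
    rules=frozenset({
        SwitchingRule("alice", "svc_orders"),
        SwitchingRule("alice", "svc_inventory"),
        SwitchingRule("bob", "svc_orders"),
    }),
    permitted_applications=frozenset({"order-portal"}),
)

EXAMPLE_INVOCATION = {
    "first_identity": "alice",
    "second_identity": "svc_orders",
    "application": "order-portal",
}


def demo() -> dict:
    """Run the permitted case and return the resulting service request."""
    return build_service_request(EXAMPLE_POLICY, EXAMPLE_INVOCATION, {"op": "list_orders"})


if __name__ == "__main__":
    print(demo())
    try:
        build_service_request(EXAMPLE_POLICY, {**EXAMPLE_INVOCATION, "application": "other-app"}, {})
    except SwitchDenied as exc:
        print("denied:", exc)
```

The two checks are deliberately independent: a correct rule for the identity pair does not help an unlisted application, and a listed application cannot switch to an identity it has no association for. Keeping the original first identity alongside the subject gives the service side something to log, which is what makes a later review of "who acted as whom" possible.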
Specification