Policy directed security-centric model driven architecture to secure client and cloud hosted web service enabled processes
First Claim
1. A non-transitory storage device containing software that, when executed by a processor, causes the processor to:
implement a data dictionary that implements an instance of a hierarchical class tree that includes a plurality of class and data objects;
receive a portion of a hierarchical class tree comprising client segments from an external system hosting a peer data dictionary instance, said received portion includes class definitions and security profile information that specifies restrictions on use of data objects identified by the received portion and wherein the machine instructions preclude the processor from accessing the data objects without the use of the web security service and without the received hierarchical class tree portion;
attach the received portion to the instance of the hierarchical class tree;
receive an access request from a web service for a data object identified by the received portion;
validate the access request from the web service using the security profile information associated with the requested data object and by performing at least three verifications;
a first verification to determine whether the web service is authorized to send the access request, a second verification to determine whether the data object requested is permitted to be requested by the web service, and a third verification to determine whether a web service intended to receive the access request is authorized to receive the access request; and
transmit the access request based on successful completion of the first, second, and third verifications.
Abstract
A policy directed, security-centric model driven architecture is described to secure internal web services, such as those implementing service-oriented architecture (SOA), and external web services such as those hosted on a cloud computing platform. A distributed data dictionary, hosted across multiple dictionary engines and operating in conjunction with web security services, is used to embed security profiles in web service messages and to validate messages that contain such security profiles.
7 Claims
5. A non-transitory storage device containing software that, when executed by a processor, causes the processor to:
implement a data dictionary that implements an instance of a hierarchical class tree that includes a plurality of class and data objects;
receive a request for a targeted portion of the hierarchical class tree, the targeted portion includes an identity node that identifies the ownership of the targeted portion and class definitions and security profile information that specifies restrictions on use of data objects identified by the targeted portion;
transmit the targeted portion of the hierarchical class tree;
validate an incoming message from a web service requesting access to a data object to permit a web service to access the data object, the data object not being accessible unless the message is validated and the hierarchical class tree is used, the validation including at least three verifications including a first verification to determine whether the web service is authorized to receive the incoming message, a second verification to determine whether any data targeted by the message is permitted to be accessed by the web service, and a third verification to determine whether an entity that provided the message was permitted to provide the message; and
upon all of the verifications being successfully performed, receive a response message and validate the response message, before it is transmitted, by performing at least three verifications including a fourth verification to determine whether the web service is authorized to transmit the response message, a fifth verification to determine whether any data included in the response message is permitted to be accessed by the web service, and a sixth verification to determine whether the entity is permitted to receive the response message; and
transmit the response message to the entity based on successfully performing each of the fourth, fifth, and sixth verifications.
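The following is an added example, not code from the patent or its assignee, that models the mechanism the two independent claims describe: a local data dictionary holding a hierarchical class tree, a received segment (with its identity node and security profiles) attached to that tree, and a web security service that refuses any object not covered by a received profile and otherwise runs the three verifications on an access request (claim 1) and the fourth to sixth verifications on a response (claim 5). All class names, field names (`requesters`, `providers`, `readers`), service names and the `Customer.Account.*` paths are constructed for the example, and the mapping of each numbered verification to a concrete check is one reasonable interpretation of the claim language rather than anything the page specifies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityProfile:
    """Restrictions that travel with a node of the received class tree.
    Field names are constructed for this example, not taken from the patent."""
    requesters: frozenset = frozenset()  # services allowed to request the object
    providers: frozenset = frozenset()   # services allowed to serve requests for it
    readers: frozenset = frozenset()     # entities allowed to read it in a response


class Node:
    """One class or data object in the hierarchical class tree."""

    def __init__(self, name, profile=None, owner=None):
        self.name = name
        self.profile = profile  # None means "inherit from the nearest ancestor"
        self.owner = owner      # identity node: set on the root of a received segment
        self.children = {}

    def add(self, *kids):
        for kid in kids:
            self.children[kid.name] = kid
        return self


class DataDictionary:
    """Local dictionary instance; peer segments are attached as a unit under the root."""

    def __init__(self):
        self.root = Node("root")

    def attach(self, segment):
        if segment.owner is None:
            raise ValueError("a received segment must carry an identity node")
        self.root.add(segment)

    def resolve(self, path):
        """Walk a dotted path; return (node, effective profile) or (None, None).
        The nearest profile on the path applies, so leaves inherit their class's rules."""
        node, profile = self.root, None
        for part in path.split("."):
            node = node.children.get(part)
            if node is None:
                return None, None
            profile = node.profile or profile
        return node, profile


@dataclass(frozen=True)
class Message:
    sender: str
    receiver: str
    objects: tuple  # dotted paths of the data objects requested or returned


class WebSecurityService:
    def __init__(self, dictionary, authorized_services):
        self.dictionary = dictionary
        self.authorized = frozenset(authorized_services)

    def _profiles(self, msg):
        """Yield (path, profile); a path outside the received tree aborts validation,
        so nothing is reachable without the received class-tree portion."""
        for path in msg.objects:
            _, profile = self.dictionary.resolve(path)
            if profile is None:
                raise PermissionError(f"{path} is not covered by a received security profile")
            yield path, profile

    def validate_request(self, msg):
        """Claim 1 style: three verifications before an access request is forwarded."""
        try:
            if msg.sender not in self.authorized:                   # first verification
                return False, f"{msg.sender} is not authorized to send requests"
            for path, profile in self._profiles(msg):
                if msg.sender not in profile.requesters:             # second verification
                    return False, f"{msg.sender} may not request {path}"
                if msg.receiver not in profile.providers:            # third verification
                    return False, f"{msg.receiver} may not receive requests for {path}"
        except PermissionError as exc:
            return False, str(exc)
        return True, "request validated"

    def validate_response(self, msg):
        """Claim 5 style: fourth to sixth verifications before a response leaves."""
        try:
            if msg.sender not in self.authorized:                   # fourth verification
                return False, f"{msg.sender} is not authorized to transmit responses"
            for path, profile in self._profiles(msg):
                if msg.receiver not in profile.readers:              # fifth verification
                    return False, f"{path} may not be disclosed to {msg.receiver}"
            if msg.receiver not in self.authorized:                 # sixth verification
                return False, f"{msg.receiver} may not receive responses"
        except PermissionError as exc:
            return False, str(exc)
        return True, "response validated"


def build_service():
    """Constructed scenario: a 'Customer' segment owned by peer dictionary 'bank-core'."""
    balance = Node("Balance", SecurityProfile(
        requesters=frozenset({"portal"}), providers=frozenset({"ledger"}),
        readers=frozenset({"portal"})))
    account = Node("Account", SecurityProfile(
        requesters=frozenset({"portal", "audit"}), providers=frozenset({"ledger"}),
        readers=frozenset({"portal", "audit"}))).add(balance, Node("History"))
    dictionary = DataDictionary()
    dictionary.attach(Node("Customer", owner="bank-core").add(account))
    return WebSecurityService(dictionary, {"portal", "audit", "ledger"})


if __name__ == "__main__":
    wss = build_service()
    for m in (Message("portal", "ledger", ("Customer.Account.Balance",)),
              Message("audit", "ledger", ("Customer.Account.Balance",)),
              Message("portal", "cache", ("Customer.Account.History",)),
              Message("portal", "ledger", ("Orders.Item",))):
        print(m.sender, "->", m.receiver, m.objects, wss.validate_request(m))
```

Two design points carry the claims' intent: an object with no profile on its path is rejected rather than defaulted to open, and a child node without its own profile inherits the nearest ancestor's, so `Customer.Account.History` is governed by the `Account` profile while `Balance` carries a stricter one of its own.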
Specification