System and method for dynamic security configuration in a multitenant application server environment

US 10,523,709 B2
Filed: 09/25/2015
Issued: 12/31/2019
Est. Priority Date: 09/26/2014
Status: Active Grant

First Claim

Patent Images

1. A system for supporting dynamic security configuration in a multitenant application server environment, comprising:

one or more computers, including an application server environment executing thereon, and a domain for execution of software applications;

wherein the application server environment provides a plurality of partitions,wherein each partition provides an administrative and runtime subdivision of the domain, that can be associated with a tenant, andwherein the application server environment provides a plurality of realms associated with the plurality of partitions, including that each particular partition is associated with a particular security realm that is used with the particular partition and associated with one or more attributes; and

wherein the system enables configuration changes to be made for partition level security, by associating one or more listeners with the attributes of the security realm, that detect changes to the attributes, wherein each listener listens for changes to a specific attribute, and whereupon changes to the attributes being detected for the particular partition, a determination is made whether to restart one or both of the security realm associated with the particular partition, or a server hosting the particular partition, including;

upon determining that the changes to the attributes are all dynamic changes, then applying the changes to the security realm for the particular partition, without restarting either the security realm associated with the particular partition or the server hosting the particular partition; and

upon a particular listener determining an associated attribute change is non-dynamic, then directing the system whether to restart one or both of;

(a) the security realm associated with the particular partition, or(b) the server hosting the particular partition,to apply the attribute change, and cause the particular partition to be restarted with the changed attributes.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In accordance with an embodiment, described herein is a system and method for supporting dynamic security configuration in a multitenant application server environment. Common configuration changes required for partition level security can be made without requiring a server restart, such as for example, adding a new security realm for a partition; deleting an existing realm; changing the configuration on an existing realm; adding or removing a security provider to a realm; or changing the configuration of a security provider. In accordance with an embodiment, also described herein is a system and method for supporting dynamic reconfiguration in a multitenant application server environment. Attributes of partition management components, for example managed beans (MBeans) and child MBeans contained within a partition, can be made dynamic and annotated accordingly, so that a restart of servers is not required for configuration changes to those attributes for a particular partition.

20 Citations

View as Search Results

20 Claims

1. A system for supporting dynamic security configuration in a multitenant application server environment, comprising:
- one or more computers, including an application server environment executing thereon, and a domain for execution of software applications;
  
  wherein the application server environment provides a plurality of partitions,wherein each partition provides an administrative and runtime subdivision of the domain, that can be associated with a tenant, andwherein the application server environment provides a plurality of realms associated with the plurality of partitions, including that each particular partition is associated with a particular security realm that is used with the particular partition and associated with one or more attributes; and
  
  wherein the system enables configuration changes to be made for partition level security, by associating one or more listeners with the attributes of the security realm, that detect changes to the attributes, wherein each listener listens for changes to a specific attribute, and whereupon changes to the attributes being detected for the particular partition, a determination is made whether to restart one or both of the security realm associated with the particular partition, or a server hosting the particular partition, including;
  
  upon determining that the changes to the attributes are all dynamic changes, then applying the changes to the security realm for the particular partition, without restarting either the security realm associated with the particular partition or the server hosting the particular partition; and
  
  upon a particular listener determining an associated attribute change is non-dynamic, then directing the system whether to restart one or both of;
  
  (a) the security realm associated with the particular partition, or(b) the server hosting the particular partition,to apply the attribute change, and cause the particular partition to be restarted with the changed attributes.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the configuration changes include at least one of:
    - adding a new security realm for a partition;
      
      deleting an existing security realm;
      
      changing configuration on an existing security realm;
      
      adding or removing a security provider to a security realm;
      
      orchanging configuration of a security provider.
  - 3. The system of claim 1, wherein the system includes a dynamic security configuration adjudicator that operates with the one or more listeners to apply new values of an attribute to impacted objects or to replace security configuration instances.
  - 4. The system of claim 3, wherein upon a particular listener detecting an associated attribute change, the dynamic security configuration adjudicator determines whether to restart the partition security realm to apply the attribute change.
  - 5. The system of claim 1, wherein each partition can include one or more resource groups.
  - 6. The system of claim 1, further comprising at least one of a console or other interface that enables specification of partition security settings for the one or more partitions.
  - 7. The system of claim 1, whereupon a particular attribute being changed and an associated listener determining it cannot handle the attribute change dynamically, the security realm is restarted by bringing up a new realm and shutting down the old realm.
  - 8. The system of claim 1, wherein if any changes within the security realm are determined to be non-dynamic, then the dynamic security configuration adjudicator directs the system to automatically restart the security realm for the partition, to apply those changes.
  - 9. The system of claim 1, wherein each partition security realm is associated with a configuration component that enables attributes of the security realm to be annotated as being dynamic attributes or non-dynamic attributes, and wherein the configuration component and its annotations are used to determine whether changes to particular security realm attributes are dynamic changes or non-dynamic changes.

10. A method for supporting dynamic security configuration in a multitenant application server environment, comprising:
- providing, at one or more computers, including an application server environment executing thereon,a domain for execution of software applications; and
  
  a plurality of partitions,wherein each partition provides an administrative and runtime subdivision of the domain, that can be associated with a tenant, andwherein the application server environment provides a plurality of realms associated with the plurality of partitions, including that each particular partition is associated with a particular security realm that is used with the particular partition and associated with one or more attributes; and
  
  wherein configuration changes for partition level security are made, by associating one or more listeners with the attributes of the security realm, that detect changes to the attributes, wherein each listener listens for changes to a specific attribute, and whereupon changes to the attributes being detected for the particular partition, a determination is made whether to restart one or both of the security realm associated with the particular partition, or a server hosting the particular partition, including;
  
  upon determining that the changes to the attributes are all dynamic changes, then applying the changes to the security realm for the particular partition, without restarting either the security realm associated with the particular partition or the server hosting the particular partition; and
  
  upon a particular listener determining an associated attribute change is non-dynamic, then directing whether one or both of;
  
  (a) the security realm associated with the particular partition, or(b) the server hosting the particular partition,is to be restarted, to apply the attribute change, and cause the particular partition to be restarted with the changed attributes.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein the configuration changes include at least one of:
    - adding a new security realm for a partition;
      
      deleting an existing security realm;
      
      changing configuration on an existing security realm;
      
      adding or removing a security provider to a security realm;
      
      orchanging configuration of a security provider.
  - 12. The method of claim 10, further comprising providing a dynamic security configuration adjudicator that operates with the one or more listeners to apply new values of an attribute to impacted objects or to replace security configuration instances.
  - 13. The method of claim 12, wherein upon a particular listener detecting an associated attribute change, the dynamic security configuration adjudicator determines whether to restart the partition security realm to apply the attribute change.
  - 14. The method of claim 10, wherein each partition can include one or more resource groups.
  - 15. The method of claim 10, further comprising providing at least one of a console or other interface that enables specification of partition security settings for the one or more partitions.
  - 16. The method of claim 10, wherein each partition security realm is associated with a configuration component that enables attributes of the security realm to be annotated as being dynamic attributes or non-dynamic attributes, and wherein the configuration component and its annotations are used to determine whether changes to particular security realm attributes are dynamic changes or non-dynamic changes.

17. A non-transitory computer readable storage medium, including instructions stored thereon which when read and executed by one or more computers cause the one or more computers to perform the steps comprising:
- providing an application server environment, together witha domain for execution of software applications; and
  
  a plurality of partitions,wherein each partition provides an administrative and runtime subdivision of the domain, that can be associated with a tenant, andwherein the application server environment provides a plurality of realms associated with the plurality of partitions, including that each particular partition is associated with a particular security realm that is used with the particular partition and associated with one or more attributes; and
  
  wherein configuration changes for partition level security are made, by associating one or more listeners with the attributes of the security realm, that detect changes to the attributes, wherein each listener listens for changes to a specific attribute, and whereupon changes to the attributes being detected for the particular partition, a determination is made whether to restart one or both of the security realm associated with the particular partition, or the server hosting the particular partition, including;
  
  upon determining that the changes to the attributes are all dynamic changes, then applying the changes to the security realm for the particular partition, without restarting either the security realm associated with the particular partition or a server hosting the particular partition; and
  
  upon a particular listener determining an associated attribute change is non-dynamic, then directing whether one or both of;
  
  (a) the security realm associated with the particular partition, or(b) the server hosting the particular partition,is to be restarted, to apply the attribute change, and cause the particular partition to be restarted with the changed attributes.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer readable storage medium of claim 17, wherein the configuration changes include at least one of:
    - adding a new security realm for a partition;
      
      deleting an existing security realm;
      
      changing configuration on an existing security realm;
      
      adding or removing a security provider to a security realm;
      
      orchanging configuration of a security provider.
  - 19. The non-transitory computer readable storage medium of claim 17, further comprising providing a dynamic security configuration adjudicator that operates with the one or more listeners to apply new values of an attribute to impacted objects or to replace security configuration instances.
  - 20. The non-transitory computer readable storage medium of claim 19, wherein upon a particular listener detecting an associated attribute change, the dynamic security configuration adjudicator determines whether to restart the partition security realm to apply the attribute change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Bower, Peter
Primary Examiner(s)
Gee, Jason K
Assistant Examiner(s)
Torres-Diaz, Lizbeth

Application Number

US14/866,644
Publication Number

US 20160094583A1
Time in Patent Office

1,558 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 9/44505   Configuring for program ini...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/5077   Logical partitioning of res...

H04L 41/0836   to enhance reliability, e.g...

H04L 41/12   Discovery or management of ...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System and method for dynamic security configuration in a multitenant application server environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for dynamic security configuration in a multitenant application server environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links