SYSTEM AND METHOD FOR DYNAMIC ROLE ASSOCIATION

US 20080256610A1
Filed: 06/19/2008
Published: 10/16/2008
Est. Priority Date: 06/11/2001
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a security service that makes decisions to permit or deny access requests;

an application container that receives an access request for a protected resource from a client and delegates authorization decisions to the security service by passing the access request and a callback handler to the security service; and

a plurality of security plug-ins at the security provider that use the callback handler to request context information describing the access request, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;

wherein the security service determines entitlements for the client to use with the protected resource based on the access decisions from the plurality of security plug-ins.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

43 Citations

View as Search Results

19 Claims

1. A system, comprising:
- a security service that makes decisions to permit or deny access requests;
  
  an application container that receives an access request for a protected resource from a client and delegates authorization decisions to the security service by passing the access request and a callback handler to the security service; and
  
  a plurality of security plug-ins at the security provider that use the callback handler to request context information describing the access request, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;
  
  wherein the security service determines entitlements for the client to use with the protected resource based on the access decisions from the plurality of security plug-ins.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1 wherein the security service further includes an access controller for transferring the access request to the plurality of security plug-ins, and for combining the access decisions into an overall decision by the security service to permit or deny the access request.
  - 3. The system of claim 1 wherein one or more of the plurality of the security plug-ins represent a business function related authorization policy.
  - 4. The system of claim 1 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 5. The system of claim 1 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 6. The system of claim 1 wherein late binding of principals to roles at runtime occurs just prior to an authorization decision for the protected resource regardless of whether the principal-to-role association is statically defined or dynamically computed.
  - 7. The system of claim 1, wherein computation of a role occurs immediately before an authorization decision for the protected resource.

8. A method, comprising:
- receiving at an application container an access request from a client to access a protected resource;
  
  communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
  
  using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
  
  determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;
  
  making a decision at the security service to permit or deny the access request; and
  
  communicating a permitted access request to the protected resource.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8 wherein one or more of the plurality of the security plug-ins represent a business function related access policy.
  - 10. The method of claim 8 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 11. The method of claim 8 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 12. The method of claim 8 wherein late binding of principals to roles at runtime occurs just prior to an authorization decision for the protected resource regardless of whether the principal-to-role association is statically defined or dynamically computed.
  - 13. The method of claim 8, wherein computation of a role occurs immediately before an authorization decision for the protected resource.

14. A computer readable storage medium storing instructions, the instructions comprising:
- receiving at an application container an access request from a client to access a protected resource;
  
  communicating the access request from the application container to a security service with the access request and a callback handler, wherein a plurality of security plug-ins are plugged into the security service;
  
  using the callback handler at each of the plurality of security plug-ins to request context information from the application container for the access request;
  
  determining entitlements for the client to use with the protected resource depending on output from each of the plurality of security plug-ins, wherein each of the plurality of security plug-ins determines an access decision, wherein one or more access decisions can be an abstain;
  
  making a decision at the security service to permit or deny the access request; and
  
  communicating a permitted access request to the protected resource.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer readable storage medium of claim 14 wherein one or more of the plurality of the security plug-ins represent a business function related access policy.
  - 16. The computer readable storage medium of claim 14 wherein a deny or abstain by any one of the plurality of security plug-ins causes the security service to deny the access request.
  - 17. The computer readable storage medium of claim 14 wherein an abstain by any one of the plurality of security plug-ins does not cause the security service to deny the access request.
  - 18. The computer readable storage medium of claim 14 wherein late binding of principals to roles at runtime occurs just prior to an authorization decision for the protected resource regardless of whether the principal to role association is statically defined or dynamically computed.
  - 19. The computer readable storage medium of claim 14, wherein computation of a role occurs immediately before an authorization decision for the protected resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Patrick, Paul

Granted Patent

US 7,823,189 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/6245   Protecting personal data, e...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

SYSTEM AND METHOD FOR DYNAMIC ROLE ASSOCIATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR DYNAMIC ROLE ASSOCIATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links