Method for delegating access rights through executable access control program without delegating access rights not in a specification to any intermediary nor compromising server security
First Claim
1. In a computing system comprising a server, a client, and at least one intermediary, a method of processing an ultimate request to the server, the ultimate request being delivered to the server as the final request in a chain comprising at least two linked requests, the client and all the intermediaries each being associated with one linked request of the chain, the intermediary that delivers the ultimate request to the server being the final intermediary in the chain and being designated as the requestor, the method comprising the steps of:
using the requestor to present to the server the ultimate request in conjunction with at least one executable access control program comprising at least one sequence of computer program instructions, the access control program being executable by a processor to express a specification of a set of access rights;
using the server to execute each access control program thus presented, each access control program being executed in a manner such that said access control program is prevented from compromising server security; and
if and only if the execution of each access control program thus presented is successful, using the server to execute the ultimate request in a manner consistent with the set of access rights, any access rights not in the set of access rights not being delegated to any intermediary nor being granted by the server.
Abstract
A method in which access control programs (ACPs) permit controlled delegation of access rights from clients to untrusted intermediaries. ACPs are programs that encode arbitrary specifications of delegated access rights. In the method, a client creates an ACP and associates it with a request to a server, the request being made through one or more intermediaries. When processing a request received from an intermediary, the server executes the access control program to determine whether or not to grant the request.
36 Claims
1. (Independent claim; text reproduced above under First Claim.) Dependent claims: 4, 9, 10, 11.

2. In a system comprising a client, a server, and one or more intermediaries that the client does not trust, a plurality of communications channels that connect the client, the server, and the intermediaries, one or more computing nodes, and a communications network, a method for performing a request issued by an intermediary to the server on behalf of the client, the method comprising the steps of:
using the client to create a client request; using the client to create an executable access control program, the access control program comprising at least one sequence of computer program instructions, the access control program being executable by a processor to express a specification of an arbitrary set of access rights to be delegated from the client to a first intermediary untrusted by the client, any access rights not in the set not being delegated to the first intermediary; using the client to associate the access control program with the client request; in response to the client request, using the first intermediary and zero or more additional intermediaries untrusted by the client to issue intermediary requests, all these intermediary requests being accompanied by the access control program; receiving a final intermediary request in the server; and using the server to execute the access control program in order to determine whether or not to grant the final intermediary request, the access control program being executed in a manner such that the access control program is prevented from compromising server security.

3. In a system comprising a client, a server, a number of intermediaries, the number being greater than or equal to one, a plurality of communications channels that connect the client, the server, and the intermediaries, and computing hardware to execute the client, server, and intermediaries and to support the communication channels, a method for performing a client request issued by the client to a first intermediary, the method comprising the steps of:
using the client to create the client request; using the client to create an executable access control program comprising at least one sequence of computer program instructions executable by a processor, the access control program being executable to express a specification of a set of access rights to be delegated from the client to the first intermediary, any access rights not in the set not being delegated to the first intermediary; using the client to associate the access control program with the client request; using the client and a communications channel from the client to the first intermediary to transmit the client request and its associated access control program from the client to the first intermediary; using the first intermediary to generate a first intermediary request; using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued; using the server to receive a service request and the access control program; using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of: using the server to execute the access control program, the access control program being executed in a manner such that the access control program is prevented from compromising server security; and using the server to check a value returned by the access control program thus executed; and if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request.
Dependent claims: 5, 6, 7, 8, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25.

26. In a system comprising a client, a server, a number of intermediaries, the number being greater than or equal to one, a plurality of communications channels that connect the client, the server, and the intermediaries, and computing hardware to execute the client, server, and intermediaries and to support the communication channels, a method for performing a client request issued by the client to a first intermediary, the method comprising the steps of:
using the client to create the client request; using the client to create an executable access control program, the access control program encoding a specification of a set of access rights to be delegated from the client to the first intermediary; using the client to digitally sign the access control program with a digital signature associated with the client; using the client to associate the access control program with the client request; using the client and a communications channel from the client to the first intermediary to transmit the client request and its associated access control program from the client to the first intermediary; using the first intermediary to generate a first intermediary request; using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued; using the server to receive a service request and the access control program; using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of using the server to execute the access control program, and using the server to check a value returned by the access control program thus executed, performing an additional test comprising the step of using the server to verify that the access control program bears a digital signature that is authentic and that is the client's, and performing two further additional tests of using the server to verify the identity of the first intermediary, and using the server to verify that the client has the rights that it purports to delegate via the access control program; and if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request.

27. In a system comprising a client, a server, a number of intermediaries, the number being greater than or equal to one, a plurality of communications channels that connect the client, the server, and the intermediaries, and computing hardware to execute the client, server, and intermediaries and to support the communication channels, and additionally comprising an authentication server, an additional communications channel between the authentication server and the client, and computing hardware to execute the authentication server and the additional communications channel, a method for performing a client request issued by the client to a first intermediary, the method comprising the steps of:
using the client to create the client request; using the client to create an executable access control program, the access control program encoding a specification of a set of access rights to be delegated from the client to the first intermediary; using the client to associate the access control program with the client request; using the client to request an authentication ticket; using the additional communications channel to transmit the request for the authentication ticket to the authentication server; using the authentication server to issue an authentication ticket; using the additional communications channel to transmit the authentication ticket to the client; using the client and a communications channel from the client to the first intermediary to transmit the client request and its associated access control program from the client to the first intermediary; using the first intermediary to generate a first intermediary request; using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued; using the server to receive a service request and the access control program; using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of using the server to execute the access control program, and using the server to check a value returned by the access control program thus executed; and if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request.
Dependent claims: 28, 29, 30.

31. In a system comprising a client, a server, a number of intermediaries, the number being greater than or equal to one, a plurality of communications channels that connect the client, the server, and the intermediaries, and computing hardware to execute the client, server, and intermediaries and to support the communication channels, a method for performing a client request issued by the client to a first intermediary, the method comprising the steps of:
using the client to create the client request; using the client to create an executable access control program, the access control program encoding a specification of a set of access rights to be delegated from the client to the first intermediary; using the client to associate the access control program with the client request; using the client and a communications channel from the client to the first intermediary to transmit the client request and its associated access control program from the client to the first intermediary; using the first intermediary to generate a first intermediary request; using the first intermediary and a communications channel to issue the first intermediary request and to transmit the access control program along with the first intermediary request thus issued; using the server to receive a service request and the access control program; using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of using the server to execute the access control program, and using the server to check a value returned by the access control program thus executed; if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request; using the client to designate a revocation object at the server associated with a right to be delegated that is encoded in the specification of the access control program; if and only if the server executes the service request, using the server to test for the existence of the revocation object thus designated; and if and only if the server finds that the revocation object exists, using the server to grant the delegated right associated with the revocation object, and otherwise using the server to deny the delegated right associated with the revocation object.
Dependent claims: 32, 33, 34, 35.

36. In a distributed file system comprising a plurality of nodes, each node comprising a processor and memory, a plurality of processes including at least one client, at least one file server, and at least one intermediary, each process executing on its own unique node, and a plurality of communications channels that connect the processes to one another, a method for performing a client request issued by the client to the intermediary, the method comprising the steps of:
using the client to create the client request; using the client to create an executable access control program, the access control program encoding a specification of a set of access rights to be delegated from the client to the intermediary; using the client to digitally sign the access control program; using the client to associate the access control program thus digitally signed with the client request; using the client and a communications channel from the client to the intermediary to transmit the client request and its associated access control program from the client to the intermediary; using the intermediary to generate an intermediary request; using the intermediary and a communications channel to issue the intermediary request and to transmit the access control program along with the intermediary request thus issued; using the server to receive a service request and the access control program; using the server to make a determination whether the access control program is valid by performing a test that comprises the steps of: using the server to verify that the access control program bears a digital signature that is authentic and that is the client's; using the server to verify the identity of the first intermediary; and using the server to verify that the client has the rights that it purports to delegate via the access control program; if and only if the server thus determines that the access control program is valid, using the server to make a determination whether the client approves the service request by performing a test that comprises the steps of: using the server to execute the access control program; and using the server to check a value returned by the access control program thus executed; and if and only if the determination thus made by the server is that the client approves the service request, using the server to execute the service request, and otherwise using the server to deny the service request.
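A constructed Python sketch of the delegation flow that claims 1, 26, 31 and 36 describe (an added example, not code from the patent): the client encodes the delegated rights as a declarative access control program and signs it; the server verifies the signature, interprets the program in a confined evaluator, intersects the returned set with the rights the client actually holds and with the live revocation objects, and executes only a request that falls entirely inside that set. An HMAC under a key shared by client and server stands in for the client's digital signature, the requestor identity is assumed to arrive over an authenticated channel, and every key, name and right below is constructed.

```python
import hashlib
import hmac
import json

# Constructed example (not the patent's code). The access control program (ACP)
# is a small declarative rule list rather than native code, so the server can
# interpret it in a confined evaluator with a rule limit instead of executing
# untrusted instructions directly. An HMAC over the ACP with a key shared by
# client and server stands in for the client's digital signature (assumption).
CLIENT_KEY = b"constructed-client-key"
CLIENT_RIGHTS = {"read:/docs", "write:/docs", "read:/home"}  # rights the client holds

def make_acp(intermediary, rights):
    """Client side: encode the delegated rights for one requestor and sign the ACP."""
    acp = {"rules": [{"if_requestor": intermediary, "grant": sorted(rights)}]}
    body = json.dumps(acp, sort_keys=True).encode()
    return body, hmac.new(CLIENT_KEY, body, hashlib.sha256).hexdigest()

def run_acp(body, requestor, max_rules=16):
    """Confined ACP interpreter: fixed grammar, bounded work, returns a rights set."""
    rules = json.loads(body).get("rules", [])
    if not isinstance(rules, list) or len(rules) > max_rules:
        raise ValueError("malformed or oversized ACP")
    for rule in rules:
        if rule.get("if_requestor") == requestor:
            return set(rule.get("grant", []))
    return set()  # no rule matched: the ACP approves nothing for this requestor

def server_handle(body, sig, requestor, wanted, revocation_objects):
    """Server side: the tests of claims 26/31/36, then execution within the delegated set.
    `requestor` is the final intermediary's identity, assumed to come from an
    authenticated channel; `revocation_objects` are the server-side objects the
    client designated (deleting one revokes the associated right)."""
    expected = hmac.new(CLIENT_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"                 # ACP not authentic / not the client's
    delegated = run_acp(body, requestor)             # execute ACP, check returned value
    if not delegated:
        return None, "ACP denied requestor"
    delegated &= CLIENT_RIGHTS                        # client cannot delegate rights it lacks
    delegated = {r for r in delegated if r in revocation_objects}  # revoked rights drop out
    missing = wanted - delegated
    if missing:                                      # nothing outside the set is granted
        return None, "not delegated: " + ", ".join(sorted(missing))
    return sorted(wanted), "granted"
```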
Specification