Authorization framework
First Claim
1. A method comprising:
receiving a request to access a resource of a computer system storing a first plurality of authorization plugin modules;
obtaining, by the computer system, a configuration identifying a second plurality of authorization plugin modules that is a proper subset of the first plurality of authorization plugin modules by accessing a configuration file identifying the second plurality of authorization plugin modules;
executing, by the computer system, each of the second plurality of authorization plugin modules to generate a plurality of authorization decisions;
obtaining, by the computer system, an authorization policy specifying logic to determine whether to grant the request based on the plurality of authorization decisions by accessing a policy database comprising a plurality of authorization policies; and
determining, by the computer system, whether to grant the request using the logic specified in the authorization policy and the plurality of authorization decisions.
Abstract
Embodiments of the present invention provide an authorization framework that can accept one or more pluggable authorization modules, and the final authorization decision can be a collective decision of these modules based on some criteria. The authorization framework of the present invention can be used by an application to call upon one or more pluggable authorization modules, which can be configured externally by some mechanism, to make individual authorization decisions. The overall authorization decision by the authorization framework is a cumulative decision of the individual modules based on some criteria that can be configured. Each pluggable authorization module can be configured to perform its own authorization decision-making process that can be different from those of the other modules.
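The flow in the abstract and in claim 1, as an added Python sketch that is not taken from the patent: a configuration selects a subset of the installed plugins, each selected plugin returns a decision, and a per-resource policy combines them. The plugin names, request fields, the `enabled_plugins` key and both policies are assumptions, as is the deny-by-default handling of plugin errors, missing policies and an empty plugin set, which the text does not specify.

```python
import json

# First plurality: every plugin module stored on the system (hypothetical plugins).
def role_check(req): return req["role"] in ("admin", "editor")
def ip_allowlist(req): return req["ip"].startswith("10.")
def business_hours(req): return 9 <= req["hour"] < 17
def mfa_check(req): return req["mfa"]  # raises KeyError when the field is absent

INSTALLED = {f.__name__: f for f in (role_check, ip_allowlist, business_hours, mfa_check)}

# Constructed configuration file content: the enabled subset of INSTALLED.
CONFIG = json.loads('{"enabled_plugins": ["role_check", "ip_allowlist", "mfa_check"]}')

# Constructed policy database: resource -> logic over the per-plugin decisions.
# A decision missing from d (plugin not enabled) is read as a deny.
POLICY_DB = {
    "/reports": lambda d: all(d.values()),
    "/wiki": lambda d: d.get("role_check", False)
    and (d.get("ip_allowlist", False) or d.get("mfa_check", False)),
}

def load_enabled(config, installed=INSTALLED):
    names = config.get("enabled_plugins", [])
    unknown = [n for n in names if n not in installed]
    if unknown:
        raise ValueError(f"config names plugins that are not installed: {unknown}")
    if not names:
        # all() over zero decisions is True, so an empty set would grant everything.
        raise ValueError("no authorization plugins enabled")
    return {n: installed[n] for n in names}

def run_plugins(plugins, req):
    decisions = {}
    for name, plugin in plugins.items():
        try:
            decisions[name] = plugin(req) is True  # only an explicit True grants
        except Exception:
            decisions[name] = False  # a failing plugin counts as a deny
    return decisions

def authorize(req, config=CONFIG, policy_db=POLICY_DB):
    policy = policy_db.get(req.get("resource"))
    if policy is None:
        return False, {}  # no policy for this resource: deny
    decisions = run_plugins(load_enabled(config), req)
    return bool(policy(decisions)), decisions
```

`authorize` returns the per-plugin decisions alongside the verdict so that the reason for a grant or deny can be logged.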
14 Claims
7. An apparatus comprising:
data storage to store a first plurality of authorization plugin modules; and
a server coupled to the data storage to:
receive a request to access a resource;
obtain a configuration identifying a second plurality of authorization plugin modules that is a proper subset of the first plurality of authorization plugin modules by accessing a configuration file identifying the second plurality of authorization plugin modules;
execute each of the second plurality of authorization plugin modules to generate a plurality of authorization decisions;
obtain an authorization policy specifying logic to determine whether to grant the request based on the plurality of authorization decisions by accessing a policy database comprising a plurality of authorization policies; and
determine whether to grant the request using the logic specified in the authorization policy and the plurality of authorization decisions.
Specification