Authorization framework

US 8,806,637 B2
Filed: 06/11/2007
Issued: 08/12/2014
Est. Priority Date: 06/11/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving a request to access a resource of a computer system storing a first plurality of authorization plugin modules;

obtaining, by the computer system, a configuration identifying a second plurality of authorization plugin modules that is a proper subset of the first plurality of authorization plugin modules by accessing a configuration file identifying the second plurality of authorization plugin modules;

executing, by the computer system, each of the second plurality of authorization plugin modules to generate a plurality of authorization decisions;

obtaining, by the computer system, an authorization policy specifying logic to determine whether to grant the request based on the plurality of authorization decisions by accessing a policy database comprising a plurality of authorization policies; and

determining, by the computer system, whether to grant the request using the logic specified in the authorization policy and the plurality of authorization decisions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide an authorization framework that can accept one or more pluggable authorization modules and the final authorization decision can be a collective decision of these modules based on some criteria. The authorization framework of the present invention can be used by an application to call upon one or more pluggable authorization modules, which can be configured externally by some mechanism, to make individual authorization decisions. The overall authorization decision by the authorization framework is cumulative decision of the individual modules based on some criteria that can be configured. Each pluggable authorization module can be configured to perform its own authorization decision making process that can be different from those of the other modules.

16 Citations

View as Search Results

14 Claims

1. A method comprising:
- receiving a request to access a resource of a computer system storing a first plurality of authorization plugin modules;
  
  obtaining, by the computer system, a configuration identifying a second plurality of authorization plugin modules that is a proper subset of the first plurality of authorization plugin modules by accessing a configuration file identifying the second plurality of authorization plugin modules;
  
  executing, by the computer system, each of the second plurality of authorization plugin modules to generate a plurality of authorization decisions;
  
  obtaining, by the computer system, an authorization policy specifying logic to determine whether to grant the request based on the plurality of authorization decisions by accessing a policy database comprising a plurality of authorization policies; and
  
  determining, by the computer system, whether to grant the request using the logic specified in the authorization policy and the plurality of authorization decisions.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein at least one of the second plurality of authorization plugin modules is configured by an external mechanism.
  - 3. The method of claim 1, wherein the authorization policy is defined in extensible access control markup language.
  - 4. The method of claim 1, wherein the authorization policy implements a Java™
    - authorization contract for containers.
  - 5. The method of claim 1, wherein a first authorization plugin module exchanges information with a second authorization plugin module using a protocol selected by an external mechanism.
  - 6. The method of claim 1, wherein determining whether to grant the request comprises a cumulative decision of the plurality of authorization decisions.

7. An apparatus comprising:
- data storage to store a first plurality of authorization plugin modules; and
  
  a server coupled to the data storage to;
  
  receive a request to access a resource;
  
  obtain a configuration identifying a second plurality of authorization plugin modules that is a proper subset of the first plurality of authorization plugin modules by accessing a configuration file identifying the second plurality of authorization plugin modules;
  
  execute each of the second plurality of authorization plugin modules to generate a plurality of authorization decisions;
  
  obtain an authorization policy specifying logic to determine whether to grant the request based on the plurality of authorization decisions by accessing a policy database comprising a plurality of authorization policies; and
  
  determine whether to grant the request using the logic specified in the authorization policy and the plurality of authorization decisions.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14)
- - 8. The apparatus of claim 7, wherein the authorization policy is based on a set of rules.
  - 9. The apparatus of claim 7, wherein determining whether to grant the request is based on the contents of an object.
  - 10. The apparatus of claim 7, wherein determining whether to grant the request is based on an editable file that associates the second plurality of authorization plugin modules with a calling application that provided the request.
  - 11. The apparatus of claim 7, wherein determining whether to grant the request comprises combining the plurality of authorization decisions.
  - 12. The apparatus of claim 7, wherein the authorization policy is defined in extensible access control markup language.
  - 13. The apparatus of claim 7, wherein the authorization policy implements a Java™
    - authorization contract for containers.
  - 14. The apparatus of claim 7, wherein a first authorization plugin module communicates with a second authorization plugin module using a protocol selected by an external mechanism.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Saldhana, Anil J.
Primary Examiner(s)
LEWIS, LISA C

Application Number

US11/761,175
Publication Number

US 20080307506A1
Time in Patent Office

2,619 Days
Field of Search

726/4
US Class Current

726/24
CPC Class Codes

H04L 63/105 Multiple levels of security

H04L 63/20 for managing network securi...

Authorization framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

16 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Authorization framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links