
System and method for server security and entitlement processing

A server security and entitlement processing technology, in the field of server security mechanisms, that addresses the frustration of customers and system integrators, a security mechanism not suited to easy modification of its rules, and little or no understanding of the manner in which an access request is made.

Inactive Publication Date: 2007-07-05
BEA SYST INC
Cites: 42; Cited by: 25

AI Technical Summary

Benefits of technology

[0018] The invention is related generally to server security mechanisms, and specifically to an architecture that provides for server security and entitlement processing. A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes.
[0019] The invention also introduces the concept of entitlements that are used within an access context. As used in the context of this application, a “user” or a “client” may refer to the same thing: either a physical person, a hardware device or software application under control of the physical person, or a hardware device or software application operating under autonomous control without user intervention. The user (or client) is the entity which is trying to access a protected resource on the server. This protected resource may, for example, be a software application running on the server, a particular Web page or portion of a Web site, or a database.
[0020] When the user attempts to access the resource, the security service may determine the type of access request, the destination (protected resource), and the setting in which the request is made—hereinafter referred to as the access context or simply the context. From this information the security service can determine an “entitlement”, or a set of entitlements, for the user. Entitlements clearly denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.
[0021] To illustrate the capability, consider the following business example: The answer to the question “Can Dr. Smith update a patient's medical chart?” is dependent upon the context in which the question is asked. In a permission-based authorization system, this context is absent since the resource is some instance of a ‘medical chart’ object, the request is to ‘update’, and the Subject is ‘Dr. Smith’. Consequently, if the answer rendered is ‘Yes’, then Dr. Smith could update any patient's medical chart. In a capabilities-based authorization system, it is possible to add the necessary context of who the patient in question is. Thus, the question can now be rephrased as “Can Dr. Smith update Jon Joe's medical chart?” In determining the answer to this question, we now need to know if Dr. Smith is Jon Joe's personal physician, or perhaps an attending physician at a medical center. Using a simple notation we can represent the concept as follows:
[0022] In one embodiment, the invention comprises a security system for allowing a client to access a protected resource, comprising an application interface mechanism for receiving an access request from a client application to access a protected resource, and communicating said access request to a security service; a security service for making a decision to permit or deny said access request; and a resource interface for communicating permitted access requests to said protected resource.
[0023] In another embodiment the invention comprises a method of allowing a client to access a protected resource, comprising receiving at an application interface mechanism an access request from a client application to access a protected resource and communicating said access request to a security service; making a decision at said security service to permit or deny said access request; and communicating via a resource interface a permitted access request to said protected resource.
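The permission-based versus capabilities-based distinction of [0021], and the three-part arrangement of [0022] (application interface, security service, resource interface), as an added worked example. This is illustration code written for this page, not code from the patent or from BEA's products; the pluggable security service, the two plugins, and all subject, patient and medical-center names are constructed for the example. The permission plugin ignores the access context and therefore lets Dr. Smith update any chart; the entitlement plugin derives an entitlement from the context (who the patient is, where the request is made) and otherwise denies.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """What the security service sees: who asks, what action, which resource type, in what setting."""
    subject: str                                            # e.g. "dr.smith"
    action: str                                             # e.g. "update"
    resource_type: str                                      # e.g. "medical_chart"
    context: Dict[str, str] = field(default_factory=dict)   # e.g. {"patient": "jon.joe"}


# A plugin returns True (permit), False (deny) or None (no opinion: consult the next plugin).
Plugin = Callable[[AccessRequest], Optional[bool]]


class SecurityService:
    """Focal point for access decisions; plugins are consulted in registration order, default deny."""

    def __init__(self) -> None:
        self._plugins: List[Plugin] = []

    def register(self, plugin: Plugin) -> None:
        self._plugins.append(plugin)

    def decide(self, request: AccessRequest) -> bool:
        for plugin in self._plugins:
            verdict = plugin(request)
            if verdict is not None:
                return verdict
        return False  # no plugin rendered a verdict: deny


# Constructed, hypothetical policy data for the illustration only.
SUBJECT_ROLES: Dict[str, Set[str]] = {"dr.smith": {"physician"}, "dr.patel": {"physician"}}
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {"physician": {("update", "medical_chart")}}
PERSONAL_PHYSICIAN: Dict[str, str] = {"jon.joe": "dr.smith", "ann.lee": "dr.patel"}
ATTENDING_AT: Dict[str, Set[str]] = {"dr.smith": {"city.medical.center"}}


def permission_plugin(req: AccessRequest) -> Optional[bool]:
    """Permission-based: a role grants (action, resource type); the access context is ignored."""
    for role in SUBJECT_ROLES.get(req.subject, set()):
        if (req.action, req.resource_type) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return None


def entitlement_plugin(req: AccessRequest) -> Optional[bool]:
    """Capabilities-based: derive an entitlement for this chart from the access context."""
    if (req.action, req.resource_type) != ("update", "medical_chart"):
        return None                      # not this plugin's concern; another plugin may decide
    patient = req.context.get("patient")
    if patient is None:
        return False                     # without the patient no entitlement can be established
    if PERSONAL_PHYSICIAN.get(patient) == req.subject:
        return True                      # subject is this patient's personal physician
    if req.context.get("medical_center") in ATTENDING_AT.get(req.subject, set()):
        return True                      # subject is attending at the center where the request is made
    return False


def permission_only_service() -> SecurityService:
    svc = SecurityService()
    svc.register(permission_plugin)
    return svc


def entitlement_service() -> SecurityService:
    svc = SecurityService()
    svc.register(entitlement_plugin)     # context-aware plugin first; it yields None for other requests
    svc.register(permission_plugin)
    return svc


def can_update_chart(svc: SecurityService, subject: str, patient: Optional[str] = None,
                     medical_center: Optional[str] = None) -> bool:
    """Application interface: build the access request (with its context) and ask the service."""
    context: Dict[str, str] = {}
    if patient:
        context["patient"] = patient
    if medical_center:
        context["medical_center"] = medical_center
    return svc.decide(AccessRequest(subject, "update", "medical_chart", context))


class ResourceInterface:
    """Forwards only permitted requests to the protected resource (here, an in-memory chart store)."""

    def __init__(self, svc: SecurityService) -> None:
        self.svc = svc
        self.charts: Dict[str, List[str]] = {}

    def update_chart(self, req: AccessRequest, note: str) -> bool:
        if not self.svc.decide(req):
            return False
        self.charts.setdefault(req.context.get("patient", "<unknown>"), []).append(note)
        return True


if __name__ == "__main__":
    for name, svc in (("permission-only", permission_only_service()), ("entitlement", entitlement_service())):
        print(name, "dr.smith/jon.joe:", can_update_chart(svc, "dr.smith", "jon.joe"),
              "dr.smith/ann.lee:", can_update_chart(svc, "dr.smith", "ann.lee"))
```

Run stand-alone, the permission-only service answers True for both patients, while the entitlement service answers True for Jon Joe (personal physician) and False for Ann Lee unless the request is made at a center where Dr. Smith is attending. Ordering the context-aware plugin before the role plugin matters: a plugin that returns a verdict ends the evaluation, so a deny from the entitlement plugin cannot be overridden by the coarser role grant.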

Problems solved by technology

There is little or no understanding of the manner in which the request is made, or the environmental setting in which a particular user may make a request to access a resource, and the security mechanism does not lend itself to easy modification of the rules to reflect new changes in business policy regarding security.
Customers and system integrators are frustrated with the fact that they are required to embed code that enforces business policy within applications.
Embedding this type of logic creates deployment problems, in that the application must be modified, tested, and re-deployed each time the business policies are changed.
Given the rate at which business policy changes, the current requirements for modification and re-deployment are unacceptable.
However, because it is based on a declarative scheme, the association of roles to principals is static.
In addition, the current Java 2 Enterprise Edition specification provides no means by which the context of a business request, such as the parameters of the request or the identity of the target, can be taken into account when determining the roles to be associated with a given principal.
The lack of a single mechanism through which to integrate these new authorization capabilities, regardless of execution or resource container type, is a point of frustration with customers and system integrators.
This SPI realm has a number of limitations that limit its ability to be used as a successful means to integrate 3rd-party authorization mechanisms, or new authorization capabilities being required by customers and system integrators.
One of the largest limitations with the current “realm” SPI is scope of enforcement.
While the realm could conceivably be updated to hold the definition of the authorization policies required to support protection of such resources, it is the other limitations that ultimately make the realm an unrealistic mechanism to address all the authorization requirements.
The current realm mechanism does not allow the point at which the decision is made to allow access to a protected resource to exist within the realm itself.
The complexities of providing a Java 2 Policy object that can also support the Java 2 sandbox rules is unacceptable to most vendors.
Yet another limitation is the Enforcement Mechanism Support of the current realm SPI.
This is counter to the capabilities of the leading 3rd-party authorization providers, the integration of which is being requested by customers and systems integrators on a daily basis.
Together, these limitations constrain the types of authorization providers that can be integrated with an enterprise application server without minimizing the value proposition of the provider.
There remains no current capability to obtain the context of the request in order to provide the rich authorization requested.


Embodiment Construction

[0035] An embodiment of the invention includes a security architecture that provides for server security and entitlement processing, that allows security and business logic plugins to be inserted into a security service hosted by a server, and that can be used to control access to one or more secured resources on that server, on another server within the security domain or realm, or between security realms. The security service acts as a focal point for security enforcement and access rights determination, and information used within one login process can flow automatically to other login processes, allowing for single sign-on security enforcement.

[0036] Except for the new terms that are defined below, the terms used in this document are consistent with terminology as defined in standard texts on Java, Enterprise Java Beans, WebLogic Server, and other generally accepted security concepts.

[0037] access control: the restriction of access to resources to prevent its unauthorized use. ...


Abstract

A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

Description

CLAIM OF PRIORITY

[0001] This application is a divisional of U.S. patent application Ser. No. 09/878,536, entitled “SYSTEM AND METHOD FOR SERVER SECURITY AND ENTITLEMENT PROCESSING,” by Paul B. Patrick, filed Jun. 11, 2001, which is hereby incorporated herein by reference.

COPYRIGHT NOTICE

[0002] A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

FIELD OF THE INVENTION

[0003] The invention is related generally to server security mechanisms, and specifically to an architecture for server security.

BACKGROUND OF THE INVENTION

[0004] Over the years the term “security” as applied to server technology, and particularly to e-commerce servers, has expanded to cover several aspects...


Application Information

Patent Type & Authority: Applications (United States)
IPC(8): H04L9/32, G06F12/14, G06F21/00, G06F15/00, G06F21/62, H04L9/00
CPC: G06F21/6245, G06F2221/2145, G06F2221/2141
Inventor PATRICK, PAUL
Owner BEA SYST INC