WO2006010707A1 - A generic declarative authorization scheme for java - Google Patents
A generic declarative authorization scheme for java Download PDFInfo
- Publication number
- WO2006010707A1 WO2006010707A1 PCT/EP2005/053347 EP2005053347W WO2006010707A1 WO 2006010707 A1 WO2006010707 A1 WO 2006010707A1 EP 2005053347 W EP2005053347 W EP 2005053347W WO 2006010707 A1 WO2006010707 A1 WO 2006010707A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- application object
- application
- authorization
- object group
- policy
- Prior art date
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 192
- 238000000034 method Methods 0.000 claims abstract description 116
- 230000007613 environmental effect Effects 0.000 claims abstract description 30
- 230000009471 action Effects 0.000 claims description 25
- 230000008859 change Effects 0.000 claims description 10
- 238000010586 diagram Methods 0.000 description 5
- 238000011161 development Methods 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000007246 mechanism Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 244000035744 Hura crepitans Species 0.000 description 2
- 244000046052 Phaseolus vulgaris Species 0.000 description 2
- 235000010627 Phaseolus vulgaris Nutrition 0.000 description 2
- 230000014509 gene expression Effects 0.000 description 2
- 235000006719 Cassia obtusifolia Nutrition 0.000 description 1
- 235000014552 Cassia tora Nutrition 0.000 description 1
- 244000201986 Cassia tora Species 0.000 description 1
- 230000008901 benefit Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 230000008260 defense mechanism Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000002093 peripheral effect Effects 0.000 description 1
- 230000008569 process Effects 0.000 description 1
- VEMKTZHHVJILDY-UHFFFAOYSA-N resmethrin Chemical compound CC1(C)C(C=C(C)C)C1C(=O)OCC1=COC(CC=2C=CC=CC=2)=C1 VEMKTZHHVJILDY-UHFFFAOYSA-N 0.000 description 1
- 241000894007 species Species 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
- G06F21/121—Restricting unauthorised execution of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
Definitions
- the embodiments of the invention generally relate to software application de ⁇ velopment, and more particularly to Java -based security and authorization software application development systems and methods.
- Java available from Sun Mi ⁇ crosystems, Inc., Santa Clara, California, USA, is the most popular platform for component-based software and systems.
- Java ® security plays a key role in e-commerce enterprise systems. Security features are typically built into an application in an ad-hoc manner or integrated with an enterprise J2EE ® (Java ® 2 Platform Enterprise Edition), available from Sun Microsystems, Inc., Santa Clara, California, USA, application using container managed authentication and authorization. There are several reasons for such a situation. First, security must be handled by nearly all of the components of the application; however its integration in the software development is not centralized.
- Java ® Authentication and Authorization Service is a Java ® package that enables services to authenticate and enforce access controls on users.
- JAAS is a set of Java ® Application Program Interfaces (APIs) that can be used for two purposes: (1) for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an ap ⁇ plication, an applet, a bean, or a servlet; and (2) for authorization of users to determine if the authenticated user is allowed to access the resource (which can be the Java ® code or some object/entity accessed by the Java code), regardless of whether the code is running as an application, an applet, a bean, or a servlet.
- APIs Java ® Application Program Interfaces
- Java au ⁇ thentication is performed in a pluggable fashion. This permits Java applications to remain independent from the underlying authentication technologies. Moreover, new or updated technologies can be plugged in without requiring modifications to the ap ⁇ plication itself.
- Java uses three types of defense mechanisms: byte-code verifier, class loader, and security manager. In Java ® Version 1.0, applets operate in a "sandbox," which restricts the applet's ability to either affect the machine they are executed on or to obtain any sensitive information from it. As such, nothing much can be accessed locally. In later versions of Java , applets are allowed to escape the sandbox if the machine running it allows it to do so based on signing information.
- Java version 1.2 provides for policy based security architecture.
- the policy is defined by a set of permissions for code in various locations and by various signers. Permission allows access to certain actions on a certain resource. Usually, resource names and their associated actions are enumerated in a policy file.
- Figure 1 illustrates a typical policy file in Java ® .
- FIG. 2 illustrates a typical code for protecting a Java method using AccessController. The example illustrated in Figure 2 shows how a resource is protected by calling the AccessController before accessing the resource. i-The AccessController checks the requested permission with the application's current authorization policy. If any permission defined in the policy file implies the requested permission, the method "checkPermission" command simply returns; otherwise an Ac- cessControlException is initiated.
- JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users. JAAS reliably and securely determines who is currently executing the Java code and whether it is allowed to do so. Moreover, JAAS implements a Java ® technology version of the standard Pluggable Authentication Modu Ie (PAM) framework. This permits Java applications to remain independent from the underlying authentication mechanism.
- PAM Pluggable Authentication Modu Ie
- JAAS includes two primary components: authentication and authorization.
- JAAS adds subject based policies to the Java ® version 2 security model. Permission is granted not only based on the CodeSource but also based on the user executing the code. For this the user is first authenticated.
- JAAS distribution contains various LoginModules implementations to retrieve the user id and password from the user.
- the LoginContext uses a login configuration file to determine which LoginModule to use for au ⁇ thentication.
- the Subject class is used to encapsulate the credentials of the au ⁇ thenticated user. A subject can have multiple identities called principals.
- each grant statement is associated with a principal.
- the AccessController For each principal associated with the subject, the AccessController obtains permissions from the PolicyFile and checks whether any permission implies the requested permission. Otherwise, the AccessController initiates an AccessControlException.
- Figure 3 il ⁇ lustrates the typical policy for principal based authorization in JAAS.
- a container serves as an authorization boundary between the components it hosts and their callers.
- the container establishes the identity of the user of the calling code.
- Access to the called component an EJB (Enterprise JavaBeans , available from Sun Microsystems, Inc., Santa Clara, California, USA), or a web component, is determined by comparing the caller's security attributes with those required to access the called component.
- a deployer es ⁇ tablishes the container-enforced access control rules for a J2EE ® application.
- the deployer maps an application permission model, typically supplied by the application assembler, to mechanisms specific to the runtime environment.
- the deployment descriptor defines security roles and their associated access rights for various components.
- the deployer assigns security roles to specific callers to establish the access rights of users in the runtime environment. For example, a deployer can map a security role to a list of principal identities in the operational environment. Then, callers, authenticated with one of these identities, are assigned the privilege represented by the role.
- a J2EE container makes access control decisions before the dispatching method calls to a component. Thus, declarative access control can be assigned with the method's granularity.
- the J2EE ® container does not factor in the logic or state of the component in these access decisions.
- programmatic authorization is required to be performed by the code developer.
- a component can use two methods to perform fine-grained access control: EJBContextisCallerlnRole (for EJB components) and HttpServletRequesUsUserlnRole (for web components).
- EJBContextisCallerlnRole for EJB components
- HttpServletRequesUsUserlnRole for web components.
- a component uses these methods to determine whether a caller has been granted a privilege selected by the component based on the parameters of the call, the internal state of the component, or other factors such has runtime parameters.
- the declarative authorization is an external access control policy configured by the deployer whereas the programmatic authorization is through an internal policy embedded in the application by the component developer.
- the internal policy is more fine-grained whereas the external policy is more flexible.
- the external policy is transparent whereas the internal policy is buried in the application.
- "Employees can only access their own salary information” programmatic au ⁇ thorization is required, which cannot be changed in the future, if required.
- JAAS is built on top of the pre-existing security model of Java , which is CodeSource based and the plaintext format policy file implementation. JAAS implements authorization based on the class accessed by a certain component.
- the AccessController.checkPermission (Permission perm) is called to determine whether the caller has the authority to perform the action on the called CodeSource.
- the permission object perm represents the required access to a resource.
- the permission object can specify things such as name of the permission (which may indicate the resource on which access is required), action for which the resource is, accessed, etc.
- the permission class implements an implied method to be called by the Access- Controller to determine whether a granted permission implies the requested permission. For implementing class instance level authorization, one needs to have a new implementation of permissions having an object instance as one of its field. That object can be used in the implied method to decide autho ⁇ rizations.
- This abstract class is used for representing a collection of permission objects. This class can be implemented to have a desired manner of storing the granted permissions and comparing them with the requested permission to determine if any of the granted permissions implies a requested permission.
- java.security .Policy This is an abstract class for storing security policies in a Java ® application environment.
- the AccessController contacts the policy im ⁇ plementation to obtain the permissions for an authenticated subject on a CodeSource.
- the policy object consults its policy specification and returns an appropriate PermissionCollection object enumerating the permissions that are allowed.
- sun.security.provider.PolicyFile implementation is used for policy implementation.
- the LoginModule describes the interface implemented by the authentication provider. It retrieves the username and password(s) from the callbacks, which, by default, performs some user interaction.
- the LoginModule can be extended to delegate the au ⁇ thentication to some external adaptor.
- the Principal interface represents the abstract notion to be used to represent an entity such as an individual, an organization, a group, or a login id. Group, KerberosPrincipal, etc. are well known imple ⁇ mentations of Principal. By extending the Principal one can add custom properties to be used for authorization.
- JAAS does not support class instance level authorization; i.e., the authorization in JAAS is performed on the basis of the class name and not on the basis of a specific instance of the class.
- the specification for a web-based, self-service auction application may have the following requirement: "Any registered (authenticated) user can create an auction but only the user who created the auction may modify it.” This means that any user can execute the code written to create an auction class instance, but only the user who owns that instance may execute code designed to modify it.
- the user who created the auction instance will be the owner. What this implies is that people of the same role might have different access rights based on their attributes or the actions that they have performed in the past.
- this type of authorization cannot be supported using JAAS.
- JAAS authorization extends the existing Java ® security architecture that uses a security policy to specify what access rights are granted to the executing code.
- This security architecture as provided in the Java ® version 2 platform, is code-centric. That is, the permissions are granted based on code characteristics; i.e., where the code is coming from and whether it is digitally signed and if so, by whom.
- the java.security .Policy API handles principal-based queries, and the default policy imple ⁇ mentation supports principal-based grant entries.
- access control can now be based on which code is running, as well as who is running the code.
- JAAS does provide a mechanism to support instance level JAAS. This is ac ⁇ complished by extending some of the classes that are used by JAAS.
- the main drawback of this approach is that it is not extensible and it requires the creation of a new authorization class and a significant amount of rework if different kinds of authorizations in different domains are to be provided.
- Another option for supporting instance level authorization is to use a custom authorization code which is coded as part of the application. Generally, this is the most widely used method to support the authorization technique and the major drawback of this is that it is not based on standards making it more difficult to apply in different applications. Furthermore, since the code is part of the application, it is difficult to maintain and because it is non- generic it generally cannot be reused in different domains.
- an embodiment of the invention provides a method of es ⁇ tablishing security and authorization policies for users accessing a resource, data, or code represented by any of software objects and applications, wherein the method comprises generating at least one application object group from an application object description document run on a data processor; creating an authorization policy for each application object group; sending a selected application object to an access controller; and establishing access control parameters at a time of deployment of a software ap ⁇ plication for users attempting to access the selected application object based on the au ⁇ thorization policy.
- the application object description document comprises an extensible Markup Language (XML) format.
- the method further comprises specifying environmental variables for the authorization policy and changing the authorization policy by modifying a declarative specification of the envi ⁇ ronmental variables and modifying constraints defined on attributes of an application object. Additionally, the method further comprises specifying the application object group using: any of a method and field parameter associated with the application object (and defining constraints on these method and field parameters); a pre ⁇ determined relationship among all application object groups; or predetermined grouping actions to parse the application object description document into the at least one application object group. Moreover, the method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.
- Another embodiment of the invention provides a method of controlling access to a software application, wherein the method comprises grouping application objects in the software application according to a grouping parameter; establishing a user profile for each class of user accessing the application objects; specifying an authorization policy comprising access control parameters for each of the grouped application objects; and matching the authorization policy with the user profile for a user attempting to access selected grouped application objects at a time of deployment of the software application, wherein in the step of grouping, the software application comprises an application object description document comprising the application objects, wherein the application object description document comprises an XML format.
- the method further comprises specifying environmental variables for the au ⁇ thorization policy and changing the authorization policy by modifying a declarative specification of the environmental variables and the grouping constraints.
- the grouping parameter comprises specifying the application objects using: any of a method and field parameter associated with the application objects; a pre ⁇ determined relationship among all application objects in the software application; or predetermined grouping actions to parse the resource, data or code represented by software application/objects into the at least one application object group.
- the method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.
- Another aspect of the invention provides a system for establishing security and au ⁇ thorization policies for users accessing a software application, wherein the system comprises means for generating at least one application object group from an ap- plication object description document run on a data processor; means for specifying an authorization policy for each application object group; means for sending a selected application object group to an access controller; and means for establishing access control parameters at a time of deployment of the software application for users attempting to access the selected application object group based on the authorization policy.
- Another embodiment of the invention provides a system for controlling access to a software object, wherein the system comprises an application object description document comprising at least one application object group; an authorization policy classifier adapted to specify an authorization policy for each the application object group; and an access controller adapted to establish access control parameters for users attempting to access a selected application object group based on the authorization policy at a time of deployment of the software object, wherein the application object description document comprises an XML format, and wherein the authorization policy comprises environmental variables.
- the system further comprises a generator routine adapted to change the authorization policy by modifying a declarative specification of the environmental variables and grouping rules.
- the ap ⁇ plication object group is specified using: any of a method and field parameter associated with the user selected application object; a predetermined relationship among all application object groups; or predetermined grouping actions to parse the application object description document into the at least one application object group.
- the authorization policy classifier is adapted to implement varied classes of authorization policies.
- another aspect of the invention provides a program storage device readable by computer, tangibly embodying a program of instructions executable by the computer to perform a method of establishing security and authorization policies for users accessing a software application, wherein the method comprises generating at least one application object group from a application object description document run on a data processor; specifying an authorization policy for each application object group; sending a selected application object group to an access controller; and es ⁇ tablishing access control parameters at a time of deployment of the software ap ⁇ plication for users attempting to access the selected application object group based on the authorization policy.
- the authorization technique provided by the embodiments of the invention provides a method to fulfill authorization requirements without writing any new code, wherein a new authorization scenario can be obtained at deployment time by changing the declarative settings. Additionally, the embodiments of the invention provide a technique to: represent varied authorization requirements in an XML format; parse and generate object groups for authorization purposes using object constraints logic; add environmental variables as authorization parameters; define relationships between au ⁇ thenticated principals; implement a varied class of authorization policies using the same authorization policy provider; and group actions at deployment time.
- Figure 1 is a typical policy file for Java ® ;
- Figure 2 is a typical code for a protecting a Java ® method using AccessController
- Figure 3 is a typical policy for a principal based authorization in JAAS
- Figure 4 is a pseudocode for a protecting method using GenericPermission according to an embodiment of the invention
- Figure 5 is an authorization policy in a generic authorization according to an embodiment of the invention
- Figure 6 is a flow diagram illustrating a preferred method of an embodiment of the invention
- Figure 7(a) is a flow diagram illustrating a preferred method of an another embodiment of the invention
- Figure 7(b) is a flow diagram illustrating a preferred method of another aspect of the invention
- Figure 8 is a system block diagram according to an embodiment of the invention
- Figure 9 is a computer system diagram according to an embodiment of the invention.
- JAAS can be extended in a variety of ways to attain various authentication and authorization objectives.
- the generic authorization technique provided by the embodiments of the invention attains this flexibility by using the declarative au- thorization while keeping the high granularity of the programmatic authorization.
- the authorization technique provided by the embodiments of the invention provides capabilities of programmatic authorization using declarative speci ⁇ fications.
- the embodiments of the invention extend JAAS so that au ⁇ thorization requirements can be fulfilled in a declarative manner rather than in a pro ⁇ grammatic manner.
- Each method which is required to be protected using authentication and authorization begins with a call to the constructor of the GenericPermission object having at least three parameters: the class to which the method belongs; the action the method wants to perform; and the object on which the method is called.
- Figure 4 il ⁇ lustrates the pseudocode for a protecting method using GenericPermission according to an aspect of the invention as described above.
- the authorization policy can be expressed in an XML fo ⁇ nat.
- an authorization policy for "any registered user can create an auction but only the user who created the auction is allowed to modify it” is written as shown in Figure 5.
- a JDK is configured for a proper authorization policy provider. This is accomplished by changing/adding auth.policy .provider in the Java.security file of the Java_home/jre/lib/security directory, where Java_home is the path where Java ® is installed in the system. Because the generic authorization covers a wide variety of authorization policies, even with the limitation that there can be only one authorization policy provider for a number of applications, each having its own au ⁇ thorization requirement, it can be run on the same machine without having to write separate code for each application.
- Figure 6 illustrates a method of establishing security and authorization policies for users accessing a resource, data or code represented by software objects/application, wherein the method comprises generating (101) at least one application object group from an application object description document run on a data processor; creating (103) an authorization policy for each application object; sending (105) the user selected application object to the access controller 208 of the system 200 (shown in Figure 8); and establishing (107) access control parameters at a time of deployment of a software application for users attempting to access the selected application object group based on the authorization policy.
- the application object description document comprises an XML format.
- the method further comprises specifying environmental variables for the authorization policy and changing the au ⁇ thorization policy by modifying a declarative specification of the environmental variables. Additionally, the method further comprises specifying the application object group using: any of a method and field parameter associated with the selected ap ⁇ plication object; a predetermined relationship among all application object groups; or predetermined grouping actions to parse the application object description document into the at least one application object group. Moreover, the method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.
- Figure 7(a) illustrates a method of controlling access to a resource, data or code represented by software objects/application, wherein the method comprises grouping (111) application objects in the software application according to a grouping parameter comprising one or more of object method call results, object field values, and environmental variables; es ⁇ tablishing (113) a user profile for each class of user accessing the application objects; specifying (115) an authorization policy comprising access control parameters for each of the grouped application objects; and matching (117) the authorization policy with the user profile for a user attempting to access selected grouped application objects at a time of deployment of the software application, wherein in the step of grouping (111), the software application comprises a application object description document comprising the application objects, wherein the application object description document comprises an XML format.
- the grouping parameter comprises specifying the application objects using: any of a method and field parameter associated with the application objects; a predetermined relationship among all ap ⁇ plication objects in the software application; or predetermined grouping actions to parse the user selected software object into the at least one application object group.
- the method further comprises specifying (119) environmental variables for the authorization policy and changing (121) the authorization policy by modifying a declarative specification of the environmental variables.
- the method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.
- the embodiments of the invention allow access to some security related and environmental variables such that policies can be dependent on these variables. This makes it possible to have policies such as "allow access to software application on weekdays to A whereas disallow on weekends.”
- Figure 8 illustrates a system 200 for controlling access to a software application, wherein the system 200 comprises a application object description document 202 comprising at least one application object group 204; an authorization policy classifier 206 adapted to specify an authorization policy for each application object group 204; and an access controller 208 adapted to establish access control parameters at a time of deployment of a software application for users 210 attempting to access a selected ap ⁇ plication object group 204 based on the authorization policy at a time of deployment of the software application, wherein the application object description document 202 comprises an XML format, and wherein the authorization policy comprises envi ⁇ ronmental variables.
- the system further comprises a generator routine 212 adapted to change the au ⁇ thorization policy by modifying a declarative specification of the environmental variables.
- the application object group 204 is specified using: any of a method and field parameter associated with the application object group 204; a predetermined relationship among all application object groups 204; or predetermined grouping actions to parse the application object description document 202 into the at least one application object group 204.
- the authorization policy classifier 206 is adapted to implement varied classes of authorization policies.
- the embodiments of the invention provide a technique to parse the object constraint logic (written in an XML file) and generate object groups for authorization purposes.
- object constraint logic written in an XML file
- authorization polices are written at class (code) level.
- the authorization policies are written with the granularity of object groups.
- Object groups are represented using the method/field of the object concerned.
- the methods provided by the invention define relationships between authenticated principals.
- authenticated principal when a user is authenticated, the user is represented by an object of type "Subject".
- Each subject can have multiple principles associated with it. These principals represent the different identities that the person can have. Hence, a person can be uniquely identified by his Name (which is one principal) or his social security number (which is another principal).
- policies such as "If the user (authenticated principal) is the manager of the owner of the object here the object might be about a leave application), then he is allowed to invoke the approval method" may be defined.
- the embodiments of the invention provide a technique that allows individuals to use JAAS to perform instance- level authorization (i.e., authorization which is dependant on the characteristics of the data object).Further this is performed in a declarative manner, which is more flexible than programmatic authorization. Moreover, using this setup, dynamic relationships between subjects can be used for authorization purposes.
- the policy is defined in terms of the relationship (manager) between the authenticated principals.
- an authorization provider is configured in a Java. security file of java_home/jre/lib/security.
- JVM Java ® Virtual Machine
- the generic authorization covers a wide variety of authorization policies, even with the limitation that there can be only one authorization policy provider, a number of applications, each having its own authorization requirement, can be run on the same JVM.
- this file can have different authorization rules for different applications. Each authorization rule will be defined in terms of the application objects specific to that application.
- the authorization infrastructure will use the single authorization file.
- varied classes of authorization policies can be implemented using the same authorization policy provider.
- the embodiments of the invention further provide a method to group actions at deployment time.
- Actions can be grouped to provide different authorization re ⁇ quirements for different groups of actions.
- At deployment time it can be decided that the same authorization will be used for, 'read' and 'search' actions, for example. This is accomplished as the authorization policy is stored in the authorization XML file.
- the above-described grouping of actions can be accomplished.
- the embodiments of the invention provide a method to fulfill authorization re ⁇ quirements without having to write any new code.
- a new authorization scenario can be obtained at deployment time by changing the declarative settings. This is accomplished as indicated above, simply by changing the XML.
- the embodiments of the invention provide a new policy, which does not require changes to the code. Since au ⁇ thorization requirements are expressed in XML rather than integrating them with the application, authorization settings can be changed by simply changing the XML (rather than code changes).
- a user principal is permitted access to a certain Java ® object if it has certain characteristics represented using the returned value of certain "Java ® bean-like" methods such as getOwner, getManager, etc.
- the embodiments of the invention further include a method to represent varied au ⁇ thorization requirements in an XML format.
- the format includes specifying objects using some field or method calling on the Java object, specifying principals using re ⁇ lationships, and grouping actions.
- the embodiments of the invention also represent en ⁇ vironmental variables such as time, day, etc. in the XML format and define au ⁇ thorization policies on these variables. This is particularly advantageous because by including a number of methods to identify objects in the XML format, the em ⁇ bodiments of the invention produce a wide variety of options for authorization settings. These options include: field value and method return value for Java ® objects, principal and relationships among them, and environmental variables, among others.
- the embodiments of the invention can change the authorization policy at deployment time, which can make use of the JAAS standard. In other words, the advantages of JAAS are obtained by and instance-level authorization without making use of programmatic au ⁇ thorization.
- the embodiments of the invention provide a generic permission class, which has a constructor that allows the passing of the object on which the authorization is to be checke ⁇ and/or the object which is making the access request.
- a Permission object is required for checking the permission using an access controller.
- the Permission class is extended using GenericPermission so that object, on which the permission is asked, is a parameter of the Permission object passed to the access controller 208.
- the access controller 208 can decide on an authorization based on the object passed on to it. This aspect is used to provide authorization rules based on the characteristics of the particular instance of application object on which the authorization decision is to be made.
- the au ⁇ thorization policy is independent of the instance of the application object and the policy is the same for all instances of the application object of the same category.
- the embodiments of the invention provide a generic policy file that allows the use of environmental variables, allows the representation of dynamic method calls using reflection, and allows the representation of expressions, predicated logic, etc.
- the embodiments of the invention provide a format to write authorization re- quirements.
- the format includes specifying objects using some field or method call on the Java object, specifying principals using relationships, and grouping actions.
- the embodiments of the invention also represent environmental variables such as time, day, etc. in the XML format and define authorization policies on these variables.
- the embodiments of the invention provide a Policy File imple ⁇ mentation that parses the generic policy file, understands the syntax of the Generic Policy File, and creates a GenericPermissionCollection out of the Generic Policy File based on the past user Object, user Principal/user Subject, and user code. This is ac ⁇ complished by using a new type of GenericPermission class, whereby a different type of policy file implementation is used. Accordingly, the embodiments of the invention understand the general format of the Generic Policy File, but do not necessarily understand the object constraint logic specified in the policy file. However, the imple ⁇ mentation creates a GenericPermission class using the policy file. As such, the Gener ⁇ icPermission class, as described earlier, understands the object constraint logic specified in the policy file.
- the embodiments of the invention use of a GenericPermission class that uses the policy file and understands the declarative specification of the policy language and is capable to get values of environmental variables, evaluate expressions and predicate logic, and uses Java reflection to obtain run-time parameter values.
- the embodiments of the invention understand the logic written in the generic XML a based policy file.
- the embodiments of the invention provide a GenericPermission Collec tion class that stores a collection of the GenericPermission and calls the implied method of GenericPermission, which is capable of understanding the Generic Policy File.
- the embodiments of the invention define a generic collection of permissions that take the object as one of the parameters, which works in a JAAS en ⁇ vironment in accordance with JAAS specifications.
- the embodiments of the invention provide a Java ® based policy, which provides access control or an au ⁇ thorization defined in an XML format.
- Environmental variables are specified declaratively in an XML format to define authorization parameters of an authorization policy for Java ® .
- the XML is application independent and the use of declarative variables permits the generic authorization by defining the Java ® parameters of class, method, and object in XML.
- Several different policies are described in XML and the policies are declared as environmental variables. To change authorization policies, a declaration of an environmental variable is modified.
- each application can have a different policy and can be specified declaratively in an XML format when the user logs in with a particular username and password.
- FIG. 9 A representative hardware environment for practicing the embodiments of the invention is depicted in Figure 9.
- the system comprises at least one processor or central processing unit (CPU) 10.
- the CPUs 10 are interconnected via system bus 12 to various devices such as a random access memory (RAM) 14, read-only memory (ROM) 16, and an input/output (I/O) adapter 18.
- RAM random access memory
- ROM read-only memory
- I/O input/output
- the I/O adapter 18 can connect to peripheral devices, such as disk units 11 and tape drives 13, or other program storage devices that are readable by the system.
- the system can read the inventive instructions on the program storage devices and follow these instructions to execute the methodology of the embodiments of the invention.
- the system further includes a user interface adapter 19 that connects a keyboard 15, mouse 17, speaker 24, microphone 22, and/or other user interface devices such as a touch screen device (not shown) to the bus 12 to gather user input.
- a communication adapter 20 connects the bus 12 to a data processing network 25, and a display adapter 21 connects the bus 12 to a display device 23 which may be embodied as an output device such as a monitor, printer, or transmitter, for example.
- the authorization technique provided by the embodiments of the invention provides a method to fulfill authorization requirements without writing any new code, wherein a new authorization scenario can be obtained at deployment time by changing the declarative settings.
- the embodiments of the invention provide a technique to: represent varied authorization requirements in an XML format; parse and generate object groups for authorization purposes using object constraints logic; add environmental variables as authorization parameters; define relationships between au ⁇ thenticated principals; implement a varied class of authorization policies using the same authorization policy provider; and group actions at deployment time.
- the em ⁇ bodiments of the invention are useful for all Java applications in J2EE /non-J2EE environments. Moreover, the environments described herein applies to all the J2EE ® / non-J2EE ® applications.
Abstract
Description
Claims
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2007523057A JP2008508583A (en) | 2004-07-30 | 2005-07-13 | Method, system, and program storage device for establishing security and authorization policies for users accessing software applications |
EP05758441A EP1774422A1 (en) | 2004-07-30 | 2005-07-13 | A generic declarative authorization scheme for java |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/909,107 US7669226B2 (en) | 2004-07-30 | 2004-07-30 | Generic declarative authorization scheme for Java |
US10/909,107 | 2004-07-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006010707A1 true WO2006010707A1 (en) | 2006-02-02 |
Family
ID=35160040
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2005/053347 WO2006010707A1 (en) | 2004-07-30 | 2005-07-13 | A generic declarative authorization scheme for java |
Country Status (6)
Country | Link |
---|---|
US (1) | US7669226B2 (en) |
EP (1) | EP1774422A1 (en) |
JP (1) | JP2008508583A (en) |
KR (1) | KR100968303B1 (en) |
CN (1) | CN1989472A (en) |
WO (1) | WO2006010707A1 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008165456A (en) * | 2006-12-28 | 2008-07-17 | Hitachi Ltd | Ic card system, and method for the same |
Families Citing this family (45)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040268139A1 (en) * | 2003-06-25 | 2004-12-30 | Microsoft Corporation | Systems and methods for declarative client input security screening |
US7657746B2 (en) * | 2005-04-22 | 2010-02-02 | Microsoft Corporation | Supporting statements for credential based access control |
US8078740B2 (en) * | 2005-06-03 | 2011-12-13 | Microsoft Corporation | Running internet applications with low rights |
US8635660B2 (en) * | 2005-12-06 | 2014-01-21 | Oracle International Corporation | Dynamic constraints for query operations |
US7945960B2 (en) | 2005-12-06 | 2011-05-17 | Oracle International Corporation | Dynamic conditional security policy extensions |
US20070240194A1 (en) * | 2006-03-28 | 2007-10-11 | Hargrave Bentley J | Scoped permissions for software application deployment |
US20070288989A1 (en) * | 2006-06-09 | 2007-12-13 | Nokia Corporation | Method, electronic device, apparatus, system and computer program product for updating an electronic device security policy |
US8185737B2 (en) | 2006-06-23 | 2012-05-22 | Microsoft Corporation | Communication across domains |
US8201215B2 (en) * | 2006-09-08 | 2012-06-12 | Microsoft Corporation | Controlling the delegation of rights |
US7814534B2 (en) | 2006-09-08 | 2010-10-12 | Microsoft Corporation | Auditing authorization decisions |
US8095969B2 (en) | 2006-09-08 | 2012-01-10 | Microsoft Corporation | Security assertion revocation |
US20080066158A1 (en) * | 2006-09-08 | 2008-03-13 | Microsoft Corporation | Authorization Decisions with Principal Attributes |
US8060931B2 (en) | 2006-09-08 | 2011-11-15 | Microsoft Corporation | Security authorization queries |
US20080065899A1 (en) * | 2006-09-08 | 2008-03-13 | Microsoft Corporation | Variable Expressions in Security Assertions |
US8656503B2 (en) | 2006-09-11 | 2014-02-18 | Microsoft Corporation | Security language translations with logic resolution |
US8938783B2 (en) | 2006-09-11 | 2015-01-20 | Microsoft Corporation | Security language expressions for logic resolution |
US7877812B2 (en) * | 2007-01-04 | 2011-01-25 | International Business Machines Corporation | Method, system and computer program product for enforcing privacy policies |
WO2008128030A1 (en) * | 2007-04-12 | 2008-10-23 | Massachusetts General Hospital | Fine-grained authorization framework |
US10019570B2 (en) | 2007-06-14 | 2018-07-10 | Microsoft Technology Licensing, Llc | Protection and communication abstractions for web browsers |
KR100938559B1 (en) | 2007-11-20 | 2010-01-22 | 고려대학교 산학협력단 | System of access control for XML node and Method thereof |
JP2009187542A (en) * | 2008-01-10 | 2009-08-20 | Nec Corp | Request processing system, request processing method, and request processing program |
US8850409B2 (en) * | 2008-05-21 | 2014-09-30 | Optumsoft, Inc. | Notification-based constraint set translation to imperative execution |
US20090299862A1 (en) * | 2008-06-03 | 2009-12-03 | Microsoft Corporation | Online ad serving |
US9524344B2 (en) * | 2008-06-03 | 2016-12-20 | Microsoft Corporation | User interface for online ads |
US20090327869A1 (en) * | 2008-06-27 | 2009-12-31 | Microsoft Corporation | Online ad serving |
US8181230B2 (en) * | 2008-06-30 | 2012-05-15 | International Business Machines Corporation | System and method for adaptive approximating of a user for role authorization in a hierarchical inter-organizational model |
US20100043049A1 (en) * | 2008-08-15 | 2010-02-18 | Carter Stephen R | Identity and policy enabled collaboration |
US8381279B2 (en) * | 2009-02-13 | 2013-02-19 | Microsoft Corporation | Constraining a login to a subset of access rights |
US8762505B2 (en) | 2010-06-14 | 2014-06-24 | Microsoft Corporation | Definition configuration and administration of distributed server systems through structured data model |
US9582407B2 (en) * | 2011-02-25 | 2017-02-28 | International Business Machines Corporation | Security role testing using an embeddable container and properties object |
US8732811B2 (en) * | 2011-03-28 | 2014-05-20 | Canon Kabushiki Kaisha | Systems and methods for implementing security services |
US9215235B1 (en) | 2011-05-23 | 2015-12-15 | Palo Alto Networks, Inc. | Using events to identify a user and enforce policies |
US9660992B1 (en) | 2011-05-23 | 2017-05-23 | Palo Alto Networks, Inc. | User-ID information propagation among appliances |
US10560478B1 (en) | 2011-05-23 | 2020-02-11 | Palo Alto Networks, Inc. | Using log event messages to identify a user and enforce policies |
US8677447B1 (en) * | 2011-05-25 | 2014-03-18 | Palo Alto Networks, Inc. | Identifying user names and enforcing policies |
US9053337B2 (en) | 2011-06-07 | 2015-06-09 | Blackberry Limited | Methods and devices for controlling access to a computing resource by applications executable on a computing device |
US8763080B2 (en) | 2011-06-07 | 2014-06-24 | Blackberry Limited | Method and devices for managing permission requests to allow access to a computing resource |
US8650550B2 (en) | 2011-06-07 | 2014-02-11 | Blackberry Limited | Methods and devices for controlling access to computing resources |
US9009473B2 (en) | 2011-10-13 | 2015-04-14 | International Business Machines Corporation | Providing consistent cryptographic operations across several applications |
US9009472B2 (en) | 2011-10-13 | 2015-04-14 | International Business Machines Corporation | Providing consistent cryptographic operations |
US9116716B2 (en) | 2012-06-24 | 2015-08-25 | Veerai Bharatia | Systems and methods for declarative applications |
US9098269B2 (en) * | 2013-01-04 | 2015-08-04 | Microsoft Technology Licensing, Llc | System and method to ensure resource access safety with immutable object types |
US10749690B2 (en) | 2017-03-10 | 2020-08-18 | Samsung Electronics Co., Ltd. | System and method for certificate authority for certifying accessors |
WO2019127468A1 (en) * | 2017-12-29 | 2019-07-04 | 华为技术有限公司 | Grouped application using same key for sharing data |
US10992680B2 (en) * | 2018-06-29 | 2021-04-27 | Sap Se | Authorization client management in a distributed computing environment |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030130953A1 (en) * | 2002-01-09 | 2003-07-10 | Innerpresence Networks, Inc. | Systems and methods for monitoring the presence of assets within a system and enforcing policies governing assets |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6202066B1 (en) * | 1997-11-19 | 2001-03-13 | The United States Of America As Represented By The Secretary Of Commerce | Implementation of role/group permission association using object access type |
JP3546787B2 (en) * | 1999-12-16 | 2004-07-28 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Access control system, access control method, and storage medium |
CA2306933A1 (en) | 2000-04-28 | 2001-10-28 | Ibm Canada Limited-Ibm Canada Limitee | Method for data access code generation |
US7089584B1 (en) * | 2000-05-24 | 2006-08-08 | Sun Microsystems, Inc. | Security architecture for integration of enterprise information system with J2EE platform |
WO2002046893A1 (en) * | 2000-12-04 | 2002-06-13 | Kent Ridge Digital Labs | A method and apparatus for providing xml document encryption |
US7392546B2 (en) * | 2001-06-11 | 2008-06-24 | Bea Systems, Inc. | System and method for server security and entitlement processing |
US7240365B2 (en) * | 2002-09-13 | 2007-07-03 | Sun Microsystems, Inc. | Repositing for digital content access control |
US7546633B2 (en) * | 2002-10-25 | 2009-06-09 | Microsoft Corporation | Role-based authorization management framework |
US7404203B2 (en) * | 2003-05-06 | 2008-07-22 | Oracle International Corporation | Distributed capability-based authorization architecture |
US7788489B2 (en) * | 2003-05-06 | 2010-08-31 | Oracle International Corporation | System and method for permission administration using meta-permissions |
US7461395B2 (en) * | 2003-05-06 | 2008-12-02 | Oracle International Corporation | Distributed capability-based authorization architecture using roles |
-
2004
- 2004-07-30 US US10/909,107 patent/US7669226B2/en not_active Expired - Fee Related
-
2005
- 2005-07-13 KR KR1020077001797A patent/KR100968303B1/en not_active IP Right Cessation
- 2005-07-13 JP JP2007523057A patent/JP2008508583A/en active Pending
- 2005-07-13 CN CNA2005800251456A patent/CN1989472A/en active Pending
- 2005-07-13 WO PCT/EP2005/053347 patent/WO2006010707A1/en active Application Filing
- 2005-07-13 EP EP05758441A patent/EP1774422A1/en not_active Withdrawn
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030130953A1 (en) * | 2002-01-09 | 2003-07-10 | Innerpresence Networks, Inc. | Systems and methods for monitoring the presence of assets within a system and enforcing policies governing assets |
Non-Patent Citations (2)
Title |
---|
BURT C C ET AL: "Model driven security: unification of authorization models for fine-grain access control", ENTERPRISE DISTRIBUTED OBJECT COMPUTING CONFERENCE, 2003. PROCEEDINGS. SEVENTH IEEE INTERNATIONAL 16-19 SEPT. 2003, PISCATAWAY, NJ, USA,IEEE, 16 September 2003 (2003-09-16), pages 159 - 171, XP010659489, ISBN: 0-7695-1994-6 * |
HASHII B ET AL: "Supporting reconfigurable security policies for mobile programs", COMPUTER NETWORKS, ELSEVIER SCIENCE PUBLISHERS B.V., AMSTERDAM, NL, vol. 33, no. 1-6, June 2000 (2000-06-01), pages 77 - 93, XP004304760, ISSN: 1389-1286 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008165456A (en) * | 2006-12-28 | 2008-07-17 | Hitachi Ltd | Ic card system, and method for the same |
Also Published As
Publication number | Publication date |
---|---|
US7669226B2 (en) | 2010-02-23 |
EP1774422A1 (en) | 2007-04-18 |
KR20070040376A (en) | 2007-04-16 |
KR100968303B1 (en) | 2010-07-08 |
CN1989472A (en) | 2007-06-27 |
JP2008508583A (en) | 2008-03-21 |
US20060026667A1 (en) | 2006-02-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7669226B2 (en) | Generic declarative authorization scheme for Java | |
US7594112B2 (en) | Delegated administration for a distributed security system | |
Wonohoesodo et al. | A role based access control for web services | |
US20090205018A1 (en) | Method and system for the specification and enforcement of arbitrary attribute-based access control policies | |
US6941471B2 (en) | Security policy applied to common data security architecture | |
US6574736B1 (en) | Composable roles | |
US7644432B2 (en) | Policy inheritance through nested groups | |
US7434257B2 (en) | System and methods for providing dynamic authorization in a computer system | |
EP1988486B1 (en) | Virtualized federated role provisioning | |
US20070006325A1 (en) | Method, system and computer program for controlling access to resources in web applications | |
US20030033539A1 (en) | Mobile code security architecture in an application service provider environment | |
US20050097353A1 (en) | Policy analysis tool | |
KR20010040979A (en) | Stack-based access control | |
US20050097352A1 (en) | Embeddable security service module | |
US20050257245A1 (en) | Distributed security system with dynamic roles | |
Burt et al. | Model driven security: unification of authorization models for fine-grain access control | |
US20050251852A1 (en) | Distributed enterprise security system | |
US20020138727A1 (en) | System and process for enhancing method calls of special purpose object-oriented programming languages to have security attributes for access control | |
Giuri | Role-based access control on the Web using Java | |
Ziebermayr et al. | Web service authorization framework | |
Bruckner et al. | A Framework for Creating Policy-agnostic Programming Languages. | |
Nagaratnam et al. | Role-based Protection and Delegation for Mobile Object Environments | |
Gupta et al. | A generic XACML based declarative authorization scheme for Java: Architecture and implementation | |
Lu | Enforcing Ponder Policies using Kava | |
Phillips et al. | Safety and liveness for an rbac/mac security model |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 1020077001797 Country of ref document: KR |
|
WWE | Wipo information: entry into national phase |
Ref document number: 200580025145.6 Country of ref document: CN |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2007523057 Country of ref document: JP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2005758441 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 888/CHENP/2007 Country of ref document: IN |
|
WWP | Wipo information: published in national office |
Ref document number: 2005758441 Country of ref document: EP |