WO2006010707A1 - A generic declarative authorization scheme for java - Google Patents

Abstract

A method, system, and program storage device for establishing security and authorization policies for users accessing a software application, wherein the method comprises generating at least one application object group from an application object description document comprising an XML format run on a data processor; creating an authorization policy for each application object; sending a selected application object group to an access controller; and establishing access control parameters at a time of deployment of the software application for users attempting to access the selected application object group based on the authorization policy. The method further comprises specifying environmental variables for the authorization policy; changing the authorization policy by modifying a declarative specification of the environmental variables and modifying constraints defined on attributes of an application object; implementing varied classes of authorization policies using a same authorization policy classifier; and specifying the application object group using grouping parameters.

Description

Description

A GENERIC DECLARATIVE AUTHORIZATION SCHEME FOR

JAVA

Technical Field

[001] The embodiments of the invention generally relate to software application de¬ velopment, and more particularly to Java -based security and authorization software application development systems and methods. Background Art

[002] Security and authorization play very important roles in the development, deployment, and functioning of software systems. Java , available from Sun Mi¬ crosystems, Inc., Santa Clara, California, USA, is the most popular platform for component-based software and systems. Moreover, Java^® security plays a key role in e-commerce enterprise systems. Security features are typically built into an application in an ad-hoc manner or integrated with an enterprise J2EE^® (Java^® 2 Platform Enterprise Edition), available from Sun Microsystems, Inc., Santa Clara, California, USA, application using container managed authentication and authorization. There are several reasons for such a situation. First, security must be handled by nearly all of the components of the application; however its integration in the software development is not centralized. Second, there is a lack of a standard easy-to-use process for developing granular security. In J2EE^® systems, containers provide method-level security and role- based access control which may not be sufficient for many situations. Overall, the low- level of security development makes security implementation rigid and tightly coupled with the application.

[003] Java^® Authentication and Authorization Service (JAAS) is a Java^® package that enables services to authenticate and enforce access controls on users. In other words, JAAS is a set of Java^® Application Program Interfaces (APIs) that can be used for two purposes: (1) for authentication of users, to reliably and securely determine who is currently executing Java code, regardless of whether the code is running as an ap¬ plication, an applet, a bean, or a servlet; and (2) for authorization of users to determine if the authenticated user is allowed to access the resource (which can be the Java^® code or some object/entity accessed by the Java code), regardless of whether the code is running as an application, an applet, a bean, or a servlet. Typically, JAAS au¬ thentication is performed in a pluggable fashion. This permits Java applications to remain independent from the underlying authentication technologies. Moreover, new or updated technologies can be plugged in without requiring modifications to the ap¬ plication itself. [004] Java uses three types of defense mechanisms: byte-code verifier, class loader, and security manager. In Java^® Version 1.0, applets operate in a "sandbox," which restricts the applet's ability to either affect the machine they are executed on or to obtain any sensitive information from it. As such, nothing much can be accessed locally. In later versions of Java , applets are allowed to escape the sandbox if the machine running it allows it to do so based on signing information. To support flexible, fine gained access control, Java version 1.2 provides for policy based security architecture. The policy is defined by a set of permissions for code in various locations and by various signers. Permission allows access to certain actions on a certain resource. Usually, resource names and their associated actions are enumerated in a policy file. Figure 1 illustrates a typical policy file in Java^®.

[005] In Java version 2, two functions, earlier provided by the SecurityManager, namely establishment of security policy and enforcement of security policy, are separated. The java.security.Policy abstract class is used for establishing the security policy and the AccessController is used as the security enforcer. For backward compatibility, the Se¬ curityManager class still exists but it refers to the AccessController for its decisions. In java.policy, permissions are associated with the code-source. As such, it does not have user or role based permissions. Figure 2 illustrates a typical code for protecting a Java method using AccessController. The example illustrated in Figure 2 shows how a resource is protected by calling the AccessController before accessing the resource. i-The AccessController checks the requested permission with the application's current authorization policy. If any permission defined in the policy file implies the requested permission, the method "checkPermission" command simply returns; otherwise an Ac- cessControlException is initiated.

[006] As mentioned above, JAAS is a set of APIs that enable services to authenticate and enforce access controls upon users. JAAS reliably and securely determines who is currently executing the Java code and whether it is allowed to do so. Moreover, JAAS implements a Java^® technology version of the standard Pluggable Authentication Modu Ie (PAM) framework. This permits Java applications to remain independent from the underlying authentication mechanism.

[007] JAAS includes two primary components: authentication and authorization. JAAS adds subject based policies to the Java^® version 2 security model. Permission is granted not only based on the CodeSource but also based on the user executing the code. For this the user is first authenticated. JAAS distribution contains various LoginModules implementations to retrieve the user id and password from the user. The LoginContext uses a login configuration file to determine which LoginModule to use for au¬ thentication. The Subject class is used to encapsulate the credentials of the au¬ thenticated user. A subject can have multiple identities called principals. In the JAAS policy file each grant statement is associated with a principal. For each principal associated with the subject, the AccessController obtains permissions from the PolicyFile and checks whether any permission implies the requested permission. Otherwise, the AccessController initiates an AccessControlException. Figure 3 il¬ lustrates the typical policy for principal based authorization in JAAS.

[008] In J2EE architecture, a container serves as an authorization boundary between the components it hosts and their callers. The container establishes the identity of the user of the calling code. Access to the called component, an EJB (Enterprise JavaBeans , available from Sun Microsystems, Inc., Santa Clara, California, USA), or a web component, is determined by comparing the caller's security attributes with those required to access the called component. In declarative authorization, a deployer es¬ tablishes the container-enforced access control rules for a J2EE^® application. The deployer maps an application permission model, typically supplied by the application assembler, to mechanisms specific to the runtime environment. The deployment descriptor defines security roles and their associated access rights for various components. The deployer assigns security roles to specific callers to establish the access rights of users in the runtime environment. For example, a deployer can map a security role to a list of principal identities in the operational environment. Then, callers, authenticated with one of these identities, are assigned the privilege represented by the role. A J2EE container makes access control decisions before the dispatching method calls to a component. Thus, declarative access control can be assigned with the method's granularity.

[009] The J2EE^® container does not factor in the logic or state of the component in these access decisions. To do that, programmatic authorization is required to be performed by the code developer. A component can use two methods to perform fine-grained access control: EJBContextisCallerlnRole (for EJB components) and HttpServletRequesUsUserlnRole (for web components). A component uses these methods to determine whether a caller has been granted a privilege selected by the component based on the parameters of the call, the internal state of the component, or other factors such has runtime parameters. However, there is a trade-off between the declarative and programmatic authorization. The declarative authorization is an external access control policy configured by the deployer whereas the programmatic authorization is through an internal policy embedded in the application by the component developer. The internal policy is more fine-grained whereas the external policy is more flexible. Moreover, the external policy is transparent whereas the internal policy is buried in the application. For example, to provide the authorization policy, "Employees can only access their own salary information," programmatic au¬ thorization is required, which cannot be changed in the future, if required. Moreover, JAAS is built on top of the pre-existing security model of Java , which is CodeSource based and the plaintext format policy file implementation. JAAS implements authorization based on the class accessed by a certain component. However, this may not be sufficient for an enterprise application, whereby one may wish to use the custom security repositories, like LDAP (Lightweight Directory Access Protocol) with JAAS. Further, in business-to-business electronic commerce a pricing contract may have different access control policies than another contract. The spec¬ ification for a self-service auction application might have the requirement that "any registered user can create an auction but only the user who created the auction is allowed to modify it." Thus, many Java^® applications are required to extend JAAS to satisfy its authorization requirements. Because of pluggable features of JAAS, one can write his/her own implementation of various authentication and authorization sub- modules to change the default behavior of JAAS. For the authorization requirements il¬ lustrated in the above examples, one may need to change the default implementations of one or more of the following:

• java.security .Permission: The AccessController.checkPermission (Permission perm) is called to determine whether the caller has the authority to perform the action on the called CodeSource. The permission object perm represents the required access to a resource. The permission object can specify things such as name of the permission (which may indicate the resource on which access is required), action for which the resource is, accessed, etc. The permission class implements an implied method to be called by the Access- Controller to determine whether a granted permission implies the requested permission. For implementing class instance level authorization, one needs to have a new implementation of permissions having an object instance as one of its field. That object can be used in the implied method to decide autho¬ rizations.

• java.security.PermissionCollection: This abstract class is used for representing a collection of permission objects. This class can be implemented to have a desired manner of storing the granted permissions and comparing them with the requested permission to determine if any of the granted permissions implies a requested permission.

• java.security .Policy: This is an abstract class for storing security policies in a Java^® application environment. The AccessController contacts the policy im¬ plementation to obtain the permissions for an authenticated subject on a CodeSource. The policy object consults its policy specification and returns an appropriate PermissionCollection object enumerating the permissions that are allowed. By default, sun.security.provider.PolicyFile implementation is used for policy implementation. By having different implementation one can change the way policies are written (for example, LDAP or software ap¬ plications) or additional parameters on which the authorization depends.

• javax.security.auth.spi.LoginModule: The LoginModule describes the interface implemented by the authentication provider. It retrieves the username and password(s) from the callbacks, which, by default, performs some user interaction. The LoginModule can be extended to delegate the au¬ thentication to some external adaptor.

• java.security .Principal: The Principal interface represents the abstract notion to be used to represent an entity such as an individual, an organization, a group, or a login id. Group, KerberosPrincipal, etc. are well known imple¬ mentations of Principal. By extending the Principal one can add custom properties to be used for authorization.

[011] However, one of the limitations of JAAS is that it does not support class instance level authorization; i.e., the authorization in JAAS is performed on the basis of the class name and not on the basis of a specific instance of the class. For example, the specification for a web-based, self-service auction application may have the following requirement: "Any registered (authenticated) user can create an auction but only the user who created the auction may modify it." This means that any user can execute the code written to create an auction class instance, but only the user who owns that instance may execute code designed to modify it. Usually, the user who created the auction instance will be the owner. What this implies is that people of the same role might have different access rights based on their attributes or the actions that they have performed in the past. Unfortunately, this type of authorization cannot be supported using JAAS.

[012] JAAS authorization extends the existing Java^® security architecture that uses a security policy to specify what access rights are granted to the executing code. This security architecture, as provided in the Java^® version 2 platform, is code-centric. That is, the permissions are granted based on code characteristics; i.e., where the code is coming from and whether it is digitally signed and if so, by whom. With the in¬ tegration of JAAS into the Java 2 SDK (Software Development Kit), the java.security .Policy API handles principal-based queries, and the default policy imple¬ mentation supports principal-based grant entries. Thus, access control can now be based on which code is running, as well as who is running the code.

[013] JAAS does provide a mechanism to support instance level JAAS. This is ac¬ complished by extending some of the classes that are used by JAAS. However, the main drawback of this approach is that it is not extensible and it requires the creation of a new authorization class and a significant amount of rework if different kinds of authorizations in different domains are to be provided. Another option for supporting instance level authorization is to use a custom authorization code which is coded as part of the application. Generally, this is the most widely used method to support the authorization technique and the major drawback of this is that it is not based on standards making it more difficult to apply in different applications. Furthermore, since the code is part of the application, it is difficult to maintain and because it is non- generic it generally cannot be reused in different domains.

[014] Therefore, due to the drawbacks and limitations of the conventional approaches, there remains a need for a more universally applicable JAAS-based authorization solution, which can be applied to different domains without requiring any new code. Writing new code for a new authorization requirement makes it difficult to change au¬ thorization settings at deployment time. Thus, what is needed is the flexibility of a declarative authorization with the high granularity of programmatic authorization. Disclosure of Invention

[015] In view of the foregoing, an embodiment of the invention provides a method of es¬ tablishing security and authorization policies for users accessing a resource, data, or code represented by any of software objects and applications, wherein the method comprises generating at least one application object group from an application object description document run on a data processor; creating an authorization policy for each application object group; sending a selected application object to an access controller; and establishing access control parameters at a time of deployment of a software ap¬ plication for users attempting to access the selected application object based on the au¬ thorization policy. In the step of generating, the application object description document comprises an extensible Markup Language (XML) format. The method further comprises specifying environmental variables for the authorization policy and changing the authorization policy by modifying a declarative specification of the envi¬ ronmental variables and modifying constraints defined on attributes of an application object. Additionally, the method further comprises specifying the application object group using: any of a method and field parameter associated with the application object (and defining constraints on these method and field parameters); a pre¬ determined relationship among all application object groups; or predetermined grouping actions to parse the application object description document into the at least one application object group. Moreover, the method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.

[016] Another embodiment of the invention provides a method of controlling access to a software application, wherein the method comprises grouping application objects in the software application according to a grouping parameter; establishing a user profile for each class of user accessing the application objects; specifying an authorization policy comprising access control parameters for each of the grouped application objects; and matching the authorization policy with the user profile for a user attempting to access selected grouped application objects at a time of deployment of the software application, wherein in the step of grouping, the software application comprises an application object description document comprising the application objects, wherein the application object description document comprises an XML format. The method further comprises specifying environmental variables for the au¬ thorization policy and changing the authorization policy by modifying a declarative specification of the environmental variables and the grouping constraints. In the step of grouping, the grouping parameter comprises specifying the application objects using: any of a method and field parameter associated with the application objects; a pre¬ determined relationship among all application objects in the software application; or predetermined grouping actions to parse the resource, data or code represented by software application/objects into the at least one application object group. The method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.

[017] Another aspect of the invention provides a system for establishing security and au¬ thorization policies for users accessing a software application, wherein the system comprises means for generating at least one application object group from an ap- plication object description document run on a data processor; means for specifying an authorization policy for each application object group; means for sending a selected application object group to an access controller; and means for establishing access control parameters at a time of deployment of the software application for users attempting to access the selected application object group based on the authorization policy.

[018] Another embodiment of the invention provides a system for controlling access to a software object, wherein the system comprises an application object description document comprising at least one application object group; an authorization policy classifier adapted to specify an authorization policy for each the application object group; and an access controller adapted to establish access control parameters for users attempting to access a selected application object group based on the authorization policy at a time of deployment of the software object, wherein the application object description document comprises an XML format, and wherein the authorization policy comprises environmental variables. The system further comprises a generator routine adapted to change the authorization policy by modifying a declarative specification of the environmental variables and grouping rules. According to the system, the ap¬ plication object group is specified using: any of a method and field parameter associated with the user selected application object; a predetermined relationship among all application object groups; or predetermined grouping actions to parse the application object description document into the at least one application object group. Moreover, the authorization policy classifier is adapted to implement varied classes of authorization policies.

[019] Additionally, another aspect of the invention provides a program storage device readable by computer, tangibly embodying a program of instructions executable by the computer to perform a method of establishing security and authorization policies for users accessing a software application, wherein the method comprises generating at least one application object group from a application object description document run on a data processor; specifying an authorization policy for each application object group; sending a selected application object group to an access controller; and es¬ tablishing access control parameters at a time of deployment of the software ap¬ plication for users attempting to access the selected application object group based on the authorization policy.

[020] The authorization technique provided by the embodiments of the invention provides a method to fulfill authorization requirements without writing any new code, wherein a new authorization scenario can be obtained at deployment time by changing the declarative settings. Additionally, the embodiments of the invention provide a technique to: represent varied authorization requirements in an XML format; parse and generate object groups for authorization purposes using object constraints logic; add environmental variables as authorization parameters; define relationships between au¬ thenticated principals; implement a varied class of authorization policies using the same authorization policy provider; and group actions at deployment time.

[021] These and other aspects of the embodiments of the invention will be better ap¬ preciated and understood when considered in conjunction with the following de¬ scription and the accompanying drawings. It should be understood, however, that the following descriptions, while indicating preferred embodiments of the invention and numerous specific details thereof, are given by way of illustration and not of limitation. Brief Description of the Drawings

[022] The embodiments of the invention will be better understood from the following detailed description with reference to the drawings, in which:

[023] Figure 1 is a typical policy file for Java^®;

[024] Figure 2 is a typical code for a protecting a Java^® method using AccessController;

[025] Figure 3 is a typical policy for a principal based authorization in JAAS;

[026] Figure 4 is a pseudocode for a protecting method using GenericPermission according to an embodiment of the invention; [027] Figure 5 is an authorization policy in a generic authorization according to an embodiment of the invention; [028] Figure 6 is a flow diagram illustrating a preferred method of an embodiment of the invention; [029] Figure 7(a) is a flow diagram illustrating a preferred method of an another embodiment of the invention; [030] Figure 7(b) is a flow diagram illustrating a preferred method of another aspect of the invention; [031] Figure 8 is a system block diagram according to an embodiment of the invention; and [032] Figure 9 is a computer system diagram according to an embodiment of the invention.

Best Mode for Carrying Out the Invention

[033] The embodiments of the invention and the various features and advantageous details thereof are explained more fully with reference to the non-limiting em¬ bodiments that are illustrated in the accompanying drawings and detailed in the following description. It should be noted that the features illustrated in the drawings are not necessarily drawn to scale. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments of the invention. The examples used herein are intended merely to facilitate an un¬ derstanding of ways in which the embodiments of the invention may be practiced and to further enable those of skill in the art to practice the embodiments of the invention. Accordingly, the examples should not be construed as limiting the scope of the em¬ bodiments of the invention.

[034] As mentioned, there remains a need for a more universally applicable Java^®-based software application development technique, which can be applied to different domains without requiring significant changes to the authorization setup. The em¬ bodiments of the invention address^' this need by providing generic, low-level,

(5) extensible security to Java applications based on JAAS standards. Referring now to the drawings, and more particularly to Figures 4 through 9, there are shown preferred embodiments of the invention.

[035] As described above, JAAS can be extended in a variety of ways to attain various authentication and authorization objectives. However, for various extensions one may need to write code to implement or extend various JAAS interfaces and classes re¬ spectively. As such, this makes it difficult to change the security settings at the time of deployment of the application. Thus, the generic authorization technique provided by the embodiments of the invention attains this flexibility by using the declarative au- thorization while keeping the high granularity of the programmatic authorization.

[036] Accordingly, the authorization technique provided by the embodiments of the invention provides capabilities of programmatic authorization using declarative speci¬ fications. Specifically, the embodiments of the invention extend JAAS so that au¬ thorization requirements can be fulfilled in a declarative manner rather than in a pro¬ grammatic manner. Each method which is required to be protected using authentication and authorization begins with a call to the constructor of the GenericPermission object having at least three parameters: the class to which the method belongs; the action the method wants to perform; and the object on which the method is called. Figure 4 il¬ lustrates the pseudocode for a protecting method using GenericPermission according to an aspect of the invention as described above.

[037] As illustrated in Figure 5, the authorization policy can be expressed in an XML foπnat. For example, an authorization policy for "any registered user can create an auction but only the user who created the auction is allowed to modify it" is written as shown in Figure 5. Similarly, having different authorization policies for different pricing contracts, permissions are based on {idname="getContractID", idtype="method", idvalue="ibm-sun"] parameters.

[038] For generic authorization, a JDK is configured for a proper authorization policy provider. This is accomplished by changing/adding auth.policy .provider in the Java.security file of the Java_home/jre/lib/security directory, where Java_home is the path where Java^® is installed in the system. Because the generic authorization covers a wide variety of authorization policies, even with the limitation that there can be only one authorization policy provider for a number of applications, each having its own au¬ thorization requirement, it can be run on the same machine without having to write separate code for each application.

[039] Figure 6 illustrates a method of establishing security and authorization policies for users accessing a resource, data or code represented by software objects/application, wherein the method comprises generating (101) at least one application object group from an application object description document run on a data processor; creating (103) an authorization policy for each application object; sending (105) the user selected application object to the access controller 208 of the system 200 (shown in Figure 8); and establishing (107) access control parameters at a time of deployment of a software application for users attempting to access the selected application object group based on the authorization policy. In the step of generating (101), the application object description document comprises an XML format. The method further comprises specifying environmental variables for the authorization policy and changing the au¬ thorization policy by modifying a declarative specification of the environmental variables. Additionally, the method further comprises specifying the application object group using: any of a method and field parameter associated with the selected ap¬ plication object; a predetermined relationship among all application object groups; or predetermined grouping actions to parse the application object description document into the at least one application object group. Moreover, the method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.

[040] Another embodiment of the invention is illustrated in Figure 7(a), which illustrates a method of controlling access to a resource, data or code represented by software objects/application, wherein the method comprises grouping (111) application objects in the software application according to a grouping parameter comprising one or more of object method call results, object field values, and environmental variables; es¬ tablishing (113) a user profile for each class of user accessing the application objects; specifying (115) an authorization policy comprising access control parameters for each of the grouped application objects; and matching (117) the authorization policy with the user profile for a user attempting to access selected grouped application objects at a time of deployment of the software application, wherein in the step of grouping (111), the software application comprises a application object description document comprising the application objects, wherein the application object description document comprises an XML format.

[041] Furthermore, in the step of grouping (111), the grouping parameter comprises specifying the application objects using: any of a method and field parameter associated with the application objects; a predetermined relationship among all ap¬ plication objects in the software application; or predetermined grouping actions to parse the user selected software object into the at least one application object group. As shown in Figure 7(b), the method further comprises specifying (119) environmental variables for the authorization policy and changing (121) the authorization policy by modifying a declarative specification of the environmental variables. The method further comprises implementing varied classes of authorization policies using a same authorization policy classifier.

[042] According to the method of writing the authorization policies, the embodiments of the invention allow access to some security related and environmental variables such that policies can be dependent on these variables. This makes it possible to have policies such as "allow access to software application on weekdays to A whereas disallow on weekends."

[043] Figure 8 illustrates a system 200 for controlling access to a software application, wherein the system 200 comprises a application object description document 202 comprising at least one application object group 204; an authorization policy classifier 206 adapted to specify an authorization policy for each application object group 204; and an access controller 208 adapted to establish access control parameters at a time of deployment of a software application for users 210 attempting to access a selected ap¬ plication object group 204 based on the authorization policy at a time of deployment of the software application, wherein the application object description document 202 comprises an XML format, and wherein the authorization policy comprises envi¬ ronmental variables.

[044] The system further comprises a generator routine 212 adapted to change the au¬ thorization policy by modifying a declarative specification of the environmental variables. According to the system 200, the application object group 204 is specified using: any of a method and field parameter associated with the application object group 204; a predetermined relationship among all application object groups 204; or predetermined grouping actions to parse the application object description document 202 into the at least one application object group 204. Moreover, the authorization policy classifier 206 is adapted to implement varied classes of authorization policies.

[045] The embodiments of the invention provide a technique to parse the object constraint logic (written in an XML file) and generate object groups for authorization purposes. Conventionally, in JAAS, authorization polices are written at class (code) level. Conversely, according to the embodiments of the invention, the authorization policies are written with the granularity of object groups. Object groups are represented using the method/field of the object concerned. For example, suppose, there is a class called "contract", in JAAS, all contracts will have,.same authorization properties whereas, in generic authorization provided by the embodiments of the invention, a user may be allowed to update a contract with "Sun^®" (Sun^® is a registered trademark of Sun Mi¬ crosystems, Inc., Santa Clara, California, USA) but may not be allowed to update a contract for "Microsoft^®" (Microsoft^® is a registered trademark of Microsoft Corporation, Redmond, Washington, USA). In JAAS, authorization on an application object is not dependant on the characteristics of that application object. Hence, all of the application objects have the same authorization rules. To avoid this, custom au¬ thorization is typically performed in the conventional approaches. Conversely, the em¬ bodiments of the invention provide a technique that allows individuals to use JAAS to perform instance-level authorization (i.e., authorization which is dependant on the characteristics of the data object).

[046] The methods provided by the invention define relationships between authenticated principals. Conventionally, in JAAS, when a user is authenticated, the user is represented by an object of type "Subject". Each subject can have multiple principles associated with it. These principals represent the different identities that the person can have. Hence, a person can be uniquely identified by his Name (which is one principal) or his social security number (which is another principal). However, using the XML based representation provided by the embodiments of the invention, policies such as "If the user (authenticated principal) is the manager of the owner of the object here the object might be about a leave application), then he is allowed to invoke the approval method" may be defined. Again, this is advantageous because the embodiments of the invention provide a technique that allows individuals to use JAAS to perform instance- level authorization (i.e., authorization which is dependant on the characteristics of the data object).Further this is performed in a declarative manner, which is more flexible than programmatic authorization. Moreover, using this setup, dynamic relationships between subjects can be used for authorization purposes. In this example, the policy is defined in terms of the relationship (manager) between the authenticated principals.

[047] Next, the embodiments of the invention provide a method by which varied classes of authorization policies can be implemented using the same authorization policy provider. An authorization provider is configured in a Java. security file of java_home/jre/lib/security. For a Java^® Virtual Machine (JVM), it is configured by changing the property auth.policy.provider of the java.security file. Since the generic authorization covers a wide variety of authorization policies, even with the limitation that there can be only one authorization policy provider, a number of applications, each having its own authorization requirement, can be run on the same JVM. As the em¬ bodiments of the invention have a single XML authorization file, this file can have different authorization rules for different applications. Each authorization rule will be defined in terms of the application objects specific to that application. Moreover, the authorization infrastructure will use the single authorization file. Hence, varied classes of authorization policies can be implemented using the same authorization policy provider.

[048] The embodiments of the invention further provide a method to group actions at deployment time. Actions can be grouped to provide different authorization re¬ quirements for different groups of actions. At deployment time it can be decided that the same authorization will be used for, 'read' and 'search' actions, for example. This is accomplished as the authorization policy is stored in the authorization XML file. At deployment time, by simply changing the XML, the above-described grouping of actions can be accomplished.

[049] Next, the embodiments of the invention provide a method to fulfill authorization re¬ quirements without having to write any new code. A new authorization scenario can be obtained at deployment time by changing the declarative settings. This is accomplished as indicated above, simply by changing the XML. As such the embodiments of the invention provide a new policy, which does not require changes to the code. Since au¬ thorization requirements are expressed in XML rather than integrating them with the application, authorization settings can be changed by simply changing the XML (rather than code changes). In the XML based policy file provided by the embodiments of the invention, a user principal is permitted access to a certain Java^® object if it has certain characteristics represented using the returned value of certain "Java^® bean-like" methods such as getOwner, getManager, etc.

[050] The embodiments of the invention further include a method to represent varied au¬ thorization requirements in an XML format. The format includes specifying objects using some field or method calling on the Java object, specifying principals using re¬ lationships, and grouping actions. The embodiments of the invention also represent en¬ vironmental variables such as time, day, etc. in the XML format and define au¬ thorization policies on these variables. This is particularly advantageous because by including a number of methods to identify objects in the XML format, the em¬ bodiments of the invention produce a wide variety of options for authorization settings. These options include: field value and method return value for Java^® objects, principal and relationships among them, and environmental variables, among others. Thus, the embodiments of the invention can change the authorization policy at deployment time, which can make use of the JAAS standard. In other words, the advantages of JAAS are obtained by and instance-level authorization without making use of programmatic au¬ thorization.

[051] Moreover, the embodiments of the invention provide a generic permission class, which has a constructor that allows the passing of the object on which the authorization is to be checkeφand/or the object which is making the access request. Conventionally, in JAAS, a Permission object is required for checking the permission using an access controller. Conversely, according to the method provided by an embodiment of the invention, the Permission class is extended using GenericPermission so that object, on which the permission is asked, is a parameter of the Permission object passed to the access controller 208. Thus, the access controller 208 can decide on an authorization based on the object passed on to it. This aspect is used to provide authorization rules based on the characteristics of the particular instance of application object on which the authorization decision is to be made. As mentioned earlier, in JAAS, the au¬ thorization policy is independent of the instance of the application object and the policy is the same for all instances of the application object of the same category. Using the above technique of using a generic permission class that takes the object instance as a parameter, the embodiments of the invention can provide instance-level authorization.

[052] Next, the embodiments of the invention provide a generic policy file that allows the use of environmental variables, allows the representation of dynamic method calls using reflection, and allows the representation of expressions, predicated logic, etc. For example, the embodiments of the invention provide a format to write authorization re- quirements. The format includes specifying objects using some field or method call on the Java object, specifying principals using relationships, and grouping actions. The embodiments of the invention also represent environmental variables such as time, day, etc. in the XML format and define authorization policies on these variables.

[053] Additionally, the embodiments of the invention provide a Policy File imple¬ mentation that parses the generic policy file, understands the syntax of the Generic Policy File, and creates a GenericPermissionCollection out of the Generic Policy File based on the past user Object, user Principal/user Subject, and user code. This is ac¬ complished by using a new type of GenericPermission class, whereby a different type of policy file implementation is used. Accordingly, the embodiments of the invention understand the general format of the Generic Policy File, but do not necessarily understand the object constraint logic specified in the policy file. However, the imple¬ mentation creates a GenericPermission class using the policy file. As such, the Gener¬ icPermission class, as described earlier, understands the object constraint logic specified in the policy file.

[054] Thus, the embodiments of the invention use of a GenericPermission class that uses the policy file and understands the declarative specification of the policy language and is capable to get values of environmental variables, evaluate expressions and predicate logic, and uses Java reflection to obtain run-time parameter values. In other words, the embodiments of the invention understand the logic written in the generic XML _abased policy file.

[055] Furthermore, the embodiments of the invention provide a GenericPermission Collec tion class that stores a collection of the GenericPermission and calls the implied method of GenericPermission, which is capable of understanding the Generic Policy File. Generally, the embodiments of the invention define a generic collection of permissions that take the object as one of the parameters, which works in a JAAS en¬ vironment in accordance with JAAS specifications. Specifically, the embodiments of the invention provide a Java^® based policy, which provides access control or an au¬ thorization defined in an XML format. Environmental variables are specified declaratively in an XML format to define authorization parameters of an authorization policy for Java^®. The XML is application independent and the use of declarative variables permits the generic authorization by defining the Java^® parameters of class, method, and object in XML. Several different policies are described in XML and the policies are declared as environmental variables. To change authorization policies, a declaration of an environmental variable is modified. Moreover, each application can have a different policy and can be specified declaratively in an XML format when the user logs in with a particular username and password.

[056] A representative hardware environment for practicing the embodiments of the invention is depicted in Figure 9. This schematic drawing illustrates a hardware con¬ figuration of an information handling/computer system in accordance with the em¬ bodiments of the invention. The system comprises at least one processor or central processing unit (CPU) 10. The CPUs 10 are interconnected via system bus 12 to various devices such as a random access memory (RAM) 14, read-only memory (ROM) 16, and an input/output (I/O) adapter 18. The I/O adapter 18 can connect to peripheral devices, such as disk units 11 and tape drives 13, or other program storage devices that are readable by the system. The system can read the inventive instructions on the program storage devices and follow these instructions to execute the methodology of the embodiments of the invention. The system further includes a user interface adapter 19 that connects a keyboard 15, mouse 17, speaker 24, microphone 22, and/or other user interface devices such as a touch screen device (not shown) to the bus 12 to gather user input. Additionally, a communication adapter 20 connects the bus 12 to a data processing network 25, and a display adapter 21 connects the bus 12 to a display device 23 which may be embodied as an output device such as a monitor, printer, or transmitter, for example. The authorization technique provided by the embodiments of the invention provides a method to fulfill authorization requirements without writing any new code, wherein a new authorization scenario can be obtained at deployment time by changing the declarative settings. Additionally, the embodiments of the invention provide a technique to: represent varied authorization requirements in an XML format; parse and generate object groups for authorization purposes using object constraints logic; add environmental variables as authorization parameters; define relationships between au¬ thenticated principals; implement a varied class of authorization policies using the same authorization policy provider; and group actions at deployment time. The em¬ bodiments of the invention are useful for all Java applications in J2EE /non-J2EE environments. Moreover, the environments described herein applies to all the J2EE^® / non-J2EE^® applications.

Claims

Claims

[001] A method of establishing security and authorization policies for users accessing a resource, data, or code represented by any of software objects and applications, said method comprising: generating at least one application object group from an application object description document run on a data processor; creating an au¬ thorization policy for each said application object group; sending a selected ap¬ plication object group to an access controller; and establishing access control parameters at a time of deployment of a software application for users attempting to access said selected application object based on said authorization policy.

[002] 2. The method of claim 1, wherein in said generating, said application object de¬ scription document comprises an extensible Markup Language (XML) format.

[003] 3. The method of claim 1, further comprising specifying environmental variables for said authorization policy.

[004] 4. The method of claim 3, further comprising changing said authorization policy by modifying a declarative specification of said environmental variables and modifying constraints defined on attributes of an application object.

[005] 5. The method of claim 1, further comprising specifying said application object group using any of a method and field parameter associated with said application object group.

[006] 6. The method of claim 1, further comprising specifying said application object group using a predetermined relationship among all application object groups.

[007] 7. The method of claim 1, further comprising specifying said application object group using predetermined grouping actions to parse said application object de¬ scription document into said at least one application object group.

[008] 8. The method of claim 1, further comprising implementing varied classes of au¬ thorization policies using a same authorization policy classifier.

[009] 9. A method of controlling access to a software application, said method comprising: grouping application objects in said software application according to a grouping parameter; establishing a user profile for each class of user accessing said application objects; specifying an authorization policy comprising access control parameters for each of the grouped application objects; and matching said authorization policy with said user profile for a user attempting to access selected grouped application objects at a time of deployment of said software application.

[010] 10. The method of claim 9, wherein in said grouping, said software application comprises an application object description document comprising said ap¬ plication objects, wherein said application object description document comprises an extensible Markup Language (XML) format.

[011] 11. The method of claim 9, further comprising specifying environmental variables for said authorization policy.

[012] 12. The method of claim 11, further comprising changing said authorization policy by modifying a declarative specification of said environmental variables and modifying constraints defined on attributes of said application objects.

[013] 13. The method of claim 9, wherein in said grouping, said grouping parameter comprises specifying said application objects using any of a method and field parameter associated with said application objects.

[014] 14. The method of claim 9, wherein in said grouping, said grouping parameter comprises specifying said application objects using a predetermined relationship among all application objects in said software application.

[015] 15. The method of claim 9, wherein in said grouping, said grouping parameter comprises specifying said application objects using predetermined grouping actions to parse said software application into said at least one application object group.

[016] 16. The method of claim 9, further comprising implementing varied classes of authorization policies using a same authorization policy classifier.

[017] 17. A system for establishing security and authorization policies for users accessing a software application, said system comprising: means for generating at least one applicationobject group from an application object description document run on a data processor; means for specifying an authorization policy for each said application object group; means for sending a selected application object group to an access controller; and means for establishing access control parameters at a time of deployment of said software application for users attempting to access said selected application object group based on said au¬ thorization policy.

[018] 18. A system for controlling access to a software object, said system comprising: an application object description document comprising at least one application object group; an authorization policy classifier adapted to specify an au¬ thorization policy for each said application object group; and an access controller adapted to establish access control parameters for users attempting to access a selected application object group based on said authorization policy at a time of deployment of said software object.

[019] 19. The system of claim 18, wherein said application object description document comprises an extensible Markup Language (XML) format.

[020] 20. The system of claim 18, wherein said authorization policy comprises envi¬ ronmental variables. [021] 21. The system of claim 20, further comprising a generator routine adapted to change said authorization policy by modifying a declarative specification of said environmental variables and by modifying constraints defined on attributes of an application object.

[022] 22. The system of claim 18, wherein said application object group is specified using any of a method and field parameter associated with said application object group.

[023] 23. The system of claim 18, wherein said application object group is specified using a predetermined relationship among all application object groups.

[024] 24. The system of claim 18, wherein said application object group is specified using predetermined grouping actions to parse said application object description document into said at least one application object group.

[025] 25. The system of claim 18, wherein said authorization policy classifier is adapted to implement varied classes of authorization policies.

[026] 26. A program storage device readable by computer, tangibly embodying a program of instructions executable by said computer to perform a method of es¬ tablishing security and authorization policies for users accessing a software ap¬ plication, said method comprising: generating at least one application object group from an application object description document run on a data processor; specifying an authorization policy for each said application object group; sending ,,., a selected application object group to an access controller; and establishing access control parameters at a time of deployment of said software application for users attempting to access said selected application object group based on said authorization policy.

[027] 27. The program storage device of claim 26, wherein in said generating, said ap¬ plication object description document comprises an extensible Markup Language (XML) format.

[028] ^; 28. The program storage device of claim 26, wherein said method further comprises specifying environmental variables for said authorization policy.

[029] 29. The program storage device of claim 28, wherein said method further comprises changing said authorization policy by modifying a declarative spec¬ ification of said environmental variables and by modifying constraints defined on attributes of an application object.

[030] 30. The program storage device of claim 26, wherein said method further comprises specifying said application object group using any of a program storage device and field parameter associated with said application object group.

[031] 31. The program storage device of claim 26, wherein said method further comprises specifying said application object group using a predetermined re- lationship among all application object groups.

[032] 32. The program storage device of claim 26, wherein said method further comprises specifying said application object group using predetermined grouping actions to parse said application object description document into said at least one application object group.

[033] 33. The program storage device of claim 26, wherein said method further comprises implementing varied classes of authorization policies using a same au¬ thorization policy classifier.