公开(公告)号：US08635660B2

公开(公告)日：2014-01-21

申请号：US11296027

申请日：2005-12-06

Applicant: Raymond K. Ng ,  Ganesh Kirti ,  Thomas Keefe ,  Naresh Kumar

Inventor： Raymond K. Ng ,  Ganesh Kirti ,  Thomas Keefe ,  Naresh Kumar

IPC: H04L29/06 ,  G06F17/30 ,  H04L9/32 ,  G06F17/00 ,  G06F15/16

CPC classification number: G06F21/6227 ,  G06F2221/2105 ,  G06F2221/2149 ,  H04L63/168

Abstract: Systems, methods, and machine-readable media are disclosed for providing dynamic and/or conditional constraints on queries based on an external security policy. In one embodiment, a method is provided which comprises receiving from a user a request to access a resource. A condition clause can be read from a grant statement defined in the security policy. The grant statement can define permission for the user to access the requested resource. In some cases, the grant statement can comprise a Java Authentication and Authorization Service (JAAS) grant statement. A query associated with the requested access can be modified based on the permission granted to the user. The modified query can then be made to perform the requested access.

Abstract translation: 公开了系统，方法和机器可读介质，用于基于外部安全策略来提供关于查询的动态和/或条件约束。 在一个实施例中，提供了一种方法，其包括从用户接收访问资源的请求。 可以从安全策略中定义的授权语句读取条件子句。 授权语句可以定义用户访问所请求资源的权限。 在某些情况下，授权语句可以包含Java认证和授权服务（JAAS）授权语句。 可以基于授予用户的权限来修改与请求的访问相关联的查询。 然后可以使修改的查询执行请求的访问。

公开(公告)号：US07404203B2

公开(公告)日：2008-07-22

申请号：US10430967

申请日：2003-05-06

Applicant: Raymond K. Ng

Inventor： Raymond K. Ng

IPC: G06F11/30

CPC classification number: G06F21/10 ,  G06F21/6227

Abstract: A system and methods for applying capability-based authorization within a distributed computing environment. Instead of associating permissions or privileges with objects (e.g., computing resources), permissions are associated with subjects (e.g., users, roles). Compared to object-based methods of access control, such as Access Control Lists (ACL), management of capability-based authorizations scales much better as the number of objects becomes very large. A central repository allows changes to the authorization framework (e.g., new subjects, modified permissions) to be made once. The changes can then be propagated across, and applied to, multiple address spaces instead of having to individually or manually update each local node or address space.

Abstract translation: 在分布式计算环境中应用基于能力的授权的系统和方法。 而不是将权限或权限与对象（例如，计算资源）相关联，权限与主题（例如，用户，角色）相关联。 与基于对象的访问控制方法（如访问控制列表（ACL））相比，基于能力的授权的管理随着对象数量的增加而增加得更好。 中央存储库允许修改授权框架（例如，新主题，修改的权限）一次。 然后，可以在多个地址空间中传播和​​应用更改，而不必单独或手动更新每个本地节点或地址空间。

公开(公告)号：US08220033B2

公开(公告)日：2012-07-10

申请号：US11418051

申请日：2006-05-03

Applicant: Raymond K. Ng ,  Ganesh Kirti ,  Thomas Keefe ,  Naresh Kumar

Inventor： Raymond K. Ng ,  Ganesh Kirti ,  Thomas Keefe ,  Naresh Kumar

IPC: H04L29/06

CPC classification number: H04L63/062

Abstract: One embodiment of the present invention provides a system that facilitates accessing a credential. During operation, the system receives a request at a credentials-storage framework (CSF) to retrieve the credential. If a target credential store containing the credential is not already connected to the CSF, the system looks up a bootstrap credential for the target credential store in a bootstrap credential store, which contains bootstrap credentials for other credential stores. Next, the system uses this bootstrap credential to connect the CSF to the target credential store. Finally, the system retrieves the credential from the target credential store, and returns the credential to the requestor.

Abstract translation: 本发明的一个实施例提供一种便于访问证书的系统。 在操作期间，系统在凭证存储框架（CSF）处接收请求以检索凭证。 如果包含凭据的目标凭据存储库尚未连接到CSF，则系统将在引导凭证存储中查找目标凭据存储的引导凭据，其中包含其他凭据存储的引导凭据。 接下来，系统使用此引导凭据将CSF连接到目标凭据存储。 最后，系统从目标凭证存储中检索凭证，并将凭证返回给请求者。

公开(公告)号：US07461395B2

公开(公告)日：2008-12-02

申请号：US10430505

申请日：2003-05-06

Applicant: Raymond K. Ng

Inventor： Raymond K. Ng

IPC: G06F21/22 ,  G06F9/44

CPC classification number: G06F21/10 ,  G06F21/6227

Abstract: An authorization architecture for authorizing access to resource objects in an object-oriented programming environment. In one distributed environment, the permission model of JAAS (Java Authentication and Authorization Service) is replaced or enhanced with role-based access control. Thus, users and other subjects (e.g., pieces of code) are assigned membership in one or more roles, and appropriate permissions or privileges to access resource objects are granted to those roles. Permissions may also be granted directly to users. Roles may be designed to group users having similar functions, duties or similar requirements for accessing the resources. Roles may be arranged hierarchically, so that users explicitly assigned to one role may indirectly be assigned to one or more other roles (i.e., descendants of the first role). A realm or domain may be defined as a namespace, in which one or more role hierarchies are established.

Abstract translation: 授权架构，用于授权在面向对象的编程环境中访问资源对象。 在一个分布式环境中，JAAS（Java认证和授权服务）的权限模型被替换或增强了基于角色的访问控制。 因此，将用户和其他主题（例如，代码片段）分配给一个或多个角色的成员身份，并且向这些角色授予访问资源对象的适当权限或特权。 权限也可以直接授予用户。 角色可以被设计为对具有类似功能，职责或对访问资源的类似要求的用户进行分组。 角色可以被分层排列，使得明确分配给一个角色的用户可间接地分配给一个或多个其他角色（即，第一角色的后代）。 领域或域可以被定义为命名空间，其中建立一个或多个角色层次结构。

公开(公告)号：US07721322B2

公开(公告)日：2010-05-18

申请号：US11387644

申请日：2006-03-22

Applicant: Hari V. N. Sastry ,  Ramana Rao Turlapati ,  Saurabh Shrivastava ,  Stephen Man Lee ,  Raymond K. Ng

Inventor： Hari V. N. Sastry ,  Ramana Rao Turlapati ,  Saurabh Shrivastava ,  Stephen Man Lee ,  Raymond K. Ng

IPC: H04L29/00

CPC classification number: H04L63/105 ,  G06F21/33

Abstract: Embodiments of the invention provide a trust framework for governing service-to-service interactions. This trust framework can provide enhanced security and/or manageability over prior systems. Merely by way of example, in some cases, an information store can be used to store information security information (such as trust information, credentials, etc.) for a variety of services across an enterprise. In other cases, the trust framework can provide authentication policies to define and/or control authentication between services (such as, for example, types of authentication credentials and/or protocols are required to access a particular service—either as a user and/or as another service—and/or types of authentication credentials and/or protocols a service may be enabled to use to access another service). Alternatively and/or additionally, the trust framework can provide authorization policies to define and/or control authorization between services.

Abstract translation: 本发明的实施例提供了一种用于管理服务到服务交互的信任框架。 该信任框架可以提供比现有系统更强的安全性和/或可管理性。 仅仅作为示例，在某些情况下，可以使用信息存储来存储跨企业的各种服务的信息安全信息（例如信任信息，凭证等）。 在其他情况下，信任框架可以提供认证策略来定义和/或控制服务之间的认证（例如，需要认证证书和/或协议的类型来访问特定服务，或者作为用户和/或 作为服务可以被允许用于访问另一服务的另一服务和/或类型的认证凭证和/或协议）。 或者和/或另外，信任框架可以提供授权策略来定义和/或控制服务之间的授权。

公开(公告)号：US07945960B2

公开(公告)日：2011-05-17

申请号：US11296086

申请日：2005-12-06

Applicant: Raymond K. Ng ,  Ganesh Kirti ,  Thomas Keefe ,  Naresh Kumar

Inventor： Raymond K. Ng ,  Ganesh Kirti ,  Thomas Keefe ,  Naresh Kumar

IPC: H04L9/32

CPC classification number: H04L63/08

Abstract: Systems, methods, and machine-readable media are disclosed for providing conditional grants of permission in an externally configured security policy. In one embodiment, a method is provided which comprises reading a condition clause from a grant statement defined in the security policy. The grant statement can cause the granting of permission for a user to access a requested resource. One or more constraints on the grant statement can be determined based on the condition clause. Permission can be granted to access the requested resource based on the one or more constraints.

Abstract translation: 公开了用于在外部配置的安全策略中提供有限许可的系统，方法和机器可读介质。 在一个实施例中，提供了一种方法，其包括从安全策略中定义的授权语句读取条件子句。 授权语句可能导致授予用户访问所请求资源的权限。 授权语句的一个或多个约束可以基于条件子句来确定。 可以授予权限以基于一个或多个约束来访问所请求的资源。

公开(公告)号：US07788489B2

公开(公告)日：2010-08-31

申请号：US10430737

申请日：2003-05-06

Applicant: Raymond K. Ng

Inventor： Raymond K. Ng

IPC: H04L29/06 ,  G06F7/04

CPC classification number: G06F21/6227

Abstract: A system and method for using meta-permissions to manage or administer object permissions within an object-oriented computing environment. A permission allowing a subject (e.g., a user or role) to access an object within the environment, such as a Java FilePermission or SocketPermission, is considered an object permission. An AdminPermission is defined and created to administer an object permission. Each AdminPermission instance refers to one or more object permissions, and specifies the actions that the AdminPermission allows to be performed on the object permissions (e.g., grant, revoke, modify).

Abstract translation: 一种使用元权限管理或管理面向对象计算环境中的对象权限的系统和方法。 允许主体（例如，用户或角色）访问环境中的对象（例如Java FilePermission或SocketPermission）的权限被认为是对象许可。 定义并创建AdminPermission以管理对象权限。 每个AdminPermission实例引用一个或多个对象权限，并指定AdminPermission允许对对象权限执行的操作（例如，授权，撤销，修改）。