Federated identity brokering
    1.
    Invention application

    Publication number: US20060021010A1

    Publication date: 2006-01-26

    Application number: US10878855

    Filing date: 2004-06-28

    IPC classification: H04L9/32

    CPC classification: H04L63/0823 H04L29/06

    Abstract: A method, system and apparatus for federated identity brokering. In accordance with the present invention, a credential processing gateway can be disposed between one or more logical services and one or more service requesting clients in a computer communications network. Acting as a proxy and a trusted authority to the logical services, the credential processing gateway can map the credentials of the service requesting clients to the certification requirements of the logical services. In this way, the credential processing gateway can act as a federated identity broker in providing identity certification services for a multitude of different service requesting clients without requiring the logical services to include a pre-configuration for specifically processing the credentials of particular service requesting clients.

    Federated identity management within a distributed portal server
    2.
    Invention application
    Status: Lapsed

    Publication number: US20050114701A1

    Publication date: 2005-05-26

    Application number: US10719490

    Filing date: 2003-11-21

    IPC classification: H04L9/32 H04L29/06 H04L9/00

    Abstract: Techniques are disclosed for federating identity management within a distributed portal server, leveraging Web services techniques and a number of industry standards. Identities are managed across autonomous security domains which may be comprised of independent trust models, authentication services, and user enrollment services. The disclosed techniques enable integrating third-party Web services-based portlets, which rely on various potentially-different security mechanisms, within a common portal page.


    Context-sensitive confidentiality within federated environments
    3.
    Invention application
    Status: Lapsed

    Publication number: US20050223412A1

    Publication date: 2005-10-06

    Application number: US10814090

    Filing date: 2004-03-31

    Abstract: Techniques are disclosed for achieving context-sensitive confidentiality within a federated environment for which content is aggregated in a distributed Web portal (or similar aggregation framework), ensuring that message portions that should be confidential are confidential to all entities in the federated environment except those entities to which the message portions may properly be divulged. The federation may comprise an arbitrary number of autonomous security domains, and these security domains may have independent trust models and authentication services. Using the disclosed techniques, messages can be routed securely within a cross-domain federation (irrespective of routing paths), thereby ensuring that confidential information is not exposed to unintended third parties and that critical information is not tampered with while in transit between security domains. Preferred embodiments leverage Web services techniques and a number of industry standards.


    Method and system for message routing based on privacy policies
    4.
    Invention application
    Status: In force

    Publication number: US20080022409A1

    Publication date: 2008-01-24

    Application number: US11867291

    Filing date: 2007-10-04

    IPC classification: G06F7/04

    Abstract: A method, system, apparatus, or computer program product is presented for routing event messages between data processing systems based on privacy policies associated with the data processing systems and based on event policies associated with event types for the event messages. When a system attempts to publish an event message for a particular type of event or to subscribe to those event messages, an event policy is checked to determine whether the system may publish messages for that type of event or may subscribe to those messages. Moreover, if a publishing system publishes an event message that contains personally identifiable information for a user of a data processing system, and a subscribing system has subscribed to event messages having the same event type, then the privacy policies associated with the systems are compared to determine compatibility or incompatibility between the privacy policies before routing a message between the systems.


    Method and apparatus for adopting authorizations
    5.
    Invention application
    Status: Lapsed

    Publication number: US20050039158A1

    Publication date: 2005-02-17

    Application number: US10639862

    Filing date: 2003-08-13

    IPC classification: G06F9/44

    CPC classification: G06F21/53

    Abstract: A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to "adopt" a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission. Thus, the AdoptPermission Permission type provides an intermediate mechanism that is not as over-inclusive as the AllPermission Permission type and is not as under-inclusive as requiring that all methods in the thread stack include the required Permission expressly granted to them.


    METHOD AND APPARATUS FOR ADOPTING AUTHORIZATIONS
    6.
    Invention application
    Status: Lapsed

    Publication number: US20080104698A1

    Publication date: 2008-05-01

    Application number: US11968673

    Filing date: 2008-01-03

    IPC classification: G06F21/00

    CPC classification: G06F21/53

    Abstract: A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to "adopt" a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission. Thus, the AdoptPermission Permission type provides an intermediate mechanism that is not as over-inclusive as the AllPermission Permission type and is not as under-inclusive as requiring that all methods in the thread stack include the required Permission expressly granted to them.


    Method and system for native authentication protocols in a heterogeneous federated environment
    7.
    Invention application
    Status: Lapsed

    Publication number: US20070234417A1

    Publication date: 2007-10-04

    Application number: US11761818

    Filing date: 2007-06-12

    IPC classification: H04L9/32

    Abstract: A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions.


    Role-based access control management for multiple heterogeneous application components
    9.
    Invention application
    Status: Lapsed

    Publication number: US20070056026A1

    Publication date: 2007-03-08

    Application number: US11221630

    Filing date: 2005-09-08

    IPC classification: H04L9/32

    CPC classification: G06F21/6236

    Abstract: Embodiments of the present invention address deficiencies of the art in respect to access control and provide a method, system and computer program product for access control management for a collection of heterogeneous application components. In a first embodiment, a data processing system for role-based access control management for multiple heterogeneous application components can include at least one business role descriptor associating a business role with multiple, different application roles for corresponding, disparate application components. The system also can include at least one access policy associating a user with the business role. Finally, the system can include policy deployment logic including program code enabled to process the access policy to assign the user to the different application roles in the disparate application components.


    Secure data communications in web services
    10.
    Invention application
    Status: Pending (published)

    Publication number: US20060294383A1

    Publication date: 2006-12-28

    Application number: US11168716

    Filing date: 2005-06-28

    IPC classification: H04L9/00

    Abstract: Methods, systems, and products are disclosed in which secure data communications in web services are provided generally by receiving in a web service from a client a request containing an element bearing a first signature, the signature having a value; signing the value of the first signature, thereby creating a second signature; and sending a response from the web service to the client, the response including the second signature. The requester may verify that the response includes the second signature. The request may be encrypted, and the response may be encrypted. The first signature may be encrypted, and the web service may encrypt the value of the first signature and include the encrypted value of the first signature in the response. The web service may receive a request encoded in SOAP and may send a response also encoded in SOAP.
