1. Method and Apparatus for Processing Extensible Markup Language Security Messages Using Delta Parsing Technology
    Type: Invention application; status: under examination, published

    Publication number: US20080235258A1

    Publication date: 2008-09-25

    Application number: US11690434

    Filing date: 2007-03-23

    IPC classification: G06F17/00

    Abstract: A computer-implemented method, apparatus, and computer program product for processing markup language security messages. A template corresponding to a markup language security message is identified. The markup language security message is parsed for variable values using the template. A transition sequence is generated that represents the entire markup language security message. Each transition in the transition sequence is associated with a portion of the markup language security message. A lightweight data model of the markup language security message is populated using the transition sequence. The lightweight data model includes nodes for the variable values and a set of selected constant values.


2. Processing Extensible Markup Language Security Messages Using Delta Parsing Technology
    Type: Invention application; status: under examination, published

    Publication number: US20120210396A1

    Publication date: 2012-08-16

    Application number: US13456097

    Filing date: 2012-04-25

    IPC classification: G06F21/00

    Abstract: Markup language security messages are processed. A template corresponding to a markup language security message is identified. The markup language security message is parsed for variable values using the template. A transition sequence is generated that represents the entire markup language security message. Each transition in the transition sequence is associated with a portion of the markup language security message. A lightweight data model of the markup language security message is populated using the transition sequence. The lightweight data model includes nodes for the variable values and a set of selected constant values.


3. Optimization of signing SOAP body element
    Type: Granted invention patent; status: lapsed

    Publication number: US08375211B2

    Publication date: 2013-02-12

    Application number: US12427095

    Filing date: 2009-04-21

    IPC classification: H04L29/06

    Abstract: An XML digital signature mechanism for providing message integrity. A sending party serializes a source XML document into a serialized byte array, calculates the source offset and length of the signed part within the serialized byte array, and calculates a source hash value using the serialized array and the source offset and length. The serialized byte array is a non-canonicalized array. The array and the source hash value used to sign a part or the whole of the serialized byte array are sent to a receiving party. The receiving party calculates the target offset and length of the signed part in the serialized byte array and calculates a target hash value of the signed part using the array and the target offset and length. The receiving party compares the target hash value with the source hash value to verify the integrity of the target XML document.


4. Optimization of Signing SOAP Body Element
    Type: Invention application; status: lapsed

    Publication number: US20100268952A1

    Publication date: 2010-10-21

    Application number: US12427095

    Filing date: 2009-04-21

    IPC classification: H04L9/32 H04L9/28

    Abstract: An XML digital signature mechanism for providing message integrity. A sending party serializes a source XML document into a serialized byte array, calculates the source offset and length of the signed part within the serialized byte array, and calculates a source hash value using the serialized array and the source offset and length. The serialized byte array is a non-canonicalized array. The array and the source hash value used to sign a part or the whole of the serialized byte array are sent to a receiving party. The receiving party calculates the target offset and length of the signed part in the serialized byte array and calculates a target hash value of the signed part using the array and the target offset and length. The receiving party compares the target hash value with the source hash value to verify the integrity of the target XML document.


5. Method and apparatus for preventing rogue implementations of a security-sensitive class interface
    Type: Granted invention patent; status: lapsed

    Publication number: US07337318B2

    Publication date: 2008-02-26

    Application number: US10376113

    Filing date: 2003-02-27

    IPC classification: H04L9/00

    CPC classification: G06F21/64

    Abstract: A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Any time the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it with the decrypted UID from the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than by a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result is returned by the verification class.


6. Application Server Object-level Security for Distributed Computing Domains
    Type: Invention application; status: in force

    Publication number: US20080222697A1

    Publication date: 2008-09-11

    Application number: US12123693

    Filing date: 2008-05-20

    IPC classification: G06F21/00

    CPC classification: G06F21/31

    Abstract: Objects on application servers may be defined into classes which receive different levels of security protection, such as a definition of user objects and administrative objects. Domain-wide security may be enforced on administrative objects, while user object security may be configured separately for each application server in a domain. In a CORBA architecture, IORs for shared objects which are to be secured on a domain-wide basis, such as administrative objects, are provided with tagged components during IOR creation and export to a name server. Later, when the IOR is used by a client, the client invokes the necessary security measures, such as authentication, authorization and transport protection, according to the tagged components.


7. Credential delegation using identity assertion
    Type: Granted invention patent; status: lapsed

    Publication number: US07765585B2

    Publication date: 2010-07-27

    Application number: US12105257

    Filing date: 2008-04-17

    CPC classification: H04L63/0807 H04L63/205

    Abstract: Run-as credential delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier, without the corresponding password, in a client credential storage area. The server determines whether a run-as command is specified for communicating with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to the downstream server.


8. Dynamic cache lookup based on dynamic data
    Type: Granted invention patent; status: lapsed

    Publication number: US07752452B2

    Publication date: 2010-07-06

    Application number: US12364207

    Filing date: 2009-02-02

    IPC classification: H04L9/00 H04L9/32

    Abstract: A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user include not just the user's unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user was authenticated (i.e., intranet user vs. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given a different authorization if the user has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third-party security provider code. This invention stores the user credentials in a distributed cache and provides a system and method to compute a unique key, based on the dynamic security credentials, for cache lookup.


9. Preventing rogue implementations of a security-sensitive class interface
    Type: Granted invention patent; status: lapsed

    Publication number: US07734918B2

    Publication date: 2010-06-08

    Application number: US12015615

    Filing date: 2008-01-17

    IPC classification: H04L9/00

    CPC classification: G06F21/64

    Abstract: A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Any time the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it with the decrypted UID from the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than by a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result is returned by the verification class.


10. Fine-grained role-based access to system resources
    Type: Granted invention patent; status: lapsed

    Publication number: US06950825B2

    Publication date: 2005-09-27

    Application number: US10159482

    Filing date: 2002-05-30

    Abstract: A security policy process which provides role-based permissions for hierarchically organized system resources such as domains, clusters, application servers, and resources, as well as for topic structures of messaging services. Groups of permissions are assigned to roles, and each user is assigned a role and a level of access within the hierarchy of system resources or topics. Forward or reverse inheritance is applied to each user level-role assignment, such that each user is allowed all permissions for the ancestors of the assigned level or for the descendants of the assigned level. This simplifies security policy definition and the maintenance of user permissions, as each user's permission list need only be configured and managed at one hierarchical level with one role.
