1. Policy processing model
    Invention application; status: in force (granted)

    Publication number: US20060041636A1

    Publication date: 2006-02-23

    Application number: US10892007

    Filing date: 2004-07-14

    IPC classification: G06F15/16

    Abstract: Example embodiments provide for processing policies that include policy assertions associated with incoming or outgoing messages of an application in a distributed system, without having to have code within the application for executing the policy assertions. When a message is received by a Web service engine, a policy document associated with an application may be accessed for identifying objects corresponding to policy assertions within the policy document. The objects identified can then be used to generate assertion handlers, which are software entities that include executable code configured to determine if messages can satisfy requirements described by the policy assertions.

2. Custom routing of object requests
    Invention application; status: pending (published)

    Publication number: US20050053050A1

    Publication date: 2005-03-10

    Application number: US10645279

    Filing date: 2003-08-20

    IPC classification: H04L12/56 G06F15/173

    CPC classification: H04L45/00 H04L45/34

    Abstract: A sending computer system relays a message or a processing request through one or more configurable routers prior to the message or request reaching an ultimate destination. A client at the sending computer system can indicate a routing preference for the message or request, and a module can supplement or override the routing preference by adding or deleting a router from a router list contained within the message or request. This change can be done based on router data, as well as based on content within the message. One or more intermediate routers along the routing path can perform a similar function as the module. The ultimate destination, or receiving computer system, verifies that it is the appropriate recipient of the message or request, and then accepts the data associated with the message or request. This has application to many types of messaging systems, including simple object access protocols.

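The routing scheme in entry 2 (a router list carried in the message, a module that adds or deletes routers, intermediate routers repeating that step, and a recipient check at the end) as an added example. This is illustrative code written for this page, not the patent's implementation: the endpoint names, the router table, the "large amount" content rule and the message layout are all constructed.

```python
"""Added example, not code from the patent above: a toy message-routing
simulation in which the client states a routing preference (a router list
carried in the message), a module at the sender and at each intermediate
router can add or delete routers based on router data and message content,
and the final recipient verifies that it is the addressed destination.
Endpoint names, the router table and the content rule are constructed."""
import copy
from typing import Dict, List, Tuple

# Constructed router data: which routers are currently reachable.
ROUTER_TABLE: Dict[str, str] = {"urn:gw": "up", "urn:audit": "down", "urn:fraud-check": "up"}
LARGE_AMOUNT = 10_000   # content rule threshold (hypothetical)
MAX_HOPS = 16           # guard against a router list that never empties


def adjust_path(msg: dict, router_table: Dict[str, str]) -> dict:
    """The 'module': supplement or override the client's router list."""
    msg.setdefault("via", [])                      # routers already traversed
    # delete routers that router data says are unreachable
    path = [r for r in msg["path"] if router_table.get(r) == "up"]
    # supplement based on message content: large payments go through fraud check
    if (msg["body"].get("amount", 0) >= LARGE_AMOUNT
            and "urn:fraud-check" not in path and "urn:fraud-check" not in msg["via"]):
        path.append("urn:fraud-check")
    msg["path"] = path
    return msg


def next_hop(msg: dict) -> str:
    return msg["path"][0] if msg["path"] else msg["to"]


def accept_at(node: str, msg: dict) -> bool:
    """Final recipient check: accept only if this node is the ultimate
    destination and no routers remain in the list."""
    return msg["to"] == node and not msg["path"]


class Network:
    def __init__(self, routers: List[str], destinations: List[str]) -> None:
        self.routers = set(routers)
        self.destinations = set(destinations)

    def send(self, msg: dict, router_table: Dict[str, str] = ROUTER_TABLE) -> Tuple[bool, List[str]]:
        """Relay msg hop by hop; returns (accepted, hops visited)."""
        msg = copy.deepcopy(msg)
        hops: List[str] = []
        adjust_path(msg, router_table)             # sender-side module
        for _ in range(MAX_HOPS):
            node = next_hop(msg)
            hops.append(node)
            if node in self.destinations:
                return accept_at(node, msg), hops
            if node not in self.routers or not msg["path"]:
                return False, hops                 # undeliverable
            msg["via"].append(msg["path"].pop(0))  # this router has been traversed
            adjust_path(msg, router_table)         # intermediate router applies the module too
        return False, hops


if __name__ == "__main__":
    net = Network(["urn:gw", "urn:audit", "urn:fraud-check"], ["urn:inventory", "urn:billing"])
    print(net.send({"to": "urn:billing", "path": ["urn:gw"], "body": {"amount": 25_000}}))
```

The `via` list is what keeps a content rule from re-inserting a router the message has already passed through; without it the fraud-check router would append itself again after each traversal. `accept_at` is the recipient-side check from the abstract: a node that is not the `to` address, or that still sees routers in the list, does not accept the data.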
3. Custom security tokens
    Invention application; status: in force (granted)

    Publication number: US20050044398A1

    Publication date: 2005-02-24

    Application number: US10645375

    Filing date: 2003-08-20

    Abstract: A sending computer system generates a message and creates one or more security tokens to encrypt portions of the message. The computer system includes in the message a markup language identifier for the one or more security tokens used for encryption, and includes identification of the value type used to create the tokens. The computer system then serializes at least the portion of the message that identifies the one or more security tokens, without serializing other portions of the message that aid relaying of the message to a receiving computer system. A receiving computer system deserializes at least the portion of the message that identifies the one or more security tokens, and then uses deserialized token data to decrypt encrypted portions of the message. Each created security token can be made with customized data and fields, and can be made with a customized value type.

4. Visual summary of a web service policy document
    Invention application; status: in force (granted)

    Publication number: US20060075466A1

    Publication date: 2006-04-06

    Application number: US11055435

    Filing date: 2005-02-10

    IPC classification: H04L9/00 G06F17/00 H04K1/00

    Abstract: Example embodiments provide for a rule-based wizard type tool for generating secure policy documents. Wizard pages present a user with general Web Service security options or questions at a user interface, which abstracts the user from any specific code, e.g., XML code, used for creating a Web Service policy document. Based on user input selecting general criteria, security rules are accessed and evaluated for automatically making choices on behalf of the user for creating a secure policy document. Other embodiments also provide for presenting the user with an easily understandable visual representation of selected criteria of a policy document in, e.g., a tree like structure that shows relationships between various elements of the criteria.

5. Role-based authorization of network services using diversified security tokens
    Invention application; status: in force (granted)

    Publication number: US20060015933A1

    Publication date: 2006-01-19

    Application number: US10891884

    Filing date: 2004-07-14

    IPC classification: H04L9/32

    Abstract: A mechanism for performing role-based authorization of the one or more services using security tokens associated with received service request messages. This role-based authentication is performed regardless of the type of security token associated with the received service request messages. Upon receiving a service request message over the network for a particular service offered by the service providing computing system, the service providing computing system accesses a security token associated with the received service request message. Then, the computing system identifies one or more roles that include the identity associated with the security token, and correlates the roles with the security token. These correlated roles are then used to authorize the requested service. This mechanism is performed regardless of the type of the security token.

6. Extendible security token management architecture and secure message handling methods
    Invention application; status: in force (granted)

    Publication number: US20060015932A1

    Publication date: 2006-01-19

    Application number: US10891926

    Filing date: 2004-07-14

    IPC classification: H04L9/32

    Abstract: A message handling computing system that provides security across even transport-independent communication mechanisms, and which allows for convenient extension of security to different security token types, and may provide end-to-end security across different transport protocols. The message handling computing system includes a message handling component configured to send and receive network messages having security tokens. The message handling component interfaces with an expandable and contractible set of security token managers through a standardized application program interface. Each security manager is capable of providing security services for messages that correspond to security tokens of a particular type. A security token plug-in component registers new security token managers with the message handling component.

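Entries 5 and 6 describe two halves of one design: a message handler with a pluggable, per-type set of security token managers (entry 6), and a role check that runs the same way whatever token type produced the identity (entry 5). The following is an added example written for this page, not code from either patent: the three token types, the credential store, the roles and the service-to-role table are all constructed, and the managers and the `MessageHandler` API are illustrative stand-ins for the "standardized application program interface" the abstract mentions.

```python
"""Added example, not code from the patents above: a message handler that
delegates token validation to per-type token managers registered through one
interface, then authorizes the requested service by role. Token formats, keys,
users and roles are all constructed for the demo."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# --- constructed credential and role data (hypothetical) -------------------
PBKDF2_SALT = b"demo-salt"
USERS = {  # username -> PBKDF2-SHA256 of the password
    "alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", PBKDF2_SALT, 50_000),
}
API_KEYS = {"k-7f3a": "deploy-bot"}          # key -> identity
HMAC_SECRET = b"shared-secret-for-demo"      # for the custom HmacToken type
ROLES = {"admin": {"alice"}, "deployer": {"deploy-bot", "alice"}}
SERVICE_ROLES = {"RestartService": {"admin"}, "DeployService": {"deployer"}}


@dataclass
class Message:
    service: str                 # service the request is for
    token_type: str              # selects which manager handles the token
    token: Dict[str, str]        # the token's fields, as received


# A token manager maps a token of its type to an identity, or None if invalid.
TokenManager = Callable[[Dict[str, str]], Optional[str]]


class MessageHandler:
    """Holds an expandable/contractible set of token managers keyed by type."""

    def __init__(self) -> None:
        self._managers: Dict[str, TokenManager] = {}

    def register(self, token_type: str, manager: TokenManager) -> None:
        self._managers[token_type] = manager

    def unregister(self, token_type: str) -> None:
        self._managers.pop(token_type, None)

    def identity_of(self, msg: Message) -> Optional[str]:
        manager = self._managers.get(msg.token_type)
        if manager is None:
            return None          # unknown token type: fail closed, no identity
        return manager(msg.token)

    def roles_of(self, identity: str) -> Set[str]:
        return {role for role, members in ROLES.items() if identity in members}

    def authorize(self, msg: Message) -> bool:
        """The role check is identical for every token type; only identity
        extraction differs, and that lives in the manager."""
        identity = self.identity_of(msg)
        if identity is None:
            return False
        return bool(self.roles_of(identity) & SERVICE_ROLES.get(msg.service, set()))


# --- three token managers for three token types ----------------------------
def username_manager(tok: Dict[str, str]) -> Optional[str]:
    stored = USERS.get(tok.get("username", ""))
    if stored is None:
        return None
    derived = hashlib.pbkdf2_hmac("sha256", tok.get("password", "").encode(), PBKDF2_SALT, 50_000)
    return tok["username"] if hmac.compare_digest(stored, derived) else None


def api_key_manager(tok: Dict[str, str]) -> Optional[str]:
    return API_KEYS.get(tok.get("key", ""))


def hmac_manager(tok: Dict[str, str]) -> Optional[str]:
    subject = tok.get("subject", "")
    expected = hmac.new(HMAC_SECRET, subject.encode(), hashlib.sha256).hexdigest()
    return subject if hmac.compare_digest(expected, tok.get("mac", "")) else None


def make_hmac_token(subject: str) -> Dict[str, str]:
    return {"subject": subject,
            "mac": hmac.new(HMAC_SECRET, subject.encode(), hashlib.sha256).hexdigest()}


def build_handler() -> MessageHandler:
    handler = MessageHandler()
    handler.register("UsernameToken", username_manager)
    handler.register("ApiKeyToken", api_key_manager)
    handler.register("HmacToken", hmac_manager)   # plug-in: a custom token type
    return handler


if __name__ == "__main__":
    h = build_handler()
    print(h.authorize(Message("DeployService", "ApiKeyToken", {"key": "k-7f3a"})))
```

Two behaviours worth checking in any real implementation of this pattern: a message whose token type has no registered manager yields no identity and is refused rather than passed through, and unregistering a manager immediately revokes the ability of that token type to authorize anything, since authorization never caches identities.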
7. Rule-driven specification of Web Service policy
    Invention application; status: in force (granted)

    Publication number: US20060075465A1

    Publication date: 2006-04-06

    Application number: US10959886

    Filing date: 2004-10-05

    IPC classification: H04L9/00

    Abstract: Example embodiments provide for a rule-based wizard type tool for generating secure policy documents. Wizard pages present a user with general Web Service security options or questions at a user interface, which abstracts the user from any specific code, e.g., XML code, used for creating a Web Service policy document. Based on user input selecting general criteria, security rules are accessed and evaluated for automatically making choices on behalf of the user for creating a secure policy document. Other embodiments also provide for presenting the user with an easily understandable visual representation of selected criteria of a policy document in, e.g., a tree like structure that shows relationships between various elements of the criteria.

8. Establishment of security context

    Publication number: US20060015728A1

    Publication date: 2006-01-19

    Application number: US10892046

    Filing date: 2004-07-14

    IPC classification: H04L9/00 G06F17/00 H04K1/00

    Abstract: The present invention provides for maintaining security context during a communication session between applications, without having to have executable code in either application for obtaining or generating a security context token (SCT) used to secure the communication. On a service side, a configuration file is provided that can be configured to indicate that automatic issuance of a SCT is enabled, thereby allowing a Web service engine to generate the SCT upon request. On the client side, when a message is sent from the client application to the service application, a policy engine accesses a policy that includes assertions indicating that a SCT is required for messages destined for the Web service application. As such, the policy engine requests and receives the SCT, which it uses to secure the message.

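The exchange described in the entry above (Establishment of security context), as an added example that is not the patent's code: a client-side policy engine that sees a "require SCT" assertion for the destination, requests a security context token from the service, caches it, and uses it to sign later messages; and a service-side engine whose configuration switch decides whether it issues SCTs at all. The policy format, the envelope fields, the HMAC signing and the names are constructed. One simplification is labelled in the code: the shared secret is returned directly by `request_sct`, standing in for the protected key exchange a real issuance would use.

```python
"""Added example, not code from the patent above: a client-side policy engine
that, on seeing an assertion requiring a security context token (SCT),
obtains one from the service and uses it to sign the message, and a
service-side engine that issues SCTs only when its configuration enables
automatic issuance. Names, the policy format and the signing scheme are
constructed; the SCT secret is handed back directly, which stands in for a
protected key exchange."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class ServiceConfig:
    auto_issue_sct: bool = False   # the configuration switch for automatic SCT issuance


class WebServiceEngine:
    """Service side: issues SCTs (if enabled) and verifies messages against them."""

    def __init__(self, config: ServiceConfig) -> None:
        self.config = config
        self.contexts: Dict[str, bytes] = {}   # SCT id -> shared secret
        self.issued = 0

    def request_sct(self, client_id: str) -> Optional[Tuple[str, bytes]]:
        if not self.config.auto_issue_sct:
            return None                         # issuance disabled: caller must fail closed
        sct_id = f"urn:sct:{secrets.token_hex(8)}"
        key = secrets.token_bytes(32)
        self.contexts[sct_id] = key
        self.issued += 1
        return sct_id, key                      # simplification: secret returned in the clear

    def handle(self, envelope: dict) -> bool:
        key = self.contexts.get(envelope.get("sct_id", ""))
        if key is None:
            return False                        # unknown or absent context
        expected = hmac.new(key, envelope["body"].encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, envelope.get("signature", ""))


class ClientPolicyEngine:
    """Client side: consults policy per destination; the application itself
    never sees or handles the SCT."""

    def __init__(self, policy: Dict[str, dict], services: Dict[str, WebServiceEngine]) -> None:
        self.policy = policy        # service -> assertions, e.g. {"require_sct": True}
        self.services = services    # stands in for the network
        self.contexts: Dict[str, Tuple[str, bytes]] = {}   # cached SCT per service

    def send(self, service: str, body: str) -> Tuple[bool, dict]:
        envelope = {"to": service, "body": body}
        if self.policy.get(service, {}).get("require_sct"):
            ctx = self.contexts.get(service)
            if ctx is None:                     # first message: establish the context
                ctx = self.services[service].request_sct("client-1")
                if ctx is None:
                    raise RuntimeError("policy requires an SCT but the service does not issue one")
                self.contexts[service] = ctx
            sct_id, key = ctx
            envelope["sct_id"] = sct_id
            envelope["signature"] = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        return self.services[service].handle(envelope), envelope


if __name__ == "__main__":
    svc = WebServiceEngine(ServiceConfig(auto_issue_sct=True))
    client = ClientPolicyEngine({"urn:orders": {"require_sct": True}}, {"urn:orders": svc})
    print(client.send("urn:orders", "<order id='1'/>")[0])
```

The point to verify when reviewing such a design is the behaviour at both ends when the context is missing: the service refuses any envelope whose `sct_id` it has not issued, and the client refuses to send at all when policy demands an SCT but the service's configuration does not allow issuance, rather than falling back to an unprotected message.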
9. Mapping policies to messages
    Invention application; status: in force (granted)

    Publication number: US20060015625A1

    Publication date: 2006-01-19

    Application number: US10891946

    Filing date: 2004-07-14

    IPC classification: G06F15/16

    CPC classification: H04L67/322 H04L67/02

    Abstract: Within a distributed system, e.g., Web service environment, the present invention provides a way for identifying policies mapped to messages associated with an application, without having to have code within the application for determining what policies should apply to the messages. A centralized Web service engine is provided that receives incoming and outgoing messages associated with an application. The messages have associated with them destination endpoint identifiers and request-reply properties, which the Web service engine can access. The Web service engine can then use at least the identifiers and properties for scanning policy message files corresponding to the applications in order to identify what policies, if any, should be applied to the messages.
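Entries 1 and 9 together describe one pipeline: the engine maps a message to a policy using its destination endpoint identifier and its request/reply properties (entry 9), then turns each assertion in that policy into an assertion handler, an object whose code decides whether the message satisfies the assertion (entry 1). The following is an added example written for this page, not code from either patent: the XML policy format, the three assertion types, the message field names and the signing key are constructed for the demo.

```python
"""Added example, not code from the patents above: a Web service engine that
loads a policy document, maps a message to a policy by its destination
endpoint and request/reply properties, turns each policy assertion into an
assertion handler object, and runs the handlers against the message. The
XML format, assertion types, message fields and key are constructed."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Type

# Constructed policy document: policies, plus a map from (endpoint, direction,
# request/reply kind) to the policy that applies.
POLICY_XML = """
<policies>
  <policy id="signed-requests">
    <assertion type="RequireSignature" algorithm="hmac-sha256"/>
    <assertion type="MaxBodySize" bytes="64"/>
  </policy>
  <policy id="correlated-replies">
    <assertion type="RequireHeader" name="RelatesTo"/>
  </policy>
  <map endpoint="urn:orders" direction="incoming" kind="request" policy="signed-requests"/>
  <map endpoint="urn:orders" direction="outgoing" kind="reply" policy="correlated-replies"/>
</policies>
"""
SHARED_KEY = b"demo-key"   # constructed signing key


class AssertionHandler:
    """Executable form of one policy assertion."""

    def __init__(self, attrs: Dict[str, str]) -> None:
        self.attrs = attrs

    def check(self, msg: dict) -> Optional[str]:
        """Return None if msg satisfies the assertion, else a violation string."""
        raise NotImplementedError


class RequireSignature(AssertionHandler):
    def check(self, msg: dict) -> Optional[str]:
        expected = hmac.new(SHARED_KEY, msg["body"].encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, msg.get("signature", "")):
            return None
        return "RequireSignature: missing or invalid signature"


class MaxBodySize(AssertionHandler):
    def check(self, msg: dict) -> Optional[str]:
        limit = int(self.attrs["bytes"])
        size = len(msg["body"].encode())
        return None if size <= limit else f"MaxBodySize: {size} > {limit} bytes"


class RequireHeader(AssertionHandler):
    def check(self, msg: dict) -> Optional[str]:
        name = self.attrs["name"]
        return None if name in msg.get("headers", {}) else f"RequireHeader: missing {name}"


# Assertion type -> handler class: the object identified for each assertion.
HANDLERS: Dict[str, Type[AssertionHandler]] = {
    "RequireSignature": RequireSignature,
    "MaxBodySize": MaxBodySize,
    "RequireHeader": RequireHeader,
}


class WebServiceEngine:
    def __init__(self, policy_xml: str) -> None:
        root = ET.fromstring(policy_xml)
        self.policies: Dict[str, List[AssertionHandler]] = {
            p.get("id"): [self._handler_for(a) for a in p.findall("assertion")]
            for p in root.findall("policy")
        }
        self.mapping = {
            (m.get("endpoint"), m.get("direction"), m.get("kind")): m.get("policy")
            for m in root.findall("map")
        }

    @staticmethod
    def _handler_for(elem: ET.Element) -> AssertionHandler:
        cls = HANDLERS.get(elem.get("type", ""))
        if cls is None:   # an assertion nobody can evaluate must not silently pass
            raise ValueError(f"no handler for assertion type {elem.get('type')!r}")
        attrs = dict(elem.attrib)
        attrs.pop("type")
        return cls(attrs)

    def policy_for(self, msg: dict) -> Optional[str]:
        """Map by destination endpoint identifier and request/reply properties."""
        return self.mapping.get((msg["endpoint"], msg["direction"], msg["kind"]))

    def process(self, msg: dict) -> Optional[List[str]]:
        """None if no policy maps to the message; otherwise the list of violations."""
        policy_id = self.policy_for(msg)
        if policy_id is None:
            return None
        return [v for v in (h.check(msg) for h in self.policies[policy_id]) if v]


def sign(body: str) -> str:
    return hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
```

Two design choices matter here. Handler resolution happens when the policy document is loaded, so an assertion type with no handler is an error at startup rather than a check that quietly never runs. And `process` distinguishes "no policy maps to this message" (`None`) from "a policy applies and the message passes" (an empty list), so the caller can decide separately what to do with unmapped traffic.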