Securing cached data in enterprise environments

    Publication number: US07051201B2

    Publication date: 2006-05-23

    Application number: US10099739

    Filing date: 2002-03-15

    IPC classification: G06F1/26

    Abstract: A method for securing cached data in an enterprise environment. The method can include processing a request to locate data in a query cache. If the data can be located in the query cache, the data can be retrieved from the query cache. Additionally, at least one encrypted portion of the retrieved data can be decrypted. Finally, the decrypted portion and any remaining unencrypted portion of the retrieved data can be forwarded to a requesting client. By comparison, if the data cannot be located in the query cache, the data can be retrieved from a back-end data source over a computer communications network, and forwarded to the requesting client. Additionally, at least a portion of the retrieved data can be encrypted and both the encrypted portion and any remaining unencrypted portion can be stored in the query cache.

    ROLE-BASED AUTHORIZATION USING CONDITIONAL PERMISSIONS
    2.
    Patent application
    Status: Under examination (published)

    Publication number: US20080168528A1

    Publication date: 2008-07-10

    Application number: US11619672

    Filing date: 2007-01-04

    IPC classification: G06F21/00

    Abstract: The present invention implements a set of interfaces for a standard Java execution environment to provide authorization with conditional permissions. In particular, a framework enables a provider to provide a condition-based runtime authorization decision when a caller entity requests a Java resource. To this end, during a policy configuration certain “Conditions” may be associated with a standard Java Permission object using a ConditionalPermission class. Each “Condition” may be represented in one of a set of different conditions (e.g., containment, logical, comparison, owner and regular expression conditions) using various name-value pairs of “AttributeName” objects. During runtime, an “implies” method in the ConditionalPermission class returns true if the argument permission is implied by the wrapped permission and the additional “Conditions” are evaluated to be true. The ConditionalPermission class allows the caller to seamlessly instrument an instance evaluation “Condition” into a regular permission evaluation and to hand off this evaluation to a provider to facilitate an instance-based runtime authorization decision. The framework is highly flexible and provides for a wide-range of possible fine-grained policy and instance-based “Conditions” for authorization evaluation.

    Role-permission model for security policy administration and enforcement

    Publication number: US07124192B2

    Publication date: 2006-10-17

    Application number: US09943618

    Filing date: 2001-08-30

    IPC classification: G06F15/16 G06F7/00 G06F17/30

    Abstract: Methods, systems, and computer program products are disclosed for protecting the security of resources in distributed computing environments. The disclosed techniques improve administration and enforcement of security policies. Allowed actions on resources, also called permissions, (such as invocations of particular methods, read or write access of a particular row or perhaps a particular column in a database table, and so forth) are grouped, and each group of permissions is associated with a role name. A particular action on a particular resource may be specified in more than one group, and therefore may be associated with more than one role. Each role is administered as a security object. Users and/or user groups may be associated with one or more roles. At run-time, access to a resource is protected by determining whether the invoking user has been associated with (granted) at least one of the roles required for this type of access on this resource.

    DISCOVERY AND MANAGEMENT OF CONTEXT-BASED ENTITLEMENTS ACROSS LOOSELY-COUPLED ENVIRONMENTS
    4.
    Patent application
    Status: Under examination (published)

    Publication number: US20110162034A1

    Publication date: 2011-06-30

    Application number: US12649421

    Filing date: 2009-12-30

    IPC classification: H04L9/32 G06F21/22

    CPC classification: G06F21/604

    Abstract: A method, apparatus and computer program product are provided to model and manage context-based entitlements that govern a user's access to information, applications and systems across a loosely-coupled distributed environment. One such distributed environment is a federated environment, which may span across companies, organizations, and geographical locations and regions. According to one embodiment, an entitlement modeling framework comprises a discovery module and an entitlement generator module. The discovery framework generates a data model for storing information concerning user identity, context, relationships between users, relationships between users and contexts and relationships between contexts. Preferably, the user identity, context, relationships between users, relationships between users and contexts, and relationships between contexts, are stored as attributes in the data model. An entitlement generator generates an entitlement according to the data model, wherein the entitlement (e.g., a user entitlement) is generated according to one or more contexts.

    CLASSIFICATION AND POLICY MANAGEMENT FOR SOFTWARE COMPONENTS
    5.
    Patent application
    Status: In force

    Publication number: US20100076914A1

    Publication date: 2010-03-25

    Application number: US12235900

    Filing date: 2008-09-23

    IPC classification: G06F15/18 G06N5/02

    CPC classification: G06F21/604

    Abstract: A method, system, and computer usable program product for classification and policy management for software components are provided in the illustrative embodiments. A metadata associated with an application or component is identified. A mapping determination is made whether the metadata maps to a classification in a set of classifications. A policy that is applicable to the classification is identified and associated with the classification. If the mapping determination is deterministic, the component is assigned to the classification and the policy associated with the classification is associated with the component. If the mapping determination is not deterministic, a user intervention may be necessary, the component may be classified in a default classification, or both. Because of the policy being associated with the classification, associating the policy with the component may occur based on the metadata of the application or component and its resultant classification.

    Type independent permission based access control
    6.
    Granted patent
    Status: Lapsed

    Publication number: US08387111B2

    Publication date: 2013-02-26

    Application number: US10002439

    Filing date: 2001-11-01

    IPC classification: G06F12/14

    CPC classification: G06F21/53 G06F2221/2145

    Abstract: A method and apparatus for type independent permission based access control are provided. The method and apparatus utilize object inheritance to provide a mechanism by which a large group of permissions may be assigned to a codesource without having to explicitly assign each individual permission to the codesource. A base permission, or superclass permission, is defined along with inherited, or subclass, permissions that fall below the base permission in a hierarchy of permissions. Having defined the permissions in such a hierarchy, a developer may assign a base permission to an installed class and thereby assign all of the inherited permissions of the base permission to the installed class. In this way, security providers need not know all the permission types defined in an application. In addition, security providers can seamlessly integrate with many applications without changing their access control and policy store semantics. Moreover, application providers' security enforcement is not dependent on the security provider defined permissions. The method and apparatus do not require any changes to the Java security manager and do not require changes to application code.

    Classification and policy management for software components
    7.
    Granted patent
    Status: In force

    Publication number: US08112370B2

    Publication date: 2012-02-07

    Application number: US12235900

    Filing date: 2008-09-23

    IPC classification: G06N5/00

    CPC classification: G06F21/604

    Abstract: A method, system, and computer usable program product for classification and policy management for software components are provided in the illustrative embodiments. A metadata associated with an application or component is identified. A mapping determination is made whether the metadata maps to a classification in a set of classifications. A policy that is applicable to the classification is identified and associated with the classification. If the mapping determination is deterministic, the component is assigned to the classification and the policy associated with the classification is associated with the component. If the mapping determination is not deterministic, a user intervention may be necessary, the component may be classified in a default classification, or both. Because of the policy being associated with the classification, associating the policy with the component may occur based on the metadata of the application or component and its resultant classification.

    Pluggable trust adapter architecture, method and program product for processing communications
    8.
    Granted patent
    Status: Lapsed

    Publication number: US07475239B2

    Publication date: 2009-01-06

    Application number: US10251502

    Filing date: 2002-09-20

    CPC classification: H04L63/168

    Abstract: A pluggable trust adapter architecture that accommodates a plurality of interceptors is provided. Each interceptor is adapted to perform security processing of communications having a specific protocol. Specifically, when a communication is received, it will be routed from a channel router to a specific interceptor based on the protocol of the communication. The interceptor will then “security” process the communication (e.g., extract data, perform verification, etc.). Once the interceptor has processed the communication, the extracted data and the communication itself will be passed to an authorization system for authorization.

    Method and system for message routing based on privacy policies
    9.
    Granted patent
    Status: In force

    Publication number: US07304982B2

    Publication date: 2007-12-04

    Application number: US10334474

    Filing date: 2002-12-31

    IPC classification: H04L12/28 H04L12/56 G06F17/00

    Abstract: A method, system, apparatus, or computer program product is presented for routing event messages between data processing systems based on privacy policies associated with the data processing systems and based on event policies associated with event types for the event messages. When a system attempts to publish an event message for a particular type of event or to subscribe to those event messages, an event policy is checked to determine whether the system may publish messages for that type of event or may subscribe to those messages. Moreover, if a publishing system publishes an event message that contains personally identifiable information for a user of a data processing system, and a subscribing system has subscribed to event messages having the same event type, then the privacy policies associated with the systems are compared to determine compatibility or incompatibility between the privacy policies before routing a message between the systems.

    Method and system for consolidated sign-off in a heterogeneous federated environment
    10.
    Granted patent
    Status: In force

    Publication number: US07219154B2

    Publication date: 2007-05-15

    Application number: US10334325

    Filing date: 2002-12-31

    IPC classification: G06F15/16

    Abstract: A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions. When a user requests to logoff from a domain that has initiated federated single-sign-on operations for the user at other federated domains, the domain initiates a consolidated logoff operation by requesting logoff operations at those other federated domains, which may also initiate logoff operations in a cascaded fashion to the domains at which they have initiated federated single-sign-on operations.
