Method and apparatus for adopting authorizations
    3.
    Invention application
    Method and apparatus for adopting authorizations (status: Expired)

    Publication No.: US20050039158A1

    Publication date: 2005-02-17

    Application No.: US10639862

    Filing date: 2003-08-13

    IPC classification: G06F9/44

    CPC classification: G06F21/53

    Abstract: A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to “adopt” a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission. Thus, the AdoptPermission Permission type provides an intermediate mechanism that is not as over-inclusive as the AllPermission Permission type and is not as under-inclusive as requiring that all methods in the thread stack include the required Permission expressly granted to them.


METHOD AND APPARATUS FOR ADOPTING AUTHORIZATIONS
    4.
    Invention application
    METHOD AND APPARATUS FOR ADOPTING AUTHORIZATIONS (status: Expired)

    Publication No.: US20080104698A1

    Publication date: 2008-05-01

    Application No.: US11968673

    Filing date: 2008-01-03

    IPC classification: G06F21/00

    CPC classification: G06F21/53

    Abstract: A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to “adopt” a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission. Thus, the AdoptPermission Permission type provides an intermediate mechanism that is not as over-inclusive as the AllPermission Permission type and is not as under-inclusive as requiring that all methods in the thread stack include the required Permission expressly granted to them.


Method and system for native authentication protocols in a heterogeneous federated environment
    5.
    Invention application
    Method and system for native authentication protocols in a heterogeneous federated environment (status: Expired)

    Publication No.: US20070234417A1

    Publication date: 2007-10-04

    Application No.: US11761818

    Filing date: 2007-06-12

    IPC classification: H04L9/32

    Abstract: A method is presented in which federated domains interact within a federated environment. Domains within a federation can initiate federated single-sign-on operations for a user at other federated domains. A point-of-contact server within a domain relies upon a trust proxy within the domain to manage trust relationships between the domain and the federation. Trust proxies interpret assertions from other federated domains as necessary. Trust proxies may have a trust relationship with one or more trust brokers, and a trust proxy may rely upon a trust broker for assistance in interpreting assertions.


Role-based access control management for multiple heterogeneous application components
    6.
    Invention application
    Role-based access control management for multiple heterogeneous application components (status: Expired)

    Publication No.: US20070056026A1

    Publication date: 2007-03-08

    Application No.: US11221630

    Filing date: 2005-09-08

    IPC classification: H04L9/32

    CPC classification: G06F21/6236

    Abstract: Embodiments of the present invention address deficiencies of the art in respect to access control and provide a method, system and computer program product for access control management for a collection of heterogeneous application components. In a first embodiment, a data processing system for role-based access control management for multiple heterogeneous application components can include at least one business role descriptor associating a business role with multiple, different application roles for corresponding, disparate application components. The system also can include at least one access policy associating a user with the business role. Finally, the system can include policy deployment logic including program code enabled to process the access policy to assign the user to the different application roles in the disparate application components.


Secure data communications in web services
    7.
    Invention application
    Secure data communications in web services (status: Pending, published)

    Publication No.: US20060294383A1

    Publication date: 2006-12-28

    Application No.: US11168716

    Filing date: 2005-06-28

    IPC classification: H04L9/00

    Abstract: Methods, systems, and products are disclosed in which secure data communications in web services are provided generally by receiving in a web service from a client a request containing an element bearing a first signature, the signature having a value; signing the value of the first signature, thereby creating a second signature; and sending a response from the web service to the client, the response including the second signature. The requester may verify that the response includes the second signature. The request may be encrypted, and the response may be encrypted. The first signature may be encrypted, and the web service may encrypt the value of the first signature and include the encrypted value of the first signature in the response. The web service may receive a request encoded in SOAP and may send a response also encoded in SOAP.


Method and system for establishing a secure connection based on an attribute certificate having user credentials
    8.
    Invention application
    Method and system for establishing a secure connection based on an attribute certificate having user credentials (status: Pending, published)

    Publication No.: US20060294366A1

    Publication date: 2006-12-28

    Application No.: US11165483

    Filing date: 2005-06-23

    IPC classification: H04L9/00

    Abstract: A method and system is presented for supporting the establishment of a secure communication session within a data processing system. A certificate request command is sent from a server to a client. A certificate command is received at the server from the client in response to the certificate request command, and the certificate command is accompanied by a public key certificate and an attribute certificate that is digitally signed by a private key that is bound to the public key certificate. A secure communication session is established in response to successfully verifying the public key certificate. The attribute certificate contains credential information for an authentication operation or an authorization operation that is performed after establishment of the secure communication session.


Federated identity brokering
    9.
    Invention application

    Publication No.: US20060021010A1

    Publication date: 2006-01-26

    Application No.: US10878855

    Filing date: 2004-06-28

    IPC classification: H04L9/32

    CPC classification: H04L63/0823 H04L29/06

    Abstract: A method, system and apparatus for federated identity brokering. In accordance with the present invention, a credential processing gateway can be disposed between one or more logical services and one or more service requesting clients in a computer communications network. Acting as a proxy and a trusted authority to the logical services, the credential processing gateway can map the credentials of the service requesting clients to the certification requirements of the logical services. In this way, the credential processing gateway can act as a federated identity broker in providing identity certification services for a multitude of different service requesting clients without requiring the logical services to include a pre-configuration for specifically processing the credentials of particular service requesting clients.

Method and system for certification path processing
    10.
    Invention application
    Method and system for certification path processing (status: Expired)

    Publication No.: US20050278534A1

    Publication date: 2005-12-15

    Application No.: US10855728

    Filing date: 2004-05-27

    IPC classification: H04L9/00 H04L9/32

    Abstract: A method, an apparatus, a system, and a computer program product are presented for validating certificates. A certificate validation service receives a certificate validation request for a target certificate from a client, thereby allowing the client to offload certificate validation tasks into an online certificate validation service that is accessible and sharable by multiple components within a data processing system. In response to a determination that the target certificate is valid or invalid, the certificate validation service sends a certificate validation response with a status value indicating that the target certificate is valid or invalid. The certificate validation service is able to cache information about previously validated certificates and the associated certificate chains, thereby enhancing the efficiency of the service. Different certificate validation policies may be applied against target certificates based upon information associated with the target certificates.
