Abstract:
Methods, systems, and products are disclosed for generating evidence of web services transactions, generally by receiving, in an ultimate recipient web service, a request from an initial sender, the request containing a proof of message origin ('PMO'). The PMO contains an element addressed to the ultimate recipient web service, and the element bears a first signature having a value. Embodiments also include authenticating the identity of the initial sender; creating a proof of message receipt ('PMR'), including signing the value of the first signature; sending the PMR to the initial sender; receiving, by the initial sender, the PMR; and saving, by the initial sender, the PMR.
Abstract:
A sending entity creates a structured document and communicates it to a receiving entity that includes a transform to ensure document elements are not moved during communication. The structured document comprises a root element and a set of child elements. A child element is protected by a digital signature prior to being positioned within the document. This element includes a sending entity security policy. The receiving entity includes a transform that determines whether the signed element is in a given position within the received document. The transform evaluates the data string against the set of ancestor elements of the signed element to determine whether the signed element is in the given position. If so, the transform preferably outputs the signed element itself. If the transform determines that the signed element has been moved, however, it preferably outputs a given value other than the signed element.
Abstract:
A method, system and computer program product for handling identity data from heterogeneous sources utilizes an Identity Data Model Broker (IDMB). The IDMB maps fields between heterogeneous data sources, served by disparate Identity Attribute Service (IdAS) context providers, to establish a normalized data format. Within an IdAS, an abstract data model, which is brokered by the IDMB, is created to present a normalized view of the data from the IDMB. When a request for data is received at the IdAS, the requested data is retrieved from the appropriate data sources through the respective IdAS context providers, normalized to the abstract data model, and provided to the requester by the IdAS, such that the heterogeneous data sources are shielded from the requester.
Abstract:
Techniques are disclosed for achieving context-sensitive confidentiality within a federated environment for which content is aggregated in a distributed Web portal (or similar aggregation framework), ensuring that message portions that should be confidential are confidential to all entities in the federated environment except those entities to which the message portions may properly be divulged. The federation may comprise an arbitrary number of autonomous security domains, and these security domains may have independent trust models and authentication services. Using the disclosed techniques, messages can be routed securely within a cross-domain federation (irrespective of routing paths), thereby ensuring that confidential information is not exposed to unintended third parties and that critical information is not tampered with while in transit between security domains. Preferred embodiments leverage Web services techniques and a number of industry standards.
Abstract:
Embodiments of the present invention provide a method, system and computer program product for aggregating database and component logic authorization rules in a multi-tier application. In an embodiment of the invention, a method for aggregating database and component logic authorization rules in a multi-tier application system can include aggregating role-based authorization rules for both a persistence layer and a logic layer of a multi-tier application in a unified policy, distributing the unified policy to both the persistence layer and the logic layer of the multi-tier application, transforming the unified policy into, respectively, a set of role-based permissions for the persistence layer and a set of role-based permissions for the logic layer, and applying the set of role-based permissions for the persistence layer in the persistence layer and the set of role-based permissions for the logic layer in the logic layer of the multi-tier application.
Abstract:
A method, system and computer program product for implementing authorization policies for web services may include defining an authorization policy for access to a web service. The method, system and computer program product may also include attaching the authorization policy to a service definition for the web service.
Abstract:
Embodiments of the present invention provide a method, system and computer program product for declarative instance-based access control for persistent application resources in a multi-tier application. In one embodiment of the invention, a method for instance-based access control in a persistent application resource can be provided. The method can include creating one or more instances of a persistent application resource for a particular user or based on attributes of the user, coupling the instance(s) of the persistent application resource to a database implementing row-level access control, initializing access to the database according to a role or attribute of the particular user, and accessing a restricted set of data in the database through the instance(s) of the persistent application resource.