公开(公告)号：US07337318B2

公开(公告)日：2008-02-26

申请号：US10376113

申请日：2003-02-27

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

IPC分类号： H04L9/00

CPC分类号： G06F21/64

摘要： A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it to the decrypted UID stored in the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result will be returned by the verification class.

摘要翻译： 提供了用于防止安全敏感类接口的流氓实现的方法和装置。 使用该方法和装置，当服务器进程启动时，由服务器进程创建唯一标识符（UID）。 服务器进程（即服务器运行时环境）在服务器进程启动后实例化新的凭据对象时，加密的UID将被放置在新凭证对象内的私有字段中。 此外，UID被加密并存储在服务器运行时环境的私有类中。 在服务器运行时环境中提供了一个验证类，其中包括一个或多个接收凭证对象作为参数的方法，并返回true或false作为证书对象的有效性。 这些一个或多个方法通过从存储在服务器运行时环境中的私有类中检索加密的UID来确定凭证对象的有效性，解密UID并将其与存储在证书对象的私有字段中的解密的UID进行比较。 如果两个UID匹配，则确定凭据对象是由服务器运行时环境创建的，而不是流氓应用程序。 如果两个UID不匹配，或者如果凭证对象中没有UID，那么验证类将返回一个错误的结果。

公开(公告)号：US07752452B2

公开(公告)日：2010-07-06

申请号：US12364207

申请日：2009-02-02

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

IPC分类号： H04L9/00 ,  H04L9/32

CPC分类号： H04L63/0815 ,  G06F21/31 ,  H04L63/083

摘要： A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user includes not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code. This invention stores the user credentials in a distributed cache and provides a system and method to compute the unique key based on the dynamic security credentials for cache lookup.

摘要翻译： 用于在分布式计算环境中跟踪用户安全凭证的系统和方法。 认证用户的安全凭证不仅包括其唯一的用户标识符，还包括一组安全属性，如认证时间，用户认证的位置（即内部网用户v。互联网用户），认证强度 ， 等等。 安全属性用于访问控制决策。 如果他具有不同的安全属性值，则可以给予相同的用户不同的授权。 安全凭证可能由WebSphere安全代码或第三方安全提供商代码生成。 本发明将用户凭证存储在分布式高速缓存中，并提供基于用于高速缓存查找的动态安全凭证来计算唯一密钥的系统和方法。

公开(公告)号：US07734918B2

公开(公告)日：2010-06-08

申请号：US12015615

申请日：2008-01-17

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

IPC分类号： H04L9/00

CPC分类号： G06F21/64

摘要： A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it to the decrypted UID stored in the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result will be returned by the verification class.

摘要翻译： 提供了用于防止安全敏感类接口的流氓实现的方法和装置。 使用该方法和装置，当服务器进程启动时，由服务器进程创建唯一标识符（UID）。 服务器进程（即服务器运行时环境）在服务器进程启动后实例化新的凭据对象时，加密的UID将被放置在新凭证对象内的私有字段中。 此外，UID被加密并存储在服务器运行时环境的私有类中。 在服务器运行时环境中提供了一个验证类，其中包括一个或多个接收凭证对象作为参数的方法，并返回true或false作为证书对象的有效性。 这些一个或多个方法通过从存储在服务器运行时环境中的私有类中检索加密的UID来确定凭证对象的有效性，解密UID并将其与存储在证书对象的私有字段中的解密的UID进行比较。 如果两个UID匹配，则确定凭据对象是由服务器运行时环境创建的，而不是流氓应用程序。 如果两个UID不匹配，或者如果凭证对象中没有UID，那么验证类将返回一个错误的结果。

公开(公告)号：US20080222697A1

公开(公告)日：2008-09-11

申请号：US12123693

申请日：2008-05-20

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung ,  Carlton Keith Mason ,  Ajaykumar Karkala Reddy ,  Vishwanath Venkataramappa

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung ,  Carlton Keith Mason ,  Ajaykumar Karkala Reddy ,  Vishwanath Venkataramappa

IPC分类号： G06F21/00

CPC分类号： G06F21/31

摘要： Objects on application servers may be defined into classes which receive different levels of security protection, such as definition of user objects and administrative objects. Domain-wide security may be enforced on administrative objects, which user object security may be configured separately for each application server in a domain. In a CORBA architecture, IOR's for shared objects which are to be secured on a domain-wide basis, such as administrative objects, are provided with tagged components during IOR creation and exporting to a name server. Later, when the IOR is used by a client, the client invokes necessary security measures such as authentication, authorization and transport protection according to the tagged components.

摘要翻译： 应用服务器上的对象可以被定义为接收不同级别的安全保护的类，例如用户对象和管理对象的定义。 可以在管理对象上实施全域安全性，可以为域中的每个应用程序服务器单独配置哪些用户对象安全性。 在CORBA体系结构中，IOR对于在域范围内进行安全保护的共享对象（如管理对象）在IOR创建和导出到名称服务器期间提供了已标记组件。 之后，当客户端使用IOR时，客户机根据标记的组件调用必要的安全措施，如认证，授权和传输保护。

公开(公告)号：US07925881B2

公开(公告)日：2011-04-12

申请号：US11867015

申请日：2007-10-04

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

IPC分类号： H04L9/00

CPC分类号： G06F21/64

摘要： A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it to the decrypted UID stored in the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result will be returned by the verification class.

摘要翻译： 提供了用于防止安全敏感类接口的流氓实现的方法和装置。 使用该方法和装置，当服务器进程启动时，由服务器进程创建唯一标识符（UID）。 服务器进程（即服务器运行时环境）在服务器进程启动后实例化新的凭据对象时，加密的UID将被放置在新凭证对象内的私有字段中。 此外，UID被加密并存储在服务器运行时环境的私有类中。 在服务器运行时环境中提供了一个验证类，其中包括一个或多个接收凭证对象作为参数的方法，并返回true或false作为证书对象的有效性。 这些一个或多个方法通过从存储在服务器运行时环境中的私有类中检索加密的UID来确定凭证对象的有效性，解密UID并将其与存储在证书对象的私有字段中的解密的UID进行比较。 如果两个UID匹配，则确定凭据对象是由服务器运行时环境创建的，而不是流氓应用程序。 如果两个UID不匹配，或者如果凭证对象中没有UID，那么验证类将返回一个错误的结果。

公开(公告)号：US07487361B2

公开(公告)日：2009-02-03

申请号：US10881962

申请日：2004-06-30

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

IPC分类号： H04L9/00 ,  H04L9/32

CPC分类号： H04L63/0815 ,  G06F21/31 ,  H04L63/083

摘要： A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user includes not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code. This invention stores the user credentials in a distributed cache and provides a system and method to compute the unique key based on the dynamic security credentials for cache lookup

摘要翻译： 用于在分布式计算环境中跟踪用户安全凭证的系统和方法。 认证用户的安全凭证不仅包括其唯一的用户标识符，还包括一组安全属性，如认证时间，用户认证的位置（即内部网用户v。互联网用户），认证强度 ， 等等。 安全属性用于访问控制决策。 如果他具有不同的安全属性值，则可以给予相同的用户不同的授权。 安全凭证可能由WebSphere安全代码或第三方安全提供商代码生成。 本发明将用户凭证存储在分布式高速缓存中，并提供基于用于高速缓存查找的动态安全凭证来计算唯一密钥的系统和方法

公开(公告)号：US07448066B2

公开(公告)日：2008-11-04

申请号：US10246909

申请日：2002-09-19

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung ,  Carlton Keith Mason ,  Ajaykumar Karkala Reddy ,  Vishwanath Venkataramappa

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung ,  Carlton Keith Mason ,  Ajaykumar Karkala Reddy ,  Vishwanath Venkataramappa

IPC分类号： G06F7/04 ,  G06F17/30 ,  G06F9/32 ,  H04L9/00

CPC分类号： G06F21/31

摘要： Objects on application servers may be defined into classes which receive different levels of security protection, such as definition of user objects and administrative objects. Domain-wide security may be enforced on administrative objects, which user object security may be configured separately for each application server in a domain. In a CORBA architecture, IOR's for shared objects which are to be secured on a domain-wide basis, such as administrative objects, are provided with tagged components during IOR creation and exporting to a name server. Later, when the IOR is used by a client, the client invokes necessary security measures such as authentication, authorization and transport protection according to the tagged components.

摘要翻译： 应用服务器上的对象可以被定义为接收不同级别的安全保护的类，例如用户对象和管理对象的定义。 可以在管理对象上实施全域安全性，可以为域中的每个应用程序服务器单独配置哪些用户对象安全性。 在CORBA体系结构中，IOR对于在域范围内进行安全保护的共享对象（如管理对象）在IOR创建和导出到名称服务器期间提供了已标记组件。 之后，当客户端使用IOR时，客户机根据标记的组件调用必要的安全措施，如认证，授权和传输保护。

公开(公告)号：US20080133910A1

公开(公告)日：2008-06-05

申请号：US12015615

申请日：2008-01-17

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

IPC分类号： H04L9/00

CPC分类号： G06F21/64

摘要： A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object. These one or more methods determine the validity of the credential object by retrieving the encrypted UID from the private class stored in the server runtime environment, decrypting the UID and comparing it to the decrypted UID stored in the private field of the credential object. If the two UIDs match, a determination is made that the credential object was created by the server runtime environment rather than a rogue application. If the two UIDs do not match, or if there is no UID in the credential object, then a false result will be returned by the verification class.

摘要翻译： 提供了用于防止安全敏感类接口的流氓实现的方法和装置。 使用该方法和装置，当服务器进程启动时，由服务器进程创建唯一标识符（UID）。 服务器进程（即服务器运行时环境）在服务器进程启动后实例化新的凭据对象时，加密的UID将被放置在新凭证对象内的私有字段中。 此外，UID被加密并存储在服务器运行时环境的私有类中。 在服务器运行时环境中提供了一个验证类，其中包括一个或多个接收凭证对象作为参数的方法，并返回true或false作为证书对象的有效性。 这些一个或多个方法通过从存储在服务器运行时环境中的私有类中检索加密的UID来确定凭证对象的有效性，解密UID并将其与存储在证书对象的私有字段中的解密的UID进行比较。 如果两个UID匹配，则确定凭据对象是由服务器运行时环境创建的，而不是流氓应用程序。 如果两个UID不匹配，或者如果凭证对象中没有UID，那么验证类将返回一个错误的结果。

公开(公告)号：US07810132B2

公开(公告)日：2010-10-05

申请号：US12123693

申请日：2008-05-20

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung ,  Carlton Keith Mason ,  Ajaykumar Karkala Reddy ,  Vishwanath Venkataramappa

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung ,  Carlton Keith Mason ,  Ajaykumar Karkala Reddy ,  Vishwanath Venkataramappa

IPC分类号： H04L29/06 ,  G06F17/00 ,  G06F15/16 ,  G06F9/44 ,  G06F9/00

CPC分类号： G06F21/31

摘要： Objects on application servers are distributed to one or more application servers; a user is allowed to declare in a list which objects residing on each application server are to be protected; the list is read by an interceptor; responsive to exportation of a Common Object Request Broker Architecture (“CORBA”) compliant Interoperable Object Reference (“IOR”) for a listed object, the interceptor associates one or more application server security flags with interfaces to the listed objects by tagging components of the IOR with one or more security flags; and one or more security operations are performed by an application server according to the security flags tagged to the IOR when a client accesses an application server-stored object, the security operations including an operation besides establishing secure communications between the client process and the server-stored object.

摘要翻译： 应用程序服务器上的对象分发到一个或多个应用程序服务器; 允许用户在列表中声明哪些驻留在每个应用服务器上的对象将被保护; 列表由拦截器读取; 响应于为列出的对象导出通用对象请求代理体系结构（“CORBA”）兼容的可互操作对象引用（“IOR”），拦截器通过标记所列对象的组件将一个或多个应用程序服务器安全标志与列出的对象的接口相关联 IOR带有一个或多个安全标志; 并且当客户端访问应用服务器存储的对象时，应用服务器根据标记为IOR的安全标志执行一个或多个安全操作，该安全操作包括除客户端进程和服务器端之间建立安全通信之外的操作， 存储对象。

公开(公告)号：US07634803B2

公开(公告)日：2009-12-15

申请号：US10882053

申请日：2004-06-30

申请人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

发明人： Peter Daniel Birk ,  Ching-Yun Chao ,  Hyen Vui Chung

IPC分类号： H04L29/06 ,  H04L29/00

CPC分类号： H04L63/0281 ,  H04L63/08 ,  H04L63/083 ,  H04L63/104

摘要： An extensible token framework is provided for identifying purpose and behavior of run time security objects. The framework includes a set of marker token interfaces, which extends from a default token interface. A service provider may implement one or more marker token interfaces for a Subject or a thread of execution. A service provider may also implement its own custom marker tokens to perform custom operations. The security infrastructure runtime recognizes behavior and purpose of run time security objects based on the marker or custom marker token interfaces the token implements and handles the security objects accordingly.

摘要翻译： 提供了可扩展令牌框架，用于标识运行时安全对象的目的和行为。 该框架包括一组标记令牌接口，它从默认令牌接口扩展。 服务提供商可以为主体或执行线程实现一个或多个标记令牌接口。 服务提供商还可以实现自己的自定义标记代码来执行定制操作。 安全基础架构运行时基于令牌实现的标记或自定义标记令牌接口识别运行时安全对象的行为和目的，并相应地处理安全对象。