WikiPatents - Community Patent Review
Declarative and programmatic access control of component-based server applications using roles
United States Patent 6014666
Link to this page: http://www.wikipatents.com/6014666.html
Inventor(s): Helland; Patrick James (Redmond, WA), Limprecht; Rodney (Woodinville, WA), Al-Ghosein; Mohsen (Issaquah, WA), Reed; David R. (Seattle, WA), Devlin; William D. (Redmond, WA)
Abstract: A programming model for component-based server applications provides declarative and programmatic access control at development without knowledge of the security configuration at deployment. The developer defines the server application access control by defining logical classes of users, called roles. The developer also can declare access privileges of the roles at package, component and interface levels of the server application. At development, the roles are bound to the particular security configuration of the server computer. The programming model also provides application programming and integration interfaces with which the developer can programmatically define access control of the roles to the server application's processing services.
Owner/Assignee: Microsoft Corporation (Redmond, WA)
Publication Date: January 11, 2000
Application Number: 08/958,974
Filing Date: October 28, 1997
US Classification: 707/9 707/10 717/104 717/117
Examiner: Fetting; Anton W.
Assistant Examiner: Corrielus; Jean M.
Attorney/Law Firm: Klarquist Sparkman Campbell Leigh & Whinston LLP
USPTO Field of Search: 707/103 707/9 707/10 395/701 395/703 395/704 395/702 395/707 395/710
U.S. References Cited:
5941947, Brown et al., Aug. 1999
5881225, Worth, Mar. 1999
5864683, Boebert et al., Jan. 1999
5838916, Domenikos et al., Nov. 1998
5832274, Cutler et al., Nov. 1998
5822435, Boebert et al., Oct. 1998
5815665, Teper et al., Sep. 1998
5778365, Nishiyama, Jul. 1998
5717439, Levine et al., Feb. 1998
5689708, Regnier et al., Nov. 1997
5577252, Nelson et al., Nov. 1996
5524238, Miller et al., Jun. 1996
5481715, Hamilton et al., Jan. 1996
5455953, Russell, Oct. 1995
CLAIMS

We claim:

1. In a software application development system, a method of defining user access rights to objects of a component-based application prior to distribution and deployment to a plurality of end-user computer systems having a security facility requiring a user to log-on under one of a plurality of user identities configured on the respective computer system, and having a role-based access control operating in response to roles and access privileges declared for the component-based application and a configuration associating the user identities of the respective computer system to the declared roles to control access of a current user to component-based application objects depending on the user identity of the current user being associated in a declared role having declared access privileges for the object, the method comprising:

declaratively creating a roles data structure containing information defining a plurality of roles applicable to the component-based application;

declaratively creating a role privileges data structure containing information defining access privileges of the roles to the objects; and

packaging the roles data structure and the role privileges data structure with the component-based application into a distribution unit;

whereby on deployment of the distribution unit to a respective one of the end-user computer systems, the role-based access control of such respective end-user computer system operates to control access of such respective end-user computer system's users to the objects based on the roles and access privileges defined in the distribution unit.

2. The method of claim 1 wherein declaratively creating the role privileges data structure comprises specifying access privileges of roles to interfaces of the objects.

3. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 1.

4. A computer-readable data storage media having a distribution unit for a distributable component-based software application stored thereon, the software application being installable for execution on a computer system having a role-based access control operating to control access by a user operating the computer system under a user identity to objects depending on the user's user identity being associated in a role having access privileges for the objects, the distribution unit of the software application comprising:

executable code to implement a set of objects of the software application having interfaces providing a set of operations accessible to a client program;

a roles data structure containing information defining a set of roles applicable to the software application; and

an access privileges data structure containing information defining access privileges of the roles to objects in the software application;

whereby access control is declaratively defined for the software application prior to distribution and deployment of the software application to the computer system.

5. The computer-readable data storage media of claim 4 wherein the access privileges data structure contains information defining access privileges of the roles to interfaces of the objects.

6. In a computer configured for operation by users having user identities, an object execution system software program for controlling access by a user of the computer to objects in a component-based software application based on a set of abstract user classes defined for the software application at development thereof, the component-based software application being distributed to the computer in a deployment unit containing a roles data structure defining the set of abstract user classes and an access privileges data structure defining access privileges of the abstract user classes to the objects, the object execution system software program comprising:

a security configuration data store containing data associating user identities to the abstract user classes; and

an authorization checker operating to check upon access by a caller program operating under a user identity to a called object in the component-based software application whether the user identity is associated with an abstract user class having an access privilege to call into the called object, and to permit or deny the access depending on a result of the check;

whereby the object execution system software program permits access control for the component-based software application to be declaratively defined at development as an abstraction independent of the user identities actually configured on the computers on which the software application is later deployed.

7. The object execution system software program of claim 6 further comprising:

a security configuration utility operating in response to declaration of a binding of a user identity to an abstract user class to store an association of the user identity to the abstract user class in the security configuration data store.

8. A method of access control within a computer based on abstract user classes declaratively defined at development of a software application having code to implement a set of objects, the method comprising:

in response to declaration by a developer of a set of roles representing abstract classes of users not as yet fixed to any particular configuration of actual user identities on computers to which the software application is to be deployed, generating a roles data structure containing data to represent the role classes;

in response to declaration by the developer of access privileges of the role classes to the objects, generating an access privileges data structure containing data to represent the access privileges;

packaging the roles data structure and the access privileges data structure into a deployment unit containing the software application;

deploying the deployment unit to a computer;

in response to declaration by an administrator of the computer of bindings from user identities configured on the computer to the role classes, storing data in a configuration store to represent the bindings;

upon a request of a client program code operating under a user identity on the computer to access an object of the software application, determining to permit or deny the access depending upon a result of an authorization check whether the user identity is bound to a role having an access privilege to the object.

9. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 8.

10. In a computer configured for operation by users having user identities, an object execution system software module for controlling access to objects of a software application distributed to the computer in a deployment unit containing a roles data structure declaratively defining roles representative of a set of abstract user classes and an access privileges data structure declaratively defining access privileges of the roles to the objects, the object execution system software module comprising:

a configuration data store containing data defining bindings of the user identities to the roles; and

code to implement a programmatic access control function for calling from the software application, the programmatic access control function having a role parameter designating a role out of the roles set, the programmatic access control function operating in response to the software application's call to return a value indicating whether a user identity under which the software application was accessed is bound to the parameter-designated role.

11. A method of programmatically controlling access within a component-based software application based on a set of abstract user classes declaratively defined at development independent of the user identities actually configured on the computers to which the component-based software application is to be later deployed, the component-based software application being executable on a computer having an object execution system that implements a programmatic access control function operative to return a value indicative of whether a user identity of a calling thread is bound to a parameter-specified abstract user class of the component-based software application, the method comprising:

in response to declaration by a developer of a set of roles representing abstract classes of users not as yet fixed to any particular configuration of actual user identities on computers to which the component-based software application is to be deployed, generating a roles data structure containing data to represent the roles;

within program code of an object of the component-based software application, issuing a call to the programmatic access control function in which a particular role is specified by a function parameter and also conditioning a processing operation of the object on a result of the programmatic access control function call; and

packaging the roles data structure and the access privileges data structure into a deployment unit containing the software application.

12. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 11.
DESCRIPTION

FIELD OF THE INVENTION

The present invention relates to a server application-programming model using software components, and more particularly relates to maintaining security of a component-based server application.

BACKGROUND OF THE INVENTION

In many information processing applications, a server application running on a host or server computer in a distributed network provides processing services or functions for client applications running on terminal or workstation computers of the network which are operated by a multitude of users. Common examples of such server applications include software for processing class registrations at a university, travel reservations, money transfers and other services at a bank, and sales at a business. In these examples, the processing services provided by the server application may update databases of class schedules, hotel reservations, account balances, order shipments, payments, or inventory for actions initiated by the individual users at their respective stations.

In a server application that is used by a large number of people, it is often useful to discriminate between what different users and groups of users are able to do with the server application. For example, in an on-line bookstore server application that provides processing services for entering book orders, order cancellations, and book returns, it may serve a useful business purpose to allow any user (e.g., sales clerk or customers) to access book order entry processing services, but only some users to access order cancellation processing services (e.g., a bookstore manager) or book return processing services (e.g., returns department staff).

Network operating systems on which server applications are typically run provide sophisticated security features, such as for controlling which users can log on to use a computer system, or have permission to access particular resources of the computer system (e.g., files, system services, devices, etc.). In the Microsoft Windows NT operating system, for example, each user is assigned a user id which has an associated password. A system administrator also can assign sets of users to user groups, and designate which users and user groups are permitted access to system objects that represent computer resources, such as files, folders, and devices. During a logon procedure, the user is required to enter the user id along with its associated password to gain access to the computer system. When the user launches a program, the Windows NT operating system associates the user id with the process in which the program is run (along with the process' threads). When a thread executing on the user's behalf then accesses a system resource, the Windows NT operating system performs an authorization check to verify that the user id associated with the thread has permission to access the resource. (See, Custer, Inside Windows NT 22, 55-57, 74-81 and 321-326 (Microsoft Press 1993).)

A thread is the basic entity to which the operating system allocates processing time on the computer's central processing unit. A thread can execute any part of an application's code, including a part currently being executed by another thread. All threads of a process share the virtual address space, global variables, and operating-system resources of the process. (See, e.g., Tucker Jr., Allen B. (editor), The Computer Science and Engineering Handbook 1662-1665 (CRC Press 1997).)

The Windows NT operating system also provides a way, known as impersonation, to authenticate access from a remote user to resources of a server computer in a distributed network. When a request is received from a remote computer for processing on the server computer, a thread that services the request on the server computer can assume the user id from the thread on the remote computer that made the request. The Windows NT operating system then performs authorization checks on accesses by the servicing thread to system resources of the server computer based on the user id. (See, Siyan, Windows NT Server 4, Professional Reference 1061 (New Riders 1996).)

The use of such operating system security features to control access to particular processing services in a server application presents cumbersome distribution and deployment issues. The user ids and user groups are configured administratively per each computer station and/or network, and thus vary between computers and networks. When the particular user ids or groups that will be configured on a computer system are known at the time of developing a server application, the server application can be designed to control access to particular processing services and data based on those user ids and groups. Alternatively, specific user ids or groups that a server application uses as the basis for access control can be configured on a computer system upon deployment of the server application on the computer system. These approaches may be satisfactory in cases where development and deployment is done jointly, such as by in-house or contracted developers. However, the approaches prove more cumbersome when server application development and deployment are carried out separately, such as where an independent software vendor develops a server application targeted for general distribution and eventual installation at diverse customer sites. On the one hand, the server application developer does not know which user ids and groups will be configured on the end customers' computer systems. On the other, the server application developer must force system administrators to configure specific user ids or groups, which at a minimum could lead to an administratively unwieldy number of user configurations and at worst poses a security risk on the computer systems of the developer's customers.

SUMMARY OF THE INVENTION

The present invention provides a way to declaratively and programmatically define access control to processing services of a server application independently of deployment during development of the server application using roles. Roles are logical groups of users that can be assigned at development time, and independent of a specific operating system security configuration until deployment. At development, the server application developer declaratively defines roles and assigns access privileges of the roles to processing services of the server application. At deployment, the installer maps the roles to the security configuration of the computer system on which the server application is installed, such as to specific user ids and groups. A run-time execution environment of the server application performs authorization checks based on the roles and assigned access privileges to control access to the server application's processing services. The developer is thus able to control access by different groups of users to specific server application processing services without prior knowledge of the security configuration at deployment, or requiring a specific security configuration at deployment.

According to a further aspect of the invention, a server application framework provides application programming interfaces that allow programmatic use of role-based security information by the server application to control processing services. At development time, the developer can program code into the server application to perform authorization checks within a processing service to control specific processing based on roles. In particular, the framework includes application programming interfaces to obtain information as to the role of the current user that initiated the processing service. Within a processing service of the server application, the developer thus has fine-grained programmatic control over specific processing in the server application based on the roles that are assigned access privileges to the processing service.

According to another aspect of the invention, the developer declaratively assigns access privileges of roles at package, component, and interface levels of a server application constructed as object-oriented components. In object-oriented programming, programs are written as a collection of object classes which each model real world or abstract items by combining data to represent the item's properties with functions to represent the item's functionality. More specifically, an object is an instance of a programmer-defined type referred to as a class, which exhibits the characteristics of data encapsulation, polymorphism and inheritance. Data encapsulation refers to the combining of data (also referred to as properties of an object) with methods that operate on the data (also referred to as member functions of an object) into a unitary software component (i.e., the object), such that the object hides its internal composition, structure and operation and exposes its functionality to client programs that utilize the object only through one or more interfaces. An interface of the object is a group of semantically related member functions of the object. In other words, the client programs do not access the object's data directly, but must instead call functions on the object's interfaces to operate on the data. Polymorphism refers to the ability to view (i.e., interact with) two similar objects through a common interface, thereby eliminating the need to differentiate between two objects. Inheritance refers to the derivation of different classes of objects from a base class, where the derived classes inherit the properties and characteristics of the base class. In an embodiment of the invention illustrated herein, a package is a group of related components of the server application that are run together in a single process on the server computer.

The run-time environment of the server application performs authorization checks for access to a particular package, component or interface of the server application according to the access privileges assigned to roles per package, component and interface. This allows the developer flexible declarative access control at various levels of processing services of the server application.
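As an added example, not part of the patent or of Microsoft Transaction Server, the following Python model walks through the mechanism described in the summary above and in claims 1, 8, 10 and 11: roles and their privileges are declared at development and packaged with the application, an administrator binds the computer's user ids and groups to those roles at deployment, and at run time the execution environment checks each call at package, component and interface level and answers programmatic role queries from component code. All class, role, user and group names are constructed, and the rule that a privilege at any of the three levels admits the caller is an assumption, since the patent does not say how the levels combine.

```python
from dataclasses import dataclass, field

PACKAGE, COMPONENT, INTERFACE = "package", "component", "interface"


@dataclass
class DistributionUnit:
    """Shipped at development: roles data structure + role privileges data structure (claim 1)."""
    package: str
    roles: set
    privileges: dict = field(default_factory=dict)  # (level, qualified name) -> roles granted there

    def grant(self, level, name, role):
        if role not in self.roles:  # privileges only for roles the developer declared
            raise ValueError(f"undeclared role {role!r}")
        self.privileges.setdefault((level, name), set()).add(role)


@dataclass
class SecurityConfiguration:
    """Set up by the administrator at deployment: this computer's user ids and
    groups (constructed, NT-style names) bound to the abstract roles."""
    groups: dict                                  # user id -> set of group names
    bindings: dict = field(default_factory=dict)  # role -> user ids or group names

    def bind(self, role, principal):
        self.bindings.setdefault(role, set()).add(principal)

    def roles_of(self, user):
        # a user holds a role if the user id or any of its groups is bound to it
        principals = {user} | self.groups.get(user, set())
        return {r for r, members in self.bindings.items() if principals & members}


class ObjectExecutionSystem:
    """Run time: the authorization checker (claims 6, 8) and the programmatic
    access control function (claims 10, 11)."""

    def __init__(self, unit, config, authorization_enabled=True):
        self.unit, self.config = unit, config
        self.authorization_enabled = authorization_enabled  # per-package switch (FIG. 15)

    def is_caller_in_role(self, caller, role):
        """Programmatic check: is the caller's user identity bound to `role`?"""
        if role not in self.unit.roles:
            raise ValueError(f"undeclared role {role!r}")
        return role in self.config.roles_of(caller)

    def authorize(self, caller, component, interface):
        """Declarative check for a call into `interface` of `component`. Assumption:
        a privilege at package, component or interface level admits the caller."""
        if not self.authorization_enabled:
            return True
        caller_roles = self.config.roles_of(caller)
        for key in ((PACKAGE, self.unit.package), (COMPONENT, component),
                    (INTERFACE, f"{component}.{interface}")):
            if caller_roles & self.unit.privileges.get(key, set()):
                return True
        return False


def cancel_order(system, caller, order_id):
    """Programmatic control inside a component (claim 11): processing is
    conditioned on the result of the role query."""
    if not system.is_caller_in_role(caller, "Manager"):
        return f"order {order_id}: cancellation denied"
    return f"order {order_id}: cancelled"


def bookstore_example():
    """The on-line bookstore of the background section: every role may enter orders,
    only managers may cancel, only returns staff may process returns (names constructed)."""
    unit = DistributionUnit("Bookstore", roles={"Clerk", "Manager", "ReturnsStaff"})
    for role in unit.roles:
        unit.grant(INTERFACE, "Order.IEntry", role)
    unit.grant(INTERFACE, "Order.ICancel", "Manager")
    unit.grant(COMPONENT, "Return", "ReturnsStaff")
    # deployment on one particular computer: bind its users and groups to the roles
    config = SecurityConfiguration(groups={"alice": {"Sales"}, "bob": {"Sales", "StoreMgrs"},
                                           "carol": {"Warehouse"}})
    config.bind("Clerk", "Sales")
    config.bind("Manager", "StoreMgrs")
    config.bind("ReturnsStaff", "carol")
    return ObjectExecutionSystem(unit, config)
```

With the example deployment, `bookstore_example().authorize("alice", "Order", "ICancel")` is denied while the same call for "bob" (a member of the group bound to Manager) is permitted, and a user id with no bindings at all is denied everywhere.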

Additional features and advantages of the invention will be made apparent from the following detailed description of an illustrated embodiment which proceeds with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a distributed computer system that may be used to implement a method and apparatus embodying the invention for declarative and programmatic access control of component-based server applications using roles.

FIG. 2 is a block diagram of a server application component execution environment provided by a server executive on a server computer in the distributed computer system of FIG. 1.

FIG. 3 is a block diagram of the structure of a server application component in the execution environment of FIG. 2.

FIG. 4 is a view of a graphical user interface of an administration utility called the Transaction Server Explorer, for grouping server application components into packages and declaring roles.

FIGS. 5 and 6 are views of a feature of the Transaction Server Explorer's graphical user interface for grouping server application components into packages.

FIGS. 7 and 8 are views of a feature of the Transaction Server Explorer's graphical user interface for defining roles and assigning package level access privileges of the roles.

FIG. 9 is a view of a feature of the Transaction Server Explorer's graphical user interface for assigning component level access privileges of the roles.

FIG. 10 is a view of a feature of the Transaction Server Explorer's graphical user interface for assigning interface level access privileges of the roles.

FIG. 11 is a view of a feature of the Transaction Server Explorer's graphical user interface for establishing a process identity at development under which a package is run in the execution environment of FIG. 2.

FIG. 12 is a view of a feature of the Transaction Server Explorer's graphical user interface for packaging server application components with role-based access privileges defined at development.

FIG. 13 is a view of a feature of the Transaction Server Explorer's graphical user interface for deploying a package having pre-defined role-based access privileges.

FIG. 14 is a view of a feature of the Transaction Server Explorer's graphical user interface for mapping users to roles at deployment of a package having pre-defined role-based access privileges.

FIG. 15 is a view of a feature of the Transaction Server Explorer's graphical user interface for setting an authentication level and enabling authorization checking for the package.

FIG. 16 is a block diagram of a file structure of a package of server application components with role-based access privileges defined at development.

FIG. 17 is a block diagram showing registration of attributes for running a server application component grouped in the package of FIG. 16 in the execution environment of FIG. 2 at installation on the server computer of FIG. 1.

FIG. 18 is a block diagram illustrating authorization checks based on roles.

FIG. 19 is a block diagram illustrating a sequence of calls in an example server application to show operation of an advanced programmatic security interface.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

The present invention is directed toward a method and system for declarative and programmatic access control of component-based server applications using roles. In one embodiment illustrated herein, the invention is incorporated into an application server execution environment or platform, entitled "Microsoft Transaction Server," marketed by Microsoft Corporation of Redmond, Wash. Briefly described, this software provides a run-time environment and services to support component-based server applications in a distributed network.

Exemplary Operating Environment

FIG. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. While the invention will be described in the general context of computer-executable instructions of a computer program that runs on a server computer, those skilled in the art will recognize that the invention also may be implemented in combination with other program modules. Gener