The present invention is related to a method and apparatus for controlling an access for a client application residing on a user computer to data stored on a network computer within a network.
Access control usually is part of the middleware and defines whether a user may access a resource by means of an access control policy. This policy is usually defined by an administrator who defines access rights for each pair of user and resource, which are also referred to as access decision information (ADI). This approach can be augmented by allowing boolean conditions that evaluate attributes.
Known proposals present an abstract manner of retrieving resource or object ADI with a so-called attribute function AF that is provided by the application itself, e.g., as proposed by Konstantin Beznosov, “Object Security Attributes: Enabling Application-specific Access Control in Middleware,” presented at the 4th International Symposium on Distributed Objects & Applications (DOA), pp. 693-710, Irvine, Calif., Oct. 28-Nov. 1, 2002.
The known proposals present the attribute function as part of the application, which has the disadvantage that it is outside the scope of the administration of the access control system in the middleware, that is, the function resides in the application space. Further, the proposals refer to an attribute function only as an abstract concept.
In common systems only the attributes of a user, that is, the accessing party, are considered by the addressed access control system. The system then decides, based on the mentioned user attributes, whether or not a resource is accessible for the user. This static process, for example, provides the user with read or write rights.
Systems which use a filter for their access control are also known. However, a filter-based system is rather fixed and therefore a reconfiguration is costly.
From the above it follows that there is still a need in the art for an improved access control which is capable of retrieving access decision information from the content or resource of pages or files at the application layer. Moreover, a working protocol flow for the attribute retrieval of HyperText Markup Language (HTML) pages and other parsable data should be provided.
In accordance with the present invention, there is provided a method for controlling an access for a client application residing on a user computer to data stored on a network computer within a network. The method comprises the steps of receiving a request from the user computer for accessing the data; retrieving the data from the network computer and storing it in a memory; deriving from the stored data at least one attribute that relates to the content of the data; and deciding based on the derived at least one attribute whether or not the data stored in the memory is provided to the user computer.
In accordance with a second aspect of the present invention, there is provided an apparatus for controlling an access for a client application residing on a user computer to data stored on a network computer within a network. The apparatus comprises an access control unit for retrieving the data on request by the user computer from the network computer and storing the data in a memory; a content analysis unit connected to the access control unit for deriving from the stored data at least one attribute that relates to the content of the data; and a rules engine that decides based on the derived at least one attribute whether or not the data stored in the memory is provided to the user computer. The rules engine is part of the access control unit. The attribute can be combined with the attributes from other attribute functions.
An access control system can comprise the apparatus or perform the method. The system may form an access control product.
In general, the method and apparatus allow application-specific access control information to be retrieved dynamically from pages, files, or other resource information which can be parsed. In other words, the accessed pages or files can be pre-fetched and parsed at the application layer to obtain access decision information, also abbreviated as ADI. Based on the retrieved content of the pages or files, the access control system can then dynamically decide whether access shall be granted or not. An attribute function can be provided that is located in the middleware and capable of retrieving the access decision information from the content or resource pages of the application layer. The decision step takes advantage of the attribute function.
The decision step can further comprise the step of granting or denying access to the stored data in the memory. This allows controlling the access of the user computer to the stored data, i.e. to the requested data.
Moreover, the decision step can comprise the step of deriving from a provided attribute name and the content of the stored data an attribute result that is usable to decide whether or not the stored data is allowed to be accessed.
Further, the access control can be based on short-term states of the content of the data.
The step of deriving the attribute result can comprise analyzing meta information of the stored data. Meta information is contemplated as data-related information which may be stored in the header or somewhere within a file or page, e.g. an HTML page announces this information with “meta” tags. This allows an owner or editor of an HTML page to classify said page in an application-specific manner or according to the owner's or editor's principles.
The meta information can specify a workflow state, for example, whether a document is in a “draft” or “final” state. When the workflow state of a page comprises ‘draft’, the page might not be accessible. Further, the meta information can specify a confidentiality state, e.g. any external (public) access to pages containing “Confidential” can be blocked automatically. According to the state, the users have or do not have the respective access rights.
The meta information can further specify a topic of the data, i.e. a topic can be assigned to the data or the page content. For instance, only users responsible for a topic are allowed to access pages that are tagged with this topic. In a further example the meta information comprises a definition of a work group, so that the access control system grants access to specific work group members assigned by the document owner.
With reference to
In the following the general flow for an attribute retrieval of an HTML (HyperText Markup Language) page or resource “D”, also referred to as data or document “D”, is described, where the HTML content is pre-fetched and analyzed in the following way:
The backend server 60 storing the HTML resource “D” is protected by a Boolean condition of the access control system 30. This condition can specify an access decision information, also shortened as ADI, that shall be applied. If the ADI is associated with the resource “D”, a dedicated component of the access control system 30 can pre-fetch the HTML resource “D”. It can then parse the HTML resource “D” using an analysis scheme in order to retrieve the desired ADI. This ADI is then used to evaluate the Boolean condition that defines whether the HTML resource “D” can be accessed or not.
A step-wise description reads as follows: A user wants to access a resource, i.e. the HTML resource “D” on the backend server 60. The HTML resource “D” is protected by an access control list of the access control system 30 which comprises a Boolean condition that evaluates the ADI. The access control system 30 pre-fetches the HTML resource “D” from the backend server 60 and caches it. Then, the access control system 30 parses the HTML resource “D” to obtain the desired ADI and further evaluates the Boolean condition using the obtained ADI. Finally, the access control system 30 grants or denies access to the cached resource. In a further embodiment the ADI can be retrieved by analyzing so-called HTML META Tags, i.e. meta information, within the HTML content of the HTML resource “D” in order to retrieve the access control information.
In operation, the access control unit 40 retrieves the data “D”, also referred to as document “D”, on request by the user computer 20 from the backend server 60 and stores the data “D” in the memory 42. The content analysis unit 54 then derives from the stored data, also labeled “sD” within the memory 42, at least one attribute that relates to the content of the data. The attribute can also be combined with attributes from other attribute functions. The rules engine 44 decides based on the derived at least one attribute whether or not the stored data “sD” in the memory 42 is provided to the user computer 20.
As indicated with 2., the rules engine 44 of the access control unit 40 calls the content analysis unit 50, in particular the Dyn ADI entitlement service unit 52, for values for the attribute name “in draft”. The Dyn ADI entitlement service unit 52 provides the attribute name “in draft” to the content analysis client 54.
As indicated with 3., the content analysis client 54 calls with “retrieve D” the access control unit 40 and requests document “D”.
As indicated with 4., the access control unit 40 sends the request “retrieve D” to the backend server 60 requesting document “D”.
The backend server 60 responds to the access control unit 40 and provides the requested document “D”, which is then stored as stored data, also abbreviated as sD, in the memory or cache 42. This is indicated with 5. “cache D”.
As further illustrated with 6. in
As indicated with 7. and “analysis of sD”, the content analysis client 54 performs the content analysis by, for example, analyzing meta information or data-related information that is contained in the document, i.e. the stored document “sD”. The content of the meta information is here compared with part of the attribute type. An attribute result specifies whether or not the attribute name is contained in the meta information or data-related information.
As indicated with 8., the Dyn ADI entitlement service unit 52 of the content analysis unit 50 then provides the rules engine 44 with an attribute that comprises here the attribute name “in draft” and the attribute result “true” that was detected in the content analysis. In general, the rules engine 42 awaits the attribute result as “true” or “false”. Then, the rules engine 44, controlled by the access manager unit 43, decides based on the received attribute result “false” that access is granted.
As indicated with 9. and “response: cached sD”, the document “D” in its cached version from the cache 32 is then provided to the web browser 22. If the decision is based on the attribute result “true”, the stored document “sD” is not released and an error message is sent instead to the user computer 20, e.g., “response: error”.
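The flow in steps 2 to 9 above, together with the meta-information attributes described earlier (workflow state, confidentiality, topic), as an added example in Python; this is not code from the patent. The meta tag names (`state`, `classification`, `topic`), the sample documents and the Boolean condition are constructed assumptions standing in for resource “D” and its protecting policy.

```python
from html.parser import HTMLParser

# Constructed sample documents standing in for resource "D" on the backend server.
SAMPLE_DOCS = {
    "/reports/q3.html": '<html><head><meta name="state" content="draft">'
                        '<meta name="topic" content="finance"></head><body>Q3</body></html>',
    "/public/news.html": '<html><head><meta name="state" content="final">'
                         '<meta name="classification" content="Confidential"></head></html>',
    "/public/faq.html": '<html><head><meta name="state" content="final"></head><body>FAQ</body></html>',
}

class MetaParser(HTMLParser):
    """Content analysis client: collect <meta name=... content=...> pairs from sD."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            a = dict(attrs)
            if a.get("name") and a.get("content") is not None:
                self.meta[a["name"].lower()] = a["content"]

def derive_attributes(html):
    """Attribute function: derive ADI (attribute name -> result) from the meta information."""
    p = MetaParser()
    p.feed(html)
    return {
        "in draft": p.meta.get("state", "").lower() == "draft",
        "confidential": "confidential" in p.meta.get("classification", "").lower(),
        "topic": p.meta.get("topic"),          # None when the page carries no topic
    }

def access(path, user, cache, fetch=SAMPLE_DOCS.get):
    """Access control unit: pre-fetch and cache D, analyze sD, evaluate the Boolean condition."""
    if path not in cache:                      # steps 4/5: retrieve D and cache it
        doc = fetch(path)
        if doc is None:
            return ("error", "not found")
        cache[path] = doc
    adi = derive_attributes(cache[path])       # steps 6-8: content analysis of sD
    # Boolean condition protecting D (assumed policy): no drafts, confidential pages only
    # for internal users, topic-tagged pages only for users responsible for that topic.
    allowed = (not adi["in draft"]
               and (not adi["confidential"] or user.get("internal", False))
               and (adi["topic"] is None or adi["topic"] in user.get("topics", ())))
    return ("ok", cache[path]) if allowed else ("error", "access denied")   # step 9
```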
Any disclosed embodiment may be combined with one or several of the other embodiments shown and/or described. This is also possible for one or more features of the embodiments.
The present invention can be realized in hardware, software, or a combination of hardware and software. Any kind of computer system, or other apparatus adapted for carrying out the method described herein, is suited. A typical combination of hardware and software could be a general purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein. The present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which, when loaded in a computer system, is able to carry out these methods.
Computer program means or computer program in the present context mean any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; b) reproduction in a different material form.
Number | Date | Country | Kind |
---|---|---|---|
03405756.2 | Oct 2003 | EP | regional |