1). Field of the Invention
This invention relates to a computing system, in particular a computing system for accessing various resources.
2). Discussion of Related Art
The task of protecting information stored on computers is becoming increasingly difficult and complex as more and more companies are storing an ever increasing amount of data electronically. The job of keeping such information secure is even further hampered by the fact that many of the computers and databases on which this information is stored are remotely accessible through various public networks, such as the internet.
The container 16, which may be implemented on a server, includes an application 22 stored thereon. As illustrated, there is one user manager 18 for each of the resources 201-20N. Each of the resources 201-20N, which may be, for example, databases, has a plurality of various files 24 stored thereon.
The client 12 accesses the application 22 within the container 16 through the network 14. Once the client 12 has successfully gained access to the application 22, the application 22 may need to access one or more of the resources 201-20N on behalf of the client 12. Before the application 22, or the client 12, is granted access to any of the resources, the client 12 must be authenticated and authorized for access.
Authentication is the process of determining whether someone or something is actually who or what it is claiming to be. One common authentication tool uses a user identification and a password, other such tools may use digital certificates. Authorization is the process of giving someone or something permission to do or have something. Thus authentication determines who the client 12 is, and authorization determines what information the client 12 will be able to access.
Each of the user managers 181-18N authenticate and authorize the application 22, or client 12, to access the particular resource with which it is associated. The resources 201-20N may be stored on various types of servers or database services such as a Lightweight Directory Access Protocol (LDAP) server, a Database Management Software (DBMS) based server, and a file system (FS) server.
Each of the different user managers 181-18N may be unique or different amongst each other (e.g., a first user manager may be associated with an LDAP service, a second user manager may be associated with a Kerberos service, etc.) and may utilize a unique “language,” or protocol, for communicating with the application 22. Therefore, in order for the application 22 to successfully request authentication and authorization from any particular one of the user managers 181-18N, the application 22 must know which particular protocol that particular user manager utilizes and send requests and/or commands to the particular user manager in the particular language that it uses. For example, if the client 12, or the application 22 on behalf of the client, wishes to perform a high level function, such as “modify group,” on two different user managers 181 and 182, two different syntaxes are required. One of the user managers 181 may require the command in the syntax “modify_group” while another user manager 182 requires that the command be in the syntax “mg.”
Thus, the application 22 must be designed to comprehend multiple communication protocols in order to communicate with the different user managers 181-18N in the particular syntaxes that they require. As the number of communication protocols programmed within an application 22 increases, the application 22 becomes more complicated and difficult to program and manage.
Additionally, various types of authentication services may be used by the different user managers 181-18N or resources 201-20N, each of which may utilize a different login protocol module.
The application 64 can invoke multiple high level commands/requests from the various user managers 581-58N with only a single communication protocol PAPI through the common API 66. Examples of the high level commands include commands for managing users and groups of users (e.g., obtain information from a user account, create a user account, delete a user account, modify a user account, define a group, modify a group, delete a group, add a user to a group, remove a user from a group, and add a group to a group.) The application may also invoke authentication commands through the API 66 such as “login” and “logout.” In an embodiment, authentication commands that flow through the common API 66 are the same as those used in Java Authentication and Authorization Service (JAAS). These commands include login, logout, abort, and commit).
Each of the user managers 581-58N is responsible for implementing authentication and authorization services for a corresponding one of the resources 621-62N, and each of the user stores 681-68N within the container 56 is responsible for communicating with a corresponding one of the user managers 581-58N in the language/syntax/format P1, P2 . . . PN that the user manager comprehends. That is, each of the user stores 681-68N is able to communicate with the particular user manager 581-58N with the communication protocol that it understands.
That is, referring again to
Each time the client 12 is authenticated by a new user manager, another principle needs to be tracked by the application 22 and/or the login context used by the application 22. As the application 22 has to manage more and more principles, it becomes more complicated and more difficult to manage.
The invention is described by way of example with reference to the accompanying drawings, wherein:
The client 52 is, for example, a computer, or an individual using a computer or another application running on a computer. The network 54 includes a series of points or nodes (e.g., switches, routers, etc.) interconnected by communication paths. The network 54 may include one or more of the following: the internet, a public network, or a local area network (LAN), and a private network.
The container 56, which may be implemented on a server or other computing system, includes an application 64, a common application programming interface (API) 66, user stores 681-68N, a default user store 70, and a principle map 72. Although only one principle map 72 is illustrated as being connected to one user store 681, it should be understood that other principle maps may be connected to the other user stores 681-68N, or the container 56 may contain multiple principle maps, one for each of the user stores 681-68N. The common API 66 is a communication syntax between application 64 and each of the user stores 681-68N and the default user store 70.
The application 64 can invoke multiple high level commands/requests from the various user managers 581-58N with only a single communication protocol through the common API 66. Examples of the high level commands include commands for managing users and groups of users (e.g., obtain information from a user account, create a user account, delete a user account, modify a user account, define a group, modify a group, delete a group, add a user to a group, remove a user from a group, and add a group to a group.) The application may also invoke authentication commands through the API 66 such as “login” and “logout.” In an embodiment, authentication commands that flow through the common API 66 are the same as those used in Java Authentication and Authorization Service (JAAS). These commands include login, logout, abort, and commit).
Each of the user managers 581-58N is responsible for implementing authentication and authorization services for a corresponding one of the resources 621-62N, and each of the user stores 681-68N within the container 56 is responsible for communicating with a corresponding one of the user managers 581-58N in the language/syntax/format that the user manager comprehends. That is, each of the user stores 681-68N is able to communicate with the particular user manager 581-58N with the communication protocol that it understands.
As illustrated, the default user store 70 is associated with the default user manager 60.
The single user module 76 includes code for translating common API 66 commands from the application 64 dealing with single users (e.g., obtaining information from a user account, creating a user account, deleting a user account, modifying a user account, etc.).
The group user module 78 includes code for translating common API 66 commands dealing with groups of users (e.g., defining a group, modifying a group, deleting a group, adding a user to a group, removing a user from a group, adding a group to a group, etc.).
The authentication module 80 includes code for translating common API 66 for commands dealing with the authentication of users (e.g., login, logout, abort, commit, etc.). In an embodiment, the authentication module 80 takes the form of the authentication approach shown in
The configuration module 82 includes various configurable information used for communication with one of the particular user managers 581-58N, such as the IP address and port of the particular user manager. The configuration module 82 may also include restrictions on users, such as a minimum character requirement for attempting to access a particular user manager or resource, and information regarding the use of specific transport protocols for certain types of communication, such as secure socket layer (SSL).
The default user manager 60 is the user manager that performs authentication and authorization services for the applications within the container (rather than any of resources 621-62N). Therefore, in use, referring again to
The client 52 may then attempt to access one of the resources 621-62N. When the client 52 attempts to access one of the resources 621, a high level authentication command, such as “login,” is sent through the common API 66 to user store 681 associated with user manager 581 that communicates with resource 621 that the client 52 is attempting to access. In an embodiment, where user store 681 conforms to the design approach of
Once the client 52, or the application 64 on behalf of the client, 52 has been authenticated for access to user manager 581, another principle for use with user manager 581 (“B” for example) is sent from user manager 581 to user store 681 as illustrated in
Through the principle map 72, user store 681 is able to recognize that the principles A and B have been granted to the same client, and thus, when the client 52, or application 64 on behalf of the client 52, again attempts to access resource 621, the client 52 is identified as “A” across the common API 66 and the user store 681 simply sends principle B back to user manager 581. That is, user store 681 “looks up” the appropriate principle (B) from the principle map 72 for the client 52 that is requesting access to resource 621 (who is identified as principle A). The client 52 may then access various files 74 on resource 621 based on the roles that user manager 581 has assigned to principle B.
If the client 52 also attempts to access a second resource 622, the client 52 must be authenticated and authorized by a second user manager 582 that controls access to the second resource 622. The application 64 sends a “login” command through the common API 66 along with the identity of the client 52 as recognized by the container 56 (principle A) to a second user store 682 (i.e., using the same communication protocol as was used to access the first resource 621). The second user store 682 invokes authentication services by user manager 582.
Thus, the application 64 is able to communicate with the different user managers 581-58N by sending commands in a single communication protocol and does not have to be programmed with multiple communication protocols. That is, for example, for both of the accesses to resources 621 and 622, the application communicated “login A” to both of user stores 581 and 582.
Once the client 52 is authenticated by the second user manager 582, the second user manager 582 sends a principle, “C” for example, to the second user store 682. The principle C may then be stored within a second principle map 84 as illustrated in
For example, the second user store 682 is able to send principle C back to the second user manager 582 so that the client 52 may be authorized to access the files 74 within the second resource 622 which are based on the roles that the second user manager 582 has assigned to principle C.
If the application 64 (e.g., at the commands of the client 52) attempts to perform a high level modification to the user records of user manager 581 such as “modify user group,” a high level command is sent through the common API 66 to the user store 681 associated with user manager 581 that is connected to the resource 621 that the client 52 is attempting to access. This high level command is sent in the communication protocol used by the application 64, in a syntax not particularly utilized by the particular user manager 581.
User store 681 essentially “translates” the high level command into the particular communication protocol and syntax that is used by the particular user manager 581 that the client 52 is attempting to access. For example, the “modify user group” command may be translated into “modify_group.” The “translation” of the high level command into the particular communication protocol of the particular user manager 581 is pulled from one of the modules within the user stores being accessed. For example, as discussed above, the translation for the “modify user group” is stored in the group user module 78 as illustrated in
If the application 64 (e.g., at the commands of the client 52) attempts to perform a high level modification to the user records of the second user manager 582, such as “modify user group,” a high level command is sent through the common API 66 to the user store 682 associated with the second user manager 582 that is connected to the second resource 622 that the client 52 is attempting to access. This high level command is sent in the communication protocol used by the application 64. The second user store 682 translates the communication protocol used by the application 64 into the particular communication protocol and syntax used by the second user manager 582. For example, the “modify user group” command may be translated into “mg.”
As illustrated in
The computing system of
The processes taught by the discussion above can be practiced within various software environments such as, for example, object-oriented and non-object-oriented programming environments, Java based environments (such as a Java 2 Enterprise Edition (J2EE) environment or environments defined by other releases of the Java standard, or other environments (e.g., a .NET environment, a Windows/NT environment, each of which is provided by Microsoft Corporation).
Processes taught by the discussion above may be performed with program code such as machine-executable instructions which cause a machine (such as a “virtual machine”, general-purpose processor or special-purpose processor) to perform certain functions. Alternatively, these functions may be performed by specific hardware components that contain hardwired logic for performing the functions, or by any combination of programmed computer components and custom hardware components.
An article of manufacture may be used to store program code. An article of manufacture that stores program code may be embodied as, but is not limited to, one or more memories (e.g., one or more flash memories, random access memories (static, dynamic or other)), optical disks, CD-ROMs, DVD ROMs, EPROMs, EEPROMs, magnetic or optical cards or other type of machine-readable media suitable for storing electronic instructions. Program code may also be downloaded from a remote computer (e.g., a server) to a requesting computer (e.g., a client) by way of data signals embodied in a propagation medium (e.g., via a communication link (e.g., a network connection)).
While certain exemplary embodiments have been described and shown in the accompanying drawings, it is to be understood that such embodiments are merely illustrative and not restrictive of the current invention, and that this invention is not restricted to the specific constructions and arrangements shown and described since modifications may occur to those ordinarily skilled in the art.
Number | Name | Date | Kind |
---|---|---|---|
6594671 | Aman et al. | Jul 2003 | B1 |
6651168 | Kao et al. | Nov 2003 | B1 |
6892307 | Wood et al. | May 2005 | B1 |
6954792 | Kang et al. | Oct 2005 | B2 |
6976076 | Shrader et al. | Dec 2005 | B2 |
7017051 | Patrick | Mar 2006 | B2 |
7089584 | Sharma | Aug 2006 | B1 |
7340714 | Upton | Mar 2008 | B2 |
20020143943 | Lee et al. | Oct 2002 | A1 |
20040168060 | Patrick | Aug 2004 | A1 |