Patent application number | Description | Published |
20120131091 | IDENTIFYING COMPATIBLE WEB SERVICE POLICIES - Methods, systems, and devices are described for identifying compatible web service policies between a web service and a web service client. A first and second set of one or more identifiers linked to web service policies supported by the web service and web service client may be calculated, respectively. The sets of identifiers may be compared. Using the comparison, a number of common identifiers present in the first set of one or more identifiers linked to the web service policies supported by the web service and the second set of one or more identifiers linked to the web service policies supported by the web service client may be identified. Using the number of common identifiers, a web service policy of the web service compatible with a web service policy of the web service client may be identified. | 05-24-2012 |
20120131135 | NONCONFORMING WEB SERVICE POLICY FUNCTIONS - Arrangements for enforcing a nonconforming web service policy document are presented. A request for a web service policy document may be received by a web service. A conforming web service policy document may be generated using the nonconforming web service policy document. The nonconforming web service policy document may comprise one or more functions unsupported by the web service description language. The conforming web service policy document may be transmitted to the web service client. The nonconforming web service policy document may be enforced by the web service, wherein the functions that are unsupported by the web service description language standard modify enforcement of the web service policy document by the web service computer system. The conforming web service policy document may comprise sufficient information for the web service client computer system to comply with the nonconforming web service policy document. | 05-24-2012 |
20120131164 | ATTACHING WEB SERVICE POLICIES TO A GROUP OF POLICY SUBJECTS - In one set of embodiments, methods, systems, and apparatus are provided to attach one or more quality of service policies to resources in an enterprise system by receiving a first global policy attachment that references an attachment attribute value and a first service policy, receiving a request to access a policy subject associated with a subject attribute value, identifying an effective policy set referenced by the first global policy attachment, the effective policy set including the first service policy if the attachment attribute value equals the subject attribute value, and granting the request to access based upon the at least one effective policy. The at least one effective policy may further include a first service policy referenced by the first global policy attachment if a first policy attachment scope referenced by the first global policy attachment matches or contains a subject scope associated with the policy subject. | 05-24-2012 |
20120131641 | OPTIMIZING INTERACTIONS BETWEEN CO-LOCATED PROCESSES - In one set of embodiments, methods, systems, and apparatus are provided to enable secure local invocation of a web service in response to receiving a request from a first composite application to invoke a web service operation of a second composite application, where the first application is associated with a reference policy, and the second application is associated with a service policy, then determining, based upon the service policy and the reference policy, whether local invocation is secure, and invoking the operation using the local invocation in response to determining that the local invocation is secure. Attributes associated with the reference and service policies can indicate whether those policies can be used in a local invocation, or if user authentication is needed before performing the invocation with those policies. The local invocation may comprise a procedure call in an application server from the first application to the second application. | 05-24-2012 |
20120131654 | PROPAGATING SECURITY IDENTITY INFORMATION TO COMPONENTS OF A COMPOSITE APPLICATION - Various methods and systems for propagating identity information in a composite application are presented. State data of a composite application, as executed for a particular entity, may be transferred to and stored by a computer-readable storage medium. The state data may include a portion of a set of subject information linked with the entity. A security attribute of the subject may not be present in the portion of the set of subject information in the state data transferred to the non-transitory computer-readable storage medium. After a period of time, such as an hour or a day, the state data of the composite application as executed for the entity may be retrieved and the security attribute of the set of subject information linked with the entity may be determined. The composite application may then continue to be executed for the entity. | 05-24-2012 |
20130086184 | ENFORCEMENT OF CONDITIONAL POLICY ATTACHMENTS - Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context. | 04-04-2013 |
20130086240 | PRIORITY ASSIGNMENTS FOR POLICY ATTACHMENTS - Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a priority value can be assigned to each policy attached to a policy subject via the policy's corresponding policy attachment metadata file. These priority values can be taken into account when determining whether one policy should be given precedence over another, conflicting policy attached to the same policy subject. In certain embodiments, as part of this determination, the priority value of a policy can be given greater weight than the scope at which the policy is attached. | 04-04-2013 |
20130086241 | VALIDATION OF CONDITIONAL POLICY ATTACHMENTS - Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a validation process can be performed at a policy subject during an initialization phase to ensure that there are no validation errors with respect to the web service policies that may be conditionally attached to the subject. This validation process can include grouping the policies that have been associated with the policy subject (via policy attachment metadata) by their corresponding constraint expressions, and determining which groups can potentially overlap (i.e., be simultaneously attached to the policy subject) at runtime. Each set of overlapping groups can then be validated using a predefined set of validation rules to identify potential errors pertaining to the policies in the set. | 04-04-2013 |
20130086242 | ADVERTISEMENT OF CONDITIONAL POLICY ATTACHMENTS - Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context. | 04-04-2013 |
20130086626 | CONSTRAINT DEFINITION FOR CONDITIONAL POLICY ATTACHMENTS - Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context. | 04-04-2013 |
20130086627 | CONFLICT RESOLUTION WHEN IDENTICAL POLICIES ARE ATTACHED TO A SINGLE POLICY SUBJECT - Techniques for resolving conflicts between web service policies that are attached (via LPA and/or GPA metadata) to a single policy subject (e.g., a WS client/service endpoint). In one set of embodiments, a determination can be made whether two conflicting policies that are attached to a single policy subject are identical. This determination can be based on, e.g., a Uniform Resource Identifier (URI) that is used to identify the policies in their respective policy attachment metadata files, as well as any policy configuration properties. If the two conflicting policies are determined to be identical, the policy attachment metadata for one of the policies can be considered valid, while the policy attachment metadata for the other, duplicate policy can be ignored. In this manner, validation errors arising from duplicate policy attachments can be avoided. | 04-04-2013 |
20130086629 | DYNAMIC IDENTITY CONTEXT PROPAGATION - Techniques are provided for dynamically propagating identity context for a user in a Service-Oriented Architecture. Methods and apparatus are provided that include receiving a request to invoke a web service, retrieving first security claims from application identity context information pertaining to a user, generating second security claims at runtime, packaging the first and second security claims into an authentication token, and transmitting the authentication token to a second computer system in a service request. The second computer system can be configured to extract the first and second security claims from the authentication token, validate the extracted first and second security claims, generate identity context information based upon the extracted first and second security claims, and publish and propagate the identity content information in an identity context object. The second computer system can verify that the security claims conform to corresponding security claim schemas stored in a claims dictionary. | 04-04-2013 |
20130086630 | DYNAMIC IDENTITY SWITCHING - Techniques are disclosed for dynamically switching user identity when generating a web service request by receiving, at a client application, an invocation of a web service, the invocation associated with a first authenticated user identity of a first user, identifying a second user identity, verifying that a switch from the first user identity to the second user identity is permitted by switching rules, including the second user identity in a service request when the switch is permitted, and communicating the service request to the web service. The switching rules can include associations between initial user identities and permitted user identities. Verifying that a switch is permitted can include searching the associations for an entry having an initial user identity that matches the first authenticated user identity and a new user identity that matches the second user identity, wherein the switch is permitted when the entry is found. | 04-04-2013 |
20130086651 | RE-AUTHENTICATION IN SECURE WEB SERVICE CONVERSATIONS - Techniques are disclosed for sharing communication session information, such as encryption keys for data protection, among multiple communication operations and/or multiple users. Multiple users can share the same communication session concurrently, with each message being individually authenticated. The provided techniques include receiving, at a client application, a first request to send a first web service message to a web service application or group of web services, retrieving existing communication session information having the same sharing characteristics as the first request, where the sharing characteristics include web service environment information and/or request information, including the user credentials associated with the user in the message and in each subsequent message communicated using the existing communication session information, and communicating the web service message to the web service application or group of web services using the existing communication session information. | 04-04-2013 |
20130086652 | SESSION SHARING IN SECURE WEB SERVICE CONVERSATIONS - Techniques are disclosed for sharing communication session information in web service applications. The techniques include management of concurrent sessions by dynamically determining the session association of web service requests at runtime. These sessions can be shared by a group of web services on the server side, and across multiple web services clients with many users, independently of where these applications reside. Session identifiers are determined for these concurrent web service invocations based on an algorithm that uses information from configuration and runtime data. Different information is used in the session identifier depending on configuration parameters to provide different types of sharing that correspond to different use cases. This mechanism can be used with SOAP-based web services, REST-based web services, and the like. | 04-04-2013 |
20140109195 | PROPAGATING SECURITY IDENTITY INFORMATION TO COMPONENTS OF A COMPOSITE APPLICATION - Various methods and systems for propagating identity information in a composite application are presented. State data of a composite application, as executed for a particular entity, may be transferred to and stored by a computer-readable storage medium. The state data may include a portion of a set of subject information linked with the entity. A security attribute of the subject may not be present in the portion of the set of subject information in the state data transferred to the non-transitory computer-readable storage medium. After a period of time, such as an hour or a day, the state data of the composite application as executed for the entity may be retrieved and the security attribute of the set of subject information linked with the entity may be determined. The composite application may then continue to be executed for the entity. | 04-17-2014 |
20140129706 | IDENTIFYING COMPATIBLE WEB SERVICE POLICIES - Methods, systems, and devices are described for identifying compatible web service policies between a web service and a web service client. A first and second set of one or more identifiers linked to web service policies supported by the web service and web service client may be calculated, respectively. The sets of identifiers may be compared. Using the comparison, a number of common identifiers present in the first set of one or more identifiers linked to the web service policies supported by the web service and the second set of one or more identifiers linked to the web service policies supported by the web service client may be identified. Using the number of common identifiers, a web service policy of the web service compatible with a web service policy of the web service client may be identified. | 05-08-2014 |
20140188972 | MODELING ENTERPRISE RESOURCES AND ASSOCIATING METADATA THEREWITH - A computer-controlled method of registering an application can include indicating a type of platform, providing information about the application, registering at least one port hosted by the application, and saving the application configuration. | 07-03-2014 |
20140189681 | DEFINING CONFIGURABLE CHARACTERISTICS OF A PRODUCT AND ASSOCIATING CONFIGURATION WITH ENTERPRISE RESOURCES - A computer-controlled method of managing third party installations within an enterprise can include inventorying the third party installations, specifying a number of configuration parameters for each third party installation, and storing the configuration parameters for the third party installations in a WSM metadata repository. | 07-03-2014 |