Controlling access to a resource

DC CAFC

US 6,192,476 B1
Filed: 12/11/1997
Issued: 02/20/2001
Est. Priority Date: 12/11/1997
Status: Expired due to Term

- Alert
- Pin

First Claim

Patent Images

1. A method for providing security, the method comprising the steps of:

detecting when a request for an action is made by a principal; and

in response to detecting the request, determining whether said action is authorized based on permissions associated with a plurality of routines in a calling hierarchy associated with said principal, wherein said permissions are associated with said plurality of routines based on a first association between protection domains and permissions.

View all claims

2 Assignments

Timeline View

Assignment View

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

A method and system are provided for determining whether a principal (e.g. a thread) may access a particular resource. According to one aspect of the invention, the access authorization determination takes into account the sources of the code on the call stack of the principal at the time the access is desired. Because the source of the code on the call stack will vary over time, so will the access rights of the principal. Thus, when a request for an action is made by a thread, a determination is made of whether the action is authorized based on permissions associated with routines in a calling hierarchy associated with the thread. The determination of whether a request is authorized is based on a determination of whether at least one permission associated with each routine encompasses the permission required to perform the requested action. Support for “privileged” routines is also provided. When a routine in the calling hierarchy is privileged, the determination of whether an action is authorized is made by determining whether at least one permission associated with each routine between and including the privileged routine and a second routine in the calling hierarchy encompasses the permission required to perform the requested action.

163 Citations

21 Claims

1. A method for providing security, the method comprising the steps of:
- detecting when a request for an action is made by a principal; and
  
  in response to detecting the request, determining whether said action is authorized based on permissions associated with a plurality of routines in a calling hierarchy associated with said principal, wherein said permissions are associated with said plurality of routines based on a first association between protection domains and permissions.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein:
3. The method of claim 1, wherein:
- the calling hierarchy includes a first routine; and
  
  the step of determining whether said action is authorized further includes determining whether a permission required to perform said action is encompassed by at least one permission associated with said first routine.
4. The method of claim 1, wherein the step of determining whether said action is authorized further includes determining whether a permission required to perform said action is encompassed by at least one permission associated with each routine in said calling hierarchy.

5. A method for providing security, the method comprising the steps of:
- detecting when a request for an action is made by a principal, determining whether said action is authorized based on an association between permissions and a plurality of routines in a calling hierarchy associated with said principal;
  
  wherein each routine of said plurality of routines is associated with a class; and
  
  wherein said association between permissions and said plurality of routines is based on a second association between classes and protection domains.

6. A method for providing security, the method comprising the steps of:
- detecting when a request for an action is made by a principal; and
  
  in response to detecting the request, determining whether said action is authorized based on permissions associated with a plurality of routines in a calling hierarchy associated with said principal, wherein a first routine in said calling hierarchy is privileged; and
  
  wherein the step of determining whether said action is authorized further includes determining whether a permission required to perform said action is encompassed by at least one permission associated with each routine in said calling hierarchy between and including said first routine and a second routine in said calling hierarchy, wherein said second routine is invoked after said first routine, wherein said second routine is a routine for performing said requested action.
- View Dependent Claims (7, 8, 9)
- - 7. The method of claim 6, wherein the step of determining whether said permission required to perform said action is encompassed by at least one permission associated with each routine in said calling hierarchy between and including said first routine and said second routine further includes the steps of:
8. The method of claim 7, wherein:
- the method further includes the step of setting a flag associated with said first routine to indicate that said first routine is privileged; and
  
  the step of determining that said next routine is said first routine includes determining that a flag associated with said next routine indicates said next routine is privileged.
9. The method of claim 8, wherein the step of setting said flag associated with said first routine includes setting a flag in a frame in said calling hierarchy associated with said thread.

10. A computer-readable medium carrying one or more sequences of one or more instructions, the one or more sequences of the one or more instructions including instructions which, when executed by one or more processors, causes the one or more processors to perform the steps of:
- detecting when a request for an action is made by a principal; and
  
  in response to detecting the request, determining whether said action is authorized based on permissions associated with a plurality of routines in a calling hierarchy associated with said principal, wherein said permissions are associated with said plurality of routines based on a first association between protection domains and permissions.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-readable medium of claim 10, wherein:
12. The computer readable medium of claim 10, wherein:
- the calling hierarchy includes a first routine; and
  
  the step of determining whether said action is authorized further includes determining whether a permission required to perform said action is encompassed by at least one permission associated with said first routine.
13. The computer readable medium of claim 10, wherein the step of determining whether said action is authorized further includes determining whether a permission required to perform said action is encompassed by at least one permission associated with each routine in said calling hierarchy.

14. A computer-readable medium bearing instructions for providing security, the instructions including instructions for performing the steps of:
- detecting when a request for an action is made by a principal;
  
  determining whether said action is authorized based on an association between permissions and a plurality of routines in a calling hierarchy associated with said principal;
  
  wherein each routine of said plurality of routines is associated with a class; and
  
  wherein said association between permissions and said plurality of routines is based on a second association between classes and protection domains.

15. A computer-readable medium carrying one or more sequences of one or more instructions, the one or more sequences of the one or more instructions including instructions which, when executed by one or more processors, causes the one or more processors to perform the steps of:
- detecting when a request for an action is made by a principal; and
  
  in response to detecting the request, determining whether said action is authorized based on permissions associated with a plurality of routines in a calling hierarchy associated with said principal, wherein a first routine in said calling hierarchy is privileged; and
  
  wherein the step of determining whether said action is authorized further includes determining whether a permission required to perform said action is encompassed by at least one permission associated with each routine in said calling hierarchy between and including said first routine and a second routine in said calling hierarchy, wherein said second routine is invoked after said first routine, wherein said second routine is a routine for performing said requested action.
- View Dependent Claims (16, 17, 18)
- - 16. The computer readable medium of claim 15, wherein the step of determining whether said permission required to perform said action is encompassed by at least one permission associated with each routine in said calling hierarchy between and including said first routine and said second routine further includes the steps of:
17. The computer readable medium of claim 16, wherein:
- the computer readable medium further comprises one or more instructions for performing the step of setting a flag associated with said first routine to indicate that said first routine is privileged; and
  
  the step of determining that said next routine is said first routine includes determining that a flag associated with said next routine indicates said next routine is privileged.
18. The computer readable medium of claim 17, wherein the step of setting said flag associated with said first routine includes setting a flag in a frame in said calling hierarchy associated with said thread.

19. A computer system comprising:
- a processor;
  
  a memory coupled to said processor;
  
  said processor being configured to detect when a request for an action is made by a principal; and
  
  said processor being configured to respond to detecting the request by determining whether said action is authorized based on permissions associated with a plurality of routines in a calling hierarchy associated with said principal, wherein said permissions are associated with said plurality of routines based on a first association between protection domains and permissions.
- View Dependent Claims (20, 21)
- - 20. The computer system of claim 19, wherein:
21. The computer system of claim 19, whereinsaid processor is configured to determine whether said action is authorized by determining whether a permission required to perform said action is encompassed by at least one permission associated with each routine in said calling hierarchy.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Gong, Li
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
Baderman, Scott T.

Application Number

US08/988,431
Time in Patent Office

1,167 Days
Field of Search

713/200, 713/201-202, 713/152-153, 713/154, 713/117, 713/187, 713/188, 308/4, 714/38, 714/48, 395/704, 709/229
US Class Current

726/4
CPC Class Codes

G06F 21/629   to features or functions of...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

Controlling access to a resource

First Claim

2 Assignments

Litigations

0 Petitions

Reexamination

Accused Products

Abstract

163 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling access to a resource

First Claim

2 Assignments

Subscription Required

Subscription Required

Litigations

0 Petitions

Subscription Required

Reexamination

Accused Products

Subscription Required

Abstract

163 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links