US007346921B2 (12) United States Patent (10) Patent N0.: US 7,346,921 B2 Murren et al. (45) Date of Patent: Mar. 18, 2008 (54) DEFINITION OF LOW-LEVEL SECURITY 5,745,754 A 4/1998 Lagarde et a1. RULES IN TERMS OF HIGH-LEVEL 5,790,790 A 8/1998 Smith et a1. SECURITY CONCEPTS 5,790,809 A 8/1998 Holmes 5,835,896 A 11/1998 Fisher et a1. (75) Inventors: Brian T. Murren, Clifton Park, NY 5,870,605 A 2/1999 Bracho et a1. 5,890,175 A 3/1999 Wong et a1. (US); Thomas R. Kiehl, Wynantskill, 5,898,836 A 4/1999 Freivald et a1. NY (US) 5,915,209 A 6/1999 Lawrence 5,928,335 A 7/1999 Morita (73) Assignee: GE Capital Corporation, Stamford, 5,970,231 A 10/1999 Crandall CT (US) 5,977,971 A 11/1999 Guzak et a1. 5,978,799 A 11/1999 Hirsch Notice: Subject to any disclaimer, the term of this 5,999,948 A 12/1999 Nelson et a1. patent is extended or adjusted under 35 6,035,121 A 3/2000 Chiu et a1. U.S.C. 154(b) by 827 days. 6,047,377 A * 4/2000 Gong ....................... .. 713/201 6,058,417 A 5/2000 Hess et a1. (21) Appl. No.2 09/847,037 6,061,686 A 5/2000 Gauvin et a1. 6,115,690 A 9/2000 Wong (22) Filed: Apr. 30, 2001 6,128,655 A 10/2000 Fields et a1. 6,144,944 A 11/2000 Kurtzman, 11 et a1. 6,151,022 A 11/2000 Alshibani et a1. (65) Prior Publication Data US 2003/0167401 A1 Sep. 4, 2003 (Continued) OTHER PUBLICATIONS (51) Int. Cl. G06F 17/00 (2006.01) Belge, “The Next Step in Software Internationalization,” Jan. 1995, (52) US. Cl. ........................ .. 726/1; 713/156; 713/166; ACM Press Interactions, vol. 2, Issue 1, pp. 21-25, ISSN: 1072 705/51 5520. (58) Field of Classi?cation Search .............. .. 713/200, (Continued) 713/156, 166; 709/9, 249; 705/76, 50, 51; 726/26, 8429, 1; 707/9, 10 Primary ExamineriT. B. Truong See application ?le for complete search history. (74) Attorney, Agent, or Fi rmiLee & Hayes, PLLC (56) References Cited (57) ABSTRACT U.S. PATENT DOCUMENTS A set of pluggable rules are used to de?ne low-level security 5,265,221 A * 11/1993 Miller ...................... .. 711/163 rules in terms of high-level security concepts. The rules are 5,410,646 A 4/1995 Tondevold et a1. part of a pluggable module that can interact With a business 5,434,776 A 7/1995 Jain logic to provide different granularities of control. 5,590,197 A 12/1996 Chen et a1. 5,678,039 A 10/1997 Hinks et a1. 5,704,029 A 12/1997 Wright, Jr. 27 Claims, 9 Drawing Sheets {-100 102(3) 102(2) l C] 21> CLIENT BROWSER 11155 WEB SERVICE 102(N) ‘m REOUESTS/ REPLlES APPLICATION SERVER SYSTEM 110 MULTl-LAYER APPLICATION] DOMAIN ARCHITECTURE A ‘"1. 112(1) 112(2) 112(3) 110 11 L RESOURCE I l RESOURCE I I" I RESOURCE I 105(1) J 108(2) J 108(M) J US 7,346,921 B2 Page 2 U.S. PATENT DOCUMENTS 2001/0044809 A1 11/2001 Parasnis et al. 2002/0107684 A1 8/2002 Gao 6,175,841 B1 V2001 Loiacono 2002/0147656 A1 10/2002 Tam et al. 6,192,407 B1 2/2001 Smith et 91- 2002/0156678 A1 10/2002 Adams 6,216,114 B1 4/2001 Alaifl er 91- 2002/0161674 A1 10/2002 Scheer 6,233,566 B1 5/2001 Levlne et 31 2003/0033448 A1 2/2003 Kiefrer 6,243,721 B1 6/2001 Duape er 91- 2003/0078960 A1 4/2003 Murren etal. 6252589 B1 6/2001 Remg 9t 81 2003/0233296 A1 12/2003 Wagner 6,253,251 B1* 6/2001 Benantar et al. .......... .. 719/315 2004/0039993 A1 2/2004 Kouglouris @131‘ 6,292,827 B1 9/2001 R?Z 2004/0205575 A1 10/2004 Wattenberg 6,308,212 B1 10/2001 BeSaW er a1~ 2004/0205644 A1 10/2004 Shaughnessy et al. 6,345,278 B1 2/2002 Hitchcock et al. 2005/0055633 A1 3/2005 A11 @131‘ 6,366,891 B1 4/2002 Feinberg 6,385,724 B1 * 5/2002 Beckman et al. ......... .. 713/167 OTHER PUBLICATIONS 6,412,008 B1 6/2002 Fields et a1. 6,415,284 B1 7/2002 D’Souza e1 31‘ “Borland’s Paradox for Windows User’s Guide”, Borland Interna 6,434,568 B1 8/2002 Bowman-Amuah tional, Inc, 1994, 23 P9899 6,438,594 B1 g/2002 BOWmamAmuah Bragg, “Accounting Best Practices,” John Wiley and Sons, Inc. 6,460,036 B1 10/2002 Herz 1999, 289 P9899 6,473,748 B1 * 10/2002 Archer ...................... .. 706/45 d9 Mauro, “Internationalizing Messages in Linus Program,” Mar 6,473,791 B1 * 10/2002 A1_Ghosein e131‘ ______ __ 709/217 1999, Specialized Systems Consultants Inc., Linux Journal, vol. 6,477,665 B1 11/2002 BOWmamAmuah 1999, Issue 59es, Article No. 4, ISSN 1075-3583, 10 pages. 6,487,599 B1 11/2002 Smith et a1‘ Der?er, et al., “How Networks Work,” Millennium Ed., Euq Cor 6,487,665 B1 * 11/2002 Andrews et al. .......... .. 713/201 poration, Jan 2000, 19 pages 6,513,038 B1 1/2003 Hasegawa et a1‘ “Developer’s Guide to Internationalization,” 1995 Sun 6,519,570 B1 2/2003 Faber et al. Microsystems, 96 P9899 6,519,571 B1 2/2003 Guheen e1 31‘ Gavron, et al., “How to Use Microsoft Windows NT4Workstation,” 6,529,950 B1 * 3/2003 Lumelsky et al. ........ .. 709/218 Macmillian Computer Publishing, USA, 1996, 197 P9899 6,529,956 B1 3/2003 Smith et a1‘ Gilly, “Unix in a Nutshell: A Desktop Quick Reference for System 6,546,397 B1 4/2003 Rempell V and Solaris 2.0,” Cambridge: O’Reilly, 1992, 4 pages. 6,549,397 B1 4/2003 Diaz et a1‘ Gralla, “How the Internet Works,” Millennium Ed., Que Corpora 6,560,592 B1 * 5/2003 Reid et al. ................... .. 707/2 tion, A118 1999, 28 pages 6,567,846 B1 5/2003 Garg et a1, Lemay, et al., “Laura Lemay’s Workshop Javascript,” 1996, Sams. 6,611,498 B1 8/2003 Baker et a1. 11991211 l32-13T 6,615,253 B1 9/2003 BOWmamAmuah Lawhead, “Flexible Formatting of Messages for Display,” Jun. 1, 6,623,529 B1 9/2003 Lakritz 1971, IBM Technical Disclosure Bulletin, vol. 14, Issue 1, pp. 6,625,581 B1 9/2003 Perkowski 46-48 6,631,357 B1 10/2003 perkowski Muller, “ Desktop Encyclopedia of the Internet,” Artech House, 6,632,251 B1 10/2003 Rutten et al. 1119, 1998, 499 P9899 6,636,886 B1 10/2003 Katiyar et a1, “OpenWindows Developer’s Guide: XView Code Generator Pro 6,643,652 B2 11/2003 Helgeson et a1‘ grammer’s Guide,” 1994 Sun Microsystems Product Manual ,Chap 6,654,726 B1 11/2003 Hanzek ter 1, and Appendix B, PP~ 1-3 and 95-106 6,662,342 B1 12/2003 Marcy Peek, et a1. “Unix Power Tools,” Cambridge: O’Reilly, 1997, 2nd 6,664,981 B2 12/2003 Ashe et a1. Edition, 6 P9899 6,671,674 B1 12/2003 Anderson @131, Pominville, et al., “A Framework for Optimizing Java Using 6,684,369 B1 1/2004 Bernardo et a1‘ Attributes,” IBM Centre for Advanced Studies Conference, 2000, 6,694,506 B1 * 2/2004 LeBlanc et al. .......... .. 717/108 p11 l-l7~ 6,704,906 B1 3/2004 yankovich et a1‘ Robbins, “Effective awk Programming,” May 2001, O’Reilly & 6,728,685 B1 4/2004 Ahluwaha Associates, ISBN: 0-596-00070-7, Chapter 9, 15 pages. 6,732,331 B1 5/2004 A1exander Robbins, “Gawk 3.1 New Feature List,” Sep. 3, 2000, Usenet 6,741,969 B1 5/2004 Chen et a1‘ newsgroup comp.lang.awk as archived on <<http://groups.google. 6,741,980 B1 5/2004 Langseth et a1, com>>, accessed and printed on Mar. 18, 2005, 3 pages. 6,742,015 B1 5/2004 Bowman.Amuah “SMT in Line”, available at <<www.smtinline.com>>, accessed on 6,745,203 B1 6/2004 Garg et al. APR 28, 2006, 2 pages. 6,751,673 B2 6/2004 Shaw Stephens, “Prototyping with Visual Basic,” Sep. 2001, Sams Pub 6,769,009 B1 7/2004 Reisman lishing, ISBN 0-7897-2578-9, Chapter 9, 6 pages. 6,771,384 B1 8/2004 Laverty et a1. Stevens, “Unix Network Programing,” New Jersey: Prentice Hall 6,779,155 B1* 8/2004 Bahrs et al. .............. .. 715/526 1990, 44 pages. 6,785,721 B1 8/2004 Immerman et a1. Tuthill, et a1, “Creating Worldwide Software: Solaris International 6,792,462 B2 * 9/2004 Bernhardt et al. ........ .. 709/225 Developer’s Guide,” Sun Microsystems Press, 1997, 2nd Edition, 6,802,059 B1 10/2004 Lyapustina et al. 13 pages, 6,807,558 B1 10/2004 H?ssett et a1~ Usdin, et al., “XML: NotA Silver Bullet, But a Great Pipe Wrench”, 6,820,082 B1 * 11/2004 Cook et al. .................. .. 707/9 Published by standard View, v01, 6, NO, 3, Sep, 1993, pp, 125.132, 6,832,369 B1 12/2004 Kryka et a1~ White, “How Computers Work”, Millennium Ed. Que Corporation, 6,842,906 B1 1/2005 Bowman-Amuah Sep, 1999, 38 pages, 7,013,289 B2 3/2006 Horn et a1. 2001/0039594 A1 11/2001 Park et al. * cited by examiner U.S. Patent Mar. 18, 2008 Sheet 1 0f 9 US 7,346,921 B2 r 100 102 1 [- ( ) III 102(3) CLIENT BROWSER CIDEI WEB SERVICE :- 102W) COMM. DEVICE REQuEsTs/ REPLIES 1 04 106 /. APPLICATION SERVER SYsTEM 110-\ MULTI-LAYER APPLICATION/DOMAIN ARCHITECTURE \ 7 \ / \ I JIIIIIHL m 112(1)J112(2)J112(3)J 112(s REsouRcE RESOURCE . . . RESOURCE 108(1) J 108(2) J 108(M) J w, I U.S. Patent Mar. 18, 2008 Sheet 2 0f 9 US 7,346,921 B2 REQUESTS REPLIES I 110 L I MULTl-LAYER ARCHITECTURE I EXECUTION ENVIRONMENT 2Q PRESENTATION LAYER @ ADAPTER(S) Q CONTENT RENDERER FRAMEWORK E \ 260 MODEL REQUEST DISPATCHER _22_4 DISPATCHER Q ENGINE RDT | TRANSLATOR _26_2 264 / I 226 —/ AUTHENTICATION MODEL BUSINESS LOGIC LAYER 204 210 SECURITY POLICY WLI ENFORCEMENT _2_§Q 230 ' DATA COORDINATION LAYER @ APPLICATION DATA MANAGERS w UTILITIES 242 APPLICATION FRAMEWORK EXTENSIONS 244 DOMAIN FRAMEWORK E 252 —\ r 254 PERSISTENCE MANAGEMENT BULK DATA ACCESS DATA ABSTRACTION LAYER 208 SERVICE LAYER m RESOURCE RESOURCE - - . RESOURCE 108(1) -/ 108(2) J 108(M) J Q9, 2 U.S. Patent Mar. 18,2008 Sheet 3 0f 9 US 7,346,921 B2 GENERAL OPERATION 300 302 -\ f RECEIVE REQUEST FROM CLIENT L I 304 _\ AUTHENTICATE REQUEST 306 _\ SELECT EXECUTION MODEL w 308 \F PROCESS REQUEST USING EXECUTION MODEL L I RESOURCE ACCESS NO RESOURCE ACCESS 3103 I ‘ l /—316 I QUERY FOR DESIRED GENERATE REPLY AND INFORMATION VIA DATA PASS REPLY TO COORDINATION AND PRESENTATION LAYER L ABSTRACTION LAYERS v /— 318‘ 312-\ I r w SELECT CLIENT ACCESS RESOURCES FOR APPROPRIATE INFORMATION PRESENTATION FORM 314\ I g I /-320 W h EXTRACT INFORMATION r FROM RESULTS AND RETURN REPLY IN SELECTED PRESENTATION RETURN TO EXECUTION MODEL FORM U.S. Patent Mar. 18, 2008 Sheet 5 0f 9 US 7,346,921 B2 OPERATION OF EXECUTION MODEL 500 [ SET ATTRIBUTE VALUES 502 RECEIVED FROM CLIENT REQUEST IN ATTRIBUTE STORE y SELECT NEXT COMMAND OF 504 INTERACTION 506 508 ALL COMMANDS PROCESS SELECTED? VIEW INSTANTIATE OBJECT r 51 O ASSOCIATED WITH COMMAND V RETRIEvE ATTRIBUTE VALUES FROM STORE AND INVOKE SET METHODS L V r 1 INvOKE VALIDATE METHOD /_ 514 L 7 h INVOKE SECURITY CHECK ‘ k METHOD 7 E INVOKE PERFORM METHOD 1/- 518 v INvOKE GET METHODS TO 520 EXTRACT OUTPUT VALUEs AND SET OUTPUT VALUES IN STORE E69. 5 U.S. Patent Mar. 18, 2008 Sheet 6 0f 9 US 7,346,921 B2 PROGRAM CONTROLLER Q5 HANDLE 5Q INPTREORCACETSISO N (Ti QE PROCESS PRocEss COMMAND PROCESS CONDITIONAL VIEW 610 — £52 TRANSLATOR 91:1 R9. 6 U.S. Patent Mar. 18, 2008 Sheet 7 0f 9 US 7,346,921 B2 USER ITEM 280 w INDICATION INDICATION 712 714 702 x POLICY ‘I’ v /»- 710 ENFORCER |NTERFACE(S) »- 7 V / O8 TO/FROM CONTROL MODULE > BUSINESS LOGIC LAYER 704 — 706 V / — RULE ~ RESULT COMPARATOR ' 716(1) 716 //_ x f- 718 720 ----- -- - X f- 726 728 730 PERMISSION 720 _ USER N AME' _ 1 f‘ ASSIGNMENT ‘ ROLE PERMISSION CONTEXT OBJECT 722 “GRANT/DENY \ OPERATION : ‘ DURATION - \ 723(R) L 732 a J '.‘ . 724 PERMISSION PERMISSION ' ASSIGNMENT 728(R) OBJECT / 716(P) -/ 769. 7 U.S. Patent Mar. 18, 2008 Sheet 8 0f 9 US 7,346,921 B2 $9 /- 802 PERMISSION CONCEPTS (CONTEXT AND OPERATION) /' ' ‘\ // /// \\ // ,/ \\ SECURITY SECURITY _ 0 _ SECURITY RULES RULEs RULES 804(1) J 804(2) J 804(8) -/ W X
Description: