1. Technical Field
The present invention relates to an improved data processing system. In particular, the present invention relates to providing access control to resources of a data processing system. Still more particularly, the present invention relates to providing device-dependent access control for device-independent Web content in a data processing system.
2. Description of Related Art
In the current market, a variety of handheld or pervasive devices are available for consumers. Examples of pervasive devices include Web browsers, personal digital assistants (PDAs), smart phones, and traditional voice telephones. These devices support different security protocols, resources, and input capabilities. For example, a PDA may support input by a pen, while a traditional voice telephone only supports input by voice.
These devices may also have different screen sizes and bandwidth requirements. These variations present challenges in security and resource control for applications that support these devices. For example, a resource, such as a spreadsheet or a chart image, that is accessible to a user through a Web browser may not be available to the same user accessing it through a smart phone, either because the resource is so sensitive that it should only be delivered to a secured smart phone or because the smart phone does not support the resource data format. A resource may be any data that is available on a given device, for example, an application, a Web page, a spreadsheet, or a data set.
Modern Web applications often adopt a device-independent approach to support various devices. In the device-independent approach, the page content containing business logic is independent from the display on a client device and is tailored to any device for display during run-time based on the device capability. The device-independent approach gives all the devices the same access privilege to a resource.
Traditionally, role-based access control may be used in applications for controlling resource access. Role-based access control is a standard security policy that is applied in many applications, including J2EE-based applications. Role-based access control uses a two-dimensional matrix mechanism to control resource access. The two-dimensional matrix includes a user role axis that has a list of user roles and a resource axis that has a list of resources. The list of user roles may include administrator, manager, editor, or user. The list of resources may include Web page, data set, application, or any combination of the above. The content of the two-dimensional matrix includes the access rights or permissions assigned to a specific user for a given resource, for example, view, edit, or update.
While role-based access control solves the problem of who can access what resource, it does not distinguish between users with different devices. Thus, a user that uses a smart phone is given the same access to a resource as the same user using a voice telephone. As more and more devices are introduced in the market, device capabilities and security become an issue. Different devices may implement different security protocols and encryption schemes and may have applied different security patches. There is currently no mechanism that solves the problem of who, using which device, can access what resource. Thus, sensitive data that is only supposed to be delivered to a secured device may end up on an unsecured device.
In addition to role-based access control, programming-based access control can also be used in applications for controlling resource access. Programming-based access control allows security control to be hard-coded in a program. However, in order to add or change a device's access permissions, the user has to manually change the program code. There is no existing mechanism that dynamically configures new devices introduced in the market or removes existing devices for access control without modifying the program.
Therefore, it would be advantageous to have an improved method to control Web resources based not only on user role, but also on device security to achieve fine-grained access control, such that sensitive data may only be delivered to secured devices. In addition, it would be advantageous to have an improved method for adding or removing devices without the need to change the program code.
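As an added illustration of the approach motivated above (example code written for this text, not part of the patent), the following Python extends the two-dimensional role/resource matrix with a device axis and keeps the whole policy as data, so that a device class is added or withdrawn by editing the policy rather than the program. All role, device and resource names are constructed sample values.

```python
import json

# Constructed sample policy. It is data, not code: a new device class is supported
# (or an old one withdrawn) by editing this document, not the program.
POLICY_JSON = """
{
  "roles": {
    "manager": {"payroll.xls": ["view", "edit"], "sales_chart.png": ["view"], "balance": ["view"]},
    "user":    {"sales_chart.png": ["view"], "balance": ["view"]}
  },
  "devices": {
    "web_browser":     {"payroll.xls": ["view", "edit"], "sales_chart.png": ["view"], "balance": ["view"]},
    "smart_phone":     {"sales_chart.png": ["view"], "balance": ["view"]},
    "voice_telephone": {"balance": ["view"]}
  }
}
"""

def load_policy(text: str) -> dict:
    policy = json.loads(text)
    # Normalise permission lists to sets so the intersection below is cheap.
    for axis in ("roles", "devices"):
        for name, row in policy[axis].items():
            policy[axis][name] = {res: set(p) for res, p in row.items()}
    return policy

def role_permissions(policy: dict, role: str, resource: str) -> set:
    """Classic two-dimensional RBAC lookup: (role, resource) -> permissions."""
    return policy["roles"].get(role, {}).get(resource, set())

def device_permissions(policy: dict, device: str, resource: str) -> set:
    """Device axis: (device, resource) -> permissions that device class may receive.
    An unknown device class has no row and therefore gets nothing (fail closed)."""
    return policy["devices"].get(device, {}).get(resource, set())

def check_access(policy: dict, role: str, device: str, resource: str, action: str) -> bool:
    """Three-dimensional decision: the action is allowed only if both the role
    axis and the device axis grant it for this resource."""
    allowed = role_permissions(policy, role, resource) & device_permissions(policy, device, resource)
    return action in allowed

if __name__ == "__main__":
    policy = load_policy(POLICY_JSON)
    # Same manager, same sensitive spreadsheet, different devices.
    print(check_access(policy, "manager", "web_browser", "payroll.xls", "view"))   # True
    print(check_access(policy, "manager", "smart_phone", "payroll.xls", "view"))   # False
    # A new secured device class is introduced by adding policy data only.
    policy["devices"]["secured_phone"] = {"payroll.xls": {"view"}}
    print(check_access(policy, "manager", "secured_phone", "payroll.xls", "view")) # True
    print(check_access(policy, "manager", "secured_phone", "payroll.xls", "edit")) # False
```

The role axis alone would grant the manager "view" on payroll.xls from any device; the device axis is what withholds it from the smart phone and from any device class that has no policy row.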