Specifically, the present invention relates to a method to control the access to application objects which, in order to make them accessible for users and application processes over one or more computer networks, have to be exposed to one or more networks with a multitude of users, the latter partly unknown to the owner of the application objects or being potentially malicious or fraudulent.
In networked computer environments, application program systems are increasingly realized as systems consisting of a multitude of networked objects, which are accessible through well defined operations. Frequently used terms related to this approach to build program systems are Web Applications, Distributed Objects, Components, and Net Objects. Typically, the users (human users as well as machine based entities acting under a certain identity) of such distributed program systems access the system over a network. For the user, using an application program that consists of several objects means accessing a multitude of objects in the course of each program system use. Examples of such objects are CORBA objects, remotely accessible Java objects, remotely accessible DCOM components, and the static or dynamically created HTML as well as WAP pages of Web Applications. The well defined operations are either operations explicitly defined for the object type in the interface definition language of the respective technology (CORBA, Java, DCOM) or are operations implicitly defined and implemented as a combination of a generic protocol method with well defined parameter types (Web Applications).
Each of the respective objects has a specific reference to be used to access it. Normally, the user does not yet have all the necessary references before starting to use the application. In the regular case, before use of the application he has obtained a single reference which refers to an object that serves as the starting point for using the application. He obtains the necessary references to access other objects in the course of the interactions with the application program system. A reference to an object to be accessed is usually delivered and received contained in the output produced by other application objects which have been accessed before. The output is received by the user in the form of Web pages or object output parameters.
A reference contains the information that is technically necessary for the user's computer system to establish a transport connection with the proper qualities (e.g., a TCP connection) to the respective object's computer system and the information that is necessary for the object's computer system to address the object within this computer system. The respective examples of references for the object technology examples given above are CORBA IORs, Java-RMI references, DCOM references, and URIs.
The objects to be accessed by the user in the course of the use of a program system are in many cases exclusively dedicated to this user. This may, for instance, serve for security separation and personalized behavior or personalized output generation of the respective objects. The objects may be dynamically created specifically for the respective user and the respective use and access (often called a session). The time of creation may vary; the respective object may be created before handing out its reference to the intended user (e.g., following the Factory pattern in CORBA applications, or servlet instances for dynamically created HTML). The references to such user and/or session dedicated objects are willingly handed out by the program system to the respective user only, in the understanding of the program system and its application programmer that they semantically represent not only a handle of the object for the user but also an implicit authorization.
Current networked objects technology does not provide the functionality of an efficient access control system that meets the requirements of implicit authorization as mentioned above. That is, it does not check whether the reference to a certain object used by a certain user to access the object has been handed out by the owner of the accessed object to the accessing user or not. This means it does not enforce the access control needed for the secure realization of said implicit authorization. In these systems, fraudulent users can use intercepted, forged, or fabricated references to illegitimately access objects. Intercepting or forging references is often possible because of the insecure communication links used, e.g., the Internet. Fabricating references is always possible since the references have standard formats and the contained values can easily be guessed.
Prior art access control technology does not support secured implicit authorization. This is due to the fact that secured implicit authorization is mainly appropriate for systems with many short-lived objects, whereas most research on access control concepts and technology so far centered around less dynamic populations of long-lived documents and computing resources.
However, today's network centered application program systems consisting of a multitude of networked objects (as they are becoming standard technology in the Internet) need an authorization and access control scheme that allows secured implicit authorization of network connected users through the export of object references as part of and controlled by the application logic.
Therefore it is the object of the invention to provide methods and systems for a secured implicit authorization, that enforces access control, so that illegitimate access is technically made impossible.
This object is achieved by the method of claim 1 and the system of claim 6. Advantageous embodiments of the method and systems are described in the dependent claims.
In the context of the present invention it is clear to a person skilled in the art that Initiator Domains may exist that comprise single or multiple Initiator Hosts, each one able to request services of one or more target hosts in a target domain, preferably to use networked application objects, using the methods or systems of the present invention.
The method embodiments of the present invention are implementable on computer systems. In a further embodiment, the present invention may be implemented as a computer program product for use with a computer system. Those skilled in the art should readily appreciate that programs defining the function of the present invention can be delivered to a computer in many forms, including, but not limited to:
(a) information permanently stored on non-writable storage media, e.g. read only memory devices within a computer such as ROMs or CD-ROMs readable by a computer I/O device;
(b) information alterably stored on writable storage media, e.g. floppy disks or hard disks;
(c) information conveyed to a computer through communication media such as networks or telephone networks via modem.
It should be understood, therefore, that such media, when carrying computer readable instructions that direct the method functions of the present invention, represent alternate embodiments of the present invention.
Another preferred embodiment of the present invention is a computer program product stored on a computer readable storage medium, comprising computer readable program code means for an ingress-session-based authorization and control method to control access from an initiator-host to objects on a target host, comprising the steps of:
(i) receiving an access-request, preferably a request-message, originally coming from the initiator-host, that references an object on the target host to access,
(ii) assigning the access-request to an ingress-session and selecting a session-context belonging to that ingress-session,
(iii) checking whether the access to the referenced object is authorized in the selected session-context or not, and
(iv) denying the access to the referenced object if the access to said object on the target host is not authorized in the selected session-context,
(v) granting the access to the referenced object if the access to said object on the target host is allowed in the selected session-context,
wherein references to objects on the target host were handed over to the initiator-host as a response to an access-request already granted, and wherein the object for which a reference is handed over is authorized for access under that reference in the session-context to which the already granted access-request is assigned.
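The following is an added illustration, not code from the patent or from any product it describes, of the ingress-session-based check in steps (i) to (v) and of why it closes the fabricated-reference problem described earlier. It assumes a Web Application whose objects are addressed by URI path strings, whose ingress sessions are identified by a random session token, and whose responses hand out further references as HTML links; the target host, its pages, the session tokens and the request sequence are all constructed sample data.

```python
"""Model of an ingress-session-based authorization guard in front of a
target host (added example; hosts, pages and sessions are constructed)."""
import re
import secrets

# References handed out by the application appear in its output as links.
REF_PATTERN = re.compile(r'href="([^"]+)"')

# Constructed target-host objects. "/account/43" exists on the host but is
# never handed out to the demo session, so a guessed reference to it must
# be denied even though the object is addressable.
DEMO_PAGES = {
    "/start": '<a href="/account/42">my account</a>',
    "/account/42": '<a href="/account/42/statement">statement</a>',
    "/account/42/statement": "balance: 100",
    "/account/43": "balance: 999",
}


class IngressSessionGuard:
    """Keeps, per ingress session, the set of references that the target
    host has handed out in responses to already granted requests."""

    def __init__(self, entry_ref, backend):
        self.entry_ref = entry_ref      # the single well-known starting reference
        self.backend = backend          # callable: reference -> response body
        self.contexts = {}              # ingress-session id -> authorized references

    def open_session(self):
        """Create an ingress session whose context contains only the entry reference."""
        session_id = secrets.token_hex(16)
        self.contexts[session_id] = {self.entry_ref}
        return session_id

    def handle(self, session_id, ref):
        """Steps (i)-(v): receive a request for `ref`, assign it to the ingress
        session, check the reference against that session-context, then deny
        or grant. Returns (status, body)."""
        # (ii) assign the request to an ingress session and select its context
        context = self.contexts.get(session_id)
        if context is None:
            return 403, "unknown ingress session"
        # (iii)/(iv) a reference that was not handed out in this session-context
        # (intercepted from another session, forged, or guessed) is denied
        if ref not in context:
            return 403, "reference not authorized in this session-context"
        # (v) grant: forward to the target host and record every reference the
        # granted response hands over, so it becomes authorized in this context
        body = self.backend(ref)
        context.update(REF_PATTERN.findall(body))
        return 200, body


def demo_backend(ref):
    """Constructed target host: returns the object's output or an empty body."""
    return DEMO_PAGES.get(ref, "")


def build_demo_guard():
    return IngressSessionGuard(entry_ref="/start", backend=demo_backend)


def run_demo():
    """Walks one legitimate session and returns the status codes observed for
    (entry, handed-out ref, ref handed out two hops later, guessed ref,
    replay of a handed-out ref from a different ingress session)."""
    guard = build_demo_guard()
    sid = guard.open_session()
    statuses = [
        guard.handle(sid, "/start")[0],                  # 200: entry reference
        guard.handle(sid, "/account/42")[0],             # 200: handed out by /start
        guard.handle(sid, "/account/42/statement")[0],   # 200: handed out by /account/42
        guard.handle(sid, "/account/43")[0],             # 403: exists but never handed out
    ]
    other = guard.open_session()
    statuses.append(guard.handle(other, "/account/42")[0])  # 403: not in this session-context
    return statuses


if __name__ == "__main__":
    print(run_demo())
```

The guard never consults the target host to decide: authorization is derived purely from which references earlier granted responses in the same ingress session handed over, which is the implicit authorization the text describes. A real deployment would also need to expire session contexts and to recognize references in whatever output format the application uses (object output parameters rather than HTML links, for the CORBA, Java or DCOM cases).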