1. Field of the Invention
The present invention relates to the field of computer user interfaces and, in particular, to a method and apparatus for restricted run-time environment with dynamic user context.
Sun, Sun Microsystems, the Sun logo, Solaris and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc., in the United States and other countries. All SPARC trademarks are used under license and are trademarks of SPARC International, Inc., in the United States and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.
2. Background Art
In some computer systems (e.g., thin client architectures) much of a user's data and computation is maintained and performed at a remote location using a server computer. When all of the data or computation necessary for a user's task is handled by a server, the user may easily interact with the system at different locations using different client computing devices. However, some applications require or prefer some data or computation to be handled at the client computer. Using prior art methods, the client's system data is vulnerable to tampering by a malicious user. Before further discussing the drawbacks of current schemes, it is instructive to discuss a computer architecture where this problem occurs.
Multi-Tier Application Architecture
In the multi-tier application architecture, a client communicates, for example, requests to a server for data, software and services, and the server responds to the requests. The server's response may entail communication with a database management system for the storage and retrieval of data.
The multi-tier architecture includes at least a database tier that includes a database server; an application tier that includes an application server and application logic (i.e., software application programs, functions, etc.); and a client tier. The database server responds to application requests received from the client. The application server forwards data requests to the database server.
FIG. 1 provides an overview of a multi-tier architecture. Client tier 100 typically consists of a computer system that provides a graphical user interface (GUI) generated by a client 110, such as a browser or other user interface application. Conventional browsers include Internet Explorer and Netscape Navigator, among others. Client 110 generates a display from, for example, a specification of GUI elements (e.g., a file containing input, form, and text elements defined using the Hypertext Markup Language (HTML)) and/or from an applet (i.e., a program written in the Java™ programming language or another platform independent programming language which runs when it is loaded by the browser).
Further application functionality is provided by application logic managed by an application server 120 in application tier 130. The apportionment of application functionality between client tier 100 and application tier 130 is dependent upon whether a “thin client” or a “thick client” topology is desired. In a thin client topology, the client tier (i.e., the end user's computer) is used primarily to display output and obtain input while the computing takes place in other tiers. On the other hand, a thick client topology uses a more conventional, general purpose computer which has processing, memory, and data storage abilities. Database tier 140 contains the data that is accessed by the application logic in application tier 130. Database server 150 manages the data and/or its structure, as well as the operations that can be performed on the data and/or its structure.
Application server 120 can include applications such as a corporation's scheduling, accounting, personnel and payroll applications. Application server 120 manages requests for the applications that are stored therein. Application server 120 can also manage the storage and dissemination of production versions of application logic. Database server 150 manages the database(s) that manage data for applications. For example, database server 150 responds to requests to access the scheduling, accounting, personnel and payroll applications' data.
Connection 160 is used to transmit data between client tier 100 and application tier 130, and may also be used to transfer the application logic to client tier 100. The client tier can communicate with the application tier via, for example, a Remote Method Invocator (RMI) application programming interface (API) available from Sun Microsystems™. The RMI API provides the ability to invoke methods, or software modules, that reside on another computer system. Parameters are packaged and unpackaged for transmittal to and from the client tier. Connection 170 between application server 120 and database server 150 represents the transmission of requests for data and the responses to such requests from applications that reside in application server 120.
Elements of the client tier, the application tier and the database tier (e.g., client 110, application server 120 and database server 150) may execute within a single computer. However, in a typical system, elements of the client tier, the application tier and the database tier may execute within separate computers interconnected over a network such as a LAN (local area network) or WAN (wide area network).
Local Machine System Security
If all of the user's data and computation (task) is handled at the remote location, the user will not need to create any files or modify any existing files on the client. Thus, in such a system, the user is often prevented from creating or modifying local files, which prevents a malicious user from damaging the local machine's system information while still enabling full use of the system. However, if some user task requires that the user be able to create or modify a local file, in prior art methods a malicious user may be able to modify and damage the local machine's system information (i.e., the system information in the client tier). Thus, a need exists to allow a user to create or modify a local file while preventing a malicious user from modifying or damaging the local machine's system information.
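The following is an added illustration of the need stated above and is not part of the patent or of any Sun Microsystems product: one way to let a user create or modify local files while keeping the client's system information out of reach is to confine every write to a per-user directory and reject any requested path that resolves outside it. The function and directory names (`resolve_confined`, `write_user_file`, the `user`/`system` scratch directories) are assumptions chosen for the example, and the "system" directory is a constructed stand-in for the local machine's system files.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(Exception):
    """Raised when a requested path would leave the user's writable area."""


def resolve_confined(user_root, requested):
    """Map a user-supplied relative path to an absolute path under user_root.

    Symlinks and '..' components are resolved before the containment check,
    so a link planted inside the area that points at a system directory is
    caught as well as a plain '../' traversal.
    """
    root = Path(user_root).resolve()
    rel = Path(requested)
    if rel.is_absolute():
        raise PathEscapeError("absolute paths are not accepted: %s" % requested)
    candidate = (root / rel).resolve()  # follows symlinks, collapses '..'
    if candidate != root and root not in candidate.parents:
        raise PathEscapeError("path escapes the user area: %s" % requested)
    return candidate


def write_user_file(user_root, requested, data):
    """Create or overwrite a file, but only inside the user's confined area."""
    target = resolve_confined(user_root, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)
    return target


def demo():
    """Exercise the check with constructed paths; returns what was blocked."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as scratch:
        user_area = os.path.join(scratch, "user")
        # Constructed stand-in for the local machine's system information.
        system_area = os.path.join(scratch, "system")
        os.makedirs(user_area)
        os.makedirs(system_area)

        # A legitimate write inside the user's own area succeeds.
        written = write_user_file(user_area, "notes/todo.txt", b"buy milk")
        outcomes["allowed_write_ok"] = written.read_bytes() == b"buy milk"

        # Attempts to reach the system area by traversal or absolute path fail.
        for label, bad in (
            ("traversal_blocked", "../system/config"),
            ("absolute_blocked", os.path.join(system_area, "config")),
        ):
            try:
                write_user_file(user_area, bad, b"x")
                outcomes[label] = False
            except PathEscapeError:
                outcomes[label] = True

        # A symlink planted inside the user area that points at system files
        # is resolved before the check, so it is rejected too.
        os.symlink(system_area, os.path.join(user_area, "link"))
        try:
            write_user_file(user_area, "link/config", b"x")
            outcomes["symlink_blocked"] = False
        except PathEscapeError:
            outcomes["symlink_blocked"] = True

        outcomes["system_untouched"] = os.listdir(system_area) == []
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The containment test is done on the fully resolved path rather than on the string the user supplied, because string prefix checks miss both `..` sequences and symlinks; a real restricted run-time environment would additionally apply operating-system permissions so that the check cannot be bypassed by code running outside this function.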