1. Technical Field
This invention generally relates to computer systems and more specifically relates to an apparatus and method for authorizing and authenticating access to resources in a computer system.
2. Background Art
Since the dawn of the computer age, computer systems have evolved into extremely sophisticated devices, and computer systems may be found in many different settings. Modern computers are a sophisticated blend of hardware (e.g., integrated circuits and circuit boards) and software (e.g., computer programs). The power of a computer system is measured by the amount of work it can perform. With recent advances in both hardware and software, computer systems have become extremely powerful. A desktop computer today can out-perform by orders of magnitude computers of the same size just a few years earlier.
One common concern in computer programming is the need to provide authentication and authorization mechanisms. Authentication assures that an entity that requests access is known to the system. Authorization assures that the entity is authorized to access the requested resource. Thus, authentication and authorization can be thought of as two different levels of security measures. If a user wants to access a computer system, the user typically must “log in” by entering a user name and password. Assuming the user enters a correct user name and password combination, the user is authenticated to the computer system, and is provided access to the computer's functions. Once logged in, the user may request access to a particular resource on the computer system, such as a file or a database table. The system can then determine from stored security information whether the user should be granted access to the requested resource or not. In this manner, authentication acts as a gate to keep unauthorized users out of the computer system, while authorization acts as a filter to assure that users access only the resources they are authorized to access.
The most common way to provide authentication and authorization in a computer program is for the programmer to provide code that performs the authentication and authorization functions. Referring to FIG. 1, a prior art application 100 is one type of computer program, and we assume that application 100 requires authentication and authorization functions to protect one or more resources that may be accessed by application 100. A programmer will typically define a user registry 110 in the application that contains a list of the users that can access the application. A permission table 120 is then provided that defines for each user the permitted access to resources that may be accessed by the application 100. A security component 130 provides authentication by assuring a user is listed in the user registry 110, and provides authorization by assuring a user has permission to access a requested resource according to permission table 120. Application logic 140 simply denotes the “rest” of the application that is not concerned with authentication and authorization.
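As an added illustration of the structure just described (example code written for this page, not code from the patent or from any product it describes), the following Python sketch implements a user registry in the role of element 110, a permission table in the role of element 120, and a security component in the role of element 130 that first authenticates and then authorizes. All user names, passwords and resource names are constructed sample data; storing salted password hashes, comparing them in constant time, and denying by default when no permission entry exists are this example's own design choices, not anything the text specifies.

```python
"""Added example: registry + permission table + security component.
Not the patent's code; all sample data below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: any slow, salted password hash would do

# User registry (role of element 110): user name -> (salt, password hash).
Registry = Dict[str, Tuple[bytes, bytes]]
# Permission table (role of element 120): (user, resource) -> allowed actions.
PermissionTable = Dict[Tuple[str, str], Set[str]]


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register_user(registry: Registry, name: str, password: str) -> None:
    """Add a user to the registry; the password is stored only as a salted hash."""
    salt = os.urandom(16)
    registry[name] = (salt, _hash_password(password, salt))


def authenticate(registry: Registry, name: str, password: str) -> bool:
    """Authentication: is this entity known to the system, and did it prove it?"""
    entry = registry.get(name)
    if entry is None:
        # Unknown user: do the same hashing work so that response time does not
        # reveal which user names exist in the registry.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, stored = entry
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def authorize(perms: PermissionTable, name: str, resource: str, action: str) -> bool:
    """Authorization: default deny; only an explicit table entry grants access."""
    return action in perms.get((name, resource), set())


def request_access(registry: Registry, perms: PermissionTable, name: str,
                   password: str, resource: str, action: str) -> str:
    """Security component (role of element 130): the gate, then the filter."""
    if not authenticate(registry, name, password):
        return "denied: authentication failed"
    if not authorize(perms, name, resource, action):
        return "denied: not authorized"
    return "granted"


def build_sample() -> Tuple[Registry, PermissionTable]:
    """Constructed sample registry and permission table for demonstration."""
    registry: Registry = {}
    register_user(registry, "alice", "correct horse battery")
    register_user(registry, "bob", "hunter2")
    perms: PermissionTable = {
        ("alice", "payroll.db"): {"read", "write"},
        ("bob", "payroll.db"): {"read"},
        ("bob", "reports/q3.txt"): {"read"},
    }
    return registry, perms


if __name__ == "__main__":
    reg, table = build_sample()
    for who, pw, res, act in [
        ("alice", "correct horse battery", "payroll.db", "write"),
        ("bob", "hunter2", "payroll.db", "write"),
        ("bob", "wrong", "payroll.db", "read"),
        ("mallory", "anything", "payroll.db", "read"),
    ]:
        print(f"{who} {act} {res}: {request_access(reg, table, who, pw, res, act)}")
```

The two checks are deliberately separate functions: a caller cannot reach `authorize` with an identity that `authenticate` has not confirmed, and a user absent from the permission table is refused rather than falling through to an implicit grant.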
Programming security into each application to provide the needed authentication and authorization functions is very time-consuming. In addition, there are no standards that allow security information for one application to be shared with a different application, so each application typically has its own user registry and its own scheme for performing authentication and authorization functions. As a result, a user has to register with each application separately. Without an apparatus and method for standardizing authentication and authorization in software applications, programmers will be forced to continue to provide authentication and authorization functions in each application, a great duplication of effort that results in unnecessary cost to the industry.