1. Field of the Invention
The present invention relates to the field of multi-tier application management and more particularly to authorizing access to multiple components of a multi-tier application.
2. Description of the Related Art
A multi-tier application is an application structurally distributed across a computer communications network. In a multi-tier application, the interface, the data storage, and the logical functionality of the application can be spread across one or more computing units and can be configured to interact with one another in concert to produce the effect of a unitary application. Different layers of a multi-tier application can communicate with one another, receiving input for processing and producing output to be provided to a different layer of the application.
Functional layers of a multi-tier application include a persistence layer in which application data is stored in a sensible, organized way, an accessor layer in which database access logic can be implemented to interact with the persistence layer, a logic layer processing user input and stored data to produce a useful result, and a presentation layer configured to present the useful result to an interacting end user. Additionally, a requestor/consumer layer can be provided through which an end user can interact with the application. Typically, a Web browser or heavy client acts as the requestor/consumer layer. Of note, security considerations must be applied at all layers of a multi-tier application.
In this regard, coordinating access control to different layers of a multi-tier application can be challenging, as different technologies can structurally support different layers. For instance, user interface technologies such as dynamic markup language and script-driven user interface engines require and support one set of languages and tools for specifying access control policies and their own policy enforcement points for enforcing them. Intermediately, the logical components of the business logic and process orchestration layer of a multi-tier application support yet a different set of languages and tools for specifying access control policies and different policy enforcement points for enforcing them.
With respect to a database in the persistence layer, the structured query language (SQL) grant statement (SQL_GRANT) provides an exemplary mechanism for specifying authorization rules for database tables. SQL_GRANT statements generally are stored within special tables of an associated database. By comparison, with respect to component-based logic in the logic layer, role-based access control is provided and stored in deployment descriptors for respective components. While the identity of an end user can flow from the logic layer to the persistence layer, the authorization rules for the same end user can vary due to the different languages of specification and the different storage locations. Additionally, due to the differences in policy specification language and the multiplicity of policy enforcement points, applications often simplify matters by specifying and enforcing access control policies at only one layer of the multi-tier application, leaving the other layers unprotected. Accordingly, inconsistencies can arise in the production and management of the authorization rules, giving rise to security holes.
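The divergence described above, between table privileges recorded as SQL GRANT statements in the persistence layer and role-based rules recorded in a component's deployment descriptor in the logic layer, can be made concrete with a small consistency check. The following Python script is an added illustration and is not part of the patent text or any product it describes; the GRANT statements, the descriptor-style role mapping, and the assumption that each component method declares which table privileges it exercises are all constructed for the example. It parses both policy sources into a common form (role, table, privilege) and reports, per role, privileges the logic layer relies on but the database never granted, and privileges the database grants that no logic-layer component ever exposes to that role.

```python
"""Cross-layer authorization consistency check (added example, not from the patent).

Assumed model (constructed for illustration):
  - persistence layer: SQL GRANT statements, one per line
  - logic layer: a deployment-descriptor-style mapping from component methods
    to the roles allowed to call them and the table privileges they exercise
"""
import re
from collections import defaultdict

# Constructed sample: GRANT statements as they might be recorded in the
# database's privilege tables (persistence layer).
SQL_GRANTS = """
GRANT SELECT ON orders TO clerk;
GRANT SELECT, UPDATE ON orders TO manager;
GRANT SELECT ON customers TO manager;
GRANT DELETE ON orders TO clerk;
"""

# Constructed sample: logic-layer descriptor. Each component method lists the
# roles permitted to invoke it and the (table, privilege) pairs it needs.
DESCRIPTOR = {
    "OrderBean.viewOrder":   {"roles": {"clerk", "manager"}, "uses": {("orders", "SELECT")}},
    "OrderBean.updateOrder": {"roles": {"manager"},          "uses": {("orders", "UPDATE")}},
    "OrderBean.cancelOrder": {"roles": {"manager"},          "uses": {("orders", "DELETE")}},
    "CustomerBean.view":     {"roles": {"clerk", "manager"}, "uses": {("customers", "SELECT")}},
}

# Minimal GRANT grammar: GRANT priv[, priv...] ON table TO role;
GRANT_RE = re.compile(r"GRANT\s+([\w\s,]+?)\s+ON\s+(\w+)\s+TO\s+(\w+)\s*;", re.IGNORECASE)


def parse_grants(text):
    """Return {role: {(table, privilege), ...}} from SQL GRANT statements."""
    grants = defaultdict(set)
    for match in GRANT_RE.finditer(text):
        privileges, table, role = match.groups()
        for privilege in privileges.split(","):
            grants[role.lower()].add((table.lower(), privilege.strip().upper()))
    return grants


def descriptor_needs(descriptor):
    """Return {role: {(table, privilege), ...}} that the logic layer lets each role exercise."""
    needs = defaultdict(set)
    for component in descriptor.values():
        for role in component["roles"]:
            needs[role.lower()] |= component["uses"]
    return needs


def find_inconsistencies(grant_text, descriptor):
    """Compare both layers per role.

    missing_in_db: the logic layer authorizes a role to reach a privilege the
                   database never granted (the operation fails at runtime).
    excess_in_db:  the database grants a privilege that no logic-layer component
                   exposes to the role (an unprotected path around the logic layer).
    """
    grants = parse_grants(grant_text)
    needs = descriptor_needs(descriptor)
    report = {}
    for role in sorted(set(grants) | set(needs)):
        missing = needs[role] - grants[role]
        excess = grants[role] - needs[role]
        if missing or excess:
            report[role] = {"missing_in_db": missing, "excess_in_db": excess}
    return report


if __name__ == "__main__":
    for role, findings in find_inconsistencies(SQL_GRANTS, DESCRIPTOR).items():
        print(role)
        for kind, pairs in findings.items():
            for table, privilege in sorted(pairs):
                print(f"  {kind}: {privilege} on {table}")
```

On the constructed input the check reports that the clerk role holds a DELETE privilege on orders that no component exposes to clerks, while lacking the SELECT on customers that CustomerBean.view relies on, and that the manager role lacks the DELETE on orders that OrderBean.cancelOrder needs. In a real deployment the GRANT text would be read from the database's privilege tables and the descriptor from the component's deployment descriptor, but the comparison itself is the same.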