1. Field of the Invention
The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention provides a method and apparatus for computer-to-computer authentication.
2. Description of Related Art
In a distributed data processing environment that comprises multiple security domains, a client within one security domain may need to communicate with servers within multiple security domains, each of which requires the successful completion of an authentication operation that is valid only within a particular security domain. Moreover, each of the security domains may employ different types of authentication procedures, all of which complicates the development of applications that operate in such environments.
In order to standardize security operations and minimize effort in developing Java applications, programmers may develop Java applications in accordance with the Java Authentication and Authorization Service (JAAS) programming model, which simplifies application development by serving as a building block for developers. The JAAS programming model enables developers to authenticate users and enforce access controls upon those users within these applications. By abstracting the underlying authentication and authorization mechanisms and standardizing the interfaces to them, the JAAS programming model reduces the risk of creating security vulnerabilities within application code.
Although the JAAS programming model simplifies some aspects of incorporating authentication operations into the development of an application, the JAAS programming model contains an inherent disadvantage as follows. Before attempting to access any objects that are supported by servers within a given security domain, a client application must complete an authentication operation with respect to that given security domain. In response to completing an authentication operation, a credential for the security domain is stored within an object of Class “Subject” that is returned to the client application, which then uses the credential within a particular block of code that accesses objects that are supported within the security domain. This particular block of code is executed through the static “doAs” method of the “Subject” class. For example, the programming statement “Subject.doAs(subjectZ, action)” executes the block of code contained in the “run” method of “action” (an object of Class “PrivilegedAction” or “PrivilegedExceptionAction”) in association with a particular “Subject” object, which in this example is “subjectZ”, a “Subject” object that was returned by an authentication operation. With this exemplary operation, the Class “Subject” and other aspects of the JAAS programming model use the previously obtained credentials within the “Subject” object when making any remote invocations of objects from within the block of code.
If the associated block of code tries to access servers in various security domains, and the object of Class “Subject” does not contain all of the required credentials for these security domains, then the attempted operations against the servers in any security domain for which a credential is missing will fail. Hence, the client application is required to perform any necessary authentication operations and update the object of Class “Subject” prior to accessing any objects in these security domains. However, prior to executing the associated block of code, the client application may not know the identities of the security domains of the servers with which it will attempt to communicate, i.e., the security domains of the objects that are accessed within the particular block of code.
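The following is an added example, not code from the patent, that shows the disadvantage described above in working JAAS code: a “Subject” authenticated to one domain is handed to “Subject.doAs”, the block inside it reaches servers in two domains, and the call into the second domain fails until the client performs a second authentication operation and updates the same “Subject”. Everything apart from the JAAS classes is an assumption for illustration: “DomainCredential”, “DomainLoginModule”, “CONFIG” and “invokeRemote” are hypothetical stand-ins for a domain credential, a login module, a JAAS configuration and a remote server. It assumes JDK 11 or later; “Subject.getSubject” and “AccessController” are deprecated on recent JDKs, where “Subject.current()” is the replacement.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasDomains {

    /** Hypothetical credential type: a token that is valid only within one security domain. */
    public static final class DomainCredential {
        final String domain;
        final String token;
        DomainCredential(String domain, String token) { this.domain = domain; this.token = token; }
    }

    /**
     * Hypothetical LoginModule. It "authenticates" to the domain named in its options
     * (no real password check; constructed for this example) and on commit() deposits
     * a DomainCredential into the Subject's private credential set.
     */
    public static class DomainLoginModule implements LoginModule {
        private Subject subject;
        private String domain;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.domain = (String) options.get("domain");
        }
        @Override public boolean login() { return true; }
        @Override public boolean commit() {
            subject.getPrivateCredentials().add(new DomainCredential(domain, "token-for-" + domain));
            return true;
        }
        @Override public boolean abort() { return false; }
        @Override public boolean logout() { subject.getPrivateCredentials().clear(); return true; }
    }

    /** In-process JAAS configuration (assumed): the login context name doubles as the domain name. */
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DomainLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Map.of("domain", name)) };
        }
    };

    /**
     * Stand-in for a remote object in the named domain. The block does not pass the
     * Subject explicitly: the server side reads it from the access control context that
     * Subject.doAs established, which is how JAAS makes the credentials available.
     */
    static String invokeRemote(String domain) {
        Subject caller = Subject.getSubject(AccessController.getContext());
        if (caller != null) {
            for (DomainCredential c : caller.getPrivateCredentials(DomainCredential.class)) {
                if (c.domain.equals(domain)) {
                    return domain + " accepted " + c.token;
                }
            }
        }
        throw new SecurityException("no credential for " + domain + " in current Subject");
    }

    public static void main(String[] args) throws LoginException {
        // Authentication operation for domain A only; subjectZ now carries one credential.
        Subject subjectZ = new Subject();
        new LoginContext("domainA", subjectZ, null, CONFIG).login();

        // The "block of code": it reaches servers in two domains, which the client could not
        // know before running it. Subject.doAs(subjectZ, block) runs it with subjectZ's credentials.
        PrivilegedAction<String> block =
                () -> invokeRemote("domainA") + "; " + invokeRemote("domainB");

        try {
            Subject.doAs(subjectZ, block);
        } catch (SecurityException e) {
            // domainA succeeds, domainB fails: subjectZ holds no credential for it.
            System.out.println("first attempt failed: " + e.getMessage());
        }

        // The client must authenticate to domain B and update the same Subject before re-entering.
        new LoginContext("domainB", subjectZ, null, CONFIG).login();
        System.out.println("second attempt: " + Subject.doAs(subjectZ, block));
    }
}
```

Compile and run with “javac JaasDomains.java && java JaasDomains”. Passing the existing “subjectZ” into the second “LoginContext” is what “update the object of Class Subject” amounts to in JAAS: the second login module’s “commit()” adds the domain B credential to the same private credential set, so the unchanged block succeeds on the second “doAs” without the client having known in advance which domains it would touch.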
Therefore, it would be advantageous to have a method for performing timely authentication operations just prior to accessing objects within different security domains. It would be particularly advantageous to have a method for timely authentication operations that extends functionality within a pre-existing standard infrastructure or within a standard programming model for accomplishing these operations in a manner that is transparent to the client application and, therefore, not burdensome to an application developer.