1. Field of Invention
The invention relates generally to computer systems. More particularly, methods and apparatus for providing distributed authentication in an enterprise computer system.
2. Description of Relevant Art
In modem enterprise computing environments, a number of personal computers, workstations, mainframes, and the like along with other devices such as large mass storage subsystems, network interfaces, as well as interfaces to the public telephony systems are interconnected providing an integrated environment in which information may be shared among the various users. Typically, users may be performing a variety of operations, including order receipt, manufacturing, shipping, billing, inventory control, and other operations in which sharing of data on a real time basis provides a significant advantage over, for example, maintaining separate records and attempting to reconcile them later.
One problem that arises in an enterprise computing environment is that often the various users are using programs which have been developed based on a data or programming model that assumes that the data they receive, process, and store will be unique to that particular program. One solution to this problem is to force all types of programs to be constrained to the same type data or programming model. However, there are several problems with this strategy, one of which is for example that while constraining the enterprise computer system to a single platform may be efficient for some types of programs it can be very inefficient for other types of programs.
Another strategy used to overcome the problem of cross platform communication is to provide an information exchange engine that can translate data between platforms. While this will allow each program to have its own data or programming model, it requires acquiring and maintaining exchange engines for a number of programs and a user to select an appropriate exchange engine when importing or exporting information form another program. In addition, as the number of users and/or exchange engines increases in order to meet the needs of an expanding system, the interconnections between each of the components becomes prohibitively complex forming a xe2x80x9cspaghetti like massxe2x80x9d. This increase in complexity effectively limits the scalability of an integrated set of computer resources since any additional computer resources require reconfiguring the entire system.
As an example, FIG. 1 is an illustration of a conventional enterprise computing system 100. The enterprise computing system 100 includes exchange engines 102-110 capable of accessing and cross connection of any number and type of information sources 112 and 114. Such sources include various database management systems, applications programs, large mass storage subsystems, network interfaces, as well as interfaces to the public telephony systems such as to the Internet. The database management applications generally include computer programs that are executed in conventional manner by digital computer systems over any number of computing platforms. Typically, the exchange engines include computer programs executed by digital computer systems (which may be the same digital computer systems on which their respective applications programs are executed). The exchange engines and the application programs are processed and maintained on a number of digital computer systems interconnected by, for example, a network 116 which transfers data access requests, translated data access requests and responses between the computer systems on which the exchange engines and application programs are processed. As can be seen, as the enterprise computer system expands, the number of application programs and associated digital computer systems increase to meet the needs of the expanded enterprise computer system. The scalability of this type enterprise computer system is poor since any substantial increase in the number of digital computers greatly increases the complexity of the network 116 which in turn greatly increases the resources required to maintain and upgrade the system 100.
One approach to solving the problems of cross platform communication and scalability is to use component based, multi-tier applications based on, for example, Enterprise JavaBeans (EJB) technology from Sun Microsystems Inc. of Mountain View, Calif. Enterprise JavaBeans technology, in the form of an EJB server, represents a multi-tier design that simplifies developing, deploying, and maintaining enterprise applications. It enables developers to focus on the specifics of programming their business logic, relying on the EJB server to provide system services, and client-side applications (both stand alone and within web browsers) to provide the user interaction. Once developed, business logic can be deployed on servers appropriate to existing needs of an organization.
Although EJB server technology substantially improves scalability and many of the problems related to cross platform performance, there still remains the need to provide some form of cross platform security since a number of the computer systems within the enterprise computer system have their own authentication protocols and methods.
Therefore, in view of the foregoing, it would be advantageous and therefore desirable to have a scalable, cross platform enterprise computer system having the capability of providing transparent multi-platform security.
The invention can be implemented in numerous ways, including as a method, an apparatus, and a computer system Several embodiments of the invention are discussed below.
In one embodiment of the invention, a distributed object computing system having an authentication server is described. The authentication server provides a credential that grants a credential owner permission to access a protected resource in the computing system. The protected resource is identified in authentication data included in an associated credential request that is provided by a requesting client. The authentication server includes a credential request verifier that determines if additional authentication data is required by the authentication server in order to grant the credential to the requesting client. A realm authenticator coupled to the credential request verifier that authenticates the requesting client in a requested realm when it is determined that the requesting client is allowed to access the requested realm. A credential translator coupled to the realm authenticator that grants a requested privilege in the authenticated realm to the requesting client when it is determined that the requesting client is allowed the requested privilege in the authenticated realm. A credential generator coupled to the credential translator arranged to provide the credential to the requesting client.
In another embodiment of the invention, a method for accessing a protected resource coupled to a server in an enterprise computer system is described. A requesting client provides a protected resource access request to an authentication server. The authentication server uses authentication data provided in the authentication request to provide the requesting client a reference to a credential. The requesting client, in turn, provides the reference to the credential in conjunction with a protected resource access request to the server coupled to the protected resource. The server requests that the authentication server validates by credential after which the server grants the requesting client access to the protected resource.
In a preferred embodiment, the server is an Enterprise Java Bean (EJB) server.