Electrical computers and digital processing systems: multicomput – Computer-to-computer data routing – Least weight routing
Reexamination Certificate
1996-01-03
2001-06-26
Courtenay, III, St. John (Department: 2151)
Electrical computers and digital processing systems: multicomput
Computer-to-computer data routing
Least weight routing
Reexamination Certificate
active
06253251
ABSTRACT:
TECHNICAL FIELD OF THE INVENTION
The present invention relates to information handling systems, methods and articles of manufacture, and more particularly to information handling systems, methods and articles of manufacture for enhancing object security in an object oriented system.
1. Background of the Invention
There is a need to improve security in object oriented systems. Traditionally, controlling access to a resource implies determining whether or not data can be disclosed, altered, or modified. Access control in object oriented systems, however, presents different aspects and semantics. In object oriented systems, resources are objects consisting not only of data but also of operations that can manipulate and transform the object's data. As such, object access control is concerned with determination of which users can invoke what method on what object. Thus, access rights need to correspond to semantics of functionality and side effects of methods to which they apply. In the simplest case, this correspondence can be one to one. That is, a method M's required access rights can be uniquely identified in the class that defines it by the method's name, or simply M. Thus, a subject would have to acquire permission M in order to be able to invoke method M and expect its side effect. This approach, however, introduces a problem of scale as object oriented systems are likely to expose a very large number of types of operations (methods), each with a different signature and semantic. Since such access control to the protected objects of an application need to be tailored for that particular application in that the semantics of access rights or permissions are, generally, valid only for the application at hand. In addition, administering object access control becomes a complex task as the set of access rights or permissions rapidly grows in size with each newly introduced class library.
2. Prior Art
In the prior art there are many techniques for improving object oriented programming systems (OOPS).
The following are examples of the prior art.
U.S. Pat. No. 4,525,780 teaches a data processing system having a memory organized into objects, where the system uses a protection technique to prevent unauthorized access to objects by users which are identified by a subject number identifying the user, a process for executing a user's procedure and the type of system operation to be performed by the user's procedure. An access control list is maintained to control access to objects based on subject identifier.
U.S. Pat. No. 5,136,712 teaches an object based operating system for a multitasking computer system including means for making an object private to a process. Access to a private object is controlled by an access control list.
U.S. Pat. No. 5,265,221 teaches an access control mechanism for granting, revoking, and denying authorization to objects using a system of verbs, parameters, attributes and functions.
U.S. Pat. No. 5,297,283 and U.S. Pat. No. 5,321,841 appear to teach the same system as U.S. Pat. No. 5,136,712 discussed above.
U.S. Pat. No. 5,093,914 generally teaches a method used by a digital computer in controlling execution of an object oriented program to effect a defined action, for example, stopping the program when a specified virtual function is invoked on a specified object during execution of the program.
U.S. Pat. No. 5,343,554 teaches a computing system in which problems are solved by a process which includes creating objects of first and second classes wherein the second class objects are externally invocable and where the externally invocable sub-class objects include an indication of an internally invocable sub-class object and executing the class of objects wherein one externally invocable sub-object invokes the internally invocable sub-object and a new object of the first class is generated in response to the results.
Although the patents generally deal with methods for protecting access to objects in object oriented programs, the patents do not teach nor suggest solving the problem of scale by assigning and selecting a method required access right set as is taught and claimed herein with reference with the present invention.
There is a need to automatically add object services features, for example, persistence, recoverability, concurrency and security to a binary class. A related copending patent application S/N 08/537,648 teaches and claims automatically inserting object services into binary classes in an object oriented system. The teaching of U.S. patent application Ser. No. 08/537,648 is incorporated by reference herein. Sometimes the source code of a class is not available for modification. Even when the source code is available, a considerable reprogramming effort is required to add the object services features.
SUMMARY OF THE INVENTION
It is an object of the present invention to integrate object security service authorization in a distributed computing environment.
Accordingly, a system, method and article of manufacture, for integrating object security service authorization in a distributed computing environment, includes one or more processors, a storage system, a system bus, a display sub-system controlling a display device, a cursor control device, an I/O controller for controlling I/O devices, all connected by system bus an operating system such as the OS/2* operating system program (OS/2 is a registered trademark of International Business Machines Corporation), one or more application programs for executing user tasks and an object oriented control program, such as, DSOM Objects program, which is a commercially available product of International Business Machines Corporation, the object oriented control program including mapping a set of methods defined by a given class to a finite and a fixed set of access rights from which a method required access rights set is assigned, and selecting the access rights set by examining two components, first, a family right type and, second, a set of permissions pertaining to each such family, where the rights type is the component which dictates semantics of its set of permissions. Two family types may be employed, operation rights and role rights. Scalability of embodiments of the invention may be demonstrated by the ability of adding new families of rights types along with a corresponding set of permissions for each family.
It is an advantage of the present invention that object security in distributed object systems is improved by integrating object security service authorization in a distributed computing environment.
REFERENCES:
patent: 4919545 (1990-04-01), Yu
patent: 5297283 (1994-03-01), Kelly et al.
patent: 5335346 (1994-08-01), Fabbio et al.
patent: 5414852 (1995-05-01), Kramer et al.
patent: 5450493 (1995-09-01), Maher
patent: 5450593 (1995-09-01), Howell et al.
patent: 5519867 (1996-05-01), Moeller et al.
patent: 5742826 (1998-04-01), Endicott et al.
SOMobjects Developer Toolkit, User's Guide, An introductory guide to the System Object Model, Version 2.0, pp. 6-1 thru 6-5, Jun 1993.
Benantar Messaoud
Blakley, III George Robert
Nadalin Anthony Joseph
Courtenay III St. John
Dawkins Marilyn Smith
International Business Machines Corp.
LandOfFree
Information handling system, method, and article of... does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Information handling system, method, and article of..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Information handling system, method, and article of... will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2486176