Patents by Inventor Maarten Rits

Maarten Rits has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8316443
    Abstract: A system may include an attack preventing creator module that is configured to create at least one attack preventing header block for a message having message elements in a tree structure with one or more of the message elements being signed, wherein the attack preventing header block includes structure specific information that comprises at least a digest value of a pre-order traversal list of the tree structure and for each signed message element a unique ID attribute, a depth, a parent's name and a parent's ID attribute. The system may include an attack preventing verifier module that is configured to verify the at least one attack preventing header block by comparing the structure specific information which can be derived from the message with the structure specific information carried by the first attack preventing header block.
    Type: Grant
    Filed: May 16, 2008
    Date of Patent: November 20, 2012
    Assignee: SAP AG
    Inventors: Maarten Rits, Faisal Abdul Kadir
  • Patent number: 8086863
    Abstract: Secure message transfer of at least one message from a sender to a receiver within a network system may be provided. For example, a message structure information regarding the at least one message may be computed on a sender-side and according to a pre-given scheme. The computed message structure information may be added as message account information into the at least one message to be sent. The message account information may be protected by a signature. The at least one message may be transferred through the network system to the receiver. On a receiver-side, the message account information may be validated after reception of the at least one message and according to the pre-given scheme.
    Type: Grant
    Filed: July 11, 2007
    Date of Patent: December 27, 2011
    Assignee: SAP AG
    Inventor: Maarten Rits
  • Patent number: 7975137
    Abstract: A method, a system, and a computer program product for access control using resource filters for a strict separation of application and security logic are described. The computer-implemented method for access control may include receiving at least one access request to at least one resource from an application; providing a resource hierarchy for the at least one resource, the resource having at least one resource class, wherein the resource hierarchy is defined in a single resource; providing a policy comprising at least one access control rule for accessing at least one element of the at least one resource class; verifying the at least one access request based on the policy through an authorization service; and processing the at least one access request through a service interface.
    Type: Grant
    Filed: January 18, 2008
    Date of Patent: July 5, 2011
    Assignee: SAP AG
    Inventor: Maarten Rits
  • Patent number: 7904710
    Abstract: Secure message transfer of at least one message from a sender to a receiver within a network system may be provided. For example, a message structure information regarding the at least one message may be computed on a sender-side and according to a pre-given scheme. The computed message structure information may be added as message account information into the at least one message to be sent. The message account information may be protected by a signature. The at least one message may be transferred through the network system to the receiver. On a receiver-side, the message account information may be validated after reception of the at least one message and according to the pre-given scheme.
    Type: Grant
    Filed: May 25, 2007
    Date of Patent: March 8, 2011
    Assignee: SAP AG
    Inventors: Maarten Rits, Mohammed Ashiqur Rahaman
  • Patent number: 7805325
    Abstract: A method and system to execute an activity in a workflow process. The method includes receiving a notification to execute the activity. The notification contains private information and public information relating to the activity. The method further includes removing the private information from the notification, providing the notification that contains the public information to users being affected by the activity, receiving a request to execute the activity from one or more of the users, and providing the private information to the users after verifying the request.
    Type: Grant
    Filed: February 17, 2006
    Date of Patent: September 28, 2010
    Assignee: SAP AG
    Inventors: Maarten Rits, Yevgen Reznichenko, Pascal Spadone
  • Publication number: 20080289039
    Abstract: A system may include an attack preventing creator module that is configured to create at least one attack preventing header block for a message having message elements in a tree structure with one or more of the message elements being signed, wherein the attack preventing header block includes structure specific information that comprises at least a digest value of a pre-order traversal list of the tree structure and for each signed message element a unique ID attribute, a depth, a parent's name and a parent's ID attribute. The system may include an attack preventing verifier module that is configured to verify the at least one attack preventing header block by comparing the structure specific information which can be derived from the message with the structure specific information carried by the first attack preventing header block.
    Type: Application
    Filed: May 16, 2008
    Publication date: November 20, 2008
    Applicant: SAP AG
    Inventors: Maarten Rits, Faisal Abdul Kadir
  • Publication number: 20080253571
    Abstract: Secure message transfer of at least one message from a sender to a receiver within a network system may be provided. For example, a message structure information regarding the at least one message may be computed on a sender-side and according to a pre-given scheme. The computed message structure information may be added as message account information into the at least one message to be sent. The message account information may be protected by a signature. The at least one message may be transferred through the network system to the receiver. On a receiver-side, the message account information may be validated after reception of the at least one message and according to the pre-given scheme.
    Type: Application
    Filed: July 11, 2007
    Publication date: October 16, 2008
    Applicant: SAP AG
    Inventor: Maarten Rits
  • Publication number: 20080201762
    Abstract: The present description refers in particular to a method, a system, and a computer program product for access control using resource filters for a strict separation of application and security logic. The computer-implemented method for access control may include receiving at least one access request to at least one resource from an application; providing a resource hierarchy for the at least one resource, the resource having at least one resource class, wherein the resource hierarchy is defined in a single resource; providing a policy comprising at least one access control rule for accessing at least one element of the at least one resource class; verifying the at least one access request based on the policy through an authorization service; and processing the at least one access request through a service interface.
    Type: Application
    Filed: January 18, 2008
    Publication date: August 21, 2008
    Applicant: SAP AG
    Inventor: Maarten Rits
  • Publication number: 20070277225
    Abstract: Secure message transfer of at least one message from a sender to a receiver within a network system may be provided. For example, a message structure information regarding the at least one message may be computed on a sender-side and according to a pre-given scheme. The computed message structure information may be added as message account information into the at least one message to be sent. The message account information may be protected by a signature. The at least one message may be transferred through the network system to the receiver. On a receiver-side, the message account information may be validated after reception of the at least one message and according to the pre-given scheme.
    Type: Application
    Filed: May 25, 2007
    Publication date: November 29, 2007
    Inventors: Maarten Rits, Mohammed Ashiqur Rahaman
  • Publication number: 20070094349
    Abstract: There is proposed a method for executing a workflow, comprising providing the workflow comprising process level activities, at least one process level activity being able to access system resources, the access to the system resources being mediated by a plurality of backend modules. A backend module of the plurality of backend modules carries out the steps of receiving a hierarchical attribute certificate, validating the attribute certificate, checking whether the attribute certificate grants a right to execute the backend module, checking whether a predefined execution path from the process level activity to the backend module has been traversed, and if both checking steps are successful, executing the backend module. Moreover, there is proposed a respective device, computer program medium and computer program product.
    Type: Application
    Filed: October 19, 2006
    Publication date: April 26, 2007
    Inventors: Maarten Rits, Benjamin Boe
  • Publication number: 20070033079
    Abstract: A method and system to execute an activity in a workflow process. The method includes receiving a notification to execute the activity. The notification contains private information and public information relating to the activity. The method further includes removing the private information from the notification, providing the notification that contains the public information to users being affected by the activity, receiving a request to execute the activity from one or more of the users, and providing the private information to the users after verifying the request.
    Type: Application
    Filed: February 17, 2006
    Publication date: February 8, 2007
    Inventors: Maarten Rits, Yevgen Reznichenko, Pascal Spadone
  • Publication number: 20060253314
    Abstract: A method and system to control an interaction of a plurality of participants in a workflow process. The method classifies the plurality of activities as (1) first activity of the workflow process, (2) first activity of a participant in an on-going workflow process, and (3) interaction activity. A set of access control policies is generated for each type of activity. The policies include workflow initialization policy, participation policy and interaction policies. The policies determine if a requesting participant is permitted to interact with a responding participant. In addition, the system includes a policy enforcement point for receiving a request from a requesting participant, wherein the request is for activating an activity of a responding participant. The policy enforcement point forwards the request to a policy decision point where the request is evaluated based on the set of access control policies.
    Type: Application
    Filed: February 17, 2006
    Publication date: November 9, 2006
    Inventors: Yevgen Reznichenko, Maarten Rits, Jochen Haller, Pascal Spadone, Cedric Hebert
  • Publication number: 20060143704
    Abstract: Systems and methods for reverse engineering access control include determining a set of potential access control target methods, functions and/or subroutines that may be used in software applications. A software application is then analyzed to determine if the access control targets are present in the software application. If an access control target is used by the software application, then the access control policy for the target is analyzed to determine the roles, privileges, or rights that are necessary to successfully execute the access control target. A report is then generated that provides information about the access control policy elements actually used by the software application.
    Type: Application
    Filed: November 21, 2005
    Publication date: June 29, 2006
    Inventors: Maarten Rits, Benjamin De Boe
  • Publication number: 20060129995
    Abstract: A method and apparatus for observing runtime behavior of an application program. In one embodiment, the runtime behavior of the input program is observed according to at least one program target. Following execution of the input program, a report is generated to identify access to underlying layers of the input program directed to the at least one program target. In one embodiment, aspect oriented programming enables observation of the behavior of a running program. This enables the checking of each method invocation in the input program against a program target. This runtime information is extracted and provided as a report, which may be used to redesign an existing application for improving security or manageability. Other embodiments are described and claimed.
    Type: Application
    Filed: November 30, 2004
    Publication date: June 15, 2006
    Inventors: Benjamin DeBoe, Maarten Rits
  • Publication number: 20060053116
    Abstract: A system for dynamic software updating using a mobile agent includes a server for issuing the mobile agent with a software update and a client for receiving the mobile agent. The mobile agent executes the software update, on the client, utilizing aspect oriented programming.
    Type: Application
    Filed: August 31, 2004
    Publication date: March 9, 2006
    Inventors: Maarten Rits, Cedric Ulmer, Cedric Hebert, Pascal Spadone, Laurent Gomez
  • Publication number: 20060047548
    Abstract: A method for automatically filling an electronic timesheet includes extracting one or more calendar entries from an electronic calendar and matching each calendar entry of the one or more calendar entries to a corresponding project of a list of projects. An electronic timesheet is then filled based on each calendar entry matched with the corresponding project.
    Type: Application
    Filed: August 30, 2004
    Publication date: March 2, 2006
    Inventors: Cedric Ulmer, Pascal Spadone, Cedric Hebert, Laurent Gomez, Maarten Rits
  • Publication number: 20060048226
    Abstract: A method for dynamic security enforcement includes running an application with linked aspects and determining if a security issue is present in the application. A type of the security issue is determined and an aspect is written to fix the security issue based on the type of the security issue. Finally, the aspect is linked to the application.
    Type: Application
    Filed: August 31, 2004
    Publication date: March 2, 2006
    Inventors: Maarten Rits, Cedric Ulmer, Cedric Hebert, Laurent Gomez, Pascal Spadone
  • Publication number: 20060036698
    Abstract: A system to update a filter to discourage a sender from communicating an electronic message to a user. The system receives a message from a sender that includes a network address of the sender and determines whether to discourage the sender from communicating a second message to the user based on input from a user. If a user indicates that the sender should be discouraged, the system updates the filter by registering the network address of the sender in the filter that is subsequently utilized to communicate a response message to the sender that includes an error code indicating that the network address of the user is an invalid network address. A system to use a filter to discourage a sender from communicating the second message to a user and a system to automatically remove a user from a mailing list are also described.
    Type: Application
    Filed: September 2, 2004
    Publication date: February 16, 2006
    Inventors: Cedric Hebert, Cedric Ulmer, Laurent Gomez, Pascal Spadone, Maarten Rits