Abstract: Techniques for auto-remediating security issues with artificial intelligence. One technique includes obtaining a problem detected within a signal from an emitter associated with a user, inferring a first response, using a global model having a global set of model parameters learned from mappings between problems and responses globally with respect to preferences of all users using a security architecture, inferring a second response, using a local model having a local set of model parameters learned from mappings between problems and responses locally with respect to preferences of the user; evaluating the first response and the second response using criteria, determining a final response for the problem based on the evaluation of the first response and the second response, and selecting a responder from a set of responders based on the final response. The responder is adapted to take one or more actions to respond to the problem.

Abstract: In one set of embodiments, methods, systems, and apparatus are provided to attach one or more service policies to resources in an enterprise by receiving a first service policy, receiving a first policy attachment that identifies one or more policy attachment attributes of resources in the enterprise, and generate a first global policy attachment that references the first policy attachment and the first service policy. The method can include receiving a request to access a resource including an attribute that matches one of the policy attachment attributes. The method can include determining that the first service policy is an effective policy for the resource based on the matching resource attribute with the policy attachment attribute. The method can include controlling access to the resource responsive to the request using the effective policy.

Abstract: Methods, systems, and devices are described for identifying compatible web service policies between a web service and a web service client. A first and second set of one or more identifiers linked to web service policies supported by the web service and web service client may be calculated, respectively. The sets of identifiers may be compared. Using the comparison, a number of common identifiers present in the first set of one or more identifiers linked to the web service policies supported by the web service and the second set of one or more identifiers linked to the web service policies supported by the web service client may be identified. Using the number of common identifiers, a web service policy of the web service compatible with a web service policy of the web service client may be identified.

Abstract: Embodiments of the invention provide techniques for processing messages transmitted between computer networks. Messages, such as requests from client devices for web services and other web content may be transmitted between multiple computer networks. Intermediary devices or applications such as proxy servers may receive, process, and transmit the messages between the communication endpoints. In some embodiments, a reverse proxy server may be configured to dynamically generate Representational State Transfer (REST) services and REST resources within the reverse proxy server. The REST services and REST resources within the reverse proxy server may handle incoming requests from client devices and invoke backend web services, thereby allowing design abstraction and/or enforcement of various security policies on the reverse proxy server.

Abstract: In one set of embodiments, methods, systems, and apparatus are provided to attach one or more service policies to resources in an enterprise by receiving a first service policy, receiving a first policy attachment that identifies one or more policy attachment attributes of resources in the enterprise, and generate a first global policy attachment that references the first policy attachment and the first service policy. The method can include receiving a request to access a resource including an attribute that matches one of the policy attachment attributes. The method can include determining that the first service policy is an effective policy for the resource based on the matching resource attribute with the policy attachment attribute. The method can include controlling access to the resource responsive to the request using the effective policy.

Abstract: In one set of embodiments, methods, systems, and apparatus are provided to attach one or more quality of service policies to resources in an enterprise system by receiving a first global policy attachment that references an attachment attribute value and a first service policy, receiving a request to access a policy subject associated with a subject attribute value, identifying an effective policy set referenced by the first global policy attachment, the effective policy set including the first service policy if the attachment attribute value equals the subject attribute value, and granting the request to access based upon the at least one effective policy. The at least one effective policy may further include a first service policy referenced by the first global policy attachment if a first policy attachment scope referenced by the first global policy attachment matches or contains a subject scope associated with the policy subject.

Abstract: Embodiments of the invention provide techniques for processing messages transmitted between computer networks. Messages, such as requests from client devices for web services and other web content may be transmitted between multiple computer networks. Intermediary devices or applications such as proxy servers may receive, process, and transmit the messages between the communication endpoints. In some embodiments, a reverse proxy server may be configured to dynamically generate Representational State Transfer (REST) services and REST resources within the reverse proxy server. The REST services and REST resources within the reverse proxy server may handle incoming requests from client devices and invoke backend web services, thereby allowing design abstraction and/or enforcement of various security policies on the reverse proxy server.

Abstract: Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context.

Abstract: Arrangements for enforcing a nonconforming web service policy document are presented. A request for a web service policy document may be received by a web service. A conforming web service policy document may be generated using the nonconforming web service policy document. The nonconforming web service policy document may comprise one or more functions unsupported by the web service description language. The conforming web service policy document may be transmitted to the web service client. The nonconforming web service policy document may be enforced by the web service, wherein the functions that are unsupported by the web service description language standard modifies enforcement of the web service policy document by the web service computer system. The conforming web service policy document may comprise sufficient information for the web service client computer system to comply with the nonconforming web service policy document.

Abstract: Various methods and systems for propagating identity information in a composite application are presented. State data of a composite application, as executed for a particular entity, may be transferred to and stored by a computer-readable storage medium. The state data may include a portion of a set of subject information linked with the entity. A security attribute of the subject may not be present in the portion of the set of subject information in the state data transferred to the non-transitory computer-readable storage medium. After a period of time, such as an hour or a day, the state data of the composite application as executed for the entity may be retrieved and the security attribute of the set of subject information linked with the entity may be determined The composite application may then continue to be executed for the entity.

Abstract: Methods, systems, and devices are described for identifying compatible web service policies between a web service and a web service client. A first and second set of one or more identifiers linked to web service policies supported by the web service and web service client may be calculated, respectively. The sets of identifiers may be compared. Using the comparison, a number of common identifiers present in the first set of one or more identifiers linked to the web service policies supported by the web service and the second set of one or more identifiers linked to the web service policies supported by the web service client may be identified. Using the number of common identifiers, a web service policy of the web service compatible with a web service policy of the web service client may be identified.

Abstract: Various methods and systems for propagating identity information in a composite application are presented. State data of a composite application, as executed for a particular entity, may be transferred to and stored by a computer-readable storage medium. The state data may include a portion of a set of subject information linked with the entity. A security attribute of the subject may not be present in the portion of the set of subject information in the state data transferred to the non-transitory computer-readable storage medium. After a period of time, such as an hour or a day, the state data of the composite application as executed for the entity may be retrieved and the security attribute of the set of subject information linked with the entity may be determined The composite application may then continue to be executed for the entity.

Abstract: Methods, systems, and devices are described for identifying compatible web service policies between a web service and a web service client. A first and second set of one or more identifiers linked to web service policies supported by the web service and web service client may be calculated, respectively. The sets of identifiers may be compared. Using the comparison, a number of common identifiers present in the first set of one or more identifiers linked to the web service policies supported by the web service and the second set of one or more identifiers linked to the web service policies supported by the web service client may be identified. Using the number of common identifiers, a web service policy of the web service compatible with a web service policy of the web service client may be identified.

Abstract: In one set of embodiments, methods, systems, and apparatus are provided for determining, by a server, a policy association between a web service policy and a policy subject associated with an application hosted by the server, the policy association being made while the server is offline, generating a runtime usage association based on the policy association, wherein the runtime usage association is between the web service policy and the policy subject; and generating a user interface based upon the runtime usage association, the user interface displaying one or more web service policies associated with one or more policy subjects of the application. The runtime usage association may be updated in response to a change to the policy association made by an administrative tool, where the change and the updating occur in real time while the server is online.

Abstract: Various methods and systems for propagating identity information in a composite application are presented. State data of a composite application, as executed for a particular entity, may be transferred to and stored by a computer-readable storage medium. The state data may include a portion of a set of subject information linked with the entity. A security attribute of the subject may not be present in the portion of the set of subject information in the state data transferred to the non-transitory computer-readable storage medium. After a period of time, such as an hour or a day, the state data of the composite application as executed for the entity may be retrieved and the security attribute of the set of subject information linked with the entity may be determined. The composite application may then continue to be executed for the entity.

Abstract: Framework for conditionally attaching web service policies to a policy subject (e.g., a web service client or service endpoint) at subject runtime. In one set of embodiments, a constraint expression can be defined that specifies one or more runtime conditions under which a policy should be attached to a policy subject. The constraint expression can be associated with the policy and the policy subject via policy attachment metadata. The constraint expression can then be evaluated at runtime of the policy subject to determine whether attachment of the policy to the policy subject should occur. If the evaluation indicates that the policy should be attached, the attached policy can be processed at the policy subject (e.g., enforced or advertised) as appropriate. Using these techniques, the policy subject can be configured to dynamically exhibit different behaviors based on its runtime context.

Abstract: In one set of embodiments, methods, systems, and apparatus are provided for determining, by a server, a policy association between a web service policy and a policy subject associated with an application hosted by the server, the policy association being made while the server is offline, generating a runtime usage association based on the policy association, wherein the runtime usage association is between the web service policy and the policy subject; and generating a user interface based upon the runtime usage association, the user interface displaying one or more web service policies associated with one or more policy subjects of the application. The runtime usage association may be updated in response to a change to the policy association made by an administrative tool, where the change and the updating occur in real time while the server is online.

Abstract: Methods, systems, and devices are described for identifying compatible web service policies between a web service and a web service client. A first and second set of one or more identifiers linked to web service policies supported by the web service and web service client may be calculated, respectively. The sets of identifiers may be compared. Using the comparison, a number of common identifiers present in the first set of one or more identifiers linked to the web service policies supported by the web service and the second set of one or more identifiers linked to the web service policies supported by the web service client may be identified. Using the number of common identifiers, a web service policy of the web service compatible with a web service policy of the web service client may be identified.

Abstract: Various methods and systems for propagating identity information in a composite application are presented. State data of a composite application, as executed for a particular entity, may be transferred to and stored by a computer-readable storage medium. The state data may include a portion of a set of subject information linked with the entity. A security attribute of the subject may not be present in the portion of the set of subject information in the state data transferred to the non-transitory computer-readable storage medium. After a period of time, such as an hour or a day, the state data of the composite application as executed for the entity may be retrieved and the security attribute of the set of subject information linked with the entity may be determined. The composite application may then continue to be executed for the entity.

Abstract: In one set of embodiments, methods, systems, and apparatus are provided to attach one or more quality of service policies to resources in an enterprise system by receiving a first global policy attachment that references an attachment attribute value and a first service policy, receiving a request to access a policy subject associated with a subject attribute value, identifying an effective policy set referenced by the first global policy attachment, the effective policy set including the first service policy if the attachment attribute value equals the subject attribute value, and granting the request to access based upon the at least one effective policy. The at least one effective policy may further include a first service policy referenced by the first global policy attachment if a first policy attachment scope referenced by the first global policy attachment matches or contains a subject scope associated with the policy subject.