Patents by Inventor Raymond K. Ng

Raymond K. Ng has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8635660
    Abstract: Systems, methods, and machine-readable media are disclosed for providing dynamic and/or conditional constraints on queries based on an external security policy. In one embodiment, a method is provided which comprises receiving from a user a request to access a resource. A condition clause can be read from a grant statement defined in the security policy. The grant statement can define permission for the user to access the requested resource. In some cases, the grant statement can comprise a Java Authentication and Authorization Service (JAAS) grant statement. A query associated with the requested access can be modified based on the permission granted to the user. The modified query can then be made to perform the requested access.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: January 21, 2014
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Patent number: 8220033
    Abstract: One embodiment of the present invention provides a system that facilitates accessing a credential. During operation, the system receives a request at a credentials-storage framework (CSF) to retrieve the credential. If a target credential store containing the credential is not already connected to the CSF, the system looks up a bootstrap credential for the target credential store in a bootstrap credential store, which contains bootstrap credentials for other credential stores. Next, the system uses this bootstrap credential to connect the CSF to the target credential store. Finally, the system retrieves the credential from the target credential store, and returns the credential to the requestor.
    Type: Grant
    Filed: May 3, 2006
    Date of Patent: July 10, 2012
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Patent number: 7945960
    Abstract: Systems, methods, and machine-readable media are disclosed for providing conditional grants of permission in an externally configured security policy. In one embodiment, a method is provided which comprises reading a condition clause from a grant statement defined in the security policy. The grant statement can cause the granting of permission for a user to access a requested resource. One or more constraints on the grant statement can be determined based on the condition clause. Permission can be granted to access the requested resource based on the one or more constraints.
    Type: Grant
    Filed: December 6, 2005
    Date of Patent: May 17, 2011
    Assignee: Oracle International Corporation
    Inventors: Raymond K. Ng, Ganesh Kirti, Thomas Keefe, Naresh Kumar
  • Patent number: 7788489
    Abstract: A system and method for using meta-permissions to manage or administer object permissions within an object-oriented computing environment. A permission allowing a subject (e.g., a user or role) to access an object within the environment, such as a Java FilePermission or SocketPermission, is considered an object permission. An AdminPermission is defined and created to administer an object permission. Each AdminPermission instance refers to one or more object permissions, and specifies the actions that the AdminPermission allows to be performed on the object permissions (e.g., grant, revoke, modify).
    Type: Grant
    Filed: May 6, 2003
    Date of Patent: August 31, 2010
    Assignee: Oracle International Corporation
    Inventor: Raymond K. Ng
  • Patent number: 7721322
    Abstract: Embodiments of the invention provide a trust framework for governing service-to-service interactions. This trust framework can provide enhanced security and/or manageability over prior systems. Merely by way of example, in some cases, an information store can be used to store information security information (such as trust information, credentials, etc.) for a variety of services across an enterprise. In other cases, the trust framework can provide authentication policies to define and/or control authentication between services (such as, for example, types of authentication credentials and/or protocols that are required to access a particular service—either as a user and/or as another service—and/or types of authentication credentials and/or protocols a service may be enabled to use to access another service). Alternatively and/or additionally, the trust framework can provide authorization policies to define and/or control authorization between services.
    Type: Grant
    Filed: March 22, 2006
    Date of Patent: May 18, 2010
    Assignee: Oracle International Corporation
    Inventors: Hari V. N. Sastry, Ramana Rao Turlapati, Saurabh Shrivastava, Stephen Man Lee, Raymond K. Ng
  • Patent number: 7461395
    Abstract: An authorization architecture for authorizing access to resource objects in an object-oriented programming environment. In one distributed environment, the permission model of JAAS (Java Authentication and Authorization Service) is replaced or enhanced with role-based access control. Thus, users and other subjects (e.g., pieces of code) are assigned membership in one or more roles, and appropriate permissions or privileges to access resource objects are granted to those roles. Permissions may also be granted directly to users. Roles may be designed to group users having similar functions, duties or similar requirements for accessing the resources. Roles may be arranged hierarchically, so that users explicitly assigned to one role may indirectly be assigned to one or more other roles (i.e., descendants of the first role). A realm or domain may be defined as a namespace, in which one or more role hierarchies are established.
    Type: Grant
    Filed: May 6, 2003
    Date of Patent: December 2, 2008
    Assignee: Oracle International Corporation
    Inventor: Raymond K. Ng
  • Patent number: 7404203
    Abstract: A system and methods for applying capability-based authorization within a distributed computing environment. Instead of associating permissions or privileges with objects (e.g., computing resources), permissions are associated with subjects (e.g., users, roles). Compared to object-based methods of access control, such as Access Control Lists (ACL), management of capability-based authorizations scales much better as the number of objects becomes very large. A central repository allows changes to the authorization framework (e.g., new subjects, modified permissions) to be made once. The changes can then be propagated across, and applied to, multiple address spaces instead of having to individually or manually update each local node or address space.
    Type: Grant
    Filed: May 6, 2003
    Date of Patent: July 22, 2008
    Assignee: Oracle International Corporation
    Inventor: Raymond K. Ng
  • Publication number: 20040250120
    Abstract: A system and method for using meta-permissions to manage or administer object permissions within an object-oriented computing environment. A permission allowing a subject (e.g., a user or role) to access an object within the environment, such as a Java FilePermission or SocketPermission, is considered an object permission. An AdminPermission is defined and created to administer an object permission. Each AdminPermission instance refers to one or more object permissions, and specifies the actions that the AdminPermission allows to be performed on the object permissions (e.g., grant, revoke, modify).
    Type: Application
    Filed: May 6, 2003
    Publication date: December 9, 2004
    Applicant: Oracle International Corporation
    Inventor: Raymond K. Ng
  • Publication number: 20040225896
    Abstract: A system and methods for applying capability-based authorization within a distributed computing environment. Instead of associating permissions or privileges with objects (e.g., computing resources), permissions are associated with subjects (e.g., users, roles). Compared to object-based methods of access control, such as Access Control Lists (ACL), management of capability-based authorizations scales much better as the number of objects becomes very large. A central repository allows changes to the authorization framework (e.g., new subjects, modified permissions) to be made once. The changes can then be propagated across, and applied to, multiple address spaces instead of having to individually or manually update each local node or address space.
    Type: Application
    Filed: May 6, 2003
    Publication date: November 11, 2004
    Applicant: Oracle International Corporation
    Inventor: Raymond K. Ng
  • Publication number: 20040225893
    Abstract: An authorization architecture for authorizing access to resource objects in an object-oriented programming environment. In one distributed environment, the permission model of JAAS (Java Authentication and Authorization Service) is replaced or enhanced with role-based access control. Thus, users and other subjects (e.g., pieces of code) are assigned membership in one or more roles, and appropriate permissions or privileges to access resource objects are granted to those roles. Permissions may also be granted directly to users. Roles may be designed to group users having similar functions, duties or similar requirements for accessing the resources. Roles may be arranged hierarchically, so that users explicitly assigned to one role may indirectly be assigned to one or more other roles (i.e., descendants of the first role). A realm or domain may be defined as a namespace, in which one or more role hierarchies are established.
    Type: Application
    Filed: May 6, 2003
    Publication date: November 11, 2004
    Applicant: Oracle International Corporation
    Inventor: Raymond K. Ng