Abstract: One particular implementation may take the form of a system or method for tracking application identification and application context in a context-isolated computing environment. The method may store such application information to reduce redundant information being stored on a stack. More particularly, the embodiment may store the application information in a context-specific marker frame. The context-specific marker frame may be stored once on the stack or it may be stored separately from the stack to maintain a small stack size. In another implementation, an invocation handler method may be called to store the redundant information about the executing application. The invocation handler may store the necessary information in a well-known location for later use by the virtual machine. The invocation handler may also provide further benefits, such as synchronization to ensure thread safety on shareable objects.

Abstract: An authentication mechanism is provided to authenticate both client and user of a portable computing device when the user causes a client to request a protected resource on the portable computing device. Upon receiving a request a protected resource by the client, the authentication mechanism determines which authentication method is specified for authentication of the client, and authenticates the client accordingly. Upon a determination that the client is authentic, the authentication mechanism invokes a user interface that is separate and distinct from the client to solicit input from the user. Based on the input solicited from the user, the authentication mechanism determines whether the user is an authentic user of the portable computing device. If it is determined that the user is an authentic user, the authentication mechanism determines based on an indication from the user whether the client should be authorized to access the protected resource requested.

Abstract: A access control mechanism is provided on a computing device to allow an application provider to set up a declarative security policy specific to an application module. When a runtime environment of the computing device receives a request from a second application instance in a second execution context to access a protected resource in a first application instance, the runtime environment invokes the access control mechanism to determine, based on a protection-domain-level domain security policy, whether the second application instance is allowed to access protected resources in the first execution context. If so, the runtime environment invokes the access control mechanism to determine, based on a declarative security policy for a first application module associated with the first application instance, whether the second application instance is allowed to access the protected resource. If so, the runtime environment allows the second application instance access to the protected resource requested.

Abstract: In a smart card system in which applications executing in different execution contexts are allowed to communicate with each other only through shareable interface objects (SIO's), a registry mechanism is provided to mediate in inter-application communication between legacy applets, extended applets and servlets. A request by a client application for a SIO of a server application in a different execution context is routed to the registry mechanism by the system. Dependent on what types the client and server applications are, the registry mechanism provides call interfaces as would be expected by the applications to enable passing the SIO from the server application to the client application. In one embodiment, servlets and extended applets may also register and unregister their SIOs dynamically with the registration mechanism.

Abstract: One particular implementation may take the form of a system or method for tracking application identification and application context in a context-isolated computing environment. The method may store such application information to reduce redundant information being stored on a stack. More particularly, the embodiment may store the application information in a context-specific marker frame. The context-specific marker frame may be stored once on the stack or it may be stored separately from the stack to maintain a small stack size. In another implementation, an invocation handler method may be called to store the redundant information about the executing application. The invocation handler may store the necessary information in a well-known location for later use by the virtual machine. The invocation handler may also provide further benefits, such as synchronization to ensure thread safety on shareable objects.

Abstract: A method for resetting a pin on an access card is disclosed. The method includes generating a server authentication (SA) public key and an SA private key and attempting a write of the SA public key to the access card over a non-secure channel. The method further includes determining if the access card currently contains an existing SA public key.