Abstract: Embodiments relate to systems and methods for maintaining cryptographic keys for application servers. In particular, applications and/or services of the application servers can desire to encrypt and/or decrypt data during operation of the applications. A key management tool can receive requests, and associated digital certificates from applications of the application servers for associated keys for use by the applications to encrypt and/or decrypt the data. The key management tool can generate a new key for the applications, or locate and retrieve an existing key for the applications. Further, the key management tool can provide a copy of the key to the applications.

Abstract: Systems and methods for a security token management service hosted in an application server. A set of services and/or associated applications can be served from an application server to one or more clients. The set of services may require one or more token services in order to deliver their intended functionalities, so that for instance an email client may require the use and presentation of a token or other object incorporating user ID, password, or other authentication information for the user to access and retrieve their email messages. Different served applications and/or services may require the installation of various different token types or services, conventionally requiring manually configuration. A centralized security token management service can be installed and configured in the application server itself, which interfaces to requesting services and automatically locates and acquires diverse token types and/or associated token services to support served applications or services.

Abstract: Embodiments disclosed herein provide an authorization framework. An apparatus may include a data storage to store a first plurality of authorization plugin modules and a server coupled to the data storage. The server may receive a request to access a resource, identify a second plurality of authorization plugin modules that is a proper subset of the first plurality of authorization plugin modules, execute each of the second plurality of authorization plugin modules to generate a plurality of authorization decisions and determine whether to grant the request in view of plurality of authorization decisions.

Abstract: Embodiments relate to systems and methods for updating changes to caches. In aspects, a provisioning server can receive by a hardware processor a security data provisioning request from a first application server in a set of application servers. In response to receiving the security data change provisioning request, identifying updated security data compatible with the cache of a second application server of the set of application servers. Further, sending a command to the second application server of the set of application servers to clear the cache of the second application server of the set of application servers. A provisioning server sending the updated security data to the cache of the second application server of the set of application servers.

Abstract: Embodiments of the present invention provide a security cache update mechanism for J2EE where changes to external sources affecting information in the security cache are automatically propagated into the security cache. In some embodiments, the update mechanism utilizes a standards based mechanism, such as a Service Provisioning Markup Language (SPML) exchange, to propagate changes at these external sources.

Abstract: Embodiments disclosed herein provide an authorization framework. An apparatus may include a data storage to store a first plurality of authorization plugin modules and a server coupled to the data storage. The server may receive a request to access a resource, identify a second plurality of authorization plugin modules that is a proper subset of the first plurality of authorization plugin modules, execute each of the second plurality of authorization plugin modules to generate a plurality of authorization decisions and determine whether to grant the request in view of plurality of authorization decisions.

Abstract: Embodiments relate to systems and methods for maintaining attributes associated with application servers. In particular, a system administrator can register a set of services associated with an application server. Before initiating, a service can need to be configured with a set of attributes. According to embodiments, a vault service associated with the application can validate a service requesting to be configured. Further, an attribute management tool can store attributes, such as passwords and other sensitive data, associated with the requesting service. Upon a successful validation, the attribute management tool can provide the associated attributes to the vault service, which uses the attributes to configure the service.

Abstract: Systems and methods for a security token management service hosted in an application server. A set of services and/or associated applications can be served from an application server to one or more clients. The set of services may require one or more token services in order to deliver their intended functionalities, so that for instance an email client may require the use and presentation of a token or other object incorporating user ID, password, or other authentication information for the user to access and retrieve their email messages. Different served applications and/or services may require the installation of various different token types or services, conventionally requiring manually configuration. A centralized security token management service can be installed and configured in the application server itself, which interfaces to requesting services and automatically locates and acquires diverse token types and/or associated token services to support served applications or services.

Abstract: Embodiments relate to systems and methods for maintaining attributes associated with application servers. In particular, a system administrator can register a set of services associated with an application server. Before initiating, a service can need to be configured with a set of attributes. According to embodiments, a vault service associated with the application can validate a service requesting to be configured. Further, an attribute management tool can store attributes, such as passwords and other sensitive data, associated with the requesting service. Upon a successful validation, the attribute management tool can provide the associated attributes to the vault service, which uses the attributes to configure the service.

Abstract: Embodiments relate to systems and methods for maintaining cryptographic keys for application servers. In particular, applications and/or services of the application servers can desire to encrypt and/or decrypt data during operation of the applications. A key management tool can receive requests, and associated digital certificates from applications of the application servers for associated keys for use by the applications to encrypt and/or decrypt the data. The key management tool can generate a new key for the applications, or locate and retrieve an existing key for the applications. Further, the key management tool can provide a copy of the key to the applications.

Abstract: Embodiments relate to systems and methods for maintaining data consistencies among a set of security caches. In aspects, a set of application servers comprising a set of security caches can submit a provisioning request to a provisioning server. The provisioning server can interface with a directory server that stores security data. Further, the provisioning server can send a command to the set of application servers that causes the data of the set of security caches to clear. In response, the directory server can send updated security data to the set of application servers, whereby the updated security data can be stored in the security caches of the set of application servers. Applications associated with the set of application servers can use the updated security data for validating user credentials or other functionality.

Abstract: Embodiments of the present invention provide an authorization framework that can accept one or more pluggable authorization modules and the final authorization decision can be a collective decision of these modules based on some criteria. The authorization framework of the present invention can be used by an application to call upon one or more pluggable authorization modules, which can be configured externally by some mechanism, to make individual authorization decisions. The overall authorization decision by the authorization framework is cumulative decision of the individual modules based on some criteria that can be configured. Each pluggable authorization module can be configured to perform its own authorization decision making process that can be different from those of the other modules.

Abstract: Embodiments of the present invention provide a security cache update mechanism for J2EE where changes to external sources affecting information in the security cache are automatically propagated into the security cache. In some embodiments, the update mechanism utilizes a standards based mechanism, such as a Service Provisioning Markup Language (SPML) exchange, to propagate changes at these external sources.