Patents by Inventor Dah-Haur Lin

Dah-Haur Lin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8150984
    Abstract: A software system for controlling the unauthorized transfer of data from a data processing system to a network is provided. A file monitor module monitors requests made by a process to access a data file within the computer system, and cross-checks the data file name against a protected file list database. If the file is listed in the protected file list database, the process name is added to a process list for the data file. A process monitor module monitors all processes contained in the process list, and if a process in the process list transfers the data file to another process, the receiving process is added to the process list. An upload monitor module searches the process list for any process that requests a network data transfer. The upload monitor module holds the transfer request for any process listed within the process list, and displays a warning message to the system user indicating that a process having had access to protected data is requesting network access to upload a data file.
    Type: Grant
    Filed: October 23, 2003
    Date of Patent: April 3, 2012
    Assignee: International Business Machines Corporation
    Inventors: Shengdong Chen, Woodrow Wyatt Arkeketa, Vijaylaxmi Chakravarty, Dah-Haur Lin
  • Publication number: 20090132266
    Abstract: A method, system, and computer program product for using weighted condition primitives to facilitate the description of a business policy for providing a web service to a user. When a set of facts associated with a user requesting a web service is obtained, an evaluation of each weighted condition primitive in a business policy is performed using the set of facts. A weight value assigned to a result of the evaluation of each weighted condition primitive is identified, and a total weight value of the identified weight values is calculated. The total weight value is then compared against a pre-defined business weight threshold condition. If the total weight value satisfies the pre-defined business weight threshold condition, the web service is provided to the user. If the total weight value does not satisfy the pre-defined business weight threshold condition, the request by the user for the web service is denied.
    Type: Application
    Filed: November 19, 2007
    Publication date: May 21, 2009
    Inventors: I-Lung Kao, Dah-Haur Lin
  • Publication number: 20080168528
    Abstract: The present invention implements a set of interfaces for a standard Java execution environment to provide authorization with conditional permissions. In particular, a framework enables a provider to provide a condition-based runtime authorization decision when a caller entity requests a Java resource. To this end, during a policy configuration certain “Conditions” may be associated with a standard Java Permission object using a ConditionalPermission class. Each “Condition” may be represented in one of a set of different conditions (e.g., containment, logical, comparison, owner and regular expression conditions) using various name-value pairs of “AttributeName” objects. During runtime, an “implies” method in the ConditionalPermission class returns true if the argument permission is implied by the wrapped permission and the additional “Conditions” are evaluated to be true.
    Type: Application
    Filed: January 4, 2007
    Publication date: July 10, 2008
    Inventors: Dah-Haur Lin, Satoshi Hada, Anthony Joseph Nadalin, Nataraj Nagaratnam
  • Patent number: 7146637
    Abstract: A method, computer program product, and data processing system, with which a unified security policy may be implemented using existing application components with disparate security mechanisms and user registries is disclosed. The present invention provides a generic application programming interface (API) that forms a framework for creating registry adapters. Registry adapters allow a policy director (an item of software for imposing a sitewide security policy) to operate with new or unfamiliar registry types by acting as a drop-in translator for converting generic registry-access commands into operations specific to the particular registry in question.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: December 5, 2006
    Assignee: International Business Machines Corporation
    Inventors: Michael Bradford Ault, Garry Lee Child, Larry George Fichtner, Dah-Haur Lin
  • Patent number: 7039804
    Abstract: A method and system for sharing existing user and group registry information between heterogeneous application servers is provided. The method and system make use of an adapter that communicates with each registry associated with each application server through a registry communication mechanism. In a preferred embodiment, the present invention provides an additional application-specific database to protect application-specific data that is required for each application server's operation but is not part of an existing database registry. Both the application-specific databases and existing user and group definitions in a user and group registry form a new registry abstraction which is required for each application server. As a result, each application server automatically shares user and group definitions with the existing database server. Furthermore, both the database server and each application server maintain a centralized user and group management model across different application domains.
    Type: Grant
    Filed: June 29, 2001
    Date of Patent: May 2, 2006
    Assignee: International Business Machines Corporation
    Inventors: Larry George Fichtner, Dah-Haur Lin
  • Publication number: 20050091182
    Abstract: A software system for controlling the unauthorized transfer of data from a data processing system to a network is provided. A file monitor module monitors requests made by a process to access a data file within the computer system, and cross-checks the data file name against a protected file list database. If the file is listed in the protected file list database, the process name is added to a process list for the data file. A process monitor module monitors all processes contained in the process list, and if a process in the process list transfers the data file to another process, the receiving process is added to the process list. An upload monitor module searches the process list for any process that requests a network data transfer. The upload monitor module holds the transfer request for any process listed within the process list, and displays a warning message to the system user indicating that a process having had access to protected data is requesting network access to upload a data file.
    Type: Application
    Filed: October 23, 2003
    Publication date: April 28, 2005
    Applicant: International Business Machines Corporation
    Inventors: Shengdong Chen, Woodrow Arkeketa, Vijaylaxmi Chakravarty, Dah-Haur Lin
  • Publication number: 20050071667
    Abstract: A routing routine is used within a security access program in order to provide access to various heterogeneous directories and registries. Each user logs on with an indication of the domain of which they are a part. An access protocol for the given domain is loaded and used to authenticate the user's access rights.
    Type: Application
    Filed: September 30, 2003
    Publication date: March 31, 2005
    Applicant: International Business Machines Corporation
    Inventors: John Dankovich, Ann Ho, Dah-Haur Lin
  • Publication number: 20040236760
    Abstract: A mechanism for extending user interfaces applied in conjunction with a data processing system platform is provided. In particular, mechanisms for extending such interfaces across software resources, or applications, are provided. A management agent is implemented to mediate actions supported by the user interface and the application functionality. The user interface communicates with the management agent to provide the parameters required by the application. The agent contacts the application which provides the required functionality, for example, a security context for a user. The agent may then perform other management related operations, for example, importing a management object into a management access system.
    Type: Application
    Filed: May 22, 2003
    Publication date: November 25, 2004
    Applicant: International Business Machines Corporation
    Inventors: Woodrow Wyatt Arkeketa, Dah-Haur Lin, Vijaylaxmi Chakravarty, Shengdong Chen
  • Patent number: 6801946
    Abstract: A global sign-on mechanism (GSO) is implemented. The mechanism provides a GSO system and method for a networked data processing system within an open architecture framework. The system and method are constructed on a Lightweight Directory Access Protocol (LDAP) framework by defining a set of data structures, the GSO LDAP schema. GSO functionality is effected using protocol operations on the LDAP object and attribute instances as defined in accordance with the GSO schema.
    Type: Grant
    Filed: June 15, 2000
    Date of Patent: October 5, 2004
    Assignee: International Business Machines Corporation
    Inventors: Garry Lee Child, Dah-Haur Lin, Larry Fichtner
  • Patent number: 6539382
    Abstract: A caching mechanism for a directory service having a backing store. According to the invention, directory search results are cached over a given data capture period, with the information then being used by a data analysis routine to generate a data access history for the user for a particular application. That history is then used to generate a recommended pre-fetch time, a filter key for the pre-fetch, and a preferred cache replacement policy (e.g., static or LRU). Based on that information, a control routine pre-fetches and populates the cache with information that is expected to be needed by the user as a result of that access history.
    Type: Grant
    Filed: April 29, 1999
    Date of Patent: March 25, 2003
    Assignee: International Business Machines Corporation
    Inventors: Debora Jean Byrne, Dah-Haur Lin, Shaw-Ben Shepherd Shi
  • Publication number: 20030014656
    Abstract: A method, computer program product, and data processing system, with which a unified security policy may be implemented using existing application components with disparate security mechanisms and user registries is disclosed. The present invention provides a generic application programming interface (API) that forms a framework for creating registry adapters. Registry adapters allow a policy director (an item of software for imposing a sitewide security policy) to operate with new or unfamiliar registry types by acting as a drop-in translator for converting generic registry-access commands into operations specific to the particular registry in question.
    Type: Application
    Filed: June 29, 2001
    Publication date: January 16, 2003
    Applicant: International Business Machines Corporation
    Inventors: Michael Bradford Ault, Garry Lee Child, Larry George Fichtner, Dah-Haur Lin
  • Publication number: 20030005297
    Abstract: A method and system for sharing existing user and group registry information between heterogeneous application servers is provided. The method and system make use of an adapter that communicates with each registry associated with each application server through a registry communication mechanism. In a preferred embodiment, the present invention provides an additional application-specific database to protect application-specific data that is required for each application server's operation but is not part of an existing database registry. Both the application-specific databases and existing user and group definitions in a user and group registry form a new registry abstraction which is required for each application server. As a result, each application server automatically shares user and group definitions with the existing database server. Furthermore, both the database server and each application server maintain a centralized user and group management model across different application domains.
    Type: Application
    Filed: June 29, 2001
    Publication date: January 2, 2003
    Applicant: International Business Machines Corporation
    Inventors: Larry George Fichtner, Dah-Haur Lin
  • Patent number: 6360262
    Abstract: A method of routing in a computer network having a pool of servers capable of servicing requests for access to a set of server resource objects. The set of server resource objects are distributed in a non-homogeneous manner across the server pool. According to the method, each incoming client request for access to a specified server resource object is targeted to a router having an associated port space identifying a plurality of ports. Based on the port on which an incoming client request is received, the request is mapped to one of the server resource objects. The router then selects the “best provider” and redirects or forwards the request to that server. The routing and redirection is based upon the port for the incoming request.
    Type: Grant
    Filed: November 24, 1997
    Date of Patent: March 19, 2002
    Assignee: International Business Machines Corporation
    Inventors: Timothy John Guenthner, Francis D. Lawlor, Dah-Haur Lin, Charles Rudolph Schmitt
  • Patent number: 6230196
    Abstract: A method of dynamically generating a Web page at a Web server in response to an HTTP request from a Web client in a computer network. The Web page has a hypertext reference identifying a linked page supported on each of a set of other servers in the computer network. In response to the request, a given one of the set of other servers is identified based on some given criteria, e.g., shortest access time, lightest current load, or the like. Information identifying a path to the identified other server is then inserted into the hypertext reference as the Web page (including the hypertext reference) is returned to the Web client in response to the request. Thus, if the hypertext reference is later activated by the user browsing the returned Web page, the linked page is preferentially served from the identified other server.
    Type: Grant
    Filed: November 12, 1997
    Date of Patent: May 8, 2001
    Assignee: International Business Machines Corporation
    Inventors: Timothy John Guenthner, Francis Daniel Lawlor, Dah-Haur Lin, Charles Rudolph Schmitt
  • Patent number: 6052785
    Abstract: A system and method for managing client authorization to access remote data repositories through a middle tier server such as a web server. Client remote data repository access is intercepted by the middle tier server and the server is searched for stored credentials permitting client access to the remote data repository. If found, the stored credentials are used to authenticate access without further interaction with the client system. If no stored credentials are found, the server requests credentials from the client and passes them to the remote data repository for validation. Validated credentials are stored by the server for future use and indexed by a client identifier. Permitted remote data repository access is stored with the validated credentials. Access to a mounted remote file system is not permitted without authorization even if the remote file system would not otherwise require authorization.
    Type: Grant
    Filed: November 21, 1997
    Date of Patent: April 18, 2000
    Assignee: International Business Machines Corporation
    Inventors: David Dah-Haur Lin, Amal Ahmed Shaheen, Krishna Kishore Yellepeddy