Abstract: A keystore is described which provides unique views of certificates and keys to particular application components and/or users. Upon receiving a request from a user and/or an application component to view keystore data, the keystore system implements a first set of security restrictions associated with the request and provides a limited view of the keystore data to the requesting user and/or application component based on the results of the first set of security restrictions. Then, upon detecting an attempt by the user and/or application component to access specified portions of the keystore data provided in the view, the keystore system implements a second set of security restrictions associated with the attempt to access the specified portions of the keystore data, and provides access to the keystore data to the user and/or application component based on the results of the second set of security restrictions.

Abstract: A method is described that involves identifying a configuration file in response to a desire to obtain security services. The configuration file describes a security policy tailored for use in the environmental condition set under which the desire arose. The identifying is based upon at least a portion of the environmental condition set. The method also involves using information found within the configuration file to configure code that performs authentication and authorization services so that the code will implement the security policy.

Abstract: Improved authentication service schemes are described. A first technique enables application specific authentication services even if container-wide authentication services are made available. A second technique prevents an authentication service from being performed if an attempt is made to reach an item of insensitivity within a protected area. A third technique introduces “get/set” functions into a login module callback handler arrangement for retrieving/imposing information from/to a communication session with a user that the login module is authenticating. A fourth technique distributes a login context function so that a network resides between separate portions of the login context function. A fifth technique uses a fallback handler in an application based authentication service so that a container-wide authentication service can be used.

Abstract: According to one aspect of the invention, a hierarchy of security domains and a method for granting a user access to the security domains are provided. The hierarchy of security domains includes multiple security levels and relationships between particular security domains. When a user is authenticated and/or authorized for access to a first security domain, the user is tagged as having been granted access to that security domain. If the user attempts to access a related security domain with a lower security level, the user is granted access without having to be re-authenticated and/or re-authorized. If the user attempts to access a related security domain with a higher security level, the user must be re-authenticated and/or re-authorized be access is granted to the security domain with the higher security level.