Patents by Inventor Hyen Vui Chung

Hyen Vui Chung has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10511484
    Abstract: In large distributed computing environments, application execution may be distributed between a plurality of groups, the plurality of groups containing a set of host computer systems responsible for the execution of one or more operations of the application. Group membership may be determined by generating configuration information based at least in part on the plurality of groups. The configuration information may be provided to a plurality of host computer systems and each host computer system of the plurality of host computer systems may determine membership to a particular group of the plurality of groups based at least in part on the configuration information.
    Type: Grant
    Filed: March 24, 2017
    Date of Patent: December 17, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Wei Yu, Dmytro Ivashchenko, Qihui Li, Nengwu Zhu, Bhavesh Anil Doshi, Joshua Stephen Ullom, Nathan Manning, Michael Christopher Wenneman, Yubai Di, Hyen Vui Chung
  • Patent number: 10467191
    Abstract: Technologies are disclosed for providing a large scale data join service within a service provider network. A data set includes first and second sets of files that correspond to each other. Each file includes a first identifier (ID) and a second ID. The first set of files is partitioned based at least in part upon the first ID into a plurality of first subsets of files and the second set of files is partitioned based at least in part upon the first ID into a plurality of second subsets of files. Files within a first group of the plurality of first subsets and files within a second group of the plurality of second subsets are encoded into first and second bitsets, respectively, based at least in part upon the second IDs. An exclusive-or operation is performed on the first and second bitsets to find discrepancies between the data files.
    Type: Grant
    Filed: December 27, 2016
    Date of Patent: November 5, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Wei Yu, Nengwu Zhu, Hyen Vui Chung, Qihui Lee
  • Patent number: 9530012
    Abstract: Markup language security messages are processed. A template corresponding to a markup language security message is identified. The markup language security message is parsed for variable values using the template. A transition sequence is generated that represents the entire markup language security message. Each transition in the transition sequence is associated with a portion of the markup language security message. A lightweight data model of the markup language security message is populated using the transition sequence. The lightweight data model includes nodes for the variable values and a set of selected constant values.
    Type: Grant
    Filed: November 13, 2014
    Date of Patent: December 27, 2016
    Assignee: International Business Machines Corporation
    Inventors: Hyen Vui Chung, Satoshi Makino, Masayoshi Teraguchi, Kenichiro Ueno
  • Publication number: 20150095657
    Abstract: Markup language security messages are processed. A template corresponding to a markup language security message is identified. The markup language security message is parsed for variable values using the template. A transition sequence is generated that represents the entire markup language security message. Each transition in the transition sequence is associated with a portion of the markup language security message. A lightweight data model of the markup language security message is populated using the transition sequence. The lightweight data model includes nodes for the variable values and a set of selected constant values.
    Type: Application
    Filed: November 13, 2014
    Publication date: April 2, 2015
    Inventors: Hyen Vui Chung, Satoshi Makino, Masayoshi Teraguchi, Kenichiro Ueno
  • Patent number: 8375211
    Abstract: An XML digital signature mechanism for providing message integrity. A sending party serializes a source XML document into a serialized byte array, calculates the source offset and length of the array of the signed part in the serialized byte array, and calculates a source hash value using the serialized array and the source offset and length. The serialized byte array is a non-canonicalized array. The array and source hash value used to sign a part or the whole of the serialized byte array is sent to a receiving party. The receiving party calculates the target offset and length of the signed part in the serialized byte array and calculates a target hash value of the signed part by using the array and the target offset and length. The receiving party compares the target hash value and the source hash value to verify the integrity of the target XML document.
    Type: Grant
    Filed: April 21, 2009
    Date of Patent: February 12, 2013
    Assignee: International Business Machines Corporation
    Inventors: Hyen Vui Chung, Takahide Nogayama, Gregory Louis Truty, Kenichiro Ueno
  • Publication number: 20120210396
    Abstract: Markup language security messages are processed. A template corresponding to a markup language security message is identified. The markup language security message is parsed for variable values using the template. A transition sequence is generated that represents the entire markup language security message. Each transition in the transition sequence is associated with a portion of the markup language security message. A lightweight data model of the markup language security message is populated using the transition sequence. The lightweight data model includes nodes for the variable values and a set of selected constant values.
    Type: Application
    Filed: April 25, 2012
    Publication date: August 16, 2012
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hyen Vui Chung, Satoshi Makino, Masayoshi Teraguchi, Kenichiro Ueno
  • Patent number: 8060917
    Abstract: An authentication system and method for allowing an administrator to host a plurality of service principal names (SPNs) over a common network port of a backend server. The authentication system includes a client computer, a backend server, and a service principal name (SPN) apparatus. The client computer sends an authentication request to the backend server. The backend server performs an authentication procedure in response to a reception of the authentication request from the client computer. The SPN apparatus configures a plurality of service SPNs for the web service application over the common network port.
    Type: Grant
    Filed: April 16, 2008
    Date of Patent: November 15, 2011
    Assignee: International Business Machines Corporation
    Inventors: Hyen-Vui Chung, Derek W. Ho, David L. Leigh, Michael J. McMahon, Rengan Sundararaman
  • Patent number: 7934252
    Abstract: A message gateway apparatus is provided for use in a web service system to process a message containing a request for a destination web service application, in which the message includes a plurality of events within a structured document conforming to a web service protocol and each event of the plurality of events has a name and a content thereof.
    Type: Grant
    Filed: June 29, 2007
    Date of Patent: April 26, 2011
    Assignee: International Business Machines Corporation
    Inventors: Hyen-Vui Chung, Takahide Nogayama, Toshiro Takase, Kenichiro Ueno
  • Patent number: 7925881
    Abstract: A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object.
    Type: Grant
    Filed: October 4, 2007
    Date of Patent: April 12, 2011
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
  • Publication number: 20100268952
    Abstract: An XML digital signature mechanism for providing message integrity. A sending party serializes a source XML document into a serialized byte array, calculates the source offset and length of the array of the signed part in the serialized byte array, and calculates a source hash value using the serialized array and the source offset and length. The serialized byte array is a non-canonicalized array. The array and source hash value used to sign a part or the whole of the serialized byte array is sent to a receiving party. The receiving party calculates the target offset and length of the signed part in the serialized byte array and calculates a target hash value of the signed part by using the array and the target offset and length. The receiving party compares the target hash value and the source hash value to verify the integrity of the target XML document.
    Type: Application
    Filed: April 21, 2009
    Publication date: October 21, 2010
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hyen Vui Chung, Takahide Nogayama, Gregory Louis Truty, Kenichiro Ueno
  • Patent number: 7810132
    Abstract: Objects on application servers are distributed to one or more application servers; a user is allowed to declare in a list which objects residing on each application server are to be protected; the list is read by an interceptor; responsive to exportation of a Common Object Request Broker Architecture (“CORBA”) compliant Interoperable Object Reference (“IOR”) for a listed object, the interceptor associates one or more application server security flags with interfaces to the listed objects by tagging components of the IOR with one or more security flags; and one or more security operations are performed by an application server according to the security flags tagged to the IOR when a client accesses an application server-stored object, the security operations including an operation besides establishing secure communications between the client process and the server-stored object.
    Type: Grant
    Filed: May 20, 2008
    Date of Patent: October 5, 2010
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung, Carlton Keith Mason, Ajaykumar Karkala Reddy, Vishwanath Venkataramappa
  • Patent number: 7765585
    Abstract: Run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.
    Type: Grant
    Filed: April 17, 2008
    Date of Patent: July 27, 2010
    Assignee: International Business Machines Corporation
    Inventors: Ching-Yun Chao, Hyen Vui Chung, Ajay Reddy, Vishwanath Venkataramappa
  • Patent number: 7752452
    Abstract: A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user include not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code. This invention stores the user credentials in a distributed cache and provides a system and method to compute the unique key based on the dynamic security credentials for cache lookup.
    Type: Grant
    Filed: February 2, 2009
    Date of Patent: July 6, 2010
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
  • Patent number: 7734918
    Abstract: A method and apparatus for preventing rogue implementations of a security-sensitive class interface are provided. With the method and apparatus, a unique identifier (UID) is created by a server process when the server process is started. Anytime the server process, i.e. a server runtime environment, instantiates a new credential object following start-up of the server process, the encrypted UID is placed into a private field within the new credential object. In addition, the UID is encrypted and stored in a private class of the server runtime environment. A verification class is provided within the server runtime environment which includes one or more methods that receive the credential object as a parameter and return true or false as to the validity of the credential object.
    Type: Grant
    Filed: January 17, 2008
    Date of Patent: June 8, 2010
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
  • Patent number: 7634803
    Abstract: An extensible token framework is provided for identifying purpose and behavior of run time security objects. The framework includes a set of marker token interfaces, which extends from a default token interface. A service provider may implement one or more marker token interfaces for a Subject or a thread of execution. A service provider may also implement its own custom marker tokens to perform custom operations. The security infrastructure runtime recognizes behavior and purpose of run time security objects based on the marker or custom marker token interfaces the token implements and handles the security objects accordingly.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: December 15, 2009
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
  • Publication number: 20090265771
    Abstract: An authentication system and method for allowing an administrator to host a plurality of service principal names (SPNs) over a common network port of a backend server. The authentication system includes a client computer, a backend server, and a service principal name (SPN) apparatus. The client computer sends an authentication request to the backend server. The backend server performs an authentication procedure in response to a reception of the authentication request from the client computer. The SPN apparatus configures a plurality of service SPNs for the web service application over the common network port.
    Type: Application
    Filed: April 16, 2008
    Publication date: October 22, 2009
    Inventors: Hyen-Vui Chung, Derek W. Ho, David L. Leigh, Michael J. McMahon, Rengan Sundararaman
  • Publication number: 20090138951
    Abstract: A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user include not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code.
    Type: Application
    Filed: February 2, 2009
    Publication date: May 28, 2009
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung
  • Patent number: 7526798
    Abstract: Run-as credentials delegation using identity assertion is presented. A server receives a request from a client that includes the client's user identifier and password. The server authenticates the client and stores the client's user identifier without the corresponding password in a client credential storage area. The server determines if a run-as command is specified to communicate with a downstream server. If a run-as command is specified, the server retrieves a corresponding run-as identity which identifies whether a client credential type, a server credential type, or a specific identifier credential type should be used in the run-as command. The server retrieves an identified credential corresponding to the identified credential type, and sends the identified credential in an identity assertion token to a downstream server.
    Type: Grant
    Filed: October 31, 2002
    Date of Patent: April 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Ching-Yun Chao, Hyen Vui Chung, Ajay Reddy, Vishwanath Venkataramappa
  • Patent number: 7526799
    Abstract: A method for tracking security attributes along an invocation chain using a secure propagation token. When a user is authenticated, a propagation token is created. The propagation token includes a caller list, a host list, and custom attributes. The propagation token may be propagated downstream along with other marker tokens. A service provider may associate custom attributes in the propagation token or create a custom propagation token to be propagated. The propagation token tracks the original caller and subsequent callers when user switches occur and a list of hosts on which the propagation token lands.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: April 28, 2009
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Keys Dylan Botzum, Ching Yun Chao, Hyen-Vui Chung
  • Patent number: 7487361
    Abstract: A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user include not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location where the user is authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions. The same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code.
    Type: Grant
    Filed: June 30, 2004
    Date of Patent: February 3, 2009
    Assignee: International Business Machines Corporation
    Inventors: Peter Daniel Birk, Ching-Yun Chao, Hyen Vui Chung