Abstract: A system and method for providing an infrastructure that can be provisioned for use with dynamic business applications. In accordance with an embodiment, the business application infrastructure comprises a plurality of drop-in components which can be added or provisioned as necessary to create a dynamic business application. For example, an integrated composition environment component can be provisioned to allow end-users to quickly develop business applications from an overall business process perspective. In accordance with other embodiments, the business application infrastructure can incorporate additional components as necessary to better support a particular business application, or a particular execution environment.

Abstract: The invention provides a software component plugin framework. The system described supports dynamic loading, instantiation, and unloading of interface implementations (plugin modules), together with encapsulation of these interface implementations. The many benefits provided by the invention include software reuse, interoperability and fast product development cycles.

Abstract: A computer-implemented system and method for policy inheritance, comprising, defining a first group wherein the first group refers to at least one of: a user and a group different from the first group, defining a second group wherein the second group is nested within the first group, defining a first policy wherein the first policy includes a resource, a subject and one of, an action and a role, and wherein the subject includes the first group, inheriting the first policy by the second group, wherein the resource is part of a resource hierarchy, and wherein the first policy can be used to control access to the resource.

Abstract: A method for adaptively authenticating a subject based on authentication information, comprising the steps of providing for the receipt of the authentication information; providing for the performance of Java Authentication and Authorization Service (JAAS) authentication of the subject based on the authentication information and wherein successful authentication of the subject results in the association of a principal with the subject; providing for the signing of the principal by determining an authentication code for the principal that is a function of the principal and a key.

Abstract: A system for distributing information from a first process to one or more security service modules. The system comprises a remote interface, capable of accepting first information from the first process, and a provisioning service provider (PSP) coupled to the remote interface. The PSP can obtain the first information from the remote interface, and also can provide second information to a local interface. The second information is based on the first information and is tailored for the one or more security service modules. The local interface can provide the second information to the one or more security service modules and the one or more security service modules can accept the second information and perform at least one of the following: adjust a configuration of the one or more security service modules to reflect the second information, and protect access to at least one resource based on the second information.

Abstract: A method for providing a security provider for a client comprises providing a service provider interface, that is compatible with a security framework layer, and one or more services. The one or more services include at least one of, authentication, authorization, auditing, role mapping and credential mapping. The one or more services can be exposed through the service provider interface and the framework layer can expose the one or more services to an application program interface.

Abstract: A system and method for providing an infrastructure that can be provisioned for use with dynamic business applications. In accordance with an embodiment, the business application infrastructure comprises a plurality of drop-in components which can be added or provisioned as necessary to create a dynamic business application. For example, an integrated composition environment component can be provisioned to allow end-users to quickly develop business applications from an overall business process perspective. In accordance with other embodiments, the business application infrastructure can incorporate additional components as necessary to better support a particular business application, or a particular execution environment.

Abstract: A system and method for distributed enterprise security, comprising, a server operable to update information, wherein the information can include one or more of a policy and configuration information, a security control module (SCM) operable to accept the information, at least one security service module (SSM) operable to accept the information from the SCM, and herein the information accepted by the SCM is relevant to one or more of the at least one SSMs.

Abstract: A system and method comprising the steps of, delegating a capability from a first user to a second user, propagating information that includes evidence of the delegation to a plurality of security service modules, wherein each one of the plurality of security service modules is capable of protecting one or more resources, providing the evidence to a first security service module belonging to the plurality of security service modules, enforcing the delegation when the second user attempts to access a resource in the one or more resources wherein the resource is protected by the first security service module, and wherein the enforcement is carried out by the first security service module.

Abstract: A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

Abstract: A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

Abstract: A system and method for supporting Service Networks in a SOA environment. In accordance with an embodiment, the principles governing the topology of computer networks can be similarly applied to the service space—from small federated Service Segments (or sub-domains), to large public federated Service Domains. At the heart of the Service Network are one or more Service Routers, that are themselves responsible for transparently bridging between federated Service Segments. The Service Routers determine where services reside in the Service Network and, based on routing information gathered through interaction with other Service Routers, Network Routers and other mechanisms, deliver service requests, using optimal routes, from a source Service Segment to the target Service Segment. Working in concert with the Service Router, an Enterprise Service Bus (ESB) can abstract the location of services, and hide the existence of the Service Network from service requestors.

Abstract: A service router for use with a service-oriented architecture environment. In accordance with an embodiment, the principles governing the topology of computer networks can be similarly applied to the service space—from small federated Service Segments (or sub-domains), to large public federated Service Domains. At the heart of the Service Network are one or more Service Routers, that are themselves responsible for transparently bridging between federated Service Segments. The Service Routers determine where services reside in the Service Network and, based on routing information gathered through interaction with other Service Routers, Network Routers and other mechanisms, deliver service requests, using optimal routes, from a source Service Segment to the target Service Segment. Working in concert with the Service Router, an Enterprise Service Bus (ESB) can abstract the location of services, and hide the existence of the Service Network from service requestors.

Abstract: A system, method and media for a service oriented architecture. This description is not intended to be a complete description of, or limit the scope of, the invention. Other features, aspects and objects of the invention can be obtained from a review of the specification, the figures and the claims.

Abstract: A pluggable architecture allows security and business logic plugins to be inserted into a security service hosted by a server, and to control access to one or more secured resources on that server, on another server within the security domain, or between security domains. The security service may act as a focal point for security enforcement, and access rights determination, and information used or determined within one login process can flow transparently and automatically to other login processes. Entitlements denote what a particular user may or may not do with a particular resource, in a particular context. Entitlements reflect not only the technical aspects of the secure environment (the permit or deny concept), but can be used to represent the business logic or functionality required by the server provider. In this way entitlements bridge the gap between a simple security platform, and a complex business policy platform.

Abstract: In accordance with one embodiment of the present invention, there are provided mechanisms and methods for securing access to data. These mechanisms and methods for securing access to data make it possible for systems to have improved control over accesses to information by redacting responses made by services based upon access policies. Requestors may be users, proxies or automated entities. This ability of a system to redact responses to queries or requests for services in accordance with access policies makes it possible to attain improved security in computing systems over conventional access control mechanisms that control based upon privileges for accessing a file, an account, a storage device or a machine upon which the information is stored.

Abstract: A system, method and media for dynamically redacting data based on the evaluation of one or more policies. This abstract is not intended to be a complete description of, or limit the scope of, the invention. Other features, aspects and objects of the invention can be obtained from a review of the specification, the figures and the claims.

Abstract: A system, method and media for dynamically redacting data based on the evaluation of one or more policies. This abstract is not intended to be a complete description of, or limit the scope of, the invention. Other features, aspects and objects of the invention can be obtained from a review of the specification, the figures and the claims.

Abstract: A system, method and media for dynamically redacting data based on the evaluation of one or more policies. This abstract is not intended to be a complete description of, or limit the scope of, the invention. Other features, aspects and objects of the invention can be obtained from a review of the specification, the figures and the claims.

Abstract: A barrier for diverting fish from a water flow channel (42) along which water is to flow, the barrier (45) comprising a generally planar array of fixed upright slats (46) each extending at least the entire depth of the water. The array (45) is set at an angle less than 90° to the initial flow direction, preferably even less than 30°, and each slat is set at an orientation so as to divert water into a direction other than that through the barrier; the spacing between adjacent slats measured along the array is less than 300 mm. For example the flow channel (42) may branch off from a river (40), the barrier (45) being provided at the mouth of the channel (42) so that the barrier is oriented substantially parallel to the flow in the river, and the slats (46) may be at say 60° or 30° to the initial flow direction in the river, so as to divert fish and passively-carried objects along past the barrier and on down the river. (FIG.