![[Help]](/netaicon1/PTO/help.gif)
![[Home]](/netaicon1/PTO/home.gif)
![[Boolean Search]](/netaicon1/PTO/boolean.gif)
![[Manual]](/netaicon1/PTO/manual.gif)
![[Number Search]](/netaicon1/PTO/number.gif)
![[PTDLs]](/netaicon1/PTO/ptdl.gif)
![[CURR_LIST]](/netaicon1/PTO/hitlist.gif)
![[PREV_DOC]](/netaicon1/PTO/prevdoc.gif)
![[NEXT_DOC]](/netaicon1/PTO/nextdoc.gif)
![[Shopping Cart]](/netaicon1/PTO/cart.gif)
![[Order Copy]](/netaicon1/PTO/order.gif)
![[Image]](/netaicon1/PTO/image.gif)
| United States Patent Application |
20060031855
|
| Kind Code
|
A1
|
|
Smithline; Neil
|
February 9, 2006
|
System and method for runtime interface versioning
Abstract
The present invention provides methods, machine readable memories and
systems for versioning plugin adapters for servers so as to allow legacy
versions of software plugins to function when the interfaces configured
to accept the plugins are upgraded. An adapter resides between a plugin
interface and the plugin module and converts requests designed for a
current or new version to requests designed for legacy versions. In some
embodiments, the interface elements are designed to extend and adapt the
functionality of a security apparatus by enabling the security apparatus
to utilize third party security providers.
| Inventors: |
Smithline; Neil; (Newton, MA)
|
| Correspondence Address:
|
FLIESLER MEYER, LLP
FOUR EMBARCADERO CENTER
SUITE 400
SAN FRANCISCO
CA
94111
US
|
| Assignee: |
BEA Systems, Inc.
San Jose
CA
|
| Serial No.:
|
195991 |
| Series Code:
|
11
|
| Filed:
|
August 3, 2005 |
| Current U.S. Class: |
719/328 |
| Class at Publication: |
719/328 |
| International Class: |
G06F 9/46 20060101 G06F009/46 |
Claims
1. A method for utilizing a plugin product for a server, the plugin
product having an old interface version, the method comprising:
accepting a request directed towards a new interface version of the
plugin; converting the request directed towards the new interface
version to a request directed towards the old interface version; and
transmitting the request directed towards the old interface version to
the plugin.
2. The method of claim 1, wherein accepting a request directed towards a
new interface version of the plugin comprises: receiving a request to
access a protected resource; and creating a provider object that
performs tasks related to the request on behalf of a provider.
3. The method of claim 2, wherein converting the request directed towards
the new interface version to a request directed towards the old interface
version comprises: determining whether the provider uses a current
version of the interface or a legacy version; and using the existing
provider when the provider is determined to use the current interface
version; otherwise wrapping the existing provider with an adapter when
the provider is determined to use the legacy version.
4. The method of claim 3, wherein transmitting the request directed
towards the old interface version to the plugin comprises: transmitting
the request to the wrapped provider when the provider is determined to
use the legacy version.
5. The method of claim 1, wherein accepting a request directed towards a
new interface version of the plugin comprises: accepting a request to a
security provider accessible via the plugin.
6. The method of claim 5, wherein accepting a request to a security
provider accessible via the plugin comprises accepting a request for at
least one of: an authentication system, an identity assertion system, an
authorization system, and an auditing system.
7. A machine readable medium having instructions stored thereon that when
executed by a processor cause a system to: accept a request directed
towards a new interface version for a plugin product for a server;
convert the request directed towards the new interface version to a
request directed towards an old interface version of the plugin product;
and transmit the request directed towards the old interface version to
the plugin.
8. The machine readable medium of claim 7, wherein the instructions for
causing the system to accept a request directed towards a new interface
version of the plugin comprise instructions that cause a system to:
receive a request to access a protected resource; and create a provider
object that performs tasks related to the request on behalf of a
provider.
9. The machine readable medium of claim 8, wherein the instructions for
causing the system to convert the request directed towards the new
interface version to a request directed towards the old interface version
comprise instructions that cause a system to: determine whether the
provider uses a current version of the interface or a legacy version; and
use the existing provider when the provider is determined to use the
current interface version; otherwise wrap the existing provider with an
adapter when the provider is determined to use the legacy version.
10. The machine readable medium of claim 9, wherein the instructions for
causing the system to transmit the request directed towards the old
interface version to the plugin comprise instructions that cause a system
to: transmit the request to the wrapped provider when the provider is
determined to use the legacy version.
11. The machine readable medium of claim 7, wherein the instructions for
causing the system to accept a request directed towards a new interface
version of the plugin comprise instructions that cause a system to:
accept a request to a security provider accessible via the plugin.
12. The machine readable medium of claim 11, wherein the instructions for
causing the system to accept a request to a security provider accessible
via the plugin comprise instructions for causing the system to accept a
request to at least one of: an authentication system, an identity
assertion system, an authorization system, and an auditing system.
13. A system for utilizing a plugin product in a server, the system
comprising: an interface element configured to utilize a new interface
version for plugin products; a plugin product, the plugin product having
an old interface version; and an adapter configured to: receive a
request from the interface element, the request configured for the new
interface version for plugin products; and convert the request to a
request configured for the old interface version of the plugin product.
14. A security system in a server, the security system comprising: one
or more security provider interfaces, the security provider interfaces
configured to pass requests for security services, the requests
associated with a new interface version; one or more security providers,
the security providers configured to accept requests associated with an
old interface version; and an adapter configured to: accept requests
associated with the new interface version from the one or more security
provider interfaces; convert the requests associated with the new
interface version to requests associated with the old interface version;
and transmit the requests associated with the old interface version to
the one or more security providers.
Description
CLAIM OF PRIORITY
[0001] The present application claims priority to the following
provisional application, the contents of which are incorporated by
reference herein in their entirety:
[0002] U.S. Provisional Patent Application No. 60/598,315, entitled
SYSTEM AND METHOD FOR RUNTIME INTERFACE VERSIONING, by Neil Smithline,
filed on Aug. 3, 2004. (Attorney's Docket No: BEAS-1690US0).
CROSS REFERENCE TO RELATED APPLICATIONS
[0003] The present application relates to the following application, the
contents of which are hereby incorporated by reference in their entirety:
[0004] U.S. patent application Ser. No. 10/373,532 entitled SYSTEM AND
METHOD FOR ENTERPRISE AUTHENTICATION, by Paul Patrick, filed on Feb. 24,
2003 (Attorney Docket No. BEAS-01400US0).
COPYRIGHT NOTICE
[0005] A portion of the disclosure of this patent document contains
material which is subject to copyright protection. The copyright owner
has no objection to the facsimile reproduction by anyone of the patent
document or the patent disclosure, as it appears in the Patent and
Trademark Office patent file or records, but otherwise reserves all
copyright rights whatsoever.
FIELD OF THE INVENTION
[0006] The present invention relates to systems, methods and computer
readable media for upgrading servers. The present invention relates more
particularly to enabling interoperability between related software
products that are designed to work with different versions of servers.
BACKGROUND OF THE INVENTION
[0007] Since its inception in 1995, the Java.TM. programming language has
become increasingly popular. (Java.TM. is a trademark of Sun
Microsystems, Inc.) Java, which is an interpreted language, enabled the
creation of applications that could be run on a wide variety of
platforms. This ability to function across a variety of different client
platforms, i.e. platform independence, and Java's relatively easy
implementation of network applications has resulted in its use in
endeavors as basic as personal webpages to endeavors as complex as large
business-to-business enterprise systems.
[0008] As Java has become more commonplace, a wide variety of tools and
development platforms have been created to assist developers in the
creation and implementation of applications and portals using Java or
other languages supporting platform independence.
[0009] Many of such applications and portals are based around one or more
servers that provide, inter alia, application support and control access
to resources. It is often desirable to enable third parties to produce
custom software modules or plugins that can be inserted into such servers
to perform functions that would otherwise be performed by the base
software of the server. Server architectures can be designed to enable
easy development of plugins for certain features such as security.
[0010] However, as the interfaces through which the plugins interact with
the server are upgraded, plugins that were designed for previous versions
of the interfaces may be rendered incompatible. The process of upgrading
the plugins can be time consuming and expensive.
[0011] What is needed is an improved interface that allows legacy plugin
products to be used with newer plugin interfaces.
BRIEF DESCRIPTION OF THE DRAWINGS
[0012] FIG. 1 is a block diagram illustrating one embodiment of a
security framework.
[0013] FIG. 2 is a block diagram illustrating one embodiment of an
interaction among a security provider interface, an adapter, and a
security provider.
[0014] FIG. 3 is a block diagram illustrating another high-level view of
an adapter in an embodiment.
[0015] FIG. 4 is a flow chart illustrating one embodiment of a process
for utilizing a security provider.
DETAILED DESCRIPTION
[0016] The invention is illustrated by way of example and not by way of
limitation in the figures of the accompanying drawings in which like
references indicate similar elements. References to embodiments in this
disclosure are not necessarily to the same embodiment, and such
references mean at least one. While specific implementations are
discussed, it is understood that this is done for illustrative purposes
only. A person skilled in the relevant art will recognize that other
components and configurations may be used without departing from the
scope and spirit of the invention.
[0017] In the following description, numerous specific details are set
forth to provide a thorough description of the invention. However, it
will be apparent to those skilled in the art that the invention may be
practiced without these specific details. In other instances, well-known
features have not been described in detail so as not to obscure the
invention.
[0018] Although a diagram may depict components as logically separate,
such depiction is merely for illustrative purposes. It can be apparent to
those skilled in the art that the components portrayed can be combined or
divided into separate software, firmware and/or hardware components. For
example, one or more of the embodiments described herein can be
implemented in a network accessible device/appliance such as a router.
Furthermore, it can also be apparent to those skilled in the art that
such components, regardless of how they are combined or divided, can
execute on the same computing device or can be distributed among
different computing devices connected by one or more networks or other
suitable communication means.
[0019] In accordance with embodiments, there are provided mechanisms and
methods for versioning plugin adapters for servers. These mechanisms and
methods can enable embodiments to provide legacy versions of software
plugins the capability to function when the interfaces configured to
accept the plugins are upgraded. The ability of embodiments to provide
plugins with the capability to function when the interfaces configured to
accept the plugins are upgraded can enable easier migrations to new
versions, extended use from legacy plugins and so forth.
[0020] In an embodiment, a method for utilizing a plugin product for a
server is provided. The plugin product can have an old interface version.
One embodiment of the method includes accepting a request directed
towards a new interface version of the plugin. The request directed
towards the new interface version is converted to a request directed
towards the old interface version. The request directed towards the old
interface version is transmitted to the plugin.
[0021] In some embodiments, the request may be a request directed to a
security provider. In various embodiments, accepting a request to a
security provider accessible via the plugin can include accepting a
request for any of: an authentication system, an identity assertion
system, an authorization system, and an auditing system.
[0022] While the present invention is described with reference to an
embodiment in which security providers create executable adapter programs
written in the Java.TM. programming language that are executed in
conjunction with plugin interfaces adapted to work with legacy versions
of software, the present invention is not limited to security providers,
nor to the Java.TM. programming language and may be practiced using other
programming languages, i.e., JSP and the like without departing from the
scope of the embodiments claimed. (Java.TM. is a trademark of Sun
Microsystems, Inc.) In one embodiment, the servers utilize an application
server product, such as WebLogic.RTM. Server by BEA systems of San Jose,
Calif.
[0023] FIG. 1 is a block diagram illustrating one embodiment of a
security framework of a server. In one embodiment, the server is a Java
server. The security framework includes a resource container 118
containing resources 105, 110, and 115. Preferably, the resource
container contains all of the resources required by a particular activity
or particular group of activities. The resources include information and
programs that will be utilized within the activities. The resource
container is configured to provide the resources in response to an
approved request from a security framework 122.
[0024] The security framework 122 includes multiple Service Provider
Interfaces (SPIs). These interfaces may also be referred to as Security
Provider Interfaces. The SPIs are configured to access security providers
that provide security verification services for users attempting access
the resources 105, 110, and 115.
[0025] The SPIs include an authentication SPI 125. The authentication SPI
125 is configured to utilize an external authentication provider 140 to
verify a user's credentials. The authentication provider 140 accepts
credentials from a user and uses those credentials to verify the user's
identity. The authentication provider 140, like the identity assertion
provider 145, authorization provider 150, and adjudication provider 155
is a software plugin that interacts with the security framework 122
through the SPIs.
[0026] The credentials utilized by the authentication provider can
include usernames and passwords, secure tokens, biometric data, secure
hardware keys, or any other credentials that can be used to verify a user
identity. The authentication provider returns to the security framework
122 a value indicating whether the user has been successfully
authenticated and information about the user (e.g. what groups the user
belongs to).
[0027] Another type of SPI is an identity assertion SPI 130. The identity
assertion SPI 130 is configured to accept identity assertions for users
from external systems such as the identity assertion provider 145. The
identity assertion SPI can be configured for multiple provider types,
including multiple tokens and certificates for verifying a user's
identity. The identity assertion SPI provides a response to an
authentication request indicating whether a user is permitted to access
the resource.
[0028] An authorization SPI 135 is configured to use an authorization
provider 150 to determine whether a user is permitted to access a
resource. Once a user's identity has been established through the
authentication provider 140 or the identity assertion provider, the
authorization provider 150 determines whether the user as currently
identified is permitted to access the resource.
[0029] The security framework also includes an auditing SPI 120. In some
embodiments, the various SPIs can utilize multiple providers. The
auditing SPI 120 utilizes an auditing provider 158 to record the various
responses from the differing security providers. An adjudication SPI 138
and adjudication provider 155 are configured to resolve a conflict when
one exists. For example, in some embodiments, the authentication SPI 125
can utilize multiple authorization providers 150. If some return a
successful authentication and some return an unsuccessful authentication
in response to an authentication request, the adjudication provider 155
determines whether the user should be authenticated. In some embodiments,
an administrator can set adjudication criteria indicating how conflicts
are resolved. For example, the criteria could be set such that a
successful authentication from any of the providers, or all of the
providers is needed for a user to be considered authenticated.
[0030] In some embodiments, the security provider also includes role
mapping SPIs, credential mapping SPIs and other SPIs for outsourcing
security functions to plugins.
[0031] FIG. 2 is a block diagram illustrating one embodiment of an
interaction among a security provider interface 215, an adapter 210, and
a security provider 205 in an embodiment. The legacy security provider
205 is one of the service providers 140, 145, 150, 155 illustrated in
FIG. 1. The SPI 215 is one of the SPIs 125, 130, 135, 138, 158
illustrated in FIG. 1.
[0032] The SPI 215 has a set of interface parameters governing how it
will interact with the security provider 205. These parameters indicate
the formatting and content of data transmitted to and received from the
security provider 205. As new versions of the SPI are released, these
interface parameters can change, thus requiring that the security
provider 205 be updated to interact with the SPIs correctly.
[0033] However, security providers are often difficult to update,
requiring considerable amounts of time and expense. Thus, legacy
providers 205 often remain in place long after the SPI 215 is updated.
Thus, an adapter 210 is used to translate information passed between the
SPI 215 and the security provider 205. The adapter 210 receives
communications from the SPI 215 configured for a new version of the
provider 205, and translates the communications into communications
configured for the legacy version of the provider 215. The adapter also
receives communications configured for the legacy version of the SPI and
converts the communications to communications designed for the new
version of the SPI.
[0034] In some embodiments, the adapter 210 "wraps" the service provider,
generating a new service provider object that interacts with SPI as a
provider 215, but is capable of converting requests between versions.
[0035] FIG. 3 is a block diagram illustrating another high-level view of
an adapter in an embodiment. The adapter includes an input module 305
that is configured to receive communications from either the SPI 205 or
the security provider. These communications are passed to a translator
310.
[0036] The translator 310 receives the communications and according to
the type of communications, translates them as necessary. The translator
310 preferably stores information indicating a version of the SPI 205 and
the security provider 215. In some embodiments, the translator can
translate between multiple differing versions of the SPI and providers.
When the translator 310 receives input from the SPI 205 or the provider
215 through the input module, it converts it to output that is configured
for the type of the destination and passes it to an output module 315.
[0037] While in the present embodiment, the adapter 210 is used to bridge
communications between legacy security providers and new SPIs, in
alternate embodiments, adapters can be used to enable any type of plugin
having similar compatibility issues.
[0038] Disclosed below is computer code for implementing an adapter for
an authorization provider in an embodiment.
TABLE-US-00001
package weblogic.security.service.adapters;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.security.spi.AuthenticationProvider;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.ChallengeIdentityAsserter;
import weblogic.security.spi.ChallengeIdentityAsserterV2;
import weblogic.security.spi.IdentityAsserter;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.PrincipalValidator;
public class AuthenticationProviderV1Adapter extends
SecurityProviderV1Adapter
implements AuthenticationProviderV2 {
public AuthenticationProviderV1Adapter(AuthenticationProvider provider) {
base = provider;
}
public AppConfigurationEntry getLoginModuleConfiguration() {
AuthenticationProvider atn = (AuthenticationProvider) base;
return atn.getLoginModuleConfiguration();
public AppConfigurationEntry getAssertionModuleConfiguration() {
AuthenticationProvider atn = (AuthenticationProvider) base;
return atn.getAssertionModuleConfiguration();
}
public Principal Validator getPrincipalValidator() {
AuthenticationProvider atn = (AuthenticationProvider) base;
return atn.getPrincipalValidator();
}
public IdentityAsserterV2 getIdentityAsserter() {
AuthenticationProvider atn = (AuthenticationProvider) base;
IdentityAsserter asserter = atn.getIdentityAsserter();
if (asserter instanceof ChallengeIdentityAsserter) {
return new ChallengeIdentityAsserterV1Adapter((ChallengeIdentityAsserter)a-
sserter);
}
else {
return new IdentityAsserterV1Adapter(asserter);
}
}
}
[0039] FIG. 4 is a flow chart illustrating one embodiment of a process
for utilizing a security provider. In block (405) the security framework
122 receives a request for a protected resource. In block (410) the
security framework creates a provider object from the security provider.
Creating a provider object can entail generating an object to perform the
provider's tasks. In block (412), the system determines whether the
provider object uses a current version of the interface or a legacy
version. If the provider uses the current interface version, the process
jumps to block (420), where the existing provider is utilized as the
provider object. If the provider uses the legacy interface, the process
moves to block (415), in which it wraps the existing provider around the
adapter.
[0040] In some embodiments, block (415) is implemented by the code
disclosed below: [0041] SecurityProvider
provider=AdapterFactory.getAuthenticationProvider(mbean, auditor);
[0042] The code disclosed above utilizes an adapter factory to produce an
adapter module instance, that with the SPI, communicates with the service
provider. The security framework 122 does not need to be aware of any
conversion steps being performed by the adapter, instead only receiving
notification from the SPI of the response (i.e., successful/unsuccessful
authentication/authorization etc.).
[0043] In block (420), the security provider is utilized to return an
authentication/authorization response. If the security provider and
adapter have the same version, the adapter does not perform any
conversion. The type of conversion depends on the level of change between
the two versions of the plugin interface.
[0044] For example, in the case of an improved identity assertion SPI, an
original version of a method used to access the identity assertion
provider might call the identity assertion provider with one argument,
whereas the improved SPI calls the provider with two arguments. The
adapter receives the two-argument call from the SPI, and makes a call to
the provider with a single argument. The new wrapped security provider is
used for future operations.
[0045] In some embodiments, the creation of the provider object and
wrapping of the adapter occurs during an initiation/bootup/deployment
stage rather than when a specific request is received.
[0046] It should also be understood that while a security provider is
discussed as an exemplary embodiment, the embodiments discussed above can
be applied to any type of software plugin.
[0047] Other features, aspects and objects of the invention can be
obtained from a review of the figures and the claims. It is to be
understood that other embodiments of the invention can be developed and
fall within the spirit and scope of the invention and claims.
[0048] The foregoing description of preferred embodiments of the present
invention has been provided for the purposes of illustration and
description. It is not intended to be exhaustive or to limit the
invention to the precise forms disclosed. Obviously, many modifications
and variations will be apparent to the practitioner skilled in the art.
The embodiments were chosen and described in order to best explain the
principles of the invention and its practical application, thereby
enabling others skilled in the art to understand the invention for
various embodiments and with various modifications that are suited to the
particular use contemplated. It is intended that the scope of the
invention be defined by the following claims and their equivalence.
[0049] In addition to an embodiment consisting of specifically designed
integrated circuits or other electronics, the present invention may be
conveniently implemented using a conventional general purpose or a
specialized digital computer or microprocessor programmed according to
the teachings of the present disclosure, as will be apparent to those
skilled in the computer art.
[0050] Appropriate software coding can readily be prepared by skilled
programmers based on the teachings of the present disclosure, as will be
apparent to those skilled in the software art. The invention may also be
implemented by the preparation of application specific integrated
circuits or by interconnecting an appropriate network of conventional
component circuits, as will be readily apparent to those skilled in the
art.
[0051] The present invention includes a computer program product which is
a storage medium (media) having instructions stored thereon/in which can
be used to program a computer to perform any of the processes of the
present invention. The storage medium can include, but is not limited to,
any type of disk including floppy disks, optical discs, DVD, CD-ROMs,
microdrive, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs,
DRAMs, VRAMs, flash memory devices, magnetic or optical cards,
nanosystems (including molecular memory ICs), or any type of media or
device suitable for storing instructions and/or data.
[0052] Stored on any one of the computer readable medium (media), the
present invention includes software for controlling both the hardware of
the general purpose/specialized computer or microprocessor, and for
enabling the computer or microprocessor to interact with a human user or
other mechanism utilizing the results of the present invention. Such
software may include, but is not limited to, device drivers, operating
systems, and user applications.
[0053] Included in the programming (software) of the general/specialized
computer or microprocessor are software modules for implementing the
teachings of the present invention.
* * * * *
