
A Mechanism & Apparatus of transparency support application sensitive data protection

IP.com Disclosure Number: IPCOM000198979D
Publication Date: 2010-Aug-19
Document File: 4 page(s) / 199K

Publishing Venue

The IP.com Prior Art Database

Abstract

Applications implement role-based security (e.g. only finance can see billing records) through application-level filters; because every role shares one database account, this leaves a potential SQL injection risk. There should be some mechanism to help prevent unauthorized access to the application's data. One way to obtain stronger protection is to enforce it at the database level. Some mature databases (DB2, Oracle) provide row-based access control mechanisms that protect data in the database layer.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 56% of the total text.

Page 1 of 4


1 Our disclosure provides the following capabilities:
Mechanism & apparatus to transparently enable LBAC (DBMS-level isolation) for legacy applications:
- Provide management toolkits to:
  automatically generate LBAC elements from the application role structure, and transform the legacy database schema and business data to enable the LBAC feature
- Provide runtime database access libraries to:
  enable the legacy application instance to access an LBAC-based database (e.g. one transformed by the management toolkits above) transparently, without changing the source code of the legacy application

2 Main Architecture

[Figure: main architecture diagram. Components shown: App Admin; Users; Role Authority Definer (role structure, role & data privilege); Application; JDBC Wrapper (Role Identification, Account Transformation); LBAC Structure Generator (based on role definition, account mapping); Meta Repository (role definition & data mapping, role & account mapping, LBAC definition); Table Transformer (transforms tables to add a security tag and user security policy); App Database; Data Transformer (based on LBAC & role); Label Component (label components C0 to C7). Numbered flows 1 to 4 connect these components.]

The function of each component is as follows.


JDBC Wrapper
- Identify the current role through the SPI
- Generate the security label & security account by role group
- Get the security account by role group
- Use the security account to access the database & data

Role Authority Definer
- Save role definition information in the MetaDB
- Save role access data privilege information in the MetaDB

LBAC Structure Generator
- Save role structure information in the MetaDB
- Generate the default label component & other label components based on the role structure
- Compose the default & other components to generate the security label

Table Transformer
- Identify the sensitive tables that need to be protected
- Alter each table to add a security_tag column

Data Transformer
- Set all data to the default security label value
- Modify the data according to the role privilege definition

3 Details of the JDBC Wrapper, which performs the ACL checks for the role at runtime

Role Identification

- Transparent: implemented with JAAS
- Adapter/SPI to set the current role

A global filter gets the SPI implementation from the metadata.

Data request call

public interface IRoleIdentityUtil {
    public String getCurrentRole();
}

Call the SPI to get the current user's role

Default Implementation Demo

public class IR...
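As an added example (not code from the disclosure), the following Java sketch shows how the JDBC Wrapper's Role Identification and Account Transformation steps fit together: the SPI supplies the current role, a role-to-account mapping (a constructed in-memory map standing in for the Meta Repository) yields the LBAC security account, and the connection is opened as that account instead of the shared application account. Every name other than IRoleIdentityUtil, the ThreadLocal-based SPI implementation and the mapping contents are assumptions.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Map;

// SPI from the disclosure: the application (or a global filter) tells the
// wrapper which role the current request runs under.
interface IRoleIdentityUtil {
    String getCurrentRole();
}

// Hypothetical default SPI implementation: a request filter sets the role
// for the current thread after authentication and clears it afterwards.
class ThreadLocalRoleIdentity implements IRoleIdentityUtil {
    private static final ThreadLocal<String> CURRENT = new ThreadLocal<>();
    static void set(String role) { CURRENT.set(role); }
    static void clear() { CURRENT.remove(); }
    @Override public String getCurrentRole() { return CURRENT.get(); }
}

// Account Transformation: resolve the role to the database account that
// holds the matching LBAC security label and connect as that account.
class RoleAwareConnectionFactory {
    // Constructed stand-in for the Meta Repository's role & account mapping;
    // in practice the credentials are loaded from it, never hard-coded.
    record DbAccount(String user, char[] password) {}

    private final String jdbcUrl;
    private final IRoleIdentityUtil roleSpi;
    private final Map<String, DbAccount> roleToAccount;

    RoleAwareConnectionFactory(String jdbcUrl, IRoleIdentityUtil roleSpi,
                               Map<String, DbAccount> roleToAccount) {
        this.jdbcUrl = jdbcUrl;
        this.roleSpi = roleSpi;
        this.roleToAccount = roleToAccount;
    }

    // Fail closed: an unknown or missing role must not fall back to the
    // shared application account, or the LBAC isolation is silently lost.
    Connection getConnection() throws SQLException {
        String role = roleSpi.getCurrentRole();
        DbAccount acct = role == null ? null : roleToAccount.get(role);
        if (acct == null) {
            throw new SQLException("no LBAC security account mapped for role: " + role);
        }
        return DriverManager.getConnection(jdbcUrl, acct.user(), new String(acct.password()));
    }
}
```

The filter that calls ThreadLocalRoleIdentity.set(...) must also call clear() in a finally block, otherwise a pooled thread can carry one user's role into the next request.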