Title of invention: Method and system for determining and enforcing security policy in a communication session
Abstract: A method and system for determining and enforcing security policy in a communication session are provided in distributed systems. Policy encompasses the provisioning, authorization, and access control within the protected environment. Hence, all communication security requirements are explicitly stated through policy. A policy instantiation is constructed at run-time through policy determination. Conditional, abstract, and discretionary policies stated by communication participants are reconciled to arrive at an instantiation. The resulting instantiation is a concrete specification of the mechanisms, configurations, and access control model to be implemented by the session. The semantics of an instantiation are achieved through policy enforcement. The policy enforcement architecture implements session policies through the composition and configuration of security mechanisms using a novel event-bus architecture. Policy is enforced through the observation of and reaction to relevant events. The method and system of the invention diverge from past subscription-based event architectures by introducing additional infrastructure allowing significant implementation flexibility, robustness, and efficiency.
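Publication number: US2003126464(A1) Publication date: 2003.07.03
Application number: US20010006552 Application date: 2001.12.04
Applicant: MCDANIEL PATRICK D.;PRAKASH ATUL Inventor: MCDANIEL PATRICK D.;PRAKASH ATUL
Classification: G06F21/00;(IPC1-7):G06F11/30 Main classification: G06F21/00
Agency: Agent:
Main claim:
Address: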