Data storage schema independent programming for data retrieval using semantic bridge6711579Abstract A computer implemented process accesses data stored on one or more computers, the data on each computer having a data storage schema. A program is generated to access the data using terms and constructs of a semantic programming interface. The semantic programming interface provides an abstract, object-oriented representation of the data that is independent of the data storage schemas of the data. Mappings of the representation of the data in the semantic programming interface to each of the data storage schemas of the data stored on the one or more computers are created. The data mappings are used to translate the interface-based program into one or more executable programs. The executable programs are run to access the data stored on the one or more computers. System security and data security are maintained on the one or more computers. Claims What is claimed is: Description COPYRIGHT NOTICE AND AUTHORIZATION
private String mapping(String input)throws Exception{
// `input` is the Shared Model property of this object.
// This method returns the expression that maps the data to the
// Shared Model Properties.
// This is done, by accessing a database where the DBA has
// entered this information.
// The database access uses the doPrivileged method - see the
// security section below for more detail
}
Instead of a table, property/value pairs of Java properties objects or a suitably designed XML document or even a database can be used. However, the best approach is to generate a dynamic SQL statement that generates a "view" that makes the information in the database look like a view of the objects in the Shared Model. At this point, any row level security the DBA wants to introduce can also be included. At the point when the above method is called, the identity of the user will be known to the system. This can be used to impose row level restrictions as well. For example, if a user is to be allowed to access only a limited set of accounts in an accounts table and this set of permitted accounts is itself stored in a table, the condition added to the select clause in the view definition will include a sub-query such as: accountID in (Select accountID from accountsPermission where user=userID) For the example given above, the following view definition is required. Except for the sub-string referring to the row level security, the rest of the string is a constant for a given implementation and this is provided by the DBA as an entry in a database table, which is accessed to construct the view. The row level security is entered in a different table and is dependent on the user and the Shared Model Object that is being mapped. The design of these tables is straight forward, and is not elaborated here. A routine that reads these tables is used to dynamically generate the SQL statement below and create the temporary view. This view has a one-to-one relationship with the Shared Model Object and standard SQL queries can now be built using this view. However, there are some constraints imposed from the security point of view as discussed later. create view ItemUserxx [ItemNumber, ItemNumberOnRight, ItemName] as select table1A.IDofThing, table1B.IDofThing, NameOfThing from table1 AS table1A, table1 AS table1B where (table1A.IDOfThing=table1B. IDOfThingOnLeft) [and (row level security constraints)] If any data type conversion is necessary, that also needs to be done in the mapping expression and view definitions (using SQL data type conversion functions). If any mismatch exists between the units specified in the Shared Model and the database, the DBA needs to use the appropriate conversion factor for that also. The DBA enters the mapping information into specially designed tables. The Shared Model has special methods that will automatically read these tables and dynamically generate the SQL statements that will create "views" of the database like the sample "create view" shown above. Note that the views are user-specific and temporary. When the program terminates, all the created views are dropped. For each of the objects in the domain, a method such as the one below is implemented to construct the object from its identifier:
public void createItem(String identifier)throws Exception{
String s1 = "select * from ItemUserxx where ItemNumber =" +
identifier
/*
The database access is performed using privileged access.
*/
ExecuteQuery eq = new ExecuteQuery(s1);
fillObject((rs1 = eq.getResultSet( )));
}
/*
* This method is used for filling the object variables by means of
* ResultSet values (rs1).
*/
protected void fillObject(ResultSet rs1)throws SQLException{
// The colunm values in the ResultSet rs1 are assigned to the object
properties
// here. A security check is also performed to ensure that only the
properties
// that can be seen by the user are assigned the true values.
The properties the user // is not permitted to see are set
to null values.
}
By asking the DBA to reason about implied relationships during mapping, we have essentially partitioned the problem between the user and the DBA--the user program needs to handle the procedural aspects alone and the DBA will handle the logic and reasoning that ensures proper mapping. Resolving the differences in terminology, interpreting the relationships, figuring out what is required, and determining the means of getting that information, are all hard tasks for pure knowledge based systems. However, mapping is a simple matter for seasoned programmers. The use of expressions or aggregating sub-queries depending on the structure of the underlying data, are all simple tasks for humans. If the version of SQL supports calls to external functions (in a select clause), DBA's can even use functions to map the fields. If the computation is complex and function calls are not supported, the DBA may consider adding the field to his database. The point that is emphasized here is that the partitioning of the problem greatly simplifies the solution. If the mapping process also has to be automated, the sophistication of the knowledge base, and the reasoning capabilities required of the program, have to be far greater. In the mapping process, certain exceptions will also have to be handled. If the database has not at all captured some field that is used in the Shared Model class, then the DBA should map the field to a "null." The effect of this is that, if the user denotes objects of this type with specific property values for this field, the three-valued logic of SQL will return "UNKNOWN" for the boolean expression referring to this field and not produce a SQL runtime error. The designer of the Shared Model should preferably keep this in mind and should try to make the model as general as possible. From what we have so far, using the mapping process, the properties of the objects can be retrieved, if the object's identity is known. How to specify the objects of interest and gain access to their identifiers is discussed in the next section. The Semantic Programming Interface An important aspect of the Shared Model and its Semantic Programming Interface is the denotation methods and the ability to combine the denotations to build more complex denotations. The objects of interest can be denoted with the help of useful relationships in the domain. For example, the position of a door relative to a customer may be useful in a robotic security system, but is irrelevant in a business application. It does not make sense to refer to a customer as the one standing near the door in the business application, but may make a lot of sense in the security system. In the business application, denotations such as, for example, the customer who paid using Amex card Number xxxxx, make much more sense. Similarly, objects of interest can also be denoted using properties. Like in the case of relationships, here again, the properties should be meaningful in the domain. A customer denoted by his credit line is more useful than one denoted by his receding hairline, in a business application. It is the responsibility of the modeler developing the Shared Objects to identify the useful relationships for the domain and include them in the Shared Model and in its Semantic Programming Interface. The use of denotations allows the users to write programs in more abstract terms, making development easier, faster, and less error prone. Programs are also better controlled from the data security point-of-view because of the object-oriented approach. With this way of programming it is not possible to gain access to object properties directly. The user programs are forced to use the special "getmethods" (described below) associated with each property. The DBA enters access control restrictions on certain properties like the way the mapping information is entered--into a separate table. The getmethods check the constraints and hide the values of the restricted fields. This way, apart from the row level security using views (and permissions granted for each user), field level security can also be enforced. For example, the user might be permitted to see the quantity of a certain transaction but not the price. In the sample customer class for the business domain shown in Appendix A, the relationships are implemented as methods that return strings that can be used to construct complex "where" clauses for SQL query strings. The SQL statements constructed using these clauses will return, when executed, zero or more customer identifiers having the properties and relationships specified. Each method relates the customer objects with some other object. For example, getCustomerFromInvoice is used to build the "where" clause for customers associated with the invoice objects. All of the methods of this kind need to specify certain essential information. In general, the information necessary for referring to objects using relationships are: 1) The kind (class) of objects of interest; 2) Properties the objects of interest should have; 3) The relationship and the role in which the objects of interest should participate; and 4) A similar description that limits the range of the related objects. The sample implementation shown in Appendix A to explain these concepts uses String functions with three parameters. The first parameter is the Shared Model identifier property for the object that is denoted. The second parameter allows one to specify the properties the qualifying objects should have. The third parameter is used to specify the properties and relationships the related object--invoice in the example above--should have. This is a means of qualifying the invoice objects that are related to customer objects of interest. All the objects in the domain have similar methods that allow them to relate to other objects. So, it is possible to combine the relationships to select, for instance, customers with some properties and having a specific relationship with another set of objects that have specific properties and have a specific relationship with some other set of objects, and so on. The SQL strings constructed just get concatenated to represent the complex semantics of the denotation. All of the information needed to construct the SQL query, even in the case of very complex queries, is automatically obtained from the denotative methods. In the sample implementation shown in Appendix A, every object has a getSubQuery<objectName> method like the getSubQueryCustomer method set forth in Appendix A. This takes care of translating and building sub queries. The "select" method, also shown in Appendix A, is used to get the objects required. Each Class has an identical select method. These are the methods that help denote objects in their classes. The objects can be denoted by their properties and/or their relationships with other objects. The syntax used for these denotations allows one to combine various selection criteria and also qualify the objects referenced in the relationships. The parameters help identify the objects denoted. The first parameter is used to specify the properties the qualifying objects should have. This is a string of property constraints given using Shared Model variables and SQL syntax. This can also be a function that returns a string that can be used in the "where" clause of the SQL Select statement. For example, the getTopNInvoices method in the invoice class can be used to select invoices or the return value of that method can be combined with another string to generate more complex property constraints. The second parameter is used to specify the relational constraints for the qualifying objects. Here again it is possible to combine and extend the relationships by using combinations of strings and functions that return strings, which can be used in the "where" clause. The main difference between the first string of property constraints and the second string of relational constraints is that the relationships are checked with a sub-query by determining the existence of an identifier in a list of selected rows from a different table. This is based on the semantics of the relational database systems wherein a relationship between entities is denoted by the existence of a row in a specific table in which the identifiers participating in the relationship appear in specific fields. Since the DBA has ensured that the relationships implied in the Shared Model are mapped correctly, like in the leftOf/rightOf example discussed above, the denotations in the user program will be accurately translated in the query. Denotations Explained A set of objects is denoted by some common properties or the relationships the objects bear with another set of objects. Let A, B, C, etc. represent sets of objects of different types. If B represents objects that signify relationships of type `b` between objects of types A and C, the fields in B will include IdentifierOfA, IdentifierOfB, and IdentifierOfC. The relationship `b` is said to exist between an instance of A and some instance of C only if both their identifiers are found in some instance of an object of type B. Furthermore, the objects A and C are said to have specific roles in the relationship `b`. Objects can be denoted using the relationships and roles they play in the relationships. When we talk about relationships, there are at least two sets of objects and these second set of objects in turn may be denoted using the same mechanism. Depending on the nature of the relationship between the sets, we may want to denote the entities in the first set that relate to all/none or at least one of the entities in the second set. In addition, the various set operations (such as union, intersection etc.) can be performed while specifying the denoted entities. The fact that all the above methods of denoting entities are well supported by standard SQL is the key that makes this approach very attractive. For example, the SQL that may be generated in general for the object relationships shown in FIG. 3 is as follows:
Select Distinct Object1_ID from view1 where
(special properties predicate for Object1) and
Object1_ID in (Select distinct Object1_ID from view2 where
(spl properties predicate for Object2) and
Object2_ID in (Select distinct Object2_ID from view3 where
(spl properties predicate for Object3)));
Here, "view2" is a representation of an object that implies the required relationship between Object1 and Object2 and "view3" implies the relationship between Object2 and Object3. Instead of the conjunctions used, disjunctions or various combinations of conjunctions and disjunctions can be used to arrive at different denotations. The relationships used in the denotation can be specified to imply that the elements of the denoted set are related to all/none/some of the elements of another set. The whole denotation can be represented as a tree, as shown, for example, in FIG. 4, where each node represents a set of objects, and child nodes are used to denote the parent objects. The structure cannot have cycles because circular references in denotations are not permitted. From the description above, it can be seen that the user has the ability to specify very complex "where" clauses in the SQL "select" statement. In fact the user is not restricted to using the given denotations alone. Using the SQL views, data stored in the remote systems can be accessed as if the data were stored in the Shared Model schema, and it is possible to write programs with embedded SQL queries. But the denotative power of the proposed model gives the programmer the ability to write programs at a more abstract level. Any useful methods developed using this approach constitutes an abstract solution and is usable without change on any implementation. This enables greater code reuse and avoids solving the same problems over and over. The "views" defined by the DBA permit the user to view only a subset of the available data. However, the DBA may wish to allow the user to see some of the properties of certain objects while hiding other properties. Under these conditions, it is also necessary to prevent the user from performing "searches" on these properties. Therefore, the property level permissions can take one of three values--0, 1 or `*`. `0` indicates that the user is not permitted to see this field at all. No search on the field can be performed as well. `*` indicates that the user is permitted to see the property values only for his own records, and searching may not be performed on these fields. `1` allows the user to view the property and also perform searches on this property. Using this information, the SQL queries are parsed and properties that should be inaccessible are replaced with nulls. If the program encounters an access violation in this respect, a security exception is thrown that the user has to provide the code to handle. The "select" method returns a record set of identifiers with the specified properties and relationships. The set of identifiers returned is processed in a "while" loop. As explained earlier, an object is built for each identifier. This object may be used to find other related objects. This way any complex set of interacting objects can be constructed. Since the implementation specific information is completely stored in special database tables accessible to the Shared Model objects, the DBA does not have to make any changes to any of the Shared Model classes. In fact, the Shared Model classes should be declared "final." The "getmethods" that enforce implementation-specific field-level access permission policies are shown in the following sample code:
public class Customer extends AbstractCustomer implements
CustomerInterface{
/*
* A static initializer block should initialize the viewName and property
level access
* permissions (containg a string of 1's, 0's and *'s as described in the
text). This is
* done by accessing the utility class that authenticates the user and sets
up the
* various user permissions.
*/
public Customer( ){
}
public String getcustID( ){
/* Check access permission for the field and if permission is denied set
the field to
* null and throw a security exception
*/
return custID;
}
public String getcustName( ){
/* Check access permission for the field and if permission is denied set
the field to
* null and throw a security exception
*/
return name;
}
public String getAddress( ){
/* Check access permission for the field and if permission is denied set
the field to
* null and throw a security exception
*/
return addr;
}
}
The Semantic Programming Interface seen by the user program developer for the customer class example discussed above is shown in the following sample code:
// Semantic Programming Interface for Customer Class
// In addition to the methods shown here there could be other useful class
methods
// such as:
// printCustomerMailingList(String denotedCustomerSet).
// Methods to access property values:
public abstract String getcustID( );
public abstract String getcustName( );
public abstract String getAddress( );
// Methods to help construct other queries:
public String queryBuilder(node rootOfDenotationTree);
public void treeBuilderAdd(node parent, node child);
public void treeBuilderRemove(node child);
public node nodeBuilder(String nodeDescriptor);
// Methods to navigate through the selected records:
public boolean isNextIdentifier( );
public String getNextIdentifier( );
// Methods used to denote Customers: This is not an exhaustive list
public String select(String propertyconstraints,String subquery);
public String getCustomerFromCustomerReceipt(String id, String
propertyconstraints,String subquery);
public String getCustomerFromInvoice(string id,String
propertyconstraints,String
subquery);
public String getCustomerFromCustomer(string id,String
propertyconstraints,String subquery);
public String getCustomerFromSaleOrder(string id,String
propertyconstraints,String subquery);
public String getCustomerFromSalesRejection(String id,String
propertyconstraints,String subquery);
public String getCustomerFromChartOfAccounts(string id, String
propertyconstraints,String subquery);
public final void createCustomer(String identifier);
// CustomerListQuery and ProductListQuery use the `select` methods for the
// customer and product classes.
public String getCustomersBoughtAll(String CustomerListQuery,String
ProductListQuery);
public String getCustomersBoughtNone(String CustomerListQuery,String
ProductListQuery);
The relationships/denotations in a domain can be very complex. For example in many-to-many associations, like, for example, with Customers and the Products they have bought, the following denotations are possible: 1) The set of Customers from a selected sub-set of Customers who have bought all/none/some Items from a selected sub-set of Items. 2) The set of Items from a selected sub-set of Items that have been bought by all/none/some Customers from a selected sub-set of Customers. 3) The top/bottom n Items based on some property (on which theta operators can be used). The above denotations can also be combined with the simpler ones described earlier to construct really horrendous looking queries. But, the construction of the queries will be automatic. Neither the DBA nor the programmer has to worry about the query building process. The builder of the Shared Model simply has to provide the code for building the queries in a manner that fits in with the scheme for combining relationships (perhaps with the help of denotation trees), to produce useful denotations, without breaking the security features provided by the model. Some of the implementation details of the Shared Objects were described above. However, the user who writes programs sees only an API consisting of properties and methods for the objects in the domain. The steps involved in building the Semantic Program are described in the next section. The Semantic User Program The user programs are preferably sent as Java source files with special headers that identify themselves as Semantic Bridge Programs. The header may also contain information that identifies and authenticates the user. The user program also may be required to follow certain protocols depending on the implementation of this server side code. For example, all programs preferably should be required to use a standard class name such as "SemanticBridge" or implement a standard interface such as the "SemanticBridgeInterface." The following code shows an example Semantic Program:
// This is the User program //
public class SemanticBridge {
Invoice i;
public void operation( )throws Exception{
i=new Invoice( );
try{
i.select(null,i.getTopNInvoices(3,"amount"));
} catch(Exception r){
// The I/O functions may have to go through Special
Utility Class methods
// that handle I/O under controlled conditions using privileged
access.
System.out.print(".backslash.n Select "+r);
}
try{
while(i.isNextIdentifier( )){
String g=i.getNextIdentifier( );
i.createInvoice(g);
System.out.print(".backslash.n"+i.getinvoiceID( ));
}
}catch(Exception r){
System.out.print(".backslash.n while "+r);
}
}
public void handleException(Exception e){
System.out.println(".backslash.n Error "+e.getMessage( ));
e.printStackTrace( );
if(e instanceof SQLException){
while((e=((SQLException) e).getNextException( ))!=null){
System.out.println(e);
}
}
}
Execution of the Semantic Program The Semantic Program is compiled within a server program dynamically and executed. However, the rights and permissions for the user code are severely restricted so that no damaging actions can be performed. This is discussed in detail below in the section on Security Issues. The code shown in Appendix B below describes how user code gets executed. In addition to the code shown in Appendix B, there will be code that identifies the user, determines the domain for which the program is written, assigns the security level for the user for that domain and sets up the security environment in which the code will execute. Also, the output produced by the user program has to be redirected to the user. Special code can be used to handle the standard output and standard error and the captured information can be sent back to the user using any of the standard protocols. As such code is well known to programmers of ordinary skill in the art, it is not discussed in detail herein. Turning to FIG. 5, a schematic diagram is shown of the preferred process by which: (1) a user program is sent from a client machine 24 to an external server 26; (2) the user program is compiled and executed on the external server 26; and (3) the results of the execution of the user program on the external server 26 are returned to the client machine 24. On the client machine 24, the Client Program Manager 28 is the controlling element of the new class of application programs written using the Semantic Bridge System of the present invention. The Client Program Manager 28 manages the connection with external servers 26 and packages the requests and transfers the requests from the client machine 24 to the external servers 26. The Request Generator 30 of the Client Program Manager 28 packages requests from the client machine 24 and sends them to one or more external servers 26. As described above, the requests include a user source program 32 written using the Semantic Programming Interface, which contains the program that the client wants executed on the remote database, as well as an identification of the program domain 34 for which the source program 32 is written. The external server 26 uses the program domain 34 to permit the incoming source program 32 to access the corresponding domain classes. If a request is to be sent to multiple external servers 26, a parameters database 36 is preferably used to store certain site-specific information in a database (such as, for example, userID, password, user account number etc.) so that the Client Program Manager 28 can build custom request objects for each external server 26. The design of the parameters database 36 is straightforward and is not elaborated here. Requests are preferably sent by the Request Generator 30 using the HTTP protocol. Protocols other than HTTP can also be used. For example, requests may be sent using a mail protocol and the responses can also be received using the mail protocol. Requests sent by the Request Generator 30 are sent to one or more external servers 26 where they are received by the external servers 26 and sent to the Semantic Bridge Servlet (SB Servlet) 38. The "dopost" method of the SB Servlet 38 is subsequently activated. The doPost method of the SB Servlet 38 performs the following functions. The user sending the request is identified and authenticated. A special temporary directory is created to store the user class file (e.g., the user source program 32). The domain for which the client code has been written is identified from the program domain 34 and a class loader capable of loading classes in that domain and the code in the user class file is instantiated. Two database connection objects are assigned to the request from two independent pools of available connections. One database connection is for internal operations--to fetch user specific database access permissions and information to build the "views" appropriate for the current user for the domain database. These are the "views" that will be used by the domain classes referenced in the user code. The second connection is used to access the actual data. The newly instantiated class loader is used to create a separate name space and a "user request" object is instantiated in that name space to store the references to the connection objects and user identification in static variables. The access to this object will be controlled through the class loader mechanism--the domain classes will be able to access this object while the user code will not. The Class Loader is a key element in the Java 2 Security architecture. The SB Servlet 38 uses two user-defined class loader types. One type is used to load the classes in the compiled user package and the other type is used to load the application domain classes. One of each of these class loaders is instantiated for each user request (The SB Servlet 38 may service more than one user request at the same time and this facilitates isolation of name spaces). In addition, the class loaders permit the segregation of user code and application domain code (classes of the Shared Model) into separate protection domains. This allows the system of the present invention to have different security policies for the two domains and essentially confine the user code to a sand box. The security manager installed in the SB Servlet 38 dynamically enforces the security policy of the external server 26. The user source program 32, which implements the Semantic Programming Interface, is compiled next and the class is stored in the temporary directory. The class is loaded using the instantiated class loader (described above) and the parameters that were sent with the request as Name-Value pairs and the reference to the `print writer` object (this is the object returned by the getwriter method of the HttpServletResponse object in the HTTP protocol) are sent to the SB_Main method (of the Semantic Programming Interface) in the user's SB class as arguments. The Java class loading mechanism will ensure that any domain classes used in the user's SB class will be loaded using the same class loader used to load the user's SB class. The effect of this is that any other user's SB class using the same domain classes will belong in a different name space (because that class loader instance will be different). Hence any static variables in these classes will be unique to the thread processing a given user request. Static variables in these classes are used to store the user specific information such as the "view name" and "field access permissions" for the current user. These fields are initialized automatically when the classes are accessed the first time. The initialization code for the domain classes (generated by the developers of the domain classes) should set the correct value for the static variables mentioned above. This involves accessing the database where the system administrator has stored the "Shared model to Implementation mapping" information and the current user's row level and field level access permissions. Using the guidelines given here, the developer of the domain classes should design a suitable database for this purpose. The SB class is permitted to access only the set of domain classes and runs essentially in a sandbox. This is enforced using the policy file and Java's Access Controller mechanism. However, the domain classes and some helper classes in the SB Servlet 38 need to have permissions to access resources--the same resources the user code is not permitted to access. So, when the request to access these resources originates from the user code, the Java runtime system will not permit the operations unless the methods in these other classes access these resources in privileged mode. These classes are specifically designed to do this whenever controlled system resources (such as the databases) need to be accessed. The user source program 32 is written using the published public interface of the domain classes. The domain classes have special methods to return identifiers of objects denoted in a query and to build object instances for a given identifier. With object instances returned, the user code can perform various complex operations and computations, as described in detail above. Any data to be sent back to the client machine 24 is managed by writing to the "print writer" object that was passed by the SB Servlet 38 through the Semantic Programming Interface. This is returned to the Response Handler 40 of the Client Program Manager 28 using the HTTP response object when the user code terminates. At this stage various clean-up operations are also performed to reclaim the resources used by the just terminated user code. The Response Handler 40 will preferably store the data retrieved from the external servers 26 in a suitably designed local database 42 for further processing. This part of the processing is application dependent and has no special complications. In case an error is reported in the response from the external server 26, suitable actions can be designed through the use of error handling routines. After the Client Program Manager 28 completes the data retrieval from the various external servers 26, it can summarize and report on the whole data set. Security Issues The fact that the system and method of the present invention involves the granting of permission to unknown user programs to execute on a system means that proper security should be in place to prevent potentially hostile code from causing any damage. The security issues essentially deal with: (1) System security and (2) Data security. By implementing the present invention using Java, the security features inherent in the Java environment can be utilized. For example, Java provides a lot of features to have a strict control on what an application can and cannot do. In particular, the following Java security features are of interest: 1) Class Loader--provides key security features as explained above. 2) Protection Domain--This defines all the permissions that are granted to a code source. Each type (class) in the Java Virtual Machine (JVM) belongs to one and only one Protection Domain. This effectively defines what resources the class can and cannot access. 3) Policy Object--This is a global mapping of code sources to permissions. However, the Class Loader alone places the classes into their Protection Domains. The Class Loader usually queries the Policy Object for the permissions associated with a code source, and associates the permissions object with a Protection Domain, and then assigns the loaded class to the Protection Domain. 4) Class File Verifier--this is very essential for class files fetched over the a network such as the Internet because the byte codes may have been tampered with or may have been produced by a buggy or malicious Java compiler. In the case of the present invention, since the compiler resident on the server itself (i.e., a trusted Java compiler) compiles user code, this feature is of less importance. 5) Security Manager--This is not automatically installed in applications. But once installed, it can check the executing code for access violations automatically. The automatic checking facility is available only for the permissions defined in the Java Security architecture. If user-defined permissions are to be granted to code sources, then the programs have to be designed to check for the required permissions at strategic points in their execution. 6) Privileged API--Because a Java application may use classes belonging to multiple Protection Domains, a thread of execution may traverse multiple domains before it becomes necessary to check the permission needed to access a resource. There are situations in which all the domains traversed should have the required permission, and there are situations in which this should not be the case. The Privileged API helps solve this problem of specifying clearly what is intended. The security solution of the present invention divides the user program into two parts--(1) the classes provided with the Semantic Bridge and the Shared Model and (2) the remote code from the user. The classes in the Semantic Bridge and the Shared Model are considered trusted code while the user code is not. As shown in FIG. 6, the trusted code will have the access permissions for reading databases and creating files etc., but the user code will not have any direct I/O permissions. However, the architecture requires that the user code be able to load the trusted code and have the trusted code perform actions that the user code itself does not have the permission to do. This is easily accomplished by forcing the trusted code to execute under privileged mode whenever it has to perform actions that may require special permissions. Since the trusted code is incapable of performing any damaging actions and the untrusted user code will be prevented from performing any direct I/O, the system security is assured. Also, since Java source code is compiled locally, byte code verification is also unnecessary. The data security features that the DBA uses to control the data that is accessible by the user program have already been described above. Sample Application Using the Semantic Programming Interface/Semantic Bridge The system and method of the present invention may be better understood by considering the following example of a data gathering application using the Semantic Programming Interface and the Semantic Bridge. A law enforcement agency wants to trace the present whereabouts of a man aged about 40 traveling with a boy aged about 14. They are suspected to have left the country using forged documents. What is required is a computer program to identify and verify possible leads on the suspects. The following programming strategy can be used to accomplish the goal: 1) Identify from the immigration records all travelers (leaving the country) aged about 40 with a boy aged about 14, within the desired period. 2) Verify the travel documents with the issuing authorities, and look for suspicious features, and forgeries. 3) For the leads to be pursued, track the port of disembarkation and the immigration/embarkation records in that country/port to verify if they are still in that country/port. If they have left, trace them to their destination. 4) At their destination, a search on the hotel records is now initiated to finally track down the suspects. The program may have to gather information from the immigration records, passport issuing records and hotel records from numerous systems with very different data storage schemas. Requests for information may have to be sent to literally thousands of servers. All this can be accomplished easily and effectively using the techniques of the present invention. Furthermore, if the first attempt is not successful, modifications to the algorithms to select the target sites, and modifications to the operations at the selected target sites will significantly alter the results obtained. Because the process is fully automated, this iterative approach can be continued until the desired objective is achieved. Turning to FIG. 7, a schematic diagram is shown of the preferred process of creating a program that gathers information from multiple domains. The diagram describes the structure of a complex information gathering application using the features of the Semantic Bridge and the Semantic Programming Interface. The first step is to identify the target domains and the target servers of interest that implement the Semantic Programming Interface for the domain. This information preferably should be stored in a properly designed database so that it is possible to search for the identity of the target servers based on various criteria such as the domain serviced, other domain specific information, geographical location covered by the data, etc. The next step is to write programs that we want executed at the various sets of target sites, using the Semantic Programming interface. These programs, called request, will be used to gather the information of interest from the various target servers. Together with these programs, we also need to develop the code, known as response handlers, that will handle the response for each type of request. The combination of the request and response handler is termed a "chore." The request encapsulates all information specific to a target such as its Internet Protocol (IP) address, the authentication information, protocols needed (such as Secure Sockets Layer (SSL) and SSL session), program to be executed, and the values for program parameters. The response handler has the ability to handle all possible outputs of the program, including errors. The logic for processing the output received could include sending a different request to some other server belonging to a different domain. In such a case, a program capable of running on this new target domain should also be written and the output of the previous server should be used to select the new list of target servers for each output. This process can repeat recursively depending on the nature of the task at hand. As a result, nested queues are created with chores of different kinds. The created chores are queued for execution. Preferably, multiple threads, and thus multiple sockets, are created to communicate with the servers. Multiple client machines can also be used to speed up the process of execution of the chores. In cases where further processing is needed, the response handler has the code to request a new set of chores (having the same request, response handler structure) to be generated by the Chore Builder and queue them for execution on the same thread. Please note that the information in the response may be used to identify a new set of target sites and the program that must run on them. Information contained in the response may also be used as parameters to the program in the next request. This information is sufficient to build a new set of request objects. By associating this set of request objects with another suitable response handler, we have a new set of chores that can be queued for execution. This way, nested queues of chores can be built dynamically depending on the output received from the target sites. The execution of the chores can be carried out in an orderly and sequential manner. The Thread Scheduler/Manager serves this purpose. Preferably, each thread picks up a chore from the outer-most queue, and processes all chores on all the inner nested queues before picking up any unserviced chore in the outer queue. Given the above general framework, the steps in the building of the program for the example application can now be discussed. As a first step, we write the programs using the Semantic Programming Interfaces. These programs include the following: 1) Program to search the Imigration records in all possible ports of embarkation within the country. 2) Program to search for matching disembarkation and embarkation records in other countries. 3) Program to search and verify the validity of the travel documents in the respective systems. This could include verification of the validity of Passports and Visas. 4) Program to search hotel records. Next, we write the response handlers for each of the programs above. These are associated with their corresponding request-for-information programs. The response handlers have the logic to determine the program and the corresponding response handler to use in the next stage. They also contain the logic to help determine the target sites for the next stage of processing. All response handlers implement a special interface so that the entry point to the code in the response handlers is known. The Chore Builder does the actual task of identifying the target sites. It does this by querying a local database containing information on accessing Semantic Bridge servlets in various domains. The database is designed to be searchable using the parameter passed to the Chore Builder by the response handler. Sample code to build a chore queue could be:
ChoreBuilder builder =
new ChoreBuilder(progrmReference, responseHndlrReference);
// the two parameters refer to the program and the corresponding
response handler
// queue
Q = builder.makeChoreQ(targetSelectionString);
// the string parameter helps build the SQL query to identify the
target sites
The makeChoreQ routine builds a queue of objects of type chore. The chore objects implement a special interface with an executeChore( ) method. The chore object contains all the information and code necessary to formulate a request to a target Semantic Bridge servlet. The response handler reference should handle all possible responses. The executeChore method first builds the request and sends it to a Semantic Bridge servlet and passes the response to the response handler. The executeChore( ) method is sequentially called on all the chore objects in the queue. The program can store information on a local database or output the information to the screen or printer. When all the queues are empty, the program terminates. The present invention may be implemented with any combination of hardware and software. If implemented as a computer-implemented apparatus, the present invention is implemented using means for performing all of the steps and functions described above. The present invention can be included in an article of manufacture (e.g., one or more computer program products) having, for instance, computer useable media. The media has embodied therein, for instance, computer readable program code means for providing and facilitating the mechanisms of the present invention. The article of manufacture can be included as part of a computer system or sold separately. It will be appreciated by those skilled in the art that changes could be made to the embodiments described above without departing from the broad inventive concept thereof. It is understood, therefore, that this invention is not limited to the particular embodiments disclosed, but it is intended to cover modifications within the spirit and scope of the present invention. ##SPC1## ##SPC2## ##SPC3## ##SPC4## ##SPC5## ##SPC6## ##SPC7## ##SPC8##
|
Same subclass Same class Consider this |
||||||||||