Declarative and programmatic access control of component-based server applications using roles

Abstract

A programming model for component-based server applications provides declarative and programmatic access control at development without knowledge of the security configuration at deployment. The developer defines the server application access control by defining logical classes of users, called roles. The developer also can declare access privileges of the roles at package, component and interface levels of the server application. At development, the roles are bound to the particular security configuration of the server computer. The programming model also provides application programming and integration interfaces with which the developer can programmatically define access control of the roles to the server application's processing services.

Claims

We claim:

1. In a software application development system, a method of defining user access rights to objects of a component-based application prior to distribution and deployment to a plurality of end-user computer systems having a security facility requiring a user to log-on under one of a plurality of user identities configured on the respective computer system, and having a role-based access control operating in response to roles and access privileges declared for the component-based application and a configuration associating the user identities of the respective computer system to the declared roles to control access of a current user to component-based application objects depending on the user identity of the current user being associated in a declared role having declared access privileges for the object, the method comprising:

declaratively creating a roles data structure containing information defining a plurality of roles applicable to the component-based application;

declaratively creating a role privileges data structure containing information defining access privileges of the roles to the objects; and

packaging the roles data structure and the role privileges data structure with the component-based application into a distribution unit;

whereby on deployment of the distribution unit to a respective one of the end-user computer systems, the role-based access control of such respective end-user computer system operates to control access of such respective end-user computer system's users to the objects based on the roles and access privileges defined in the distribution unit.

2. The method of claim 1 wherein declaratively creating the role privileges data structure comprises specifying access privileges of roles to interfaces of the objects.

3. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 1.

4. A computer-readable data storage media having a distribution unit for a distributable component-based software application stored thereon, the software application being installable for execution on a computer system having, a role-based access control operating to control access by a user operating the computer system under a user identity to objects depending on the user's user id entity being associated in a role having access privileges for the objects, the distribution unit of the software application comprising:

executable code to implement a set of objects of the software application having interfaces providing a set of operations accessible to a client program;

a roles data structure containing information defining a set of roles applicable to the software application; and

an access privileges data structure containing information defining access privileges of the roles to objects in the software application;

whereby access control is declaratively defined for the software application prior to distribution and deployment of the software application to the computer system.

5. The computer-readable data storage media of claim 4 wherein the access privileges data structure contains information defining access privileges of the roles to interfaces of the objects.

6. In a computer configured for operation by users having user identities, an object execution system software program for controlling access by a user of the computer to objects in a component-based software application based on a set of abstract user classes defined for the software application at development thereof, the component-based software application being distributed to the computer in a deployment unit containing a roles data structure defining the set of abstract user classes and an access privileges data structure defining access privileges of the abstract user classes to the objects, the object execution system software program comprising:

a security configuration data store containing data associating user identities to the abstract user classes; and

an authorization checker operating to check upon access by a caller program operating under a user identity to a called object in the component-based software application whether the user identity is associated with an abstract user class having an access privilege to call into the called object, and to permit or deny the access depending on a result of the check;

whereby the object execution system software program permits access control for the component-based software application to be declaratively defined at development as an abstraction independent of the user identities actually configured on the computers on which the software application is later deployed.

7. The object execution system software program of claim 6 further comprising:

a security configuration utility operating in response to declaration of a binding of a user identity to an abstract user class to store an association of the user identity to the abstract user class in the security configuration data store.

8. A method of access control within a computer based on abstract user classes declaratively defined at development of a software application having code to implement a set of objects, the method comprising:

in response to declaration by a developer of a set of roles representing abstract classes of users not as yet fixed to any particular configuration of actual user identities on computers to which the software application is to be deployed, generating a roles data structure containing data to represent the role classes;

in response to declaration by the developer of access privileges of the role classes to the objects, generating an access privileges data structure containing data to represent the access privileges;

packaging the roles data structure and the access privileges data structure into a deployment unit containing the software application;

deploying the deployment unit to a computer;

in response to declaration by an administrator of the computer of bindings from user identities configured on the computer to the role classes, storing data in a configuration store to represent the bindings;

upon a request of a client program code operating under a user identity on the computer to access an object of the software application, determining to permit or deny the access depending upon a result of an authorization check whether the user identity is bound to a role having an access privilege to the object.

9. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 8.

10. In a computer configured for operation by users having user identities, an object execution system software module for controlling access to objects of a software application distributed to the computer in a deployment unit containing a roles data structure declaratively defining roles representative of a set of abstract user classes and an access privileges data structure declaratively defining access privileges of the roles to the objects, the object execution system software module comprising:

a configuration data store containing data defining bindings of the user identities to the roles; and

code to implement a programmatic access control function for calling from the software application, the programmatic access control function having a role parameter designating a role out of the roles set, the programmatic access control function operating in response to the software application's call to return a value indicating whether a user identity under which the software application was accessed is bound to the parameter-designated role.

11. A method of programmatically controlling access within a component-based software application based on a set of abstract user classes declaratively defined at development independent of the user identities actually configured on the computers to which the component-based software application is to be later deployed, the component-based software application being executable on a computer having an object execution system that implements a programmatic access control function operative to return a value indicative of whether a user identity of a calling thread is bound to a parameter-specified abstract user class of the component-based software application, the method comprising:

in response to declaration by a developer of a set of roles representing abstract classes of users not as yet fixed to any particular configuration of actual user identities on computers to which the component-based software application is to be deployed, generating a roles data structure containing data to represent the roles;

within program code of an object of the component-based software application, issuing a call to the programmatic access control function in which a particular role is specified by a function parameter and also conditioning a processing operation of the object on a result of the programmatic access control function call; and

packaging the roles data structure and the access privileges data structure into a deployment unit containing the software application.

12. A computer-readable storage medium having stored thereon computer-executable program code operative to perform the method of claim 11.

Description

FIELD OF THE INVENTION

The present invention relates to a server application-programming model using software components, and more particularly relates to maintaining security of a component-based server application.

BACKGROUND OF THE INVENTION

In many information processing applications, a server application running on a host or server computer in a distributed network provides processing services or functions for client applications running on terminal or workstation computers of the network which are operated by a multitude of users. Common examples of such server applications include software for processing class registrations at a university, travel reservations, money transfers and other services at a bank, and sales at a business. In these examples, the processing services provided by the server application may update databases of class schedules, hotel reservations, account balances, order shipments, payments, or inventory for actions initiated by the individual users at their respective stations.

In a server application that is used by a large number of people, it is often useful to discriminate between what different users and groups of users are able to do with the server application. For example, in an on-line bookstore server application that provides processing services for entering book orders, order cancellations, and book returns, it may serve a useful business purpose to allow any user (e.g., sales clerk or customers) to access book order entry processing services, but only some users to access order cancellation processing services (e.g., a bookstore manager) or book return processing services (e.g., returns department staff).

Network operating systems on which server applications are typically run provide sophisticated security features, such as for controlling which users can logon to use a computer system, or have permission to access particular resources of the computer system (e.g., files, system services, devices, etc.) In the Microsoft Window NT operating system, for example, each user is assigned a user id which has an associated password. A system administrator also can assign sets of users to user groups, and designate which users and user groups are permitted access to system objects that represent computer resources, such as files, folders, and devices. During a logon procedure, the user is required to enter the user id along with its associated password to gain access to the computer system. When the user launches a program, the Windows NT operating system associates the user id with the process in which the program is run (along with the process' threads). When a thread executing on the user's behalf then accesses a system resource, the Windows NT operating system performs an authorization check to verify that the user id associated with the thread has permission to access the resource. (See, Custer, Inside Windows NT 22, 55-57, 74-81 and 321-326 (Microsoft Press 1993).)

A thread is the basic entity to which the operating system allocates processing time on the computer's central processing unit. A thread can execute any part of an application's code, including a part currently being executed by another thread. All threads of a process share the virtual address space, global variables, and operating-system resources of the process. (See, e.g., Tucker Jr., Allen B. (editor), The Computer Science and Engineering Handbook 1662-1665 (CRC Press 1997).)

The Windows NT operating system also provides a way, known as impersonation, to authenticate access from a remote user to resources of a server computer in a distributed network. When a request is received from a remote computer for processing on the server computer, a thread that services the request on the server computer can assume the user id from the thread on the remote computer that made the request. The Windows NT operating system then performs authorization checks on accesses by the servicing thread to system resources of the server computer based on the user id. (See, Siyan, Windows NT Server 4, Professional Reference 1061 (New Riders 1996).)

The use of such operating system security features to control access to particular processing services in a server application presents cumbersome distribution and deployment issues. The user ids and user groups are configured administratively per each computer station and/or network, and thus vary between computers and networks. When the particular user ids or groups that will be configured on a computer system are known at the time of developing a server application, the server application can be designed to control access to particular processing services and data based on those user ids and groups. Alternatively, specific user ids or groups that a server application uses as the basis for access control can be configured on a computer system upon deployment of the server application on the computer system. These approaches may be satisfactory in cases where development and deployment is done jointly, such as by in-house or contracted developers. However, the approaches prove more cumbersome when server application development and deployment are carried out separately, such as where an independent software vendor develops a server application targeted for general distribution and eventual installation at diverse customer sites. On the one hand, the server application developer does not know which user ids and groups will be configured on the end customers' computer systems. On the other, the server application developer must force system administrators to configure specific user ids or groups, which at a minimum could lead to an administratively unwieldy number of user configurations and at worst poses a security risk on the computer systems of the developer's customers.

SUMMARY OF THE INVENTION

The present invention provides a way to declaratively and programmatically define access control to processing services of a server application independently of deployment during development of the server application using roles. Roles are logical groups of users that can be assigned at development time, and independent of a specific operating system security configuration until deployment. At development, the server application developer declaratively defines roles and assigns access privileges of the roles to processing services of the server application. At deployment, the installer maps the roles to the security configuration of the computer system on which the server application is installed, such as to specific user ids and groups. A run-time execution environment of the server application performs authorization checks based on the roles and assigned access privileges to control access to the server application's processing services. The developer is thus able to control access by different groups of users to specific server application processing services without prior knowledge of the security configuration at deployment, or requiring a specific security configuration at deployment.

According to a further aspect of the invention, a server application framework provides application programming interfaces that allow programmatic use of role-based security information by the server application to control processing services. At development time, the developer can program code into the server application to perform authorization checks within a processing service to control specific processing based on roles. In particular, the framework includes an application programming interfaces to obtain information as to the role of a current user that initiated the processing service. Within a processing service of the server application, the developer thus has a fine granularity of programmatic control over specific processing in the server application based on the roles that are assigned access privileges to the processing service.

According to another aspect of the invention, the developer declaratively assigns access privileges of roles at package, component, and interface levels of a server application constructed as object-oriented components. In object-oriented programming, programs are written as a collection of object classes which each model real world or abstract items by combining data to represent the item's properties with functions to represent the item's functionality. More specifically, an object is an instance of a programmer-defined type referred to as a class, which exhibits the characteristics of data encapsulation, polymorphism and inheritance. Data encapsulation refers to the combining of data (also referred to as properties of an object) with methods that operate on the data (also referred to as member functions of an object) into a unitary software component (i.e., the object), such that the object hides its internal composition, structure and operation and exposes its functionality to client programs that utilize the object only through one or more interfaces. An interface of the object is a group of semantically related member functions of the object. In other words, the client programs do not access the object's data directly, but must instead call functions on the object's interfaces to operate on the data. Polymorphism refers to the ability to view (i.e., interact with) two similar objects through a common interface, thereby eliminating the need to differentiate between two objects. Inheritance refers to the derivation of different classes of objects from a base class, where the derived classes inherit the properties and characteristics of the base class. In an embodiment of the invention illustrated herein, a package is a group of related components of the server application that are run together in a single process on the server computer.

The run-time environment of the server application performs authorization checks for access to a particular package, component or interface of the server application according to the access privileges assigned to roles per package, component and interface. This allows the developer flexible declarative access control at various levels of processing services of the server application.

Additional features and advantages of the invention will be made apparent from the following detailed description of an illustrated embodiment which proceeds with reference to the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a distributed computer system that may be used to implement a method and apparatus embodying the invention for declarative and programmatic access control of component-based server applications using roles.

FIG. 2 is a block diagram of a server application component execution environment provided by a server executive on a server computer in the distributed computer system of FIG. 1.

FIG. 3 is a block diagram of the structure of a server application component in the execution environment of FIG. 2.

FIG. 4 is a view of a graphical user interface of an administration utility called the Transaction Server Explorer, for grouping server application components into packages and declaring roles.

FIGS. 5 and 6 are views of a feature of the Transaction Server Explorer's graphical user interface for grouping server application components into packages.

FIGS. 7 and 8 are view of a feature of the Transaction Server Explorer's graphical user interface for defining roles and assigning package level access privileges of the roles.

FIG. 9 is a view of a feature of the Transaction Server Explorer's graphical user interface for assigning component level access privileges of the roles.

FIG. 10 is a view of a feature of the Transaction Server Explorer's graphical user interface for assigning interface level access privileges of the roles. FIG. 11 is a view of a feature of the Transaction Server Explorer's graphical user interface for establishing a process identity at development under which a package is run in the execution environment of FIG. 2.

FIG. 12 is a view of a feature of the Transaction Server Explorer's graphical user interface for packaging server application components with role-based access privileges defined at development.

FIG. 13 is a view of a feature of the Transaction Server Explorer's graphical user interface for deploying a package having pre-defined role-based access privileges.

FIG. 14 is a view of a feature of the Transaction Server Explorer's graphical user interface for mapping users to roles at deployment of a package having pre-defined role-based access privileges.

FIG. 15 is a view of a feature of the Transaction Server Explorer's graphical user interface for setting an authentication level and enabling authorization checking for the package.

FIG. 16 is a block diagram of a file structure of a package of server application components with role-based access privileges defined at development.

FIG. 17 is a block diagram showing registration of attributes for running a server application component grouped in the package of FIG. 16 in the execution environment of FIG. 2 at installation on the server computer of FIG. 1.

FIG. 18 is a block diagram illustrating authorization checks based on roles.

FIG. 19 is a block diagram illustrating a sequence of calls in an example server application to show operation of an advanced programmatic security interface.

DETAILED DESCRIPTION OF THE ILLUSTRATED EMBODIMENTS

The present invention is directed toward a method and system for declarative and programmatic access control of component-based server applications using roles. In one embodiment illustrated herein, the invention is incorporated into an application server execution environment or platform, entitled "Microsoft Transaction Server," marketed by Microsoft Corporation of Redmond, Wash. Briefly described, this software provides a run-time environment and services to support component-based server applications in a distributed network.

Exemplary Operating Environment

FIG. 1 and the following discussion are intended to provide a brief, general description of a suitable computing environment in which the invention may be implemented. While the invention will be described in the general context of computer-executable instructions of a computer program that runs on a server computer, those skilled in the art will recognize that the invention also may be implemented in combination with other program modules. Generally, program modules include routines, programs, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including single--or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor--based or programmable consumer electronics, and the like. The illustrated embodiment of the invention also is practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. But, some embodiments of the invention can be practiced on stand-alone computers. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

With reference to FIG. 1, an exemplary system for implementing the invention includes a conventional server computer 20, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The processing unit may be any of various commercially available processors, including Intel x86, Pentium and compatible microprocessors from Intel and others, including Cyrix, AMD and Nexgen; Alpha from Digital; MIPS from MIPS Technology, NEC, IDT, Siemens, and others; and the PowerPC from IBM and Motorola. Dual microprocessors and other multi-processor architectures also can be used as the processing unit 21.

The system bus may be any of several types of bus structure including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of conventional bus architectures such as PCI, VESA, Microchannel, ISA and EISA, to name a few. The system memory includes read only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system (BIOS), containing the basic routines that help to transfer information between elements within the server computer 20, such as during start-up, is stored in ROM 24.

The server computer 20 further includes a hard disk drive 27, a magnetic disk drive 28, e.g., to read from or write to a removable disk 29, and an optical disk drive 30, e.g., for reading a CD-ROM disk 31 or to read from or write to other optical media. The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical drive interface 34, respectively. The drives and their associated computer-readable media provide nonvolatile storage of data, data structures, computer-executable instructions, etc. for the server computer 20. Although the description of computer-readable media above refers to a hard disk, a removable magnetic disk and a CD, it should be appreciated by those skilled in the art that other types of media which are readable by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, and the like, may also be used in the exemplary operating environment.

A number of program modules may be stored in the drives and RAM 25, including an operating system 35, one or more application programs 36, other program modules 37, and program data 38. The operating system 35 in the illustrated server computer is the Microsoft Windows NT Server operating system, together with the before mentioned Microsoft Transaction Server.

A user may enter commands and information into the server computer 20 through a keyboard 40 and pointing device, such as a mouse 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor, server computers typically include other peripheral output devices (not shown), such as speakers and printers.

The server computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote client computer 49. The remote computer 49 may be a workstation, a server computer, a router, a peer device or other common network node, and typically includes many or all of the elements described relative to the server computer 20, although only a memory storage device 50 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, the server computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the server computer 20 typically includes a modem 54, or is connected to a communications server on the LAN, or has other means for establishing communications over the wide area network 52, such as the Internet. The modem 54, which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the server computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.

In accordance with the practices of persons skilled in the art of computer programming, the present invention is described below with reference to acts and symbolic representations of operations that are performed by the server computer 20, unless indicated otherwise. Such acts and operations are sometimes referred to as being computer-executed. It will be appreciated that the acts and symbolically represented operations include the manipulation by the processing unit 21 of electrical signals representing data bits which causes a resulting transformation or reduction of the electrical signal representation, and the maintenance of data bits at memory locations in the memory system (including the system memory 22, hard drive 27, floppy disks 29, and CD-ROM 31) to thereby reconfigure or otherwise alter the computer system's operation, as well as other processing of signals. The memory locations where data bits are maintained are physical locations that have particular electrical, magnetic, or optical properties corresponding to the data bits.

Server Application Execution Environment

With reference now to FIG. 2, a transaction server executive 80 provides run-time or system services to create a run-time execution environment 80 on a server computer 84 for the server application components (e.g., server application component 86). The transaction server executive also provides services for thread and context management to the server application components 86. Included in the services are a set of API functions, including a GetObjectContext and a SafeRef API functions described below.

The illustrated transaction server executive 80 is implemented as a dynamic link library ("DLL"). (A DLL is a well-known executable file format which allows dynamic or run-time linking of executable code into an application program's process.) The transaction server executive 80 is loaded directly into application server processes (e.g., "ASP" 90) that host server application components, and runs transparently in the background of these processes. The illustrated ASP 90 is a system process that hosts execution of server application components. Each ASP 90 can host multiple server application components that are grouped into a collection called a "package." Also, multiple ASPs 90 can execute on the server computer under a multi-threaded, multi-tasking operating system (e.g., Microsoft Windows NT in the illustrated embodiment). Each ASP 90 provides a separate trust boundary and fault isolation domain for the server application components. In other words, when run in separate ASPs, a fault by one server application component which causes its ASP to terminate generally does not affect the server application components in another ASP.

With reference to FIG. 4, server application components in the illustrated embodiment are grouped as a package to be run together in one ASP 90 using an administration utility called "the Transaction Server Explorer." This utility provides a graphical user interface (shown in FIGS. 4-13) for managing attributes associated with server application components, including grouping the components into packages and defining roles as discussed below.

In a typical installation shown in FIG. 2, the execution environment 80 is on the server computer 84 (which may be an example of the computer 20 described above) that is connected in a distributed computer network comprising a large number of client computers 92 which access the server application components in the execution environment. Alternatively, the execution environment 80 may reside on a single computer and host server application components accessed by client processes also resident on that computer.

Server Application Components

The server application components 86 that are hosted in the execution environment 80 of the ASP 90 implement the business logic of a server application, such as the code to manage class registrations in a university's registration application or orders in an on-line sales application. Typically, each server application comprises multiple components, each of which contains program code for a portion of the application's work. For example, a banking application may comprise a transfer component, a debit account component, and a credit account component which perform parts of the work of a money transfer operation in the application.

With reference now to FIG. 3, the server application component 86 (FIG. 2) in the illustrated embodiment conforms to the Component Object Model ("COM") of Microsoft Corporation's OLE and ActiveX specifications (i.e., is implemented as a "COM Object"), but alternatively may be implemented according to other object standards including the CORBA (Common Object Request Broker Architecture) specification of the Object Management Group. OLE's COM specification defines binary standards for components and their interfaces which facilitate the integration of software components. For a detailed discussion of OLE, see Kraig Brockschrnidt, Inside OLE, Second Edition, Microsoft Press, Redmond, Wash., 1995.

In accordance with COM, the server application component 86 is represented in the computer system 20 (FIG. 1) by an instance data structure 102, a virtual function table 104, and member functions 106-108. The instance data structure 102 contains a pointer 110 to the virtual function table 104 and data 112 (also referred to as data members, or properties of the component). A pointer is a data value that holds the address of an item in memory. The virtual function table 104 contains entries 116-118 for the member functions 106-108. Each of the entries 116-118 contains a reference to the code 106-108 that implements the corresponding member function.

The pointer 110, the virtual function table 104, and the member functions 106-108 implement an interface of the server application component 86. By convention, the interfaces of a COM object are illustrated graphically as a plug-in jack as shown for the server application component 100 in FIG. 3. Also, Interfaces conventionally are given names beginning with a capital "I." In accordance with COM, the server application component 86 can include multiple interfaces which are implemented with one or more virtual function tables. The member function of an interface is denoted as "IInterfaceName::FunctionName."

The virtual function table 104 and member functions 106-108 of the server application component 86 are provided by a server application program 120 (hereafter "server application DLL") which is stored in the server computer 84 (FIG. 2) as a dynamic link library file (denoted with a ".dll" file name extension). In accordance with COM, the server application DLL 120 includes code for the virtual function table 104 (FIG. 3) and member functions 106-108 (FIG. 3) of the classes that it supports, and also includes a class factory 122 that generates the instance data structure 102 (FIG. 3) for a component of the class.

Like any COM object, the sever application component can maintain internal state (i.e., its instance data structure 102 including data members 112) across multiple interactions with a client (i.e., multiple client program calls to member functions of the component). The server application component that has this behavior is said to be "stateful." The server application component can also be "stateless," which means the component does not hold any intermediate state while waiting for the next call from a client.

In the execution environment 80 of FIG. 2, the server application component 86 is executed under control of the transaction server executive 80 in the ASP 90. The transaction server executive 80 is responsible for loading the server application DLL 300 into the ASP 90 and instantiating the server application component 86 using the class factory 122 as described in more detail below. The transaction server executive 80 further manages calls to the server application component 86 from client programs (whether resident on the same computer or over a network connection).

The illustrated execution environment 80 imposes certain additional requirements on the server application component 86 beyond conforming with COM requirements. First, the server application component is implemented in a DLL file (i.e., the server application DLL 120 of FIG. 3). (COM objects otherwise alternatively can be implemented in an executable (".exe") file.) Second, the component's DLL file 120 has a standard class factory 122 (i.e., the DLL implements and exports the DllGetClassObject function, and supports the IClassFactory interface). Third, the server application component exports only interfaces that can be standard marshaled, meaning the component's interfaces are either described by a type library or have a proxy-stub DLL. The proxy-stub DLL provides a proxy component 130 in a client process 132 on the client computer 92, and a stub component 131 in the ASP 90 on the server computer 84. The proxy component 130 and stub component 131 marshal calls from a client program 134 across to the server computer 84. The proxy-stub DLL in the illustrated system is built using the MIDL version 3.00.44 provided with the Microsoft Win32 SDK for Microsoft Windows NT 4.0 with the Oicf compiler switch, and linked with the transaction server executive 80. These additional requirements conform to well known practices.

The client program 134 of the server application component 86 is a program that uses the server application component. The client program can be program code (e.g., an application program, COM Object, etc.) that runs outside the execution environment 80 (out of the control of the transaction server executive 80). Such client programs are referred to as "base clients. Alternatively, the client program 134 can be another server application component that also runs under control of the transaction server executive (either in the same or a separate ASP 90). The client program 134 can reside on the server computer 84 or on a separate client computer 92 as shown in FIG. 2 (in which case the client computer interacts with the server application component 86 remotely through the proxy object 130).

Before the server application component 86 can execute in the illustrated execution environment 80, the server application component 86 is first installed on the server computer 84. As with any COM object, the server application component 86 is installed by storing the server application DLL file 120 that provides the server application component 86 in data storage accessible by the server computer (typically the hard drive 27, shown in FIG. 1, of the server computer), and registering COM attributes (e.g., class identifier, path and name of the server application DLL file 120, etc. as described below) of the server application component in the system registry. The system registry is a configuration database. Preferably, the server application component is packaged to self register its COM attributes as shown in FIG. 17 and discussed below. In addition to the server application component's COM attributes, the server application is registered in the system registry with a "transaction server execution" attribute indicating that the server application component is run under control of the transaction server executive in the illustrated execution environment 80. In the illustrated embodiment, this attribute has the form shown in the following example registry entry.

    ______________________________________
    HKEY.sub.-- CLASSES.sub.-- ROOT.backslash.CLSID.backslash.{AB077646-E902-1
    1D0-B5BE-
    00C04FB957D8}.backslash.LocalServer32 = C:.backslash.WINNT.backslash.Syste
    m32.backslash.mtx.exe/
    p:{DA16F24B-2E23-11D1-8116-00C04FC2F9C1}
    ______________________________________

    ______________________________________
    If roles are configured on the component interface Then
      If caller is in the set of roles on the component interface
        Return call authorization succeeds
      End if
    End if
    If roles are configured on the component Then
      If caller is in the set of roles on the component
        Return call authorization succeeds
      End if
    End if
    Return call authorization fails
    ______________________________________

    ______________________________________
              coclass HRData
              {
                 IReadInformation
                 IWriteInformation
              }
    ______________________________________

    ______________________________________
    DECLARE.sub.-- INTERFACE.sub.-- (IObjectContext, IUnknown)
      //IUnknown functions
      HRESULT QueryInterface(THIS.sub.-- REFIID riid, LPVOID FAR*
        ppvObj);
      ULONG AddRef(THIS);
      ULONG Release(THIS);
    //IObjectContext functions
    HRESULT CreateInstance(THIS.sub.-- REFCLSID rclsid, REFIID
      riid, LPVOID FAR* ppvObj);
      HRESULT SetComplete(THIS);
      HRESULT SetAbort(THIS);
      HRESULT EnableCommit(THIS);
      HRESULT DisableCommit(THIS);
      BOOL IsIn Transaction(THIS);
      HRESULT IsCallerInRole (BSTR bstrRole, BOOL* pfIsInRole);
      BOOL IsSecurityEnabled ();
    };
    ______________________________________

                  TABLE 1
    ______________________________________
    IObjectContext::IsCallerInRole Return Values
    Value         Description
    ______________________________________
    S.sub.-- OK   The role specified in the bstrRole
                  parameter is a recognized role, and the
                  Boolean result returned in the
                  pfIsInRole parameter indicates whether
                  or not the caller is in the role.
    CONTEXT.sub.-- E.sub.--
                  The role specified in the bstrRole
                  parameter does not exist.
    E.sub.-- INVALIDARG
                  One or more of the arguments passed
                  in is invalid.
    E.sub.-- UNEXPECTED
                  An unexpected error occurred. This
                  can happen if one object passes its
                  IObjectContest pointer to another
                  object and the other object calls
                  IsCallerInRole using this pointer. An
                  IObjectContext pointer is not valid
                  outside the context of the object that
                  originally obtained it.
    ______________________________________

                  TABLE 2
    ______________________________________
    SafeRef Return Values
    Value        Description
    ______________________________________
    Non-Null     A safe reference to the interface
                 specified in the riid parameter.
    NULL         The server application component
                 requested a safe reference on an object
                 other than itself, or the interface
                 specified by the riid parameter is not
                 implemented by the server application
                 component.
    ______________________________________

                  TABLE 3
    ______________________________________
    GetObjectContext Return Values
    Value           Description
    ______________________________________
    S.sub.-- OK     A reference to the IObjectContext
                    interface of the server application
                    component's component context object
                    is returned in the ppInstanceContext
                    parameter.
    E.sub.-- INVALIDARG
                    The argument passed in the
                    ppInstanceContext parameter is
                    invalid.
    E.sub.-- UNEXPECTED
                    An unexpected error occurred.
    CONTEXT.sub.-- E.sub.-- NOCONTEXT
                    The server application component
                    doesn't have a component context
                    object, such as because the component
                    was not created under the transaction
                    server executive's control.
    ______________________________________

                  TABLE 3
    ______________________________________
    ISecurityProperty member functions
    Function     Description
    ______________________________________
    GetDirectCallerSID
                 Retrieves the security ID of the external
                 process that called the currently executing
                 method.
    GetDirectCallerSID
                 Retrieves the security ID of the external
                 process that called the currently executing
                 method.
    GetDirectCreatorSID
                 Retrieves the security ID of the external
                 process that directly created the current
                 object.
    GetOriginalCallerSID
                 Retrieves the security ID of the base process
                 that initiated the call sequence from which the
                 current method was called.
    GetOriginalCreatorSID
                 Retrieves the security ID of the base process
                 that initiated the activity in which the current
                 object is executing.
    ReleaseSID   Releases the security ID returned by one of
                 the other ISecurityProperty methods.
    ______________________________________

    ______________________________________
    HRESULT ISecurityProperty::GetDirectCallerSID (
      PSID* ppSid
    );
    HRESULT ISecurityProperty::GetDirectCreatorSID (
      PSID* ppSid
    );
    HRESULT ISecurityProperty::GetOriginalCallerSID (
      PSID* ppSid
    );
    HRESULT ISecurityProperty::GetOriginalCreatorSID (
      PSID* ppSid
    );
    HRESULT ISecurityProperty::ReleaseSID (
      PSID pSID
    );
    ______________________________________

• Inventors
  Helland, Patrick James; Limprecht, Rodney; Al-Ghosein, Mohsen; Reed, David R.; Devlin, William D.;
• Assignee
  Microsoft Corporation (Redmond, WA)
• Published
  Jan-11-2000
• Current US Classes:
  707/10
  707/9
  717/104
  717/117
• Application #
  958974
• International Classes
  G06F 017/30
• Field of Search
  707/103 707/9 707/10 395/701 395/703 395/704 395/702 395/707 395/710
• Examiner
  Fetting; Anton W.
• Agent
  Klarquist Sparkman Campbell Leigh & Whinston LLP
• US Patent References:
  5455953
  5481715
  5524238
  5577252
  5689708
  5717439
  5778365
  5815665
  5822435
  5832274
  5838916
  5864683
  5881225
  5941947