
Apparatus, methods and computer program products for secure distributed data processing using user-specific service access managers and propagated security identifications


Abstract

A user-specific Service Access Manager object is instantiated at a computer in response to a request for access for a user at a client, e.g., an object or other process resident at a second computer. The Service Access Manager object includes a first security identification, e.g., a Security Certificate object, which is specific to the user. A reference for the Service Access Manager object is returned to the client. A service request method call requesting a service is performed to the Service Access Manager object from the client. A user-specific Service object is instantiated at the computer if the first security identification identifies a user authorized to invoke a constructor method of the Service object's class, the Service object including a second security identification specific to the user identified in the first security identification. A reference for the user-specific Service object is returned to the client, which may then perform an operation request method call to the Service object, the operation request method call requesting an operation by the Service object. The operation is conditionally performed based on whether the user identified in the second security identification is authorized to invoke the operation request method. Responses to the service request and operation request method calls preferably are conditioned upon validation calls to a Security Manager object that checks a security identification and a required method invocation right against an access control list. Related systems and computer program products are discussed.
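The flow in the abstract, sketched as an added example that is not code from the patent or its applicant. It assumes the user is already authenticated, uses in-process references in place of remote object references, and the right names (`Service.__init__`, `Service.read_status`, `Service.shutdown`), user names and the `attempt` helper are hypothetical.

```python
class AccessDenied(Exception):
    pass

class SecurityCertificate:
    """Security identification bound to one user (assumed minimal form)."""
    def __init__(self, user):
        self.user = user

class SecurityManager:
    """Checks (user, required method right) against an access control list."""
    def __init__(self, acl):
        self._acl = set(acl)
    def validate(self, cert, right):
        if (cert.user, right) not in self._acl:
            raise AccessDenied(f"{cert.user} lacks {right}")

class Service:
    """User-specific service; carries the second security identification."""
    def __init__(self, cert, secman):
        # Identity is propagated server-side; the client never supplies it.
        self._cert = SecurityCertificate(cert.user)
        self._secman = secman
    def read_status(self):
        self._secman.validate(self._cert, "Service.read_status")
        return "status: ok"
    def shutdown(self):
        self._secman.validate(self._cert, "Service.shutdown")
        return "shutting down"

class ServiceAccessManager:
    """User-specific entry point; carries the first security identification."""
    def __init__(self, user, secman):
        self._cert = SecurityCertificate(user)
        self._secman = secman
    def request_service(self):
        # The constructor right is checked before the Service is instantiated.
        self._secman.validate(self._cert, "Service.__init__")
        return Service(self._cert, self._secman)

def attempt(call):
    """Run a client call and return its result or the denial message."""
    try:
        return call()
    except AccessDenied as exc:
        return f"denied: {exc}"

# Constructed sample ACL: alice may construct and read; bob has no rights.
ACL = [("alice", "Service.__init__"), ("alice", "Service.read_status")]
SECMAN = SecurityManager(ACL)
```

Because each operation is validated against the identity held inside the Service object, a leaked or shared object reference still acts only with the rights of the user it was created for.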

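Bibliographic data

  • Publication number: AU4040500A
  • Publication date: 2000-10-23
  • Original format: PDF
  • Applicant/patentee: POWERWARE CORPORATION
  • Application number: AU20000040405
  • Inventors: TIMOTHY A. LOWERY; VINCENT A. GEORGE
  • Filing date: 2000-03-28
  • Classification: G06F9/00
  • Country: AU
  • Database entry time: 2022-08-22 01:51:48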
