Method and apparatus for protection domain based security

Abstract

A first application instance is associated with a protection domain based on credentials (e.g.: a signed certificate) associated with a set of application code that, when executed, gives rise to the application instance. The first application instance executes in a first execution context. An indication is received that the first application instance seeks access to protected functionality associated with a second execution context. In response to receiving the indication, a determination is made as to whether the first application instance has permission to access the protected functionality. The determination is made by determining the protection domain with which the first application instance is associated, and determining if the protection domain with which the first application instance is associated is in the set of one or more protection domains.

Description

Background technique

[0001] There are many computing and runtime environments that have the need to interact with each other and with other software, such as libraries. A firewall or the like is a technology for protecting applications or other software. One type of firewall is to execute each application (or application package) in its own execution context. For example, some computing environments support isolation of application execution contexts.

[0002] The isolation of an application's execution context means that an application cannot access objects or data owned by an application in another context unless the other application explicitly provides an interface for access. Context isolation may be enforced by a firewall. For example, an application executing in the same context as an object instance created in (its own context) is allowed to access the object instance. Applications can provide interfaces for other applications to access in the form of shareable int...

Images