Controlling user access to content

US 10,178,098 B2
Filed: 05/11/2015
Issued: 01/08/2019
Est. Priority Date: 05/11/2015
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to content in a distributed storage environment, comprising:

tracking, by a server, access by a user to a plurality of Internet-accessible storage locations of the distributed storage environment;

compiling, by the server, a list ranking the Internet-accessible storage locations of the distributed storage environment accessed by the user based on a number of times the Internet-accessible storage locations are accessed by the user;

identifying, by the server, a predetermined number of top Internet-accessible storage locations on the list ranking the Internet-accessible storage locations accessed by the user, the predetermined number of top Internet-accessible storage locations comprising a subset of the plurality of Internet-accessible storage locations;

receiving, at the server, a first request by the user to access a content item at a first Internet-accessible storage location, access to the content item at the first Internet-accessible storage location requiring authentication of the user;

successfully authenticating, by the server, the user to access the content item at the first Internet-accessible storage location;

determining that the first Internet-accessible storage location is in the predetermined number of top Internet-accessible storage locations;

based on the successful authentication and in response to determining that the first Internet-accessible storage location is in the predetermined number of top Internet-accessible storage locations, augmenting, by the server, an authentication token for the user to indicate that the user is authorized to access the content item at the first Internet-accessible storage location by adding a location path of the content item at the first Internet-accessible storage location to the authentication token, the augmented authentication token comprising a plurality of location paths of content items at the predetermined number of top Internet-accessible storage locations;

receiving a second request by the user to access the content item at the first Internet-accessible storage location;

receiving the augmented authentication token in connection with the second request;

determining that the augmented authentication token comprises the location path to the first Internet-accessible storage location;

authenticating, by the server, the user to access the content item at the first Internet-accessible storage location in response to determining that the augmented authentication token comprises the location path to the first Internet-accessible storage location; and

providing, to the user, access to the content item at the first Internet-accessible storage location based on authenticating the user to access the content item using the augmented authentication token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for controlling access to content include an authentication process that provides for increased speed by reducing, or eliminating in some cases, steps in the authentication process. In particular, the systems and methods can encode content paths previously authenticated for a particular user into an authentication token. When the user attempts to access one of the top content paths, the systems and methods can verify the user based on the encoded authentication token rather than following a complete authentication process.

20 Citations

View as Search Results

20 Claims

1. A method of controlling access to content in a distributed storage environment, comprising:
- tracking, by a server, access by a user to a plurality of Internet-accessible storage locations of the distributed storage environment;
  
  compiling, by the server, a list ranking the Internet-accessible storage locations of the distributed storage environment accessed by the user based on a number of times the Internet-accessible storage locations are accessed by the user;
  
  identifying, by the server, a predetermined number of top Internet-accessible storage locations on the list ranking the Internet-accessible storage locations accessed by the user, the predetermined number of top Internet-accessible storage locations comprising a subset of the plurality of Internet-accessible storage locations;
  
  receiving, at the server, a first request by the user to access a content item at a first Internet-accessible storage location, access to the content item at the first Internet-accessible storage location requiring authentication of the user;
  
  successfully authenticating, by the server, the user to access the content item at the first Internet-accessible storage location;
  
  determining that the first Internet-accessible storage location is in the predetermined number of top Internet-accessible storage locations;
  
  based on the successful authentication and in response to determining that the first Internet-accessible storage location is in the predetermined number of top Internet-accessible storage locations, augmenting, by the server, an authentication token for the user to indicate that the user is authorized to access the content item at the first Internet-accessible storage location by adding a location path of the content item at the first Internet-accessible storage location to the authentication token, the augmented authentication token comprising a plurality of location paths of content items at the predetermined number of top Internet-accessible storage locations;
  
  receiving a second request by the user to access the content item at the first Internet-accessible storage location;
  
  receiving the augmented authentication token in connection with the second request;
  
  determining that the augmented authentication token comprises the location path to the first Internet-accessible storage location;
  
  authenticating, by the server, the user to access the content item at the first Internet-accessible storage location in response to determining that the augmented authentication token comprises the location path to the first Internet-accessible storage location; and
  
  providing, to the user, access to the content item at the first Internet-accessible storage location based on authenticating the user to access the content item using the augmented authentication token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method as recited in claim 1, wherein the location path of the content item at the first Internet-accessible storage location comprises a file path of the content item within a file structure on one or more content servers.
  - 3. The method as recited in claim 1, further comprising:
    - encrypting at least a portion of the augmented authentication token;
      
      sending the encrypted, augmented authentication token to a client device from which the first request by the user to access the content item at the first Internet-accessible storage location was received; and
      
      decrypting the encrypted, augmented authentication token in response to receiving the encrypted, augmented authentication token in connection with the second request.
  - 4. The method as recited in claim 1, wherein augmenting the authentication token for the user to indicate that the user is authorized to access the content item at the first Internet-accessible storage location comprises:
    - identifying, at the server, a root path of the content item at the first Internet-accessible storage location;
      
      determining that the user has permissions to access the root path at the server; and
      
      encoding the root path into the authentication token.
  - 5. The method as recited in claim 4, wherein the root path at the server comprises a folder corresponding to the content item at the server.
  - 6. The method as recited in claim 5, wherein determining that the user has permissions to access the root path at the server comprises determining that the user has access to all content in the root path at the server.
  - 7. The method as recited in claim 4, further comprising:
    - receiving an additional request by the user to access a second content item at a second Internet-accessible storage location, the second Internet-accessible storage location being associated with the root path associated with the location path of the content item at the first Internet-accessible storage location;
      
      determining that the augmented authentication token comprises the root path at the server;
      
      authenticating the user to access the second content item at the second Internet-accessible storage location in response to determining that the augmented authentication token comprises the root path at the server; and
      
      providing, to the user, access to the second content item at the second Internet-accessible storage location based on authenticating the user to access the second content item using the augmented authentication token.
  - 8. The method as recited in claim 1, further comprising:
    - determining that a second Internet-accessible storage location is no longer in the predetermined number of the top Internet-accessible storage locations on the list ranking the Internet-accessible storage locations accessed by the user; and
      
      removing a second location path of a content item at the second Internet-accessible storage location from the authentication token in response to the second Internet-accessible storage location no longer being in the predetermined number of the top Internet-accessible storage locations on the list ranking the Internet-accessible storage locations accessed by the user.
  - 9. The method as recited in claim 1, wherein successfully authenticating, by the server, the user to access the content item at the first Internet-accessible storage location in response to the first request comprises:
    - extracting, from the authentication token, a user identifier from authentication credentials provided for the user;
      
      accessing an access list from a repository; and
      
      confirming that the access list indicates that the user identifier is authorized to access the content item at the first Internet-accessible storage location.
  - 10. The method as recited in claim 9, wherein authenticating, by the server, the user to access the content item at the first Internet-accessible storage location comprises:
    - determining that the augmented authentication token includes an indication that the user is authorized to access the content item at the first Internet-accessible storage location without accessing the repository to confirm that the access list indicates that the user identifier is authorized to access the content item at the first Internet-accessible storage location.

11. A non-transitory computer readable medium storing instructions thereon that, when executed by at least one processor, cause a computing device to perform steps comprising:
- tracking access by a user to a plurality of Internet-accessible storage locations of a distributed storage environment;
  
  compiling a list ranking the Internet-accessible storage locations of the distributed storage environment accessed by the user based on a number of times the Internet-accessible storage locations are accessed by the user with successful authentication;
  
  augmenting an authentication token by adding to the authentication token, a plurality of location paths of content items at a predetermined number of top Internet-accessible storage locations on the list ranking the Internet-accessible storage locations accessed by the user, the predetermined number of top Internet-accessible storage locations comprising a subset of the plurality of Internet-accessible storage locations;
  
  receiving the augmented authentication token in connection with a first request to access a content item at a first Internet-accessible storage location, access to the content at the first Internet-accessible storage location requiring authentication based on authentication credentials in the token;
  
  comparing a first location path of the content item at the first Internet-accessible storage location to the plurality of location paths in the token corresponding to the predetermined number of top Internet-accessible storage locations;
  
  determining that the first location path matches one of the plurality of location paths in the token; and
  
  providing, in response to a determination that the first location path matches one of the plurality of location paths in the token, access to the content item at the first Internet-accessible location without accessing an access list in a repository to authenticate the authentication credentials in the token.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory computer readable medium as recited in claim 11, the steps further comprising:
    - receiving the token in connection with a second request to access a second content item at a second Internet-accessible storage location, access to the second content item at the second Internet-accessible storage location requiring authentication;
      
      comparing a second location path of the second content item at the second Internet-accessible storage location to the plurality of location paths in the token;
      
      determining that the second location path does not match one of the plurality of location paths in the token;
      
      in response to determining that the second location path does not match one of the plurality of location paths in the token;
      
      accessing the access list from the repository; and
      
      confirming that the access list indicates that a user identifier extracted from the token is authorized to access the content item at the second Internet-accessible location.
  - 13. The non-transitory computer readable medium as recited in claim 12, the steps further comprising:
    - determining, in response to a successful authentication of the user for the second content item, that the second Internet-accessible storage location is in the predetermined number of top Internet-accessible storage locations; and
      
      in response to determining that the second Internet-accessible storage location is in the predetermined number of top Internet-accessible location paths, augmenting the authentication token by adding, to the authentication token, the second location path of the second content item.
  - 14. The non-transitory computer readable medium as recited in claim 13, further comprising:
    - identifying a root path of a content item at an Internet-accessible storage location of the predetermined number of top Internet-accessible storage locations;
      
      determining that the user has permissions to access the root path; and
      
      encoding the root path into the authentication token.
  - 15. The non-transitory computer readable medium as recited in claim 14, wherein determining that the user has permissions to access the root path comprises determining that the user has access to all content in the root path.
  - 16. The non-transitory computer readable medium as recited in claim 11, the steps further comprising:
    - receiving, at a server, the token in connection with a second request to access the content item at the first Internet-accessible storage location;
      
      determining that the token has expired based on an expiration indicator; and
      
      in response to determining that the token has expired;
      
      accessing an access list from a repository; and
      
      confirming that the access list indicates that a user identifier extracted from the token is authorized to access the content item at the first Internet-accessible storage location.

17. A system for controlling access to content in a distributed storage environment, comprising:
- at least one processor; and
  
  at least one non-transitory computer readable storage medium storing instructions thereon, that, when executed by the at least one processor, cause the system to;
  
  track access by a user to a plurality of location paths of content items on one or more content servers;
  
  compile a list ranking the plurality of location paths accessed by the user based on a number of times each of the plurality of location paths is accessed by the user;
  
  identify a predetermined number of top location paths on the list ranking the plurality of location paths accessed by the user, the predetermined number of top location paths comprising a subset of the plurality of location paths;
  
  receive a first request to access a content item at a first location path of the content item on one or more content servers, access to the content item at the first location path requiring authentication;
  
  successfully authenticate access to the content item at the first location path based on accessing an access list at a repository;
  
  determine that the first location path is in the predetermined number of top location paths;
  
  based on the successful authentication and in response to determining that the first location path is in the predetermined number of top location paths, augment a token to authorize access to the content item at the first location path by adding the first location path of the content item on the one or more content servers to the token, the token comprising the predetermined number of top location paths;
  
  receive the augmented token in connection with a second request to access the content item at the first location path on the one or more servers;
  
  compare the first location path to one or more location paths encoded within the token;
  
  determine that the first location path is encoded within the token; and
  
  provide access to the content item at the first location path on the one or more servers based on the first location path being encoded within the token.
- View Dependent Claims (18, 19, 20)
- - 18. The system as recited in claim 17, further comprising instructions that, when executed by the at least one processor, cause the system to:
    - determine that a second location path in the augmented token is no longer in the predetermined number of top location paths on the list ranking the plurality of location paths accessed by the user; and
      
      removing the second location path from the augmented token in response to the second location path no longer being in the predetermined number of top location paths.
  - 19. The system as recited in claim 17, further comprising instructions that, when executed by the at least one processor, cause the system to:
    - identify a root path of the content item at the first location path at the one or more content servers;
      
      determine that the user has permissions to access all content in the root path at the one or more content servers; and
      
      encode the root path into the augmented token in response to determining that the user has permissions to access all content in the root path.
  - 20. The system as recited in claim 19, wherein the root path comprises a folder corresponding to the content item at the one or more content servers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Sanso, Antonio
Primary Examiner(s)
Colin, Carl G
Assistant Examiner(s)
Lavelle, Gary E

Application Number

US14/709,257
Publication Number

US 20160337369A1
Time in Patent Office

1,338 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/00   Network architectures or ne...

H04L 63/04   for providing a confidentia...

H04L 63/0442   wherein the sending and rec...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/1097   for distributed storage of ...

Controlling user access to content

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

20 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling user access to content

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

20 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links