Controlling exposure of sensitive data and operation using process bound security tokens in cloud computing environment
First Claim

1. A method comprising:
- receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;
- endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and
- responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;
- determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;
- looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;
- endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and
- forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;
- thereby binding the plurality of request messages together through endorsement by the downstream server process.
Abstract
Exposure of sensitive information to users is controlled using a first security token, containing the user identity and user credentials, to represent the user who requests services, and a second security token containing two further identities, one identifying the token issuer and the other identifying the owning process. When requesting services, the token-owning process sends a security token to indicate who is making the request and uses its key to digitally sign the request; the signature indicates that the process endorses the request. A receiving server accepts a request only if (1) the token-owning process has endorsed the request by signing it; (2) the token is valid, i.e. it is signed by its issuer, the digital signature verifies, and the token has not expired; (3) the user entity represented by the token, which can be a real user, a deployment, or a server process, is authorized to access the specified resources; and (4) the token-owning process is authorized to endorse the user entity represented by the token for access to the specified resources.
15 Claims
1. A method comprising:
- receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;
- endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and
- responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;
- determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;
- looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;
- endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and
- forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;
- thereby binding the plurality of request messages together through endorsement by the downstream server process.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A computer program product comprising:
- a computer-readable storage memory which is not a propagating signal per se; and
- program instructions embodied by the computer-readable storage memory which cause one or more processors to, when executed, perform the steps comprising:
- receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;
- endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and
- responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;
- determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;
- looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;
- endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and
- forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;
- thereby binding the plurality of request messages together through endorsement by the downstream server process.
Dependent claims: 9, 10, 11

12. A system comprising:
- a computing system having one or more processors;
- a computer-readable storage memory which is not a propagating signal per se; and
- program instructions embodied by the computer-readable storage memory which cause the one or more processors to, when executed, perform the steps comprising:
- receiving, by a downstream server process from an owning process, a first request message for a separate requester to access or communicate to a targeted server;
- endorsing, by the downstream server process, the first request message by attaching a security token representing the downstream server; and
- responsive to receiving, by the downstream server process, from the requester via an inlet server, a second or more request messages;
- determining, by the downstream server process, that the second or more message has a single sign-on cookie attached;
- looking up, by the downstream server process, a user token associated with the attached single sign-on cookie;
- endorsing, by the downstream server process, the second or more message by attaching a security token representing the downstream server; and
- forwarding, by the downstream server process, the endorsed second or more requests including the user tokens to the targeted server;
- thereby binding the plurality of request messages together through endorsement by the downstream server process.
Dependent claims: 13, 14, 15
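The following is an added illustration, not code from the patent or its assignee, of the flow the abstract and the independent claims describe: a token issuer binds a user token to an owning process, the downstream process looks up the user token for a single sign-on cookie and endorses the forwarded request, and the targeted server applies the four acceptance conditions. HMAC with constructed per-principal keys stands in for the digital signatures; the key tables, ACLs, names and message layout are all assumptions made for the example.

```python
import hmac, hashlib

# Constructed keys and policy tables (HMAC stands in for asymmetric signatures).
ISSUER_KEYS = {"sts": b"issuer-key-constructed"}          # token issuer -> key
PROCESS_KEYS = {"downstream": b"downstream-key-constructed"}  # owning process -> key
USER_ACL = {"alice": {"/reports"}, "carol": {"/reports"}, "downstream": {"/health"}}  # (3)
ENDORSE_ACL = {"downstream": {"alice", "downstream"}}         # who a process may endorse (4)
SSO_SESSIONS = {}  # single sign-on cookie -> user token, kept by the downstream process

def _mac(key, *parts):
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()

def issue_token(issuer, subject, owner, exp):
    """Issuer signs subject, owning process and expiry; the token is bound to `owner`."""
    tok = {"issuer": issuer, "subject": subject, "owner": owner, "exp": exp}
    tok["sig"] = _mac(ISSUER_KEYS[issuer], issuer, subject, owner, str(exp))
    return tok

def endorse(process, token, resource):
    """The token-owning process signs resource + token signature to endorse the request."""
    return {"resource": resource, "token": token, "endorser": process,
            "endorsement": _mac(PROCESS_KEYS[process], process, resource, token["sig"])}

def accept(req, now):
    """Targeted server: the four acceptance conditions from the abstract."""
    tok, proc = req["token"], req["endorser"]
    if proc != tok["owner"] or proc not in PROCESS_KEYS:                 # (1)
        return False, "request not endorsed by token-owning process"
    want = _mac(PROCESS_KEYS[proc], proc, req["resource"], tok["sig"])
    if not hmac.compare_digest(want, req["endorsement"]):
        return False, "endorsement signature invalid"
    ikey = ISSUER_KEYS.get(tok["issuer"])                                 # (2)
    want = _mac(ikey, tok["issuer"], tok["subject"], tok["owner"], str(tok["exp"])) if ikey else ""
    if not ikey or not hmac.compare_digest(want, tok["sig"]) or now >= tok["exp"]:
        return False, "token invalid or expired"
    if req["resource"] not in USER_ACL.get(tok["subject"], set()):        # (3)
        return False, "subject not authorized for resource"
    if tok["subject"] not in ENDORSE_ACL.get(proc, set()):                # (4)
        return False, "process not authorized to endorse subject"
    return True, "accepted"

def login(cookie, user_token):
    SSO_SESSIONS[cookie] = user_token  # downstream process remembers token per SSO cookie

def forward_via_inlet(cookie, resource, now):
    """Follow-up message from the requester arrives via the inlet server with only the cookie."""
    tok = SSO_SESSIONS.get(cookie)
    if tok is None:
        return False, "no user token for cookie"
    return accept(endorse("downstream", tok, resource), now)
```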
Specification