Hosted application sandbox model

US 10,447,684 B2
Filed: 11/19/2015
Issued: 10/15/2019
Est. Priority Date: 04/24/2009
Status: Active Grant

First Claim

Patent Images

1. A server configured to execute an application on behalf of a user of a device connected to the server over a network, the server having a network address and comprising:

an application memory that stores the application; and

an application domain allocator that allocates at least two subdomains of the server for respective instances of the application, where the at least two subdomains are mapped to the network address of the server through one routing rule in a routing table;

an application instantiator comprising instructions that, when executed by the server, cause the server to;

receive a request from a user to execute the application;

select, from among the at least two subdomains of the server allocated for respective instances of the application, a subdomain that has not yet been selected for another instance of the application;

instantiate a new instance of the application; and

serve the new instance of the application to the device of the user through the selected subdomain.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user'"'"'s computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user'"'"'s computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.

Citations

20 Claims

1. A server configured to execute an application on behalf of a user of a device connected to the server over a network, the server having a network address and comprising:
- an application memory that stores the application; and
  
  an application domain allocator that allocates at least two subdomains of the server for respective instances of the application, where the at least two subdomains are mapped to the network address of the server through one routing rule in a routing table;
  
  an application instantiator comprising instructions that, when executed by the server, cause the server to;
  
  receive a request from a user to execute the application;
  
  select, from among the at least two subdomains of the server allocated for respective instances of the application, a subdomain that has not yet been selected for another instance of the application;
  
  instantiate a new instance of the application; and
  
  serve the new instance of the application to the device of the user through the selected subdomain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The server of claim 1:
    - the server comprising a web application server;
      
      the application comprising a web application; and
      
      the device of the user executing a web browser, whereinserving of the new instance of the application comprises providing a web page embedding the application to the device, the web page to be rendered in the web browser.
  - 3. The server of claim 2, wherein the web page embeds the application within an isolation construct that isolates the application other applications executing on the computer.
  - 4. The server of claim 3, the isolation construct comprising a hypertext markup language IFRAME element associated with the distinct subdomain allocated for the application.
  - 5. The server of claim 1:
    - the server configured to execute a first instance of the application and a second instance of the application;
      
      the application instantiator further to;
      
      allocate a first distinct subdomain of the server for the first instance of the application mapped to the network address of the server;
      
      allocate a second distinct subdomain of the server for the second instance of the application mapped to the network address of the server;
      
      associate the first instance of the application with the first distinct subdomain; and
      
      associate the second instance of the application with the second distinct subdomain.
  - 6. The server of claim 5:
    - the first instance of the application executed on behalf of a first user, andthe second instance of the application executed on behalf of a second user.
  - 7. The server of claim 1, wherein the application instantiator further authenticates the user according to at least one user authentication credential received from the user before executing the application.
  - 8. The server of claim 7, comprising:
    - a user login interface that;
      
      presents to the user a user login interface configured to receive from the user at least one user login credential;
      
      receives from the user the at least one user login credential;
      
      verifies the at least one user login credential; and
      
      responsive to verifying the at least one user login credential;
      
      generates the at least one user authentication credential, andsends to the device the at least one user authentication credential.
  - 9. The server of claim 1, wherein the application instantiator further authenticates the application according to at least one application authentication credential received from the application before executing the application.
  - 10. The server of claim 1, the server having access to a computing environment memory that stores at least one data object comprising a computing environment of the user.
  - 11. The server of claim 10:
    - the application comprising instructions configured to perform at least one operation applicable to the computing environment of the user according to at least one permission;
      
      the device of the user that stores at least one permission token representing a permission to apply the at least one operation of the application to the computing environment of the user; and
      
      the application instantiator executes the application by;
      
      receiving the at least one permission token with the request to execute the application on behalf of the user;
      
      validating the at least one permission token; and
      
      upon validating the at least one permission token, applying the operation of the application to the computing environment of the user.
  - 12. The server of claim 11:
    - the server comprising a web application server;
      
      the application comprising a web application;
      
      the at least one permission token comprising a permission cookie; and
      
      the device of the user executing a web browser that;
      
      stores the permission cookie, andsends the permission cookie to the web application server with the request to execute the application.
  - 13. The server of claim 11, the server comprising:
    - a permission token generator that;
      
      receives from the user an authorization of the permission to apply the at least one operation of the application to the computing environment;
      
      generates the permission token indicating the permission to apply the at least one operation of the application to the computing environment; and
      
      sends the permission token to the device.
  - 14. The server of claim 10, comprising:
    - an application installer that;
      
      receives a request from the user to install the application, andinstalls the application within the computing environment of the user.
  - 15. The server of claim 14, comprising:
    - an application catalog that presents to the user at least one application stored in the application memory and installable within the computing environment of the user.
  - 16. The server of claim 14, comprising:
    - an application receiver that;
      
      receives an application from an application developer;
      
      stores the application in the application memory; and
      
      invokes the application registering component to allocate the distinct subdomain of the system for the application.
  - 17. The server of claim 16, wherein the application receiver, responsive to receiving the application from the application developer, issues to the application at least one application authentication credential.
  - 18. The server of claim 14, wherein:
    - the application performs at least one operation applicable to the computing environment of the user according to at least one permission, andthe application installer further, while installing the application on behalf of the user, to;
      
      presents to the user at least one permission request query requesting an authorization of the permission of the application;
      
      receives the authorization from the user; and
      
      stores the authorization.

19. A computer-readable storage memory device storing instructions that, when executed by at least one processor of a device connected to a network and having a network address and an application memory, cause the device to execute an application by:
- storing the application in the application memory;
  
  allocating at least two subdomains of the device for respective instances of the application, where the at least two subdomains are mapped to the network address of the device through one routing rule in a routing table;
  
  receiving a request from a user to execute the application;
  
  selecting, from among the at least two subdomains of the device allocated for respective instances of the application, a subdomain that has not yet been selected for another instance of the application;
  
  instantiating a new instance of the application; and
  
  serving the new instance of the application to a user device of the user through the selected subdomain.

20. A system that serves an application hosted by a network address and provided to users over a network, the system having a network address and comprising:
- a processor; and
  
  a memory storing instructions that, when executed by the processor, cause the system to;
  
  allocate at least two subdomains of the system for respective instances of the application, where the at least two subdomains are mapped to the network address of the system through one routing rule in a routing table;
  
  receive a request from a user to execute the application;
  
  instantiate a new instance of the application;
  
  select, from among the at least two subdomains of the server allocated for respective instances of the application, a subdomain that has not yet been selected for another instance of the application; and
  
  serve the new instance of the application to a device of the user through the selected subdomain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Ghanaie-Sichanie, Arash, Augustine, Matthew S., Shukla, Dharma K., Krishnan, Hari, Burdick, Matthew J.
Primary Examiner(s)
Survillo, Oleg

Application Number

US14/946,142
Publication Number

US 20160080358A1
Time in Patent Office

1,426 Days
Field of Search

709226, 709229, 713167
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 40/143   Markup, e.g. Standard Gener...

H04L 2209/80   Wireless

H04L 47/70   Admission control; Resource...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/01   Protocols

H04L 9/3234   involving additional secure...

Hosted application sandbox model

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Hosted application sandbox model

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links