Policy service authorization and authentication

US 10,498,734 B2
Filed: 05/31/2013
Issued: 12/03/2019
Est. Priority Date: 05/31/2012
Status: Active Grant

First Claim

Patent Images

1. A method of applying network resource access policy, the method comprising:

receiving from a user agent a request for a remote network resource, the request being adapted to contain authorization data specific to the remote network resource;

obtaining from the request authorization data specific to the remote network resource when the request contains the authorization data;

determining a resource access policy for the request using the authorization data and a shared secret, wherein the shared secret is shared by a policy service and an authorization portal;

excluding the user agent from the shared secret;

preventing modification of tokens passed between the policy service and the authorization portal;

comparing the authorization data to assigned tokens and, if the authorization data matches one of the assigned tokens, determining the resource access policy to allow access by the user agent to the remote network resource;

applying the resource access policy to allow or deny access by the user agent to the remote network resource;

when denying access to the remote network resource, generating a request token using the shared secret and redirecting the user agent to the authorization portal, the redirection containing the request token;

after authorization by the authorization portal, receiving from the user agent an authorized request for the remote network resource, the authorized request including an authorization token generated by the authorization portal using the shared secret; and

in response to receiving the authorized request including the authorization token, storing the authorization data specific to the remote network resource at the user agent and redirecting the user agent to the remote network resource to cause the user agent to make another request for the remote network resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Requests for remote network resources can be denied by a policy service by redirecting a requesting user agent to an authorization portal. The authorization portal can authenticate the user agent and redirect the user agent to the originally requested resource with a token. The policy service can be configured to detect the token, and redirect the requesting user agent to the resource with a cookie. The policy service can be configured to reference such cookies when applying policy. Accordingly, an authenticated user agent can be allowed to access the remote network resource and resources at the same host/domain by virtue of the cookie and without additional authentication.

Citations

23 Claims

1. A method of applying network resource access policy, the method comprising:
- receiving from a user agent a request for a remote network resource, the request being adapted to contain authorization data specific to the remote network resource;
  
  obtaining from the request authorization data specific to the remote network resource when the request contains the authorization data;
  
  determining a resource access policy for the request using the authorization data and a shared secret, wherein the shared secret is shared by a policy service and an authorization portal;
  
  excluding the user agent from the shared secret;
  
  preventing modification of tokens passed between the policy service and the authorization portal;
  
  comparing the authorization data to assigned tokens and, if the authorization data matches one of the assigned tokens, determining the resource access policy to allow access by the user agent to the remote network resource;
  
  applying the resource access policy to allow or deny access by the user agent to the remote network resource;
  
  when denying access to the remote network resource, generating a request token using the shared secret and redirecting the user agent to the authorization portal, the redirection containing the request token;
  
  after authorization by the authorization portal, receiving from the user agent an authorized request for the remote network resource, the authorized request including an authorization token generated by the authorization portal using the shared secret; and
  
  in response to receiving the authorized request including the authorization token, storing the authorization data specific to the remote network resource at the user agent and redirecting the user agent to the remote network resource to cause the user agent to make another request for the remote network resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein storing the authorization data comprises setting a cookie at the user agent, the cookie indicating at least a domain or hostname of the remote network resource.
  - 3. The method of claim 2, wherein the cookie further indicates a unique identifier for the user agent.
  - 4. The method of claim 1, wherein determining the resource access policy for the request comprises determining a policy group associated with the remote network resource and the authorization data, and using the policy group to look up the resource access policy.
  - 5. The method of claim 1, comprising determining a most restrictive policy as the resource access policy when determining that the request does not contain the authorization data.
  - 6. The method of claim 1, wherein the authorization token represents a username, the method further comprising the authorization portal performing an authentication process with the user agent using the username.
  - 7. The method of claim 6, further comprising:
    - reading an authorization-portal cookie to determine whether a previous authentication remains valid; and
      
      when the previous authentication remains valid, redirecting the user agent to the remote network resource with the authorization token.
  - 8. The method of claim 1, further comprising the authorization portal redirecting the user agent to the remote network resource with the authorization token as the authorized request.
  - 9. The method of claim 1, wherein the authorization token includes information contained in an HTTP header.
  - 10. The method of claim 1, wherein the authorization token includes a unique identifier known to both the authorization portal and the policy service that applies the resource access policy.

11. A system for applying network resource access policy, the system comprising:
- a filter configured to apply resource access policy to a request from a user agent for access to a remote network resource by redirecting the user agent to an authorization portal when denying the request for the remote network resource, wherein the request is adapted to contain authorization data specific to the remote network resource, and wherein the filter is further configured to respond to an authorized request having an authorization token generated using a shared secret by storing authorization data at the user agent and redirecting the user agent to the requested network resource; and
  
  a policy server configured to determine resource access policy based on the request as provided by the filter and further based on any authorization data contained in the request, the authorization data being specific to the remote network resource, the policy server configured to;
  
  determine a resource access policy for the request using the authorization data and a shared secret, wherein the shared secret is shared by a policy service and an authorization portal;
  
  exclude the user agent from the shared secret;
  
  prevent modification of tokens passed between the policy service and the authorization portal;
  
  compare the authorization data to assigned tokens and, if the authorization data matches one of the assigned tokens, determine the resource access policy to allow access by the user agent to the remote network resource;
  
  apply the resource access policy to allow or deny access by the user agent to the remote network resource;
  
  when denying access to the remote network resource, generate a request token using the shared secret and redirect the user agent to the authorization portal, the redirection containing the request token;
  
  after authorization by the authorization portal, receive from the user agent an authorized request for the remote network resource, the authorized request including an authorization token generated by the authorization portal using the shared secret; and
  
  in response to receiving the authorized request including the authorization token, store the authorization data specific to the remote network resource at the user agent and redirecting the user agent to the remote network resource to cause the user agent to make another request for the remote network resource.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the filter is configured to store the authorization data at the user agent by setting a cookie at the user agent, the cookie indicating at least a domain or hostname of the remote network resource.
  - 13. The system of claim 12, the cookie further indicating a unique identifier for the user agent.
  - 14. The system of claim 11, wherein the policy server is configured to determine the resource access policy by determining a policy group associated with the remote network resource and the authorization data, and by using the policy group to look up the resource access policy.
  - 15. The system of claim 11, wherein the policy server is configured to determine a most restrictive policy as the resource access policy when determining that the request does not contain the authorization data.
  - 16. The system of claim 11, wherein the authorization token represents a username with which the authorization portal performs an authentication process with the user agent.
  - 17. The system of claim 16, wherein the policy server is further configured to read an authentication-portal cookie to determine whether a previous authentication remains valid, and redirect the user agent to the requested remote network resource with the authorization token when the previous authentication remains valid.
  - 18. The system of claim 11, further comprising the authorization portal, the authorization portal configured to redirect the user agent to the requested remote network resource with the authorization token.
  - 19. The system of claim 11, wherein the authorization token includes information contained in an HTTP header.
  - 20. The system of claim 11, wherein the authorization token includes a unique identifier known to both the authorization portal and the filter.

21. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to:
- receive from a user agent a request for a remote network resource, the request being adapted to contain authorization data specific to the remote network resource;
  
  obtain from the request authorization data specific to the remote network resource when the request contains the authorization data;
  
  determine a resource access policy for the request using the authorization data and a shared secret, wherein the shared secret is shared by a policy service and an authorization portal;
  
  exclude the user agent from the shared secret;
  
  prevent modification of tokens passed between the policy service and the authorization portal;
  
  compare the authorization data to assigned tokens and, if the authorization data matches one of the assigned tokens, determining the resource access policy to allow access by the user agent to the remote network resource;
  
  apply the resource access policy to allow or deny access by the user agent to the remote network resource;
  
  when denying access to the remote network resource, generate a request token using the shared secret and redirecting the user agent to the authorization portal, the redirection containing the request token;
  
  after authorization by the authorization portal, receive from the user agent an authorized request for the remote network resource, the authorized request including an authorization token generated by the authorization portal using the shared secret; and
  
  in response to receiving the authorized request including the authorization token, store the authorization data specific to the remote network resource at the user agent and redirect the user agent to the remote network resource to cause the user agent to make another request for the remote network resource.
- View Dependent Claims (22, 23)
- - 22. The medium of claim 21, wherein the authorization portal is configured to provide the authorization token in an HTTP header when redirecting the user agent.
  - 23. The medium of claim 21, wherein the unique identifier represents a username, and the authorization portal is configured to perform an authentication process with the user agent using the username.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Netsweeper Incorporated
Original Assignee
Netsweeper Barbados Incorporated
Inventors
Erb, Jeremy
Primary Examiner(s)
Shaw, Peter C

Application Number

US14/401,543
Publication Number

US 20150143453A1
Time in Patent Office

2,377 Days
Field of Search

726 1
US Class Current
CPC Class Codes

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0245   Filtering by information in...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

Policy service authorization and authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Policy service authorization and authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links