Pluggable authentication and access control for a messaging system
Abstract
A system and method for providing pluggable authentication and access control in computer systems and services are described. The authentication and access control process may be categorized into three components: an authentication protocol, a user repository and an access control model. In one embodiment, the authentication and access control mechanism may be implemented as three pluggable modules: an authentication protocol handler module for the authenticator side, an authentication protocol handler for the side to be authenticated, and an access control context module on the authenticator side. The pluggable modules may be exchangeable to support a variety of authentication types, user repositories, and access control models. The authentication protocol handlers provide symmetrical methods to handle requests and responses in the authentication process that reflect the symmetrical nature of the authentication process.
124 Citations
70 Claims
1. A method comprising:
    determining an authentication type to be used between a first node and a second node in a networked computer system;
    plugging in a first authentication protocol handler module on the first node for the determined authentication type, wherein the first authentication protocol handler module is configured for use in generating authentication information for the first node for sending to the second node;
    plugging in a second authentication protocol handler module on the second node for the determined authentication type, wherein the second authentication protocol handler module is configured for use in determining if the first node is authentic using the first node authentication information;
    determining an access control model to be used by the second node in controlling access to resources of the second node by the first node; and
    plugging in an access control context module for the determined access control model on the second node, wherein the access control context module is configured for use in controlling access to resources of the second node by the first node using the access control model.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 50, 51, 52, 53, 54, 55, 57, 58, 59, 60, 61, 62

14. A method for authenticating nodes in a networked computer system, comprising:
    a first node initiating a connection to a second node in the networked computer system;
    determining an authentication type to be used by the first node and the second node;
    initializing a first authentication protocol handler on the first node for the determined authentication type;
    initializing a second authentication protocol handler on the second node for the determined authentication type;
    the second node sending a challenge to the first node, wherein the challenge is in accordance with the determined authentication type;
    the first authentication protocol handler generating response data in response to the challenge, wherein the response data includes information for use in authenticating the first node;
    the first node sending the response data to the second node; and
    the second authentication protocol handler authenticating the first node using the received response data;
    wherein the first authentication protocol handler and the second authentication protocol handler are pluggable modules configured to be replaced to support different authentication types.

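The three pluggable components named in the abstract (an authentication protocol handler on each side, a user repository and an access control context) and the connect/challenge/response/authenticate sequence of claim 14, worked as an added Python example. This is illustrative code written for this page, not an implementation from the patent or from the assignee's messaging product. Every name in it is an assumption made for the example, as are the two sample authentication types (an HMAC-SHA256 challenge/response and a plain credential), the PBKDF2 verifier derivation, the in-memory repository and the default-deny ACL model.

```python
import hashlib
import hmac
import secrets

def derive_key(password, salt):
    # Verifier key stored in place of the password; low PBKDF2 work factor only for speed here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class InMemoryUserRepository:
    """Pluggable user repository; a dict stands in for LDAP, a database or a file."""
    def __init__(self):
        self.users = {}  # username -> (salt, key)

    def add(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, derive_key(password, salt))

# Authentication protocol handlers: one client/server pair per type, same method shape.
class ClientHandler:
    def __init__(self, password): self.password = password
class ServerHandler:
    def __init__(self, repo): self.repo, self.pending = repo, {}

class HmacClientHandler(ClientHandler):
    """Side to be authenticated: proves the password without transmitting it."""
    def respond(self, challenge):
        key = derive_key(self.password, challenge["salt"])
        return {"mac": hmac.new(key, challenge["nonce"], hashlib.sha256).hexdigest()}

class HmacServerHandler(ServerHandler):
    """Authenticator side: fresh nonce per attempt, constant-time MAC comparison."""
    def challenge(self, username):
        rec = self.repo.users.get(username)
        salt = rec[0] if rec else secrets.token_bytes(16)  # don't reveal unknown users
        self.pending[username] = nonce = secrets.token_bytes(32)
        return {"nonce": nonce, "salt": salt}

    def authenticate(self, username, response):
        nonce = self.pending.pop(username, None)  # single use, so a replayed MAC fails
        rec = self.repo.users.get(username)
        if nonce is None or rec is None:
            return None
        expected = hmac.new(rec[1], nonce, hashlib.sha256).hexdigest()
        return username if hmac.compare_digest(expected, response.get("mac", "")) else None

class PlainClientHandler(ClientHandler):
    def respond(self, challenge):
        return {"password": self.password}  # sent as-is: only acceptable over an encrypted link

class PlainServerHandler(ServerHandler):
    def challenge(self, username):
        return {}  # nothing to send; the client simply supplies its credential

    def authenticate(self, username, response):
        rec = self.repo.users.get(username)
        if rec is None:
            return None
        candidate = derive_key(response.get("password", ""), rec[0])
        return username if hmac.compare_digest(candidate, rec[1]) else None

CLIENT_HANDLERS = {"hmac-sha256": HmacClientHandler, "plain": PlainClientHandler}
SERVER_HANDLERS = {"hmac-sha256": HmacServerHandler, "plain": PlainServerHandler}

class AclAccessControlContext:
    """Pluggable access control model: default-deny ACL keyed by (principal, resource)."""
    def __init__(self, rules):
        self.rules = rules

    def check(self, principal, resource, operation):
        return operation in self.rules.get((principal, resource), set())

ACCESS_CONTROL_MODELS = {"acl": AclAccessControlContext}

class Server:
    def __init__(self, auth_type, repo, ac_model, ac_rules):
        self.auth_type, self.repo = auth_type, repo
        self.access_control = ACCESS_CONTROL_MODELS[ac_model](ac_rules)  # plugged in once

    def connect(self, username, password):
        """Claim-14 flow: pick the type, plug in both handlers, challenge, respond, verify."""
        client_handler = CLIENT_HANDLERS[self.auth_type](password)   # on the first node
        server_handler = SERVER_HANDLERS[self.auth_type](self.repo)  # on the second node
        response = client_handler.respond(server_handler.challenge(username))
        principal = server_handler.authenticate(username, response)
        if principal is None:
            raise PermissionError("authentication failed")
        return principal

def demo(auth_type="hmac-sha256"):
    # Constructed sample data: alice may send to one queue; a wrong password is rejected.
    repo = InMemoryUserRepository()
    repo.add("alice", "correct horse battery staple")
    server = Server(auth_type, repo, "acl", {("alice", "queue/orders"): {"send"}})
    alice = server.connect("alice", "correct horse battery staple")
    try:
        server.connect("alice", "wrong password")
        rejected = False
    except PermissionError:
        rejected = True
    return (alice, server.access_control.check(alice, "queue/orders", "send"),
            server.access_control.check(alice, "queue/orders", "receive"), rejected)
```

Changing `auth_type` between the two registered types swaps both handlers without touching `Server.connect`, which is the exchangeability the claims describe; a type with no registered handler fails at plug-in time with a `KeyError` rather than falling through to an unauthenticated session. On the HMAC path the server consumes the nonce when it checks the response, so a captured response cannot be replayed against the same handler, and unknown usernames still receive a challenge so the exchange does not confirm which accounts exist.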
26. A method comprising:
    a second node determining an authentication type to be used by the second node to authenticate a first node in a networked computer system;
    the second node plugging in a second authentication protocol handler module for the determined authentication type, wherein the second authentication protocol handler module is configured for use in determining if the first node is authentic using authentication information associated with the first node, wherein the first node authentication information is generated by a pluggable first authentication protocol handler module on the first node for the determined authentication type;
    the second node determining an access control model to be used by the second node for the first node; and
    the second node plugging in an access control context module for the determined access control model, wherein the access control context module is configured for use in controlling access to resources of the second node by the first node using the access control model.

37. A system comprising:
    a first node comprising a first memory, wherein the first memory comprises first program instructions executable within the first node to initiate a connection request to the second node;
    a second node comprising a second memory, wherein the second memory comprises second program instructions;
    wherein the second program instructions are executable within the second node to:
        determine an authentication type for use in authentication of the first node in response to the first program instructions initiating a connection request to the second node;
        initialize a second authentication protocol handler module on the second node for the determined authentication type;
        determine an access control model to be used by the second node; and
        initialize an access control context module for the determined access control model, wherein the access control context module is configured for use in controlling access to resources of the second node by the first node using the access control model;
    wherein the first program instructions are further executable within the first node to initialize a first authentication protocol handler module on the first node for the determined authentication type; and
    wherein the first authentication protocol handler module and the second authentication protocol handler module are pluggable modules configured to be replaced to support different authentication types.

49. A system comprising:
    a first node comprising a first memory, wherein the first memory comprises first program instructions executable within the client node to implement a client application;
    a second node comprising a second memory, wherein the second memory comprises second program instructions executable within the second node to implement a server;
    wherein the server is executable within the server node to:
        receive a connection request from the client application;
        determine an authentication type for use in authentication of the client application in response to the connection request;
        plug in a server-side authentication protocol handler module for the determined authentication type;
    wherein the client application is executable within the client node to plug in a client-side authentication protocol handler module for the determined authentication type;
    wherein the client-side authentication protocol handler module is executable within the client node to:
        receive a challenge from the server, wherein the challenge is in accordance with the determined authentication type;
        generate response data in response to the received challenge, wherein the response data includes information for use in authenticating the client application;
    wherein the server-side authentication protocol handler module is executable within the server node to:
        receive the generated response data; and
        authenticate the client application using the received response data.

56. A server system comprising:
    a memory, wherein the memory comprises program instructions executable within the server node to implement a server;
    wherein the server is executable within the server node to:
        receive a connection request from a client application;
        determine an authentication type for use in authentication of the client application in response to the connection request;
        plug in a server-side authentication protocol handler module for the determined authentication type; and
        send a challenge to the client application, wherein the challenge is in accordance with the determined authentication type;
    wherein the server-side authentication protocol handler module is executable within the server system to receive response data from the client application, wherein the response data was generated by a pluggable client-side authentication protocol handler module in response to the challenge, wherein the response data includes information for use in authenticating the client application; and
    authenticate the client application using the received response data.

63. A carrier medium comprising program instructions, wherein the program instructions are computer-executable to implement:
    a first node initiating a connection to a second node in a networked computer system;
    determining an authentication type to be used by the first node and the second node;
    initializing a first authentication protocol handler on the first node for the determined authentication type;
    initializing a second authentication protocol handler on the second node for the determined authentication type;
    the second node sending a challenge to the first node, wherein the challenge is in accordance with the determined authentication type;
    the first authentication protocol handler generating response data in response to the challenge, wherein the response data includes information for use in authenticating the first node;
    the first node sending the response data to the second node; and
    the second authentication protocol handler authenticating the first node using the received response data;
    wherein the first authentication protocol handler and the second authentication protocol handler are pluggable modules configured to be replaced to support different authentication types.
Dependent claims: 64, 65, 66, 67, 68, 69, 70

Specification