Method and system for session based authorization and access control for networked application objects

US 20030145094A1
Filed: 11/22/2002
Published: 07/31/2003
Est. Priority Date: 08/04/2000
Status: Active Grant

First Claim

Patent Images

1. An ingress-session-based authorization and access control method in a data processing system to control access from an initiator-host (IH) to objects Target1, Target2) on a target host (TH) comprising the steps of:

(i) receiving an access-request, preferably a request-message (M1), originally coming from the initiator-host (IH), that references an object (Target1, Target2) on the target host (TH) to access, (ii) assigning the access-request (M1) to an ingress-session and selecting a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session, (iii) checking whether the access to the referenced object Target1, Target2) is authorized in the selected session-context (SC-U, SC-W, SC-Y) or not, and (iv) denying the access to the referenced object Target1, Target2) if the access to said object on the target host (TH) is not authorized in the selected session-context (SC-U, SC-W, SC-Y), (v) granting the access to the referenced object Target1, Target2) if the access to said object on the target host (TH) is allowed in the selected session-context. (SC-U, SC-W, SC-Y) wherein references to objects (Target1, Target2) on the target host (TH) were handed over to the initiator-host (IH) as a response to an access-request already granted and wherein the object the reference is handed over for is authorized for access under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the already granted access-request is assigned to.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to an ingress-session-based authorization and access control method and system to control access from an initiator-host (IH) to objects (Target 1, Target 2) on a target host (TH) by receiving an access-request, preferably a request-message (M1), originally coming from the initiator-host (IH), that references an object (Target 1, Target 2) on the target host (TH) to access, assigning the access-request (M1) to an ingress-session and selecting a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session, checking whether the access to the referenced object (Target 1, Target 2) is authorized in the selected session-context (SC-U, SC-W, SC-Y)or not wherein references to objects (Target 1, Target 2) on the target host (TH) were handed over to the initiator-host (IH) as a response to an access-request already granted and wherein the object the reference is handed over for is authorized for access under the handed over reference in that session-context (SC-U, SC-W, SC-Y)the already granted access-request is assigned to.

58 Citations

View as Search Results

15 Claims

1. An ingress-session-based authorization and access control method in a data processing system to control access from an initiator-host (IH) to objects Target1, Target2) on a target host (TH) comprising the steps of:
- (i) receiving an access-request, preferably a request-message (M1), originally coming from the initiator-host (IH), that references an object (Target1, Target2) on the target host (TH) to access, (ii) assigning the access-request (M1) to an ingress-session and selecting a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session, (iii) checking whether the access to the referenced object Target1, Target2) is authorized in the selected session-context (SC-U, SC-W, SC-Y) or not, and (iv) denying the access to the referenced object Target1, Target2) if the access to said object on the target host (TH) is not authorized in the selected session-context (SC-U, SC-W, SC-Y), (v) granting the access to the referenced object Target1, Target2) if the access to said object on the target host (TH) is allowed in the selected session-context. (SC-U, SC-W, SC-Y) wherein references to objects (Target1, Target2) on the target host (TH) were handed over to the initiator-host (IH) as a response to an access-request already granted and wherein the object the reference is handed over for is authorized for access under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the already granted access-request is assigned to.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. An ingress-session-based authorization and access control method according to claim 1 characterized in that the assignment of the access-request (M1) to the ingress-session and the selection of the session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session is independent of an underlying data transport session.
  - 3. An ingress-session-based authorization and access control method according to claim 1 or 2 characterized in that the assignment of the access-request (M1) to the ingress-session and the selection of the session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session is independent of the structures, the format and content of the object references handed over to the initiator host (IH).
  - 4. An ingress-session-based authorization and access control method according to claim 1, 2 or 3 characterized in that the object the reference is handed over for is authorized for access for a maximum number of accesses under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the already granted access-request is assigned to.
  - 5. An ingress-session-based authorization and access control method according to claim 1, 2, 3 or 4 characterized in that the object the reference is handed over for is authorized for access for an access-validity time period so that access is granted during said access-validity time period under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the already granted access-request is assigned to.
  - 6. An ingress-session-based authorization and access control method according to one of the claims 1-5 characterized in that the access-request (M1) coming from the initiator host (IH) is received via a safe communication channel, preferably via a channel communication is encrypted on, most preferably public-key encrypted.

7. An ingress-session-based authorization and access control data processing system to control access from an initiator-host (IH) to objects (Target1, Target2) on a target host (TH) comprising, means to receive an access-request, preferably a request-message (M1), originally coming from the initiator-host (IH), that references an object (Target1, Target2) on the target host (TH) to access, means to assign the access-request (M1) to an ingress-session and selecting a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session, means to check whether the access to the referenced object (Target1, Target2) is authorized in the selected session-context (SC-U, SC-W, SC-Y) or not, that deny the access to the referenced object (Target1, Target2) if the access to said object on the target host (TH) is not authorized in the selected session-context (SC-U, SC-W, SC-Y) and that grants the access to the referenced object (Target1, Target2) if the access to said object on the target host (TH) is allowed in the selected session-context (SC-U, SC-W, SC-Y) wherein the system also comprises means that hand over references to objects (Target1, Target2) on the target host (TH) to the initiator-host (IH) as a response to an access-request already granted and wherein the system comprises means that authorize objects the reference is handed over for, for access under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the already granted access-request is assigned to.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that said means to assign the access-request (M1) to an ingress-session and to select a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session do assign the access-request (M1) to the ingress-session and do select the session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session independently from any underlying data transport session
  - 9. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that said means to assign the access-request (M1) to an ingress-session and to select a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session do assign the access-request (M1) to the ingress-session and do select the session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session independently from the structure, the format and content of the object references handed over to the initiator host (IH).
  - 10. An ingress-session-based authorization and access control data processing system according to claim 7, 8, or 9 characterized in that the system also comprises means that authorize objects the reference is handed over for, for access for a maximum number of accesses under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the already granted access-request is assigned to.
  - 11. An ingress-session-based authorization and access control data processing system according to claim 7, 8, 9 or 10 characterized in that the system also comprises means that authorize objects the reference is handed over for, for access for an access-validity time period so that access is granted during said access-validity time period under the handed over reference in that session-context (SC-U, SC-W, SC-Y) the already granted access-request is assigned to.
  - 12. An ingress-session-based authorization and access control data processing system according to one of the claims 7-11 characterized in that the access-request (M1) coming from the initiator host (IH) is received by safe communication means, preferably cryptographic means that operate a safe channel to the initiator-host (IH).
  - 13. An ingress-session-based authorization and access control data processing system according to one of the claims 7-12 characterized in that the target host (TH) is implemented as an application-module (APP), preferably a first software module, comprising target objects (Target1, Target2) and wherein said authorization and control system is implemented as an application-level-interceptor (ALI), preferably as a second software-module, both installed on one computer system, preferably on a server machine.
  - 14. An ingress-session-based authorization and access control data processing system according to one of the claims 7-13 characterized in that said authorization and control system is implemented as a gateway-machine (GWM) installed on a computer system comprising communication means that connect the gateway-machine (GWM) to an external network (EN) and an internal network (IN) wherein the initiator-host (IH) is connected as a client machine (CM1) to said external network (EN) and the target host, (IH) is connected as a server machine (SM1) to said internal network (IN).
  - 15. A communication network comprising an ingress-session-based authorization and access control data processing system according to one of the claims 7-14 comprising bootstrapping target-objects on the target-host (TH) as initial contact points to establish access communication wherein the access to said bootstrapping target-objects is granted or denied via explicit authorization means different from said means that check whether the access to the referenced object (Target1, Target2) is authorized in the selected session-context (SC-U, SC-W, SC-Y) or not.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Prismtech GmbH
Original Assignee
Prismtech GmbH
Inventors
Staamann, Sebastian, Eckhardt, Tim

Granted Patent

US 7,441,265 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 9/465   Distributed object oriented...

G06F 9/468   Specific access rights for ...

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

Method and system for session based authorization and access control for networked application objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

58 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for session based authorization and access control for networked application objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

58 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links