Secure resource access in a distributed environment

US 20040010682A1
Filed: 07/10/2002
Published: 01/15/2004
Est. Priority Date: 07/10/2002
Status: Active Grant

First Claim

Patent Images

1. In a computer network, a method for granting a request from a first resource to access a second resource, comprising:

receiving a request to access the second resource;

verifying that the request was received from the first resource;

verifying that the request was originated by a user; and

authenticating credentials presented for a user.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing a first network resource with secure but limited access to a second network resource. A method embodying the invention includes receiving a request to access the second resource. It is verified that the source of the request is the first resource. It is then verified that the request was originated by a user through, for example, a web browser, and then a user'"'"'s credentials are authenticated. Only when the request can be properly verified and the user credentials authenticated, is access to the second resource granted. Beneficially, the first resource cannot access the second without the user'"'"'s knowledge or, at least, implicit consent.

87 Citations

View as Search Results

33 Claims

1. In a computer network, a method for granting a request from a first resource to access a second resource, comprising:
- receiving a request to access the second resource;
  
  verifying that the request was received from the first resource;
  
  verifying that the request was originated by a user; and
  
  authenticating credentials presented for a user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the act of verifying that the request was received from the first resource comprises authenticating credentials for the first resource presented with the received request.
  - 3. The method of claim 2, wherein the request to access the second resource includes a digital certificate, and wherein authenticating credentials for the first resource comprises verifying that the digital certificate identifies the first resource.
  - 4. The method of claim 1, wherein the act of verifying that the request was originated by a user comprises receiving a session identifier from a client, receiving a session identifier from the first resource, and verifying that the received session identifiers match.
  - 5. The method of claim 4, wherein the act of verifying that the request was originated by a user further comprises receiving credentials from the client, the credentials uniquely identifying the client or a user, and authenticating those credentials.
  - 6. The method of claim 5, wherein communications between the first resource and the second resource and between the client and the second resource are encrypted for privacy.
  - 7. The method of claim 6, wherein encryption is accomplished utilizing secure sockets layer protocol.

8. In a computer network, a method for granting a request from a first resource to access a second resource, comprising:
- receiving, from a client, directions for the first resource to access the second resource;
  
  directing the client to access the second resource;
  
  receiving, from the client, a first request to access the second resource;
  
  obtaining user credentials from the client;
  
  authenticating the user credentials;
  
  receiving, from the first resource, a second request to access the second resource;
  
  verifying the second request was received from the first resource; and
  
  verifying that the second request was originated by the client.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein the act of verifying that the second request was received from the first resource comprises authenticating credentials for the first resource presented with the second request.
  - 10. The method of claim 9, wherein the request to access the second resource includes a digital certificate, and wherein authenticating credentials for the first resource comprises verifying that the digital certificate identifies the first resource.
  - 11. The method of claim 8, further comprising:
    - the first resource presenting the client with a session identifier after receiving the client'"'"'s request to access the first resource;
      
      the client presenting the session identifier upon requesting access to the second resource;
      
      the first resource presenting the session identifier to the second resource upon requesting access to the second resource; and
      
      wherein the act of verifying that the second request originated with the client comprises matching the session identifier presented by the client to the second resource with the session identifier presented by first resource to the second resource.
  - 12. The method of claim 11, wherein communications between the first resource and the second resource and between the client and the second resource are encrypted for privacy.
  - 13. The method of claim 12, wherein encryption is accomplished utilizing secure sockets layer protocol.

14. A method for providing a distributed application access to a network resource, comprising:
- receiving, from a client, user credentials and a session identifier;
  
  receiving, from the distributed application, application credentials and the session identifier;
  
  authenticating the application credentials;
  
  authenticating the user credentials; and
  
  matching the session identifier received from the client with the session identifier received from the distributed application.

15. A method for providing a distributed application with access to a network resource, comprising:
- a client, requesting the distributed application to access the network resource;
  
  establishing an application session;
  
  providing the client with a session identifier;
  
  directing the client to access the network resource;
  
  the client, requesting access to the network resource;
  
  the client, presenting user credentials and the session identifier to the network resource;
  
  the distributed application, requesting access to the network resource presenting application credentials and the session identifier;
  
  authenticating the application credentials;
  
  authenticating the user credentials;
  
  matching the session identifier presented by the client with the session identifier presented by the distributed application; and
  
  granting the distributed application access to the network resource only where the application credentials and the user credentials are properly authenticated and where the session identifiers presented by the client and the distributed application are matched.

16. A computer readable medium having instructions for:
- receiving a request from a first resource to access a second resource;
  
  verifying that the request was received from the first resource;
  
  verifying that the request was originated by a user;
  
  authenticating credentials presented for a user; and
  
  granting the first resource access to the second resource.
- View Dependent Claims (17, 18, 19)
- - 17. The medium of claim 16, wherein the instructions for verifying that the request was received from the first resource comprise instructions for authenticating credentials for the first resource presented with the received request.
  - 18. The medium of claim 16, wherein the instructions for verifying that the request was originated by a user comprise instructions for matching a session identifier presented by the client with a session identifier presented by the first resource.
  - 19. The medium of claim 18, wherein the instructions for verifying that the request was originated by a user further comprise instructions for authenticating credentials presented for the client.

20. A computer readable medium having instruction for:
- receiving, from a client, directions for a first resource to access a second resource;
  
  directing the client to access the second resource;
  
  receiving, from the client, a first request to access the second resource;
  
  obtaining user credentials from the client;
  
  authenticating the user credentials;
  
  receiving, from the first resource, a second request to access the second resource;
  
  verifying the second request was received from the first resource; and
  
  verifying that the second request was originated by the client.
- View Dependent Claims (21, 22)
- - 21. The medium of claim 20, wherein the instructions for verifying that the second request was received from the first resource comprise instructions for authenticating credentials for the first resource presented with the second request.
  - 22. The medium of claim 20, having further instructions for:
    - presenting the client with a session identifier upon receiving the client'"'"'s request to access the first resource;
      
      presenting the session identifier upon requesting access to the second resource;
      
      presenting the session identifier to the second resource upon requesting access to the second resource; and
      
      wherein the instructions for verifying that the second request originated with the client comprise instructions for matching the session identifier presented by the client to the second resource with the session identifier presented by first resource to the second resource.

23. A computer readable medium having instructions for:
- receiving, from a client, user credentials and a session identifier;
  
  receiving, from a distributed application, application credentials and the session identifier;
  
  authenticating the application credentials;
  
  authenticating the user credentials; and
  
  matching the session identifier received from the client with the session identifier received from the distributed application.

24. A computer readable medium having instructions for:
- receiving instruction to access a network resource;
  
  establishing an application session;
  
  providing a client with a session identifier;
  
  directing the client to access the network resource to present user credentials and the session identifier; and
  
  requesting access to the network resource presenting application credentials and the session identifier.

25. A computer readable medium having instructions for:
- receiving instruction to access a network resource;
  
  establishing an application session;
  
  providing a client with a session identifier;
  
  directing the client to access the network resource to present user credentials and the session identifier;
  
  requesting access to the network resource presenting application credentials and the session identifier;
  
  authenticating the application credentials;
  
  authenticating the user credentials; and
  
  matching the session identifier presented by the client with the session identifier presented by the distributed application.

26. An authentication system used to grant a first resource'"'"'s request to access to a second resource, comprising:
- a request verifier operable to verify that the request was received from the first resource;
  
  an origin verifier operable to verify that the request originated from a user; and
  
  a gate keeper operable to grant a request to access the second resource only where the request verifier and the origin verifier each verify that request.
- View Dependent Claims (27)
- - 27. The system of claim 26, further comprising a user verifier operable to authenticate a user'"'"'s credentials and a client verifier operable to verify client credentials, and wherein the gate keeper is further operable to grant a request to access the second resource only where the request verifier and the origin verifier each verify that request, the user verifier authenticates the user'"'"'s credentials, and the client verifier verifies the client credentials.

28. A data access system, comprising:
- a client;
  
  a first resource;
  
  a second resource operable to request access to the first resource according to directions initiated by the client;
  
  a request verifier operable to verify that a request to access the first resource was received from the second resource;
  
  an origin verifier operable to verify that the request originated from the client; and
  
  a gate keeper operable to grant a request to access the first resource only where the request verifier and the origin verifier each verify that request.
- View Dependent Claims (29, 30)
- - 29. The system of claim 28, wherein the second resource is further operable to direct the client to access the first resource in order to present user credentials;
    - the system further comprising a user verifier operable to authenticate a user'"'"'s credentials; and
      
      wherein the gate keeper is further operable to grant a request to access the first resource only where the request verifier and the origin verifier each verify that request and the user verifier authenticates the user'"'"'s credentials.
  - 30. The system of claim 28, wherein:
    - the second resource is further operable, when accessed by the client, to provide the client with a session identifier, to direct the client to access the first resource to present the session identifier, and to request access to the first resource presenting the session identifier;
      
      the origin verifier is operable to match a session identifier presented by the client with a session identifier presented by the second resource; and
      
      the gate keeper is further operable to grant a request to access the first resource only where the origin verifier is able to match session identifiers presented by the client and the second resource.

31. A data access system, comprising:
- a client;
  
  a first resource operable to manage user data;
  
  a second resource operable, when accessed by the client, provide the client with a session identifier, to direct the client to access the first resource in order to present the session identifier and to present user credentials, and to request access to user data presenting the session identifier to the first resource;
  
  a request verifier operable to verify that a request to access the first resource was received from the second resource;
  
  an origin verifier operable to match a session identifier presented by the client with a session identifier presented by the second resource;
  
  a user verifier operable to authenticate user credentials presented by the client; and
  
  a gate keeper operable to grant a request to access user data only where the request verifier verifies that the request was received from the second resource, the origin verifier matches session identifiers presented by the client and the second resource, and the user identifier authenticates user credentials presented by the client.

32. An authentication system used to grant a first resource'"'"'s request to access to a second resource, comprising:
- a means for verifying that the request was received from the first resource;
  
  a means for verifying that the request originated from a user; and
  
  a means for granting the request to access the second resource only where it can be verified that the request was received from the first resource and that the request originated from a user.

33. A data access system, comprising:
- a client;
  
  a first resource operable to manage user data;
  
  a second resource operable, when accessed by the client, to provide the client with a session identifier, to direct the client to access the first resource in order to present the session identifier and to present user credentials, and to request access to user data presenting the session identifier to the first resource;
  
  a means for verifying that a request to access the first resource was received from the second resource;
  
  a means for matching a session identifier presented by the client with a session identifier presented by the second resource;
  
  a means for authenticating user credentials presented by the client; and
  
  a means for granting a request to access user data only where the request verifier verifies that the request was received from the second resource, the origin verifier matches session identifiers presented by the client and the second resource, and the user identifier authenticates user credentials presented by the client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Madril, Robert John Jr., Simpson, Shell Sterling, Foster, Ward Scott

Granted Patent

US 9,621,538 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/156
CPC Class Codes

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/126   the source of the received ...

Secure resource access in a distributed environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

87 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Secure resource access in a distributed environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

87 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links