System and method for enforcing user policies on a web server

US 20040054791A1
Filed: 09/17/2002
Published: 03/18/2004
Est. Priority Date: 09/17/2002
Status: Abandoned Application

First Claim

Patent Images

1. ) A method for accessing information comprising:

a) using a generic policy agent to intercept a request made by a client for a resource accessible from a server;

b) accessing a token in the header portion of said request;

c) accessing a user policy associated with said token from a database;

d) evaluating if said client is allowed access to said requested resource based on said user policy; and

e) if said client is allowed access to said requested information, directing said user to said requested resource, wherein said d) and e) are performed by said generic policy agent.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for enforcing user policies on web servers. Embodiments of the present invention include a policy agent that enforces user policies on web servers that is generic to any web server platform. In one embodiment, a generic policy engine comprises a core policy level that caches the policy definitions by fetching user policies from an identity server and returns the policy values and an interface layer that interfaces the policy library with the web server and enforces the policies for specific users and applications. In one embodiment of the present invention, one core policy library can be shared by a plurality of policy agents running on different web servers.

Citations

31 Claims

1. ) A method for accessing information comprising:
- a) using a generic policy agent to intercept a request made by a client for a resource accessible from a server;
  
  b) accessing a token in the header portion of said request;
  
  c) accessing a user policy associated with said token from a database;
  
  d) evaluating if said client is allowed access to said requested resource based on said user policy; and
  
  e) if said client is allowed access to said requested information, directing said user to said requested resource, wherein said d) and e) are performed by said generic policy agent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. ) A method as described in claim 1 further comprising storing said user policy in a cache memory.
  - 3. ) A method as described in claim 1 wherein said request is an HTTP request.
  - 4. ) A method as described in claim 1 wherein step a) further comprises validating an IP address of said client.
  - 5. ) A method as described in claim 1 wherein said user policy comprises a subject field and an object field.
  - 6. ) A method as described in claim 5 wherein said subject field is a role assignment associated with said client.
  - 7. ) A method as described in claim 1 further comprising directing said client to an authentication application.
  - 8. ) A method as described in claim 1 wherein said database is stored on a remote identity server.
  - 9. ) A method as described in claim 1 wherein said generic policy agent comprises:
    - a generic policy library storing user policies for a plurality of clients;
      
      a generic policy engine that returns said user policies;
      
      a generic interface layer enforcing said user policies based on said policy values; and
      
      server specific software instructions for interfacing said generic policy agent with a specific server.
  - 10. ) A method as described in claim 9 wherein said server system is a web server.

11. ) A computer implemented system for regulating access to information comprising:
- a) a generic agent interface coupled to a server for intercepting an incoming HTTP request associated with a user and for enforcing user policies for a predetermined resource;
  
  b) a generic policy library for fetching and storing said user policies for a plurality of users and HTTP resources; and
  
  c) a generic policy engine that accesses said policy library and uses said user policies to determine a policy value, wherein said policy value is sent to said generic agent interface wherein said policy is enforced and wherein further said generic policy engine is not application specific.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. ) A system as described in claim 11 wherein said agent interface comprises a server specific set of computer instructions for interfacing said policy agent with a specific server.
  - 13. ) A system as described in claim 11 further comprising a cache memory for storing said user policies.
  - 14. ) A system as described in claim 11 wherein said agent interface is application specific and verifies an IP address of said incoming HTTP request.
  - 15. ) A system as described in claim 11 wherein said generic policy library communicates with an identity server to retrieve said user policies.
  - 16. ) A system as described in claim 15 wherein said remote identity server is protected by a firewall.
  - 17. ) A system as described in claim 11 wherein said server is a web server.
  - 18. ) A system as described in claim 11 wherein a plurality of agent interfaces access a centralized policy library.
  - 19. ) A system as described in claim 11 wherein said policy value indicates access allowance or access denied.

20. ) In a server system comprising a processor coupled to a bus and a memory coupled to said bus, a computer readable medium comprising instructions that when executed implement a method of accessing information said method comprising:
- a) using a generic policy agent to intercept an HTTP request made by a client for a resource accessible from said server system;
  
  b) accessing a token in a header portion of said HTTP request to determine if a cookie is present and if no cookie is present, directing said client to an authentication application;
  
  c) provided said cookie is present, accessing a user policy associated with said token from a database;
  
  d) using a generic policy agent to determine if said client is allowed access to said requested resource based on said user policy wherein said generic policy agent comprises an application inspecific policy engine; and
  
  e) if said client is allowed access to said requested resource, using an application specific policy agent to direct said user to said requested resource.
- View Dependent Claims (21, 22, 23, 24, 25)
- - 21. ) A computer readable medium as described in claim 20 further comprising instructions for storing said user policy in a cache memory.
  - 22. ) A computer readable medium as described in claim 20 further comprising instructions for verifying an IP address of said client.
  - 23. ) A computer readable medium as described in claim 20 wherein said user policy comprises a subject entry and an object entry and wherein said subject entry is a user classification and said object entry is a resource.
  - 24. ) A computer readable medium as described in claim 23 wherein said user classification is a role assignment.
  - 25. ) A computer readable medium as described in claim 20 wherein said database for storing policies is a directory server.

26. ) A communication system comprising:
- an application specific agent interface module for enforcing a policy regarding a user access request for resources and wherein said agent interface module comprises server-specific instructions;
  
  a generic policy engine for evaluating said user access request and for determining said policy based thereon and wherein said generic policy engine is application inspecific and wherein further said user access request identifies said user and said resources and wherein said policy indicates allowance or rejection of said request; and
  
  an identity server coupled to communicate with said policy engine and for containing mapping information.
- View Dependent Claims (27, 28, 29, 30, 31)
- - 27. ) A communication system as described in claim 26 wherein said agent interface is resident on a first server computer system.
  - 28. ) A communication system as described in claim 27 wherein said generic policy engine is resident on a second server computer system in communication with said first server computer system.
  - 29. ) A communication system as described in claim 28 wherein said user access request originates from a third computer system in communication with said first server computer system.
  - 30. ) A communication system as described in claim 28 wherein said identity server is resident on a fourth server computer system.
  - 31. ) A communication system as described in claim 30 wherein said first server computer system is a web server, said third computer system is a web browser and said fourth server computer system is an identity server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Chakraborty, Krishnendu, Dong, Xuesi, Thiyagaranjan, Pirasenna

Application Number

US10/246,072
Publication Number

US 20040054791A1
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/20 for managing network securi...

System and method for enforcing user policies on a web server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for enforcing user policies on a web server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links