Declarative trust model between reverse proxy server and websphere application server

US 20050154886A1
Filed: 01/12/2004
Published: 07/14/2005
Est. Priority Date: 01/12/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for allowing an application server to enforce a trust evaluation of a third party, comprising:

receiving a user request from a third party;

extracting authentication data from the third party;

validating the authentication data at the application server, wherein the validation allows the application server to enforce the trust evaluation; and

performing credential mapping using the validated authentication data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing a declarative trust association model that formalizes the way trust is established and requires corresponding authentication information to be presented in a standard format. Consequently, the application server may provide a guaranteed level of protection. The mechanism of the present invention provides a framework that allows an application server to enforce a trust evaluation and allows reverse proxy security server to assert a client'"'"'s security identity, as well as other client security credential information. A known trust association interceptor model is extended to allow the reverse proxy security server to assert the authenticated user'"'"'s security attributes. Such security attributes include, for example, group information, authentication strength, and location (i.e., where does the user enter the request, intranet vs. internet, IP address, etc.,). The security attributes can be used in making authorization decisions.

Citations

39 Claims

1. A method for allowing an application server to enforce a trust evaluation of a third party, comprising:
- receiving a user request from a third party;
  
  extracting authentication data from the third party;
  
  validating the authentication data at the application server, wherein the validation allows the application server to enforce the trust evaluation; and
  
  performing credential mapping using the validated authentication data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein different levels of trust and authentication strengths are used to enforce the trust evaluation.
  - 3. The method of claim 2, wherein the different levels of trust and authentication strengths are enforced by using at least one of a Callbackhandler plug-in and LoginModule plug-in.
  - 4. The method of claim 1, wherein the application server defines a standard set of Hypertext Transfer Protocol (HTTP) headers.
  - 5. The method of claim 4, wherein authentication data in the set of Hypertext Transfer Protocol (HTTP) headers is passed to the application server from the third party.
  - 6. The method of claim 1, wherein the third party is at least one of a reverse proxy server and a web server plug-in.
  - 7. The method of claim 1, wherein the authentication data comprises third party server authentication data and client id.
  - 8. The method of claim 7, wherein the third party server authentication data includes at least one of an id/password, security token, and digital signature.
  - 9. The method of claim 1, wherein the authentication data comprises client authentication data.
  - 10. The method of claim 9, wherein the client authentication data includes at least one of an id/password, security token, and digital signature.
  - 11. The method of claim 1, wherein the third party directly propagates client security credentials to the application server via a pluggable authentication framework.
  - 12. The method of claim 1, wherein allowing the application server to enforce the trust evaluation includes allowing the reverse proxy security server to assert an authenticated user'"'"'s security attributes.
  - 13. The method of claim 12, wherein the security attributes includes group information, authentication strength, and location.

14. A data processing system for allowing an application server to enforce a trust evaluation of a third party, comprising:
- receiving means for receiving a user request from a third party;
  
  extracting means for extracting authentication data from the third party;
  
  validating means for validating the authentication data at the application server, wherein the validation allows the application server to enforce the trust evaluation; and
  
  performing means for performing credential mapping using the validated authentication data.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The data processing system of claim 14, wherein different levels of trust and authentication strengths are used to enforce the trust evaluation.
  - 16. The data processing system of claim 15, wherein the different levels of trust and authentication strengths are enforced by using at least one of a Callbackhandler plug-in and LoginModule plug-in.
  - 17. The data processing system of claim 14, wherein the application server defines a standard set of Hypertext Transfer Protocol (HTTP) headers.
  - 18. The data processing system of claim 17, wherein authentication data in the set of Hypertext Transfer Protocol (HTTP) headers is passed to the application server from the third party.
  - 19. The data processing system of claim 14, wherein the third party is at least one of a reverse proxy server and a web server plug-in.
  - 20. The data processing system of claim 14, wherein the authentication data comprises third party server authentication data and client id.
  - 21. The data processing system of claim 20, wherein the third party server authentication data includes at least one of an id/password, security token, and digital signature.
  - 22. The data processing system of claim 14, wherein the authentication data comprises client authentication data.
  - 23. The data processing system of claim 22, wherein the client authentication data includes at least one of an id/password, security token, and digital signature.
  - 24. The data processing system of claim 14, wherein the third party directly propagates client security credentials to the application server via a pluggable authentication framework.
  - 25. The data processing system of claim 14, wherein allowing the application server to enforce the trust evaluation includes allowing the reverse proxy security server to assert an authenticated user'"'"'s security attributes.
  - 26. The data processing system of claim 25, wherein the security attributes includes group information, authentication strength, and location.

27. A computer program product in a computer readable medium for allowing an application server to enforce a trust evaluation of a third party, comprising:
- first instructions for receiving a user request from a third party;
  
  second instructions for extracting authentication data from the third party;
  
  third instructions for validating the authentication data at the application server, wherein the validation allows the application server to enforce the trust evaluation; and
  
  fourth instructions for performing credential mapping using the validated authentication data.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 28. The computer program product of claim 27, wherein different levels of trust and authentication strengths are used to enforce the trust evaluation.
  - 29. The computer program product of claim 28, wherein the different levels of trust and authentication strengths are enforced by using at least one of a Callbackhandler plug-in and LoginModule plug-in.
  - 30. The computer program product of claim 27, wherein the application server defines a standard set of Hypertext Transfer Protocol (HTTP) headers.
  - 31. The computer program product of claim 30, wherein authentication data in the set of Hypertext Transfer Protocol (HTTP) headers is passed to the application server from the third party.
  - 32. The computer program product of claim 27, wherein the third party is at least one of a reverse proxy server and a web server plug-in.
  - 33. The computer program product of claim 27, wherein the authentication data comprises third party server authentication data and client id.
  - 34. The computer program product of claim 33, wherein the third party server authentication data includes at least one of an id/password, security token, and digital signature.
  - 35. The computer program product of claim 27, wherein the authentication data comprises client authentication data.
  - 36. The computer program product of claim 35, wherein the client authentication data includes at least one of an id/password, security token, and digital signature.
  - 37. The computer program product of claim 27, wherein the third party directly propagates client security credentials to the application server via a pluggable authentication framework.
  - 38. The computer program product of claim 27, wherein allowing the application server to enforce the trust evaluation includes allowing the reverse proxy security server to assert an authenticated user'"'"'s security attributes.
  - 39. The computer program product of claim 38, wherein the security attributes includes group information, authentication strength, and location.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Karkala, Ajay Reddy, Venkataramappa, Vishwanath, Chao, Ching-Yun, Smith, Brian Keith, Nagaratnam, Nataraj, Birk, Peter Daniel, Chung, Hyen Vui, Mason, Carlton Keith

Application Number

US10/755,828
Publication Number

US 20050154886A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

H04L 63/0209   Architectural arrangements,...

H04L 63/0815   providing single-sign-on or...

H04L 63/105   Multiple levels of security

Declarative trust model between reverse proxy server and websphere application server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Declarative trust model between reverse proxy server and websphere application server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links