Web service gateway filtering

US 20050228984A1
Filed: 04/07/2004
Published: 10/13/2005
Est. Priority Date: 04/07/2004
Status: Abandoned Application

First Claim

Patent Images

1. A firewall device that receives and passes messages to and from a destination web service comprising:

one or more web service filters to verify that a message received by the firewall device is from an authorized client, wherein the one or more filters use policies to verify the message and to define access rights of the authorized client if the message is verified;

a first logical web service processing module to monitor services available from the destination web service, and to determine if a request in the message for a particular service is available from the destination web service; and

a second logical web service processing module to process data representing the request in the message based on the policies that define access rights of the authorized client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall device implements policies for a destination web service, where the policies determine the access rights of clients and other web services to services that are available at the destination web service. The clients and web services send requests in the form of web service messages which are processed by the firewall server based on the policies.

119 Citations

42 Claims

1. A firewall device that receives and passes messages to and from a destination web service comprising:
- one or more web service filters to verify that a message received by the firewall device is from an authorized client, wherein the one or more filters use policies to verify the message and to define access rights of the authorized client if the message is verified;
  
  a first logical web service processing module to monitor services available from the destination web service, and to determine if a request in the message for a particular service is available from the destination web service; and
  
  a second logical web service processing module to process data representing the request in the message based on the policies that define access rights of the authorized client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The firewall device of claim 1 wherein the one or more web service filters validates that the message has not been altered since originating from the authorized client.
  - 3. The firewall device of claim 1 wherein the one or more web service filters validates that the message is well formed.
  - 4. The firewall device of claim 1 wherein the one or more web service filters comprise one or more transportation protocol layer filters.
  - 5. The firewall device of claim 4, wherein the one or more transportation protocol layer filters use one of the protocols HTTP, SMTP, FTP, or TCP.
  - 6. The firewall device of claim 4, wherein the one or more transportation protocol layer filters changes the transportation protocol of a received or passed message.
  - 7. The firewall device of claim 1 wherein the web service message is an XML listing.
  - 8. The firewall device of claim 1 wherein the web service message is a SOAP message comprising a header and body.
  - 9. The firewall device of claim 8 wherein the one or more web service filters perform verification on the header of the SOAP message.
  - 10. The firewall device of claim 1 wherein the policies are maintained in a separate storage device and are provided to the firewall device.
  - 11. The firewall device of claim 1 wherein the policies are defined by WS-Policy.
  - 12. The firewall device of claim 1 wherein the services provided by the destination web service are described in WSDL, and the first logical web service processing module processes WSDL listings when monitoring the web service.
  - 13. The firewall device of claim 1 wherein the second logical web service processing module validates that the message has not be altered since originating from the authorized client.
  - 14. The firewall device of claim 1 wherein the second logical web service processing module validates that the message is well formed.
  - 15. The firewall device of claim 1 further comprising a third logical web service processing module to perform security negotiation between the destination web service and clients.
  - 16. The firewall device of claim 15 wherein the third logical web service processing module determines whether the message received at the firewall device has been signed and/or encrypted and whether to pass the message received at the firewall device to the destination web service.
  - 17. The firewall device of claim 15 wherein the third logical web service processing module encrypts and signs a digital signature for a message sent by the destination web service.
  - 18. The firewall device of claim 1 further comprising a fourth logical web service processing module that validates that data in the message has not been altered since originally sent from the authorized client.
  - 19. The firewall device of claim 1 further comprising a fifth logical web service processing module used for extensibility for additional data-inspection algorithms separate from the policies.

20. A method of managing policy for a destination web service implemented at a firewall server comprising:
- receiving a web service message containing a request for a service at the destination web service;
  
  verifying that the web service message is from an authorized particular client;
  
  applying policies which define access rights to applications of the destination web service that are available to the particular client;
  
  inspecting the request contained in the message as to whether the request is valid per the access rights available to the particular client; and
  
  providing an application if the message is verified, the particular client has access rights, and the request is valid per the access rights available to the particular client.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 21. The method of claim 20 wherein the web service message is an XML listing.
  - 22. The method of claim 20 wherein the web service message is a SOAP envelope.
  - 23. The method of claim 20 wherein the receiving is performed over a particular transportation protocol layer.
  - 24. The method of claim 20 wherein the verifying is performed by using a digital signature contained in the web service message.
  - 25. The method of claim 20 wherein the applying policies is based on WS-Policy defining the particular client as a “
    - policy subject” and
      
      assigning “
      
      policy assertions”
      
      that define the access rights of the particular client to applications of the destination web service.
  - 26. The method of claim 20 wherein the inspecting is based on the policies that define the access rights available to the particular client.
  - 27. The method of claim 20 wherein the inspecting comprises determining actual services available from the destination web service and determining if the request in the web service message is included in the actual services available from the destination web service.
  - 28. The method of claim 20 wherein the inspecting comprises validating the web service message.
  - 29. The method of claim 20 wherein the inspecting comprises determining if the request is well formed.
  - 30. The method of claim 20 wherein the providing uses a SOAP envelope that includes the application.
  - 31. The method of claim 20 wherein the providing comprises encrypting the application that is sent to the particular client.
  - 32. The method of claim 20 further comprising sending a message to the particular client if the request in the web service message is denied.
  - 33. The method of claim 20 further comprising validating the web service message.
  - 34. The method of claim 20 further comprising performing security negotiating between the destination web service and clients based on the policies.

35. For use with a firewall device, a storage medium having instructions that, when executed on the firewall computer, performs acts comprising:
- receiving requests from clients for applications in a destination web service;
  
  verifying the clients submitting the requests;
  
  determining access rights of the clients to the applications based on policies implemented at the firewall computer; and
  
  providing applications to a client if a request is valid.
- View Dependent Claims (36, 37, 38)
- - 36. The storage medium as recited in claim 35, wherein the determining access rights comprises identifying actual applications available at the destination web service.
  - 37. The storage medium as recited in claim 35 further comprising validating the requests.
  - 38. The storage medium as recited in claim 35 further comprising encrypting the application prior to providing the application to the client.

39. A firewall device comprising:
- means for receiving web service messages from clients, wherein the web service messages are destined to a web service;
  
  means for verifying that the web service messages are from authorized clients; and
  
  means for applying policies as to applications available to authorized clients from the web service.
- View Dependent Claims (40, 41, 42)
- - 40. The firewall device of claim 39 further comprising means for validating that messages are not altered since being sent from the authorized clients.
  - 41. The firewall device of claim 39 further comprising means for providing applications from the web service to the authorized clients if policies allow applications to be provided.
  - 42. The firewall device of claim 39 further comprising means for security negotiation between the web service and the authorized clients.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Mondri, Ron, Edery, Yigal

Application Number

US10/819,567
Publication Number

US 20050228984A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

Web service gateway filtering

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

Web service gateway filtering

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others