Access system interface

US 20070044144A1
Filed: 10/27/2006
Published: 02/22/2007
Est. Priority Date: 03/21/2001
Status: Active Grant

First Claim

Patent Images

1-60. -60. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An access system provides identity management and/or access management services for a network. An application program interface for the access system enables an application without a web agent front end to read and use contents of an existing encrypted cookie to bypass authentication and proceed to authorization. A web agent is a component (usually software, but can be hardware or a combination of hardware and software) that plugs into (or otherwise integrates with) a web server (or equivalent) in order to participate in providing access services.

Citations

88 Claims

1-60. -60. (canceled)

61. A method for providing access services, the method comprising:
- receiving user session state information for a first user, the user session state information is from an application without a web agent front end, the user session state information is from a cookie stored on a client for the first user, the user session state information is encrypted, and receiving the user session state information includes decrypting the user session state information;
  
  receiving a request to authorize the first user to access a first resource, the request to authorize is from the application without a web agent front end;
  
  providing authorization services to the application without a web agent front end in an attempt to authorize the first user to access the first resource without requiring the first user to re-submit authentication credentials;
  
  receiving a request from the application without a web agent front end for unencrypted data from the user session state information; and
  
  providing the unencrypted data from the user session state information to the application without a web agent front end, the application without a web agent front end does not have access to a key to decrypt the user session state information.
- View Dependent Claims (62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82)
- - 62. The method of claim 61, wherein the unencrypted data includes an identity for the first user.
  - 63. The method of claim 61, wherein:
    - the session state information was created by an access system; and
      
      the access system performs attempting to authorize.
  - 64. The method of claim 61, wherein:
    - the user session state information was created by an access system and provided to the application without a web agent front end by the access system;
      
      the application without a web agent front end caused the session token to be stored in the cookie; and
      
      the access system attempts to authorize the first user.
  - 65. The method of claim 61, wherein the user session state information includes:
    - an identity for the first user;
      
      an authentication level for the first user; and
      
      a session start time for the first user.
  - 66. The method of claim 61, wherein the resource request information includes:
    - an identification of a resource type;
      
      an identification of a resource; and
      
      an identification of an operation.
  - 67. The method of claim 61, wherein the resource request information includes:
    - an identification of a resource type;
      
      an identification of a resource;
      
      an identification of an operation; and
      
      query string information.
  - 68. The method of claim 61, wherein the resource request information includes:
    - an identification of a resource type;
      
      an identification of a resource;
      
      an identification of an operation; and
      
      post data information.
  - 69. The method of claim 61, wherein the attempt to authorize is based on the user session state information and the resource request information.
  - 70. The method of claim 61, further comprising:
    - creating a resource request object, the resource request object represents a request to access the first resource; and
      
      creating a user session object, the user session object represents the first user after the first user has been authenticated.
  - 71. The method of claim 61, further comprising:
    - determining whether the first resource is protected;
      
      determining an authentication scheme for the first resource; and
      
      determining whether the authentication scheme is satisfied based on the user session state information.
  - 72. The method of claim 71, further comprising:
    - making available to the application without a web agent front end an indication of whether the first resource is protected; and
      
      making available to the application without a web agent front end an indication of the authentication scheme.
  - 73. The method of claim 61, further comprising determining one or more authentication actions for the first resource.
  - 74. The method of claim 73, further comprising making available to the application without a web agent front end an indication of the one or more authentication actions for the first resource.
  - 75. The method of claim 73, further comprising performing at least one of the authentication actions for the first resource.
  - 76. The method of claim 61, further comprising determining one or more authorization actions for the first resource.
  - 77. The method of claim 76, further comprising making available to the application without a web agent front end an indication of the one or more authorization actions for the first resource.
  - 78. The method of claim 76, further comprising performing at least one of the authorization actions for the first resource.
  - 79. The method of claim 61, further comprising determining one or more audit rules for the first resource.
  - 80. The method of claim 79, further comprising making available to the application without a web agent front end an indication of the one or more audit rules for the first resource.
  - 81. The method of claim 79, further comprising performing at least one of the audit rules for the first resource.
  - 82. The method of claim 61, further comprising allowing the first user to access the first resource if the first user is authorized to access the first resource.

83. One or more processor readable storage devices having processor readable code embodied on the processor readable storage devices, the processor readable code for programming one or more processors to perform a method comprising:
- receiving user session state information for a first user, the user session state information is from an application without a web agent front end, the user session state information is from a cookie stored on a client for the first user, the user session state information is encrypted, and receiving the user session state information includes decrypting the user session state information;
  
  receiving a request to authorize the first user to access a first resource, the request to authorize is from the application without a web agent front end;
  
  providing authorization services to the application without a web agent front end in an attempt to authorize the first user to access the first resource without requiring the first user to re-submit authentication credentials;
  
  receiving a request from the application without a web agent front end for unencrypted data from the user session state information; and
  
  providing the unencrypted data from the user session state information to the application without a web agent front end, the application without a web agent front end does not have access to a key to decrypt the user session state information.
- View Dependent Claims (84, 85, 86, 87)
- - 84. One or more processor readable storage devices according to claim 83, wherein:
    - the session state information was created by an access system; and
      
      the access system attempts to authorize the first user.
  - 85. One or more processor readable storage devices according to claim 83, wherein the method further comprises:
    - determining whether the first resource is protected;
      
      determining an authentication scheme for the first resource;
      
      determining whether the authentication scheme is satisfied based on the user session state information;
      
      making available to the application without a web agent front end an indication of whether the first resource is protected; and
      
      making available to the application without a web agent front end an indication of the authentication scheme.
  - 86. One or more processor readable storage devices according to claim 83, wherein the method further comprises:
    - determining one or more authorization actions for the first resource; and
      
      making available to the application without a web agent front end an indication of the one or more authorization actions for the first resource.
  - 87. One or more processor readable storage devices according to claim 83, further comprising:
    - allowing the first user to access the first resource if the first user is authorized to access the first resource.

88. A system comprising:
- a client;
  
  at least one application without a web agent front end adapted to receive a request from the client for a first user to access a first resource, the request includes information from a cookie wherein the information from the cookie is encrypted and the application without a web agent front end does not have access to a key for decrypting the information from the cookie;
  
  an access server adapted to provide authorization services for requests to access the first resource wherein the access server is adapted to receive the information from the cookie and a request from the at least one application without a web agent front end to authorize the first user to access the first resource, provide the authorization services to the at least one application without a web agent front end by attempting to authorize the first user to access the first resource based on information from the request from the first user and based on the information from the cookie wherein the application without a web agent front end requests unencrypted data from the information from the cookie and the application without a web agent front end receives the unencrypted data uses the unencrypted data for an access system service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Gupta, Minoo, Knouse, Charles

Granted Patent

US 7,458,096 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 67/14   Session management for real...

H04L 67/142   Managing session states for...

H04L 67/146   Markers for unambiguous ide...

Access system interface

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

88 Claims

Specification

Solutions

Use Cases

Quick Links

Access system interface

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

88 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links