Authorizing service requests in multi-tiered applications

US 20070255841A1
Filed: 04/28/2006
Published: 11/01/2007
Est. Priority Date: 04/28/2006
Status: Active Grant

First Claim

Patent Images

1. At an upstream service in a computerized environment in which the upstream service and one or more downstream services comprise a multi-tiered application system, a method of proving authority to communicate with the one or more downstream services, comprising the acts of:

receiving an end-user request at an upstream service for one or more actions to be performed by a multi-tiered application system;

determining that the end-user request involves an action to be performed by a downstream service;

requesting one or more security tokens from a security token service, wherein the one or more security tokens identify the upstream service;

creating a secure communication channel with the downstream service using at least one of the one or more security tokens, wherein the upstream service proves authority to communicate with the downstream service as a trusted subsystem; and

sending the end-user request to the downstream service over the secure communication channel.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Services of a multi-tier application can authorize (e.g., including authenticating) each other with one or more service access tokens provided by a security token service. In one implementation, an end-user can authenticate with the security token service to obtain one or more security tokens for communicating with an upstream application service. Requests that involve further processing from downstream services of the application can also involve service authorization/authentication measures. Thus, the upstream application service can also authenticate with the security token service to obtain one or more security tokens, such as a session token, and a service access token. The service access token for the upstream service can also include one or more signed policy settings. The upstream service can then use the one or more security tokens to prove authority to communicate with a downstream service in accordance with the policy settings.

51 Citations

View as Search Results

20 Claims

1. At an upstream service in a computerized environment in which the upstream service and one or more downstream services comprise a multi-tiered application system, a method of proving authority to communicate with the one or more downstream services, comprising the acts of:
- receiving an end-user request at an upstream service for one or more actions to be performed by a multi-tiered application system;
  
  determining that the end-user request involves an action to be performed by a downstream service;
  
  requesting one or more security tokens from a security token service, wherein the one or more security tokens identify the upstream service;
  
  creating a secure communication channel with the downstream service using at least one of the one or more security tokens, wherein the upstream service proves authority to communicate with the downstream service as a trusted subsystem; and
  
  sending the end-user request to the downstream service over the secure communication channel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, wherein the end-user request comprises one or more different security tokens that identify the end-user, the one or more different security tokens including any one or more of a session token and a service access token for the end-user.
  - 3. The method as recited in claim 1, wherein the one or more security tokens requested from the security token service comprise a session token and a service access token for the upstream service.
  - 4. The method as recited in claim 3, wherein creating the secure communication channel further comprises an act of exchanging one or more session keys with the downstream service.
  - 5. The method as recited in claim 4, further comprising an act of sending one or more identity claims with application data transmitted to the downstream service.
  - 6. The method as recited in claim 4, further comprising an act of signing the one or more identity claims with one of the one or more exchanged session keys.
  - 7. The method as recited in claim 4, further comprising an act of encrypting at least a portion of the application data with an encryption key derived from one of the one or more exchanged session keys.
  - 8. The method as recited in claim 3, wherein the act of requesting one or more security tokens further comprises the acts of:
    - requesting a session token from the security token service, the request including authentication information for the upstream service; and
      
      requesting a service access token from the security token service, wherein the request for the service access token includes the session token previously requested from the security token service.
  - 9. The method as recited in claim 8, wherein the service access token comprises one or more trusted subsystem claims.
  - 10. The method as recited in claim 9, wherein the one or more trusted subsystem claims have been signed by the security token service, such that a different party is prevented from modifying the one or more trusted subsystem claims.
  - 11. The method as recited in claim 9, wherein the one or more trusted subsystem claims comprise one or more policy settings for any one or more of the upstream service or downstream service, wherein the one or more policy settings limit access by the upstream service to the downstream service.

12. At a downstream service in a computerized environment in which the downstream service and one or more upstream services comprise a multi-tiered application system, a method of authorizing and/or authenticating communications from the one or more upstream services, comprising the acts of:
- establishing a secure communication channel with an upstream service;
  
  receiving a request from the upstream service to process data, wherein the request includes at least one identifier of the upstream service;
  
  determining that the at least one identifier proves authority to make the request based on one or more policy settings; and
  
  returning a result to the upstream service over the secure communication channel, wherein the result is processed based on authority provided from the at least one identifier for the upstream service.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The method as recited in claim 12, further comprising an act of decrypting at least a portion of the request received from the upstream service using one or more previously exchanged session keys.
  - 14. The method as recited in claim 12, further comprising an act of receiving one or more security tokens from the upstream service, the one or more security tokens including the at least one identifier and the one or more policy settings.
  - 15. The method as recited in claim 14, wherein the one or more security tokens are provided to the upstream service by a security token service, the one or more security tokens including a session token and a service access token.
  - 16. The method as recited in claim 15, further comprising the acts of:
    - receiving the service access token from the upstream service; and
      
      identifying the at least one identifier and the one or more policy settings within a signed trusted subsystem claim of the service access token.
  - 17. The method as recited in claim 16, further comprising the acts of:
    - caching the trusted subsystem claim;
      
      receiving one or more different requests from the upstream service to process data; and
      
      authorizing the upstream service based on the cached trusted subsystem claim.
  - 18. The method as recited in claim 12, further comprising the acts of:
    - receiving one or more identity claims from the upstream service; and
      
      verifying the presence of a signature associated with the one or more identity claims;
      
      wherein the signature is provided by one of the upstream service, an end-user, or a security token service.
  - 19. The method as recited in claim 18, further comprising an act of verifying that the upstream service is authorized to send the one or more identity claims at least in part by identifying a trusted subsystem claim sent by the upstream service.

20. At an upstream service in a computerized environment in which the upstream service and one or more downstream services comprise a multi-tiered application system, a computer program product having computer-executable instructions stored thereon that, when executed, cause one or more processors to perform a method of proving authority to communicate with the one or more downstream services, comprising the acts of:
- receiving an end-user request at an upstream service for one or more actions to be performed by a multi-tiered application system;
  
  determining that the end-user request involves an action to be performed by a downstream service;
  
  requesting one or more security tokens from a security token service, wherein the one or more security tokens identify the upstream service;
  
  creating a secure communication channel with the downstream service using at least one of the one or more security tokens, wherein the upstream service proves authority to communicate with the downstream service as a trusted subsystem; and
  
  sending the end-user request to the downstream service over the secure communication channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chong, Frederick

Granted Patent

US 8,161,164 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/0807 using tickets, e.g. Kerbero...

Authorizing service requests in multi-tiered applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Authorizing service requests in multi-tiered applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links