Method and apparatus for providing access to an application-resource

US 20080148351A1
Filed: 12/18/2006
Published: 06/19/2008
Est. Priority Date: 12/18/2006
Status: Active Grant

First Claim

Patent Images

1. A method for providing access to an application-resource, comprising:

receiving a request to access an application-resource associated with an application, wherein the request is received at an application-server that hosts the application;

determining an authentication-level required to access the application-resource;

sending the required authentication-level to an authentication-server;

in response to sending the required authentication-level, receiving an authentication-response from the authentication-server;

determining if the authentication-response specifies that the user is authenticated to access the application-resource; and

if so, granting the user access to the application-resource.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention provides a system that provides access to an application-resource. During operation, the system receives a request to access an application-resource associated with an application, wherein the request is received at an application-server that hosts the application. The system then determines an authentication-level required to access the application-resource. Next, the system sends the required authentication-level to an authentication-server. In response, the system receives an authentication-response from the authentication-server. Next, the system determines if the authentication-response specifies that the user is authenticated to access the application-resource. If so, the system grants the user access to the application-resource.

One embodiment of the present invention provides a system that provides an authentication-token associated with a lower authentication-level in response to an authentication-token associated with a higher authentication-level expiring. Note that the lower authentication-level meets or exceeds a required authentication-level and does not require a user to re-authenticate.

109 Citations

32 Claims

1. A method for providing access to an application-resource, comprising:
- receiving a request to access an application-resource associated with an application, wherein the request is received at an application-server that hosts the application;
  
  determining an authentication-level required to access the application-resource;
  
  sending the required authentication-level to an authentication-server;
  
  in response to sending the required authentication-level, receiving an authentication-response from the authentication-server;
  
  determining if the authentication-response specifies that the user is authenticated to access the application-resource; and
  
  if so, granting the user access to the application-resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the application-resource can include:
    - a set of data;
      
      an application-screen;
      
      a set of operations supported by the application; and
      
      the application.
  - 3. The method of claim 1, wherein receiving the authentication-response involves receiving an authentication-token, which can include:
    - a user authentication-level, which specifies a level of authentication for a user associated with the request;
      
      an expiration time, which specifies when the user authentication-level expires; and
      
      an authentication-criteria indicator, which specifies authentication-criteria used to authenticate the user.
  - 4. The method of claim 3, further comprising saving the authentication-token, thereby enabling the application to determine the user authentication-level without contacting the authentication-server again.
  - 5. The method of claim 4, wherein upon receiving a subsequent request to access a second application-resource, the method further comprises:
    - determining if the user authentication-level matches a second authentication-level required to access the second application-resource;
      
      if so, granting the user access to the second application-resource; and
      
      if not,sending the required second authentication-level to the authentication-server;
      
      in response to sending the required second authentication-level, receiving a second authentication-response from the authentication-server; and
      
      if the second authentication-response specifies that the user is authenticated to access the second application-resource, granting the user access to the second application-resource.
  - 6. The method of claim 5, wherein determining if the user authentication-level matches the required second authentication-level involves determining if the expiration time has not been reached.
  - 7. The method of claim 3, wherein the authentication-criteria can include:
    - a user name/password pair;
      
      a digital certificate;
      
      a cryptographic key;
      
      a hardware-token; and
      
      a biometric identifier.

8. A method for providing fine-grained multi-level dynamic authentication, comprising:
- receiving an authentication-request token at an authentication-server, wherein the authentication-request token is received from an application-server;
  
  identifying a set of authentication-criteria associated with the authentication-request token;
  
  requesting the set of authentication-criteria from a user associated with the authentication-request token to determine a user authentication-level;
  
  creating an authentication-token associated with the user authentication-level; and
  
  sending the authentication-token to the application-server.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8, wherein the authentication-request token can include:
    - a user identifier, which identifies the user;
      
      an authentication-criteria selection, which specifies the authentication-criteria with which to authenticate the user; and
      
      an authentication-level requirement, which specifies a level of authentication required to access an application-resource associated with the application-server.
  - 10. The method of claim 8, wherein the authentication-token can include:
    - the user authentication-level;
      
      an expiration time, which specifies when the user authentication-level expires; and
      
      an authentication-criteria indicator, which specifies the authentication-criteria used to authenticate the user.
  - 11. The method of claim 8, further comprising saving the authentication-token at the authentication-server, which enables the authentication-server to determine a second user authentication-level associated with the user without contacting the user again.
  - 12. The method of claim 11, wherein after receiving the second authentication-request token, the method further comprises:
    - comparing the user authentication-level to a required second authentication-level associated with the second authentication-request token; and
      
      if the user authentication-level is lower than the required second authentication-level, proceeding with identifying a second set of authentication-criteria associated with the second authentication-request token.
  - 13. The method of claim 12, wherein if the user authentication-level matches the required second authentication-level, the method further comprises:
    - determining if the expiration time has been reached,if not, sending the authentication-token to the application-server, andif so, proceeding with identifying the second set of authentication-criteria associated with the second authentication-request token.
  - 14. The method of claim 12, wherein if the user authentication-level is greater than the second authentication-level requirement, the method further comprises:
    - determining if the expiration time has been reached,if not, sending the authentication-token to the application-server, andif so, determining if an unexpired authentication-level exists which is lower than the user authentication-level and is greater than or equal to the second authentication-level requirement,if so, sending a second authentication-token associated with the authentication-level to the application-server, andif not, proceeding with identifying the second set of authentication-criteria associated with the second authentication-request token.
  - 15. The method of claim 8, wherein the authentication-criteria can include:
    - a user name/password pair;
      
      a digital certificate;
      
      a cryptographic key;
      
      a hardware-token; and
      
      a biometric identifier.

16. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for providing access to an application-resource, wherein the method further comprises:
- receiving a request to access an application-resource associated with an application, wherein the request is received at an application-server that hosts the application;
  
  determining an authentication-level required to access the application-resource;
  
  sending the required authentication-level to an authentication-server;
  
  in response to sending the required authentication-level, receiving an authentication-response from the authentication-server;
  
  determining if the authentication-response specifies that the user is authenticated to access the application-resource; and
  
  if so, granting the user access to the application-resource.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The computer-readable storage medium of claim 16, wherein the application-resource can include:
    - a set of data;
      
      an application-screen;
      
      a set of operations supported by the application; and
      
      the application.
  - 18. The computer-readable storage medium of claim 16, wherein receiving the authentication-response involves receiving an authentication-token, which can include:
    - a user authentication-level, which specifies a level of authentication for a user associated with the request;
      
      an expiration time, which specifies when the user authentication-level expires; and
      
      an authentication-criteria indicator, which specifies authentication-criteria used to authenticate the user.
  - 19. The computer-readable storage medium of claim 18, wherein the method further comprises saving the authentication-token, thereby enabling the application to determine the user authentication-level without contacting the authentication-server again.
  - 20. The computer-readable storage medium of claim 19, wherein upon receiving a subsequent request to access a second application-resource, the method further comprises:
    - determining if the user authentication-level matches a second authentication-level required to access the second application-resource;
      
      if so, granting the user access to the second application-resource; and
      
      if not,sending the required second authentication-level to the authentication-server;
      
      in response to sending the required second authentication-level, receiving a second authentication-response from the authentication-server; and
      
      if the second authentication-response specifies that the user is authenticated to access the second application-resource, granting the user access to the second application-resource.
  - 21. The computer-readable storage medium of claim 20, wherein determining if the user authentication-level matches the required second authentication-level involves determining if the expiration time has not been reached.
  - 22. The computer-readable storage medium of claim 19, wherein the authentication-criteria can include:
    - a user name/password pair;
      
      a digital certificate;
      
      a cryptographic key;
      
      a hardware-token; and
      
      a biometric identifier.

23. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for providing fine-grained multi-level dynamic authentication, wherein the method comprises:
- receiving an authentication-request token at an authentication-server, wherein the authentication-request token is received from an application-server;
  
  identifying a set of authentication-criteria associated with the authentication-request token;
  
  requesting the set of authentication-criteria from a user associated with the authentication-request token to determine a user authentication-level;
  
  creating an authentication-token associated with the user authentication-level; and
  
  sending the authentication-token to the application-server.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The computer-readable storage medium of claim 23, wherein the authentication-request token can include:
    - a user identifier, which identifies the user;
      
      an authentication-criteria selection, which specifies the authentication-criteria with which to authenticate the user; and
      
      an authentication-level requirement, which specifies a level of authentication required to access an application-resource associated with the application-server.
  - 25. The computer-readable storage medium of claim 23, wherein the authentication-token can include:
    - the user authentication-level;
      
      an expiration time, which specifies when the user authentication-level expires; and
      
      an authentication-criteria indicator, which specifies the authentication-criteria used to authenticate the user.
  - 26. The computer-readable storage medium of claim 23, wherein the method further comprises saving the authentication-token at the authentication-server, which enables the authentication-server to determine a second user authentication-level associated with the user without contacting the user again.
  - 27. The computer-readable storage medium of claim 26, wherein after receiving the second authentication-request token, the method further comprises:
    - comparing the user authentication-level to a required second authentication-level associated with the second authentication-request token; and
      
      if the user authentication-level is lower than the required second authentication-level, proceeding with identifying a second set of authentication-criteria associated with the second authentication-request token.
  - 28. The computer-readable storage medium of claim 27, wherein if the user authentication-level matches the required second authentication-level, the method further comprises:
    - determining if the expiration time has been reached,if not, sending the authentication-token to the application-server, andif so, proceeding with identifying the second set of authentication-criteria associated with the second authentication-request token.
  - 29. The computer-readable storage medium of claim 27, wherein if the user authentication-level is greater than the second authentication-level requirement, the method further comprises:
    - determining if the expiration time has been reached,if not, sending the authentication-token to the application-server, andif so, determining if an unexpired authentication-level exists which is lower than the user authentication-level and is greater than or equal to the second authentication-level requirement,if so, sending a second authentication-token associated with the authentication-level to the application-server, andif not, proceeding with identifying the second set of authentication-criteria associated with the second authentication-request token.
  - 30. The computer-readable storage medium of claim 23, wherein the authentication-criteria can include:
    - a user name/password pair;
      
      a digital certificate;
      
      a cryptographic key;
      
      a hardware-token; and
      
      a biometric identifier.

31. An apparatus that provides access to an application-resource, comprising:
- a receiving mechanism configured to receive a request to access an application-resource associated with an application, wherein the request is received at an application-server that hosts the application;
  
  a determination mechanism configured to determine an authentication-level required to access the application-resource;
  
  a sending mechanism configured to send the required authentication-level to an authentication-server;
  
  the receiving mechanism further configured to receive an authentication-response from the authentication-server;
  
  the determination mechanism further configured to determine if the authentication-response specifies that the user is authenticated to access the application-resource; and
  
  a granting mechanism configured to grant the user access to the application-resource.

32. An apparatus that provides fine-grained multi-level dynamic authentication, comprising:
- a receiving mechanism configured to receive an authentication-request token at an authentication-server, wherein the authentication-request token is received from an application-server;
  
  an identification mechanism configured to identify a set of authentication-criteria associated with the authentication-request token;
  
  a requesting mechanism configured to request the set of authentication-criteria from a user associated with the authentication-request token to determine a user authentication-level;
  
  a creation mechanism configured to create an authentication-token associated with the user authentication-level; and
  
  a sending mechanism configured to send the authentication-token to the application-server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Bhatia, Gaurav, Wilson, David, Biswas, Kamalendu

Granted Patent

US 8,032,922 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/2
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2113   Multi-level security, e.g. ...

G06F 2221/2137   Time limited access, e.g. t...

Method and apparatus for providing access to an application-resource

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing access to an application-resource

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links