Dynamic Cache Lookup Based on Dynamic Data
Abstract
A system and method for tracking user security credentials in a distributed computing environment. The security credentials of an authenticated user include not just his unique user identifier, but also a set of security attributes such as the time of authentication, the location from which the user authenticated (i.e., intranet user v. internet user), the authentication strength, and so on. The security attributes are used in access control decisions: the same user can be given different authorization if he has a different security attribute value. Security credentials may be generated either by WebSphere security code or by third party security provider code. This invention stores the user credentials in a distributed cache and provides a system and method to compute, from the dynamic security credentials, the unique key used for cache lookup.
16 Citations
27 Claims
1-7. (canceled)

8. A system for authenticating a user, comprising:

a server in a computer network, the server comprising:
means for receiving an access request by a login user;
means for authenticating the login user based on security credentials forwarded by the login user and for sending a token back to the login user, wherein the token comprises a single sign-on token and contains the security credentials forwarded by the login user;
means for receiving a later access request by the login user, the later access request including the token;
means for generating a unique lookup key using the token, the unique lookup key comprising a one-way hash of unique security attributes, wherein the unique security attributes comprise static security attributes including an accessID, and dynamic security attributes including a login time and a login location, and wherein the dynamic security attributes are selected based on a login module;
means for using the generated unique lookup key to find security credentials of the login user in a distributed cache; and
means for granting the later access request by granting access rights to the login user according to the security credentials in the distributed cache, wherein the security credentials in the distributed cache vary according to both the static security attributes and the dynamic security attributes, such that the login user having the same static security attributes is granted different access rights according to differences in the dynamic security attributes.

Dependent claims: 12, 14.

9-11. (canceled)

13. (canceled)

15. (canceled)

16. (canceled)

17. A computer program product in a tangible computer readable storage medium, the computer program product comprising:

first instructions for a server in a computer network to receive an access request by a login user;
second instructions for the server to authenticate the login user based on security credentials forwarded by the login user and to send a token back to the login user, wherein the token comprises a single sign-on token and contains the security credentials forwarded by the login user;
third instructions for the server to receive a later access request by the login user, the later access request including the token;
fourth instructions for the server to generate a unique lookup key using the token, the unique lookup key comprising a one-way hash of unique security attributes, wherein the unique security attributes comprise static security attributes including an accessID, and dynamic security attributes including a login time and a login location, and wherein the dynamic security attributes are selected based on a login module;
fifth instructions for the server to use the generated unique lookup key to find security credentials of the login user in a distributed cache; and
sixth instructions for the server to grant the later access request by granting access rights to the login user according to the security credentials in the distributed cache, wherein the security credentials in the distributed cache vary according to both the static security attributes and the dynamic security attributes, such that the login user having the same static security attributes is granted different access rights according to differences in the dynamic security attributes.

Dependent claims: 21, 22.

18-20. (canceled)

23. (canceled)

24. A method of caching authentication data on a computer network, comprising the steps of:

receiving an access request by a third party security provider from a login user;
collecting, by the third party security provider, authentication data and dynamic security attributes from the login user;
authenticating, by the third party security provider, the login user based on the authentication data and the dynamic security attributes;
receiving by a login configuration module the authentication data and the dynamic security attributes;
creating by a login module a plurality of tokens based on the authentication data and the dynamic security attributes received by the login module; and
creating by the login module a unique key for a distributed cache lookup.

Dependent claims: 25, 26, 27.
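The key derivation the claims describe, as an added illustration that is not code from the patent or from WebSphere: the static accessID and the dynamic attributes chosen by the login module are length-prefixed and hashed with SHA-256 into the cache key, so the same user arriving from the intranet and from the internet resolves to different cached credentials. The module names, attribute names and sample rights are constructed for the example.

```python
import hashlib
from typing import Dict, Iterable, Optional, Tuple

# Dynamic security attributes each login module contributes to the key
# (constructed module names; the claims only say the selection is per login module).
DYNAMIC_ATTRS_BY_MODULE = {
    "time_only": ("login_time",),
    "location_aware": ("login_time", "login_location"),
}


def _canonical(fields: Iterable[str]) -> bytes:
    """Length-prefix every field so ("ab", "c") and ("a", "bc") cannot hash alike."""
    out = bytearray()
    for f in fields:
        raw = f.encode("utf-8")
        out += len(raw).to_bytes(4, "big") + raw
    return bytes(out)


def lookup_key(access_id: str, attrs: Dict[str, str], login_module: str) -> str:
    """One-way hash of the static accessID plus the module-selected dynamic attributes."""
    fields = ["accessID", access_id]
    for name in DYNAMIC_ATTRS_BY_MODULE[login_module]:
        fields += [name, attrs[name]]  # KeyError if the token lacks a required attribute
    return hashlib.sha256(_canonical(fields)).hexdigest()


class CredentialCache:
    """Stand-in for the distributed cache: key -> (accessID, granted rights)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, frozenset]] = {}

    def store(self, key: str, access_id: str, rights: Iterable[str]) -> None:
        self._entries[key] = (access_id, frozenset(rights))

    def rights_for(self, key: str) -> Optional[frozenset]:
        entry = self._entries.get(key)
        return None if entry is None else entry[1]


def authenticate(cache: CredentialCache, access_id: str, attrs: Dict[str, str],
                 login_module: str, rights: Iterable[str]) -> Dict[str, str]:
    """Initial login: cache the credentials under the derived key and return the token."""
    cache.store(lookup_key(access_id, attrs, login_module), access_id, rights)
    return dict(attrs, accessID=access_id)  # token carries the attributes needed to rebuild the key


def rights_on_later_request(cache: CredentialCache, token: Dict[str, str],
                            login_module: str) -> Optional[frozenset]:
    """Later request: recompute the key from the token and look the credentials up."""
    return cache.rights_for(lookup_key(token["accessID"], token, login_module))
```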
Specification