CONTROLLING ACCESS OF A CLIENT SYSTEM TO ACCESS PROTECTED REMOTE RESOURCES SUPPORTING RELATIVE URLS

US 20090217354A1
Filed: 02/25/2009
Published: 08/27/2009
Est. Priority Date: 02/27/2008
Status: Active Grant

First Claim

Patent Images

1. A method for controlling access of a client system to access protected remote resources comprising:

receiving a response from an access protected remote resource in response to a client request to said access protected remote resource, wherein said access protected remote resource is configured in such a way that a client system is not allowed to directly access said access protected remote resource but all client requests are rerouted via a web application which is authorized to access said access protected remote resource;

identifying in said response all references that are defined by absolute URLS and point to access protected remote resources;

generating a rewritten URL for each original URL of said identified reference to an access protected remote resource by;

splitting the original URL into a base part and a resource part;

generating an authentication identifier by applying an authentication method to at least said base part; and

concatenating the URL of said web application, the base part, authentication identifier, and resource part;

replacing the original URL of said references contained in said response by said rewritten URL including said authentication identifier; and

sending said response including rewritten URL and authentication identifier to said client system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A response can be received from an access protected remote resource in response to a client request to the access protected remote resource. The access protected remote resource is configured in such a way that the client system is not allowed to directly access the access protected remote resource but all client requests are rerouted via the web application which is authorized to access the access protected remote resource. All references that are defined by absolute URLS and point to access protected remote resources can be identified within responses. A rewritten URL replaces each original URL of the identified reference to an access protected remote resource. Generation of the rewritten URL can occur by splitting the original URL into a base part and a resource part, by generating an authentication identifier by applying an authentication method to at least the base part, and by concatenating the URL of the web application, the base part, authentication identifier, and resource part. The original URL of the references contained in the response can be replaced by the rewritten URL including the authentication identifier. The response including rewritten URL and authentication identifier can be sent to the client system. When the client system triggers said rewritten URL, the web application extracts the base part and authentication identifier from the URL and verifies the authentication identifier by applying the same authentication method on the base part in order to ensure that the base part has not been changed. Only if the authentication identifier is verified correctly, the web application builds the full resource URL from the rewritten URL and returns the respective resource to the client system.

56 Citations

View as Search Results

20 Claims

1. A method for controlling access of a client system to access protected remote resources comprising:
- receiving a response from an access protected remote resource in response to a client request to said access protected remote resource, wherein said access protected remote resource is configured in such a way that a client system is not allowed to directly access said access protected remote resource but all client requests are rerouted via a web application which is authorized to access said access protected remote resource;
  
  identifying in said response all references that are defined by absolute URLS and point to access protected remote resources;
  
  generating a rewritten URL for each original URL of said identified reference to an access protected remote resource by;
  
  splitting the original URL into a base part and a resource part;
  
  generating an authentication identifier by applying an authentication method to at least said base part; and
  
  concatenating the URL of said web application, the base part, authentication identifier, and resource part;
  
  replacing the original URL of said references contained in said response by said rewritten URL including said authentication identifier; and
  
  sending said response including rewritten URL and authentication identifier to said client system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, further comprising the steps of:
    - said web application receiving a client request with a request URL, extracting from said request URL the base part, the authentication identifier, and the resource part;
      
      applying an authentication validation to said base part for determination whether said base part has not been changed; and
      
      ,creating the URL of the remote resource by concatenating the base part and the resource part and granting access to said access protected remote resource only when the authentication validation succeeded.
  - 3. The method according to claim 1, wherein said web application is a portal application.
  - 4. The method according to claim 1, wherein said access protected remote resource is protected by a firewall.
  - 5. The method according to claim 1, wherein said response contains content in a markup language.
  - 6. The method according to claim 1, wherein said authentication method is applied to the base part and a set of parameters.
  - 7. The method according to claim 6, wherein said set of parameters is derived from the resource part.
  - 8. The method according to claim 6, wherein said set of parameters is provided by the web application.
  - 9. The method according to claim 1, wherein said authentication method uses a HASH algorithm.
  - 10. The method according to claim 1, wherein said authentication method uses a secret key.
  - 11. The method according to claim 1, wherein said authentication method uses a secret key and a HASH algorithm.
  - 12. The method according to claim 1, wherein said authentication method uses an encryption method.
  - 13. The method according to claim 1, wherein said authentication identifier is extended by at least one of a nonce and a timestamp.
  - 14. The method according to claim 1, wherein at least one of said base part and the authentication identifier is at least one of encoded and compressed before concatenation.
  - 15. The method according to claim 2, wherein said web application is configured to selectively reject access to a particular protected remote resource depending on the resource part according to the decision of an additional configuration module despite a successful validation of the authentication identifier.

16. A server system in a client-server environment comprising:
- a Web application running on said server system in a client-server environment;
  
  a communication link to a client system;
  
  a communication link to an access protected remote resource allowing communication of said Web application with said access protected remote resource;
  
  a rewriter proxy for identifying references to absolute URLs in said response from said access protected remote resource pointing to access protected remote resources, generating a rewritten URL for each such reference including the URL of said rewriter proxy and replacing the original URL of said reference in said response by said rewritten URL;
  
  a URL utility module for splitting the original URL into a base part and a resource part and concatenating the base part, an authentication identifier, and the resource part to the rewritten URL before the original URL is replaced by said rewritten URL, and for splitting each URL of each client request into the base part, the authentication identifier, and the resource part to validate the authentication identifier for at least the base part and create the URL of the remote resource from the base part and the resource part; and
  
  a security module for generating an authentication identifier by applying an authentication method to at least said base part and returning said authentication identifier to said URL utility module, and for validating the authentication identifier for at least the base part, returning the validation result to the URL utility module, wherein said Web application provides said response including said rewritten URLs to said client system.
- View Dependent Claims (17, 18, 19)
- - 17. The server system according to claim 16, wherein said web application is a portal application.
  - 18. The server system according to claim 16, wherein rewriter proxy, said URL utility module, and said security module are integrated part of said portal application.
  - 19. The server system according to claim 16, wherein said rewriter proxy, said URL utility module, and said security module are implemented in said portal application as a single portlet or integrated portlet.

20. A computer program product stored on a computer usable medium comprising computer readable program which when executed on a computer cause said computer to:
- receive response from an access protected remote resource in response to a client request to said access protected remote resource, wherein said access protected remote resource is configured in such a way that a client system is not allowed to directly access said access protected remote resource but all client requests are rerouted via a web application which is authorized to access said access protected remote resource;
  
  identify in said response all references that are defined by absolute URLS and point to access protected remote resources;
  
  generate a rewritten URL for each original URL of said identified reference to an access protected remote resource by;
  
  splitting the original URL into a base part and a resource part;
  
  generating an authentication identifier by applying an authentication method to at least said base part; and
  
  concatenating the URL of said web application, the base part, authentication identifier, and resource part;
  
  replace the original URL of said references contained in said response by said rewritten URL including said authentication identifier; and
  
  send said response including rewritten URL and authentication identifier to said client system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
THEN, OLIVER, BLUM, DANIEL, JACOB, RICHARD, BUCHWALD, JAN PAUL, KUSSMAUL, TIMO

Granted Patent

US 8,365,271 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/3
CPC Class Codes

H04L 61/30   Managing network names, e.g...

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

H04L 67/563   Data redirection of data ne...

H04L 67/565   Conversion or adaptation of...

CONTROLLING ACCESS OF A CLIENT SYSTEM TO ACCESS PROTECTED REMOTE RESOURCES SUPPORTING RELATIVE URLS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

56 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CONTROLLING ACCESS OF A CLIENT SYSTEM TO ACCESS PROTECTED REMOTE RESOURCES SUPPORTING RELATIVE URLS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links