TECHNIQUES FOR MANAGING COMMUNICATION SESSIONS

US 20100088698A1
Filed: 10/03/2008
Published: 04/08/2010
Est. Priority Date: 10/03/2008
Status: Abandoned Application

First Claim

Patent Images

1. A machine-implemented method, comprising:

detecting an access authorization received from an identity service, wherein the access authorization is generated by the identity service in response to a request issued by a principal for access to a protected resource and the request is initially handled by a first virtual machine that redirected the request to the identity service for authentication; and

broadcasting the access authorization within a secure network, the secure network includes the first virtual machine and second virtual machines, the first virtual machine and each of the second virtual machines capable of servicing the request for access to the protected resource, and wherein the access authorization includes a first virtual machine identifier and a first virtual machine assigned session identifier to uniquely identify a communication session between the principal and the protected resource that is to be initially handled by the first virtual machine.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for managing communication sessions are provided. Secure communication sessions are authenticated via a third-party service and the authenticated responses are broadcasts to multiple virtual machines within a secure network. Each session associated with a principal that is accessing a protected resource of the secure network. The virtual machines assume ownership roles and backup roles for managing the communication session to provide failover support for the communication sessions and in some instances load balancing of the communication sessions.

234 Citations

24 Claims

1. A machine-implemented method, comprising:
- detecting an access authorization received from an identity service, wherein the access authorization is generated by the identity service in response to a request issued by a principal for access to a protected resource and the request is initially handled by a first virtual machine that redirected the request to the identity service for authentication; and
  
  broadcasting the access authorization within a secure network, the secure network includes the first virtual machine and second virtual machines, the first virtual machine and each of the second virtual machines capable of servicing the request for access to the protected resource, and wherein the access authorization includes a first virtual machine identifier and a first virtual machine assigned session identifier to uniquely identify a communication session between the principal and the protected resource that is to be initially handled by the first virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising, processing the method as a Transmission Control Protocol (TCP) socket listener service on a gateway of the secure network.
  - 3. The method of claim 2, wherein broadcasting further includes broadcasting the access authorization and the request within the secure network to a plurality of UNIX datagram socket listeners, each UNIX datagram socket listener processing on a unique one of the virtual machines.
  - 4. The method of claim 3 further comprising recognizing the first virtual machine and each of the second virtual machines as virtual machines accessible to the gateway for servicing the request and to provide failover support for the request in the event that the first virtual machine fails to handle the request for the principal.
  - 5. The method of claim 1, wherein detecting further includes recognizing the request as a World-Wide Web (WWW) browser activated link that is directed to the protected resource, wherein the principal is a user of the WWW browser and the protected resource is a WWW page that the user is attempting to access.
  - 6. The method of claim 1, wherein detecting further includes listening on a common communication back channel within the secure network for the access authorization, wherein the common communication back channel is used by the identity service to provide authentication notifications to requesters.
  - 7. The method of claim 6, wherein listening further includes listening on a gateway device used to communicate with the identity service from the secure network.

8. A machine-implemented method, comprising:
- receiving a request from a principal to access a protected resource on a first virtual machine of a secure network;
  
  producing session authentication information for a communication session between the principal and the protected resource, wherein the session authentication information includes a session identifier for the communication session and a first virtual machine identifier for the first virtual machine that is to handle the communication session once the request is properly authenticated for access to the protected resource; and
  
  redirecting the request with the session authentication information to an identity service for authentication.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8 further comprising, receiving a broadcast message over the secure network that includes an authentication response from the identity service and the session authentication information and matching the session authentication information in the broadcast message with the session authentication information originally produced and in response thereto initiating an active communication session between the principal and the protected resource on the first virtual machine.
  - 10. The method of claim 9, wherein matching further includes changing an attribute for the communication session from a pending value to an active value.
  - 11. The method of claim 8, wherein receiving further includes identifying the principal as a user that is using a World-Wide Web (WWW) browser to access a protected page of the secure network, wherein the protected page is the protected resource.
  - 12. The method of claim 11, wherein producing further includes creating a WWW browser cookie as the session authentication information.
  - 13. The method of claim 12, wherein redirecting further includes setting the cookie within a header that accompanies the redirected request.
  - 14. The method of claim 8 further comprising, managing the session authentication information in a table accessible to the first virtual machine that includes other session authentication information associated with other virtual machines of the secure network having other communication sessions, wherein the table provides a mechanism for providing failover support and load balancing for each of those other communication sessions.

15. A machine-implemented method, comprising:
- receiving an authentication authorization associated with a request for access to a protected resource of a secure network;
  
  identifying with the authentication authorization a first virtual machine identifier and a session identifier that a first virtual machine assigned to a communication session between a principal and the protected resource;
  
  determining that the first virtual machine identifier and the session identifier are not present in a session table; and
  
  creating session metadata for the communication session and associating the session metadata with the communication session in the session table for subsequent use if the first virtual machine experiences processing loads beyond a threshold or if the first virtual machine fails during the communication session.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, wherein receiving further includes receiving the authentication authorization as a broadcast message from a socket listener that listens on a gateway device of the secure network for the authentication authorization to be sent from an identity service back to the first virtual machine of the secure network.
  - 17. The method of claim 15, wherein creating further includes setting an owner for the communication session to initially be the first virtual machine within the session metadata.
  - 18. The method of claim 15, wherein creating further includes managing the session metadata as a list of lists, wherein a first list is based on identifiers for communication sessions, and each first list entry of the first list associated with its own second list based on identifiers for virtual machines that initially handled those corresponding communication sessions.
  - 19. The method of claim 15 further comprising, receiving a request to take over the communication session for the first virtual machine and setting a status for the communication session within the session metadata to active and permitting the principal and the protected resource to continue to interact with one another on a virtual machine that is different from the first virtual machine during the communication session.
  - 20. The method of claim 15 further comprising, detecting a non responsive first virtual machine and setting a status for the communication session within the session metadata to active and automatically transitioning the principal and the protected resource to continue to interact with one another on a virtual machine that is different from the first virtual machine during the communication session.

21. A machine-implemented system, comprising:
- a gateway device processing as an intermediary between a secure and insecure network; and
  
  an authorization socket listener service implemented in a computer-readable storage medium and to process on the gateway device;
  
  wherein authorization socket listener service detects authentication authorizations for principals by listening on a specific port that an identity service uses to send the authentication authorizations, wherein the principals have requested interaction to protected resources of the secure network, which prompts authentication to occur via the identity service and the authentication authorizations to be sent on the specific port, and wherein the authorization socket listener service broadcasts the authentication authorizations over the secure network to a plurality of virtual machines, and wherein the virtual machines cooperate to provide load balancing and failover service for communication sessions between the principals and the protected resources within the secure network.
- View Dependent Claims (22, 23, 24)
- - 22. The system of claim 21, wherein the virtual machines process on the gateway device.
  - 23. The system of claim 22, wherein each virtual machine includes its own datagram socket listener that receives the broadcasts.
  - 24. The system of claim 22, wherein the specific port is common back channel used for communication with the identity service within the secure network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Krishnamurthy, Ravishankar

Application Number

US12/244,855
Publication Number

US 20100088698A1
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 9/5011   the resources being hardwar...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

TECHNIQUES FOR MANAGING COMMUNICATION SESSIONS

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

234 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNIQUES FOR MANAGING COMMUNICATION SESSIONS

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

234 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links