HOSTED APPLICATION SANDBOX MODEL

US 20100274910A1
Filed: 04/24/2009
Published: 10/28/2010
Est. Priority Date: 04/24/2009
Status: Active Grant

First Claim

Patent Images

1. A system configured to execute an application on behalf of a user of a computer connected to the system over a network, the system having a network address and comprising:

an application store configured to store the application;

an application registering component configured to allocate a distinct subdomain of the system for the application mapped to the network address of the system; and

an application executing component configured to, upon receiving a request to execute the application on behalf of the user;

execute the application on the system, andpresent to the user an application user interface of the application served from the distinct subdomain.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user'"'"'s computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user'"'"'s computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.

199 Citations

20 Claims

1. A system configured to execute an application on behalf of a user of a computer connected to the system over a network, the system having a network address and comprising:
- an application store configured to store the application;
  
  an application registering component configured to allocate a distinct subdomain of the system for the application mapped to the network address of the system; and
  
  an application executing component configured to, upon receiving a request to execute the application on behalf of the user;
  
  execute the application on the system, andpresent to the user an application user interface of the application served from the distinct subdomain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system of claim 1:
    - the system comprising a web application server;
      
      the application comprising a web application;
      
      the computer of the user having a web browser; and
      
      the application user interface comprising a web page embedding the application sent to the computer, the web page to be rendered in the web browser.
  - 3. The system of claim 2, the application executing component configured to present to the user the application user interface within the web browser within an isolation construct configured to isolate the application user interface from other applications executing on the computer.
  - 4. The system of claim 3, the isolation construct comprising a hypertext markup language IFRAME element associated with the distinct subdomain allocated for the application.
  - 5. The system of claim 1:
    - the system configured to execute a first instance of the application and a second instance of the application;
      
      the application registering component configured to;
      
      allocate a first distinct subdomain of the system for the first instance of the application mapped to the network address of the system, andallocate a second distinct subdomain of the system for the second instance of the application mapped to the network address of the system; and
      
      the application executing component configured to;
      
      associate the first instance of the application with the first distinct subdomain, andassociate the second instance of the application with the second distinct subdomain.
  - 6. The system of claim 5:
    - the first instance of the application executed on behalf of a first user, andthe second instance of the application executed on behalf of a second user.
  - 7. The system of claim 1, the application executing component configured, before executing the application, to authenticate the user according to at least one user authentication credential received from the user.
  - 8. The system of claim 7, comprising:
    - a user login interface configured to;
      
      present to the user a user login interface configured to receive from the user at least one user login credential, andupon receiving from the user the at least one user login credential;
      
      verify the at least one user login credential, andupon verifying the at least one user login credential;
      
      generate the at least one user authentication credential, andsend to the computer the at least one user authentication credential.
  - 9. The system of claim 1, the application executing component configured to, before executing the application, authenticate the application according to at least one application authentication credential received from the application.
  - 10. The system of claim 1, the system having access to a computing environment store configured to store at least one data object comprising a computing environment of the user.
  - 11. The system of claim 10:
    - the application comprising instructions configured to perform at least one operation applicable to the computing environment of the user according to at least one permission;
      
      the computer of the user configured to store at least one permission token representing a permission to apply the at least one operation of the application to the computing environment of the user; and
      
      the application executing component configured to execute the application by;
      
      receiving the at least one permission token with the request to execute the application on behalf of the user;
      
      validating the at least one permission token; and
      
      upon validating the at least one permission token, applying the operation of the application to the computing environment of the user.
  - 12. The system of claim 11:
    - the system comprising a web application server;
      
      the application comprising a web application;
      
      the at least one permission token comprising a permission cookie; and
      
      the computer of the user having a web browser configured to;
      
      store the permission cookie, andsend the permission cookie to the web application server with the request to execute the application.
  - 13. The system of claim 11, the system comprising:
    - a permission token generating component configured to, upon receiving from the user an authorization of the permission to apply the at least one operation of the application to the computing environment;
      
      generate the permission token indicating the permission to apply the at least one operation of the application to the computing environment, andsend the permission token to the computer.
  - 14. The system of claim 10, comprising:
    - an application installing component configured to, upon receiving a request from the user to install the application, install the application within the computing environment of the user.
  - 15. The system of claim 14, comprising:
    - an application cataloging component configured to present to the user at least one application stored in the application store and installable within the computing environment of the user.
  - 16. The system of claim 14, comprising:
    - an application receiving component configured to, upon receiving an application from an application developer;
      
      store the application in the application store, andinvoke the application registering component to allocate the distinct subdomain of the system for the application.
  - 17. The system of claim 16, the application receiving component configured to, upon receiving the application from the application developer, issue to the application at least one application authentication credential.
  - 18. The system of claim 14:
    - the application instructions configured to perform at least one operation applicable to the computing environment of the user according to at least one permission, andthe application installing component configured, while installing the application on behalf of the user, to;
      
      present to the user at least one permission request query requesting an authorization of the permission of the application, andupon receiving the authorization from the user, store the authorization.

19. A computer-readable storage medium, the medium comprising instructions that, when executed by at least one processor of a system connected to a network and having a network address and an application store, cause the at least one processor to execute an application on behalf of a user of a computer by:
- storing the application in the application store;
  
  allocating a distinct subdomain of the system for the application mapped to the network address of the system; and
  
  upon receiving a request to execute the application on behalf of the user;
  
  executing the application on the system, andpresenting to the user an application user interface of the application served from the distinct subdomain.

20. A system comprising a web application server configured to execute an application comprising a web application on behalf of a user of a computer connected to the system over a network, the system having a network address and having access to a computing environment store configured to store at least one data object comprising a computing environment of the user, the application instructions that, when executed by at least one processor of the system, cause the at least one processor to execute at least one operation applicable to the computing environment of the user according to at least one permission, and the system comprising:
- an application store configured to store the application;
  
  an application registering component configured to allocate a distinct subdomain of the system for the application mapped to the network address of the system;
  
  an application installing component configured to, upon receiving a request from the user to install the application, install the application within the computing environment of the user;
  
  an application cataloging component configured to present to the user at least one application stored in the application store and installable within the computing environment of the user;
  
  an application receiving component configured to, upon receiving an application from an application developer;
  
  store the application in the application store, andinvoke the application registering component to allocate the distinct subdomain of the system for the application;
  
  a user login interface configured to;
  
  present to the user a user login interface configured to receive from the user at least one user login credential, andupon receiving from the user the at least one user login credential;
  
  verify the at least one user login credential, andupon verifying the at least one user login credential;
  
  generate the at least one user authentication credential, andsend to the computer the at least one user authentication credential;
  
  a permission token generating component configured to, upon receiving from the user an authorization of the permission to apply the at least one operation of the application to the computing environment;
  
  generate the permission token indicating the permission to apply the at least one operation of the application to the computing environment, andsend the permission token to the computer; and
  
  an application executing component configured to, upon receiving a request to execute the application on behalf of the user;
  
  authenticate the user according to at least one user authentication credential received from the user;
  
  authenticate the application according to the at least one application authentication credential received from the application;
  
  after authenticating the user and after authenticating the application, execute the application on the system by;
  
  receiving the at least one permission token with the request to execute the application on behalf of the uservalidating the at least one permission token; and
  
  upon validating the at least one permission token, applying the operation of the application to the computing environment of the user; and
  
  present to the user an application user interface of the application, comprising a web page embedding the application rendered in a web browser of the computer, the application user interface served from the distinct subdomain and presented within an isolation construct configured to isolate the application user interface from other applications executing on the computer, the isolation construct comprising a hypertext markup language IFRAME element associated with the distinct subdomain allocated for the application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
S., Hari Krishnan, Augustine, Matthew S., Burdick, Matthew J., Shukla, Dharma K., Ghanaie-Sichanie, Arash

Granted Patent

US 9,197,417 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 40/143   Markup, e.g. Standard Gener...

H04L 2209/80   Wireless network architectu...

H04L 47/70   Admission control; Resource...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 67/01   Protocols

H04L 9/3234   involving additional secure...

HOSTED APPLICATION SANDBOX MODEL

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

199 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HOSTED APPLICATION SANDBOX MODEL

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links