ACCESS CONTROL OF REMOTE COMMUNICATION INTERFACES BASED ON SYSTEM-SPECIFIC KEYS

US 20130191882A1
Filed: 01/19/2012
Published: 07/25/2013
Est. Priority Date: 01/19/2012
Status: Abandoned Application

First Claim

Patent Images

1. A computer program product, the computer program product being tangibly embodied on a computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:

receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;

validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;

determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and

send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method, computer program product, and computer system is provided for receiving a service request to obtain service from a second application, the service request including a client context and a signed ticket obtained by the first application from a system computer, validating the received signed ticket based on the key associated with the system, determining that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of one or more attributes of the received client context to an access control list associated with the second application, and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.

68 Citations

View as Search Results

23 Claims

1. A computer program product, the computer program product being tangibly embodied on a computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
- receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;
  
  validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;
  
  determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and
  
  send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer program product of claim 1 wherein a system includes the system computer including a central system database, the first application server and the first application, and the second application server and the second application.
  - 3. The computer program product of claim 1 wherein a system includes the system computer that stores the key associated with the system, the system also including the first application server and the first application and the second application server and the second application, and wherein the executable code further causes a remote access engine running on the first application server to obtain the signed ticket from the system computer based on the following:
    - send the client context to the system computer; and
      
      receive, by the remote access engine running on the first application server, a signed ticket from the system computer that is based on the client context and the key associated with the system.
  - 4. The computer program product of claim 1 wherein the signed ticket received by the remote access engine from the first application comprises a first signed ticket, and wherein the executable code causing the data processing apparatus to validate comprises executable code causing the data processing apparatus to:
    - send, from the remote access engine, the client context to the system computer;
      
      receive, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context;
      
      validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
  - 5. The computer program product of claim 4 wherein:
    - the executable code causing the data processing apparatus to send comprises executable code causing the data processing apparatus to send, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context; and
      
      the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system.
  - 6. The computer program product of claim 1 wherein the system computer comprises:
    - a processor; and
      
      a central database for the system to securely store the key associated with the system;
      
      wherein the signed ticket includes a signed client context that was signed by the system computer using the key associated with the system.
  - 7. The computer program product of claim 1 wherein the client context comprises at least a system identifier (ID) that identifies the system.
  - 8. The computer program product of claim 1 wherein the client context comprises at least a system identifier (ID) that identifies the system, an application ID that identifies the first application, and an address associated with the first application server or the first application.
  - 9. The computer program product of claim 1 wherein the client context comprises at least one of:
    - a system identifier (ID) that identifies the system of the first application, a user ID that identifies a user of the first application, a client ID or application ID that identifies the first application (or identifies an instance of the first application), an application server ID that identifies the server on which the first application is running, a transaction ID associated with a transaction for the requesting application, a software package ID that identifies the software package of the first application.
  - 10. The computer program product of claim 1 wherein the service request received by the remote access engine from the first application is sent by the first application to the second application to fulfill a client request received by the first application from a client application, the service(s) of the second application being accessible through the first application after validation and are not directly accessible to the client application.
  - 11. The computer program product of claim 1 wherein, the system computer comprises a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer;
    - andwherein the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key.
  - 12. The computer program product of claim 11, wherein the signed ticket received from the first application comprises a first signed ticket, wherein the executable code causing the data processing apparatus to validate comprises executable code causing the data processing apparatus to:
    - send, from the remote access engine, the received client context to the second system computer;
      
      receive, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context;
      
      validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
  - 13. The computer program product of claim 1 wherein the access control list associated with second application comprises at least one of:
    - a white list or accept list that identifies one or more entities that are authorized to access the remote interface of the second application; and
      
      /ora black list or deny list that identifies one or more entities that are not authorized to access the remote interface of the second application.

14. A computer implemented method comprising:
- receiving, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;
  
  validating, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;
  
  determining, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and
  
  sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The computer implemented method of claim 14 wherein the receiving comprises receiving, by a remote access engine running on the second application server from a remote access engine on the first application server that is part of or operating on behalf of the first application, the service request.
  - 16. The computer implemented method of claim 14 wherein a system includes the system computer, the first application server and the first application, and the second application server and the second application, wherein the signed ticket received from the first application, if validated, indicates that the first application has indirect access to the key associated with the system via the system computer and, thus, indicates that the first application is authorized to obtain or access services from the second application.
  - 17. The computer implemented method of claim 14 wherein the signed ticket received by the remote access engine from the first application comprises a first signed ticket, and wherein the validating comprises:
    - sending, from the remote access engine, the client context to the system computer;
      
      receiving, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context; and
      
      validating, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
  - 18. The computer implemented method of claim 17 wherein the sending comprises sending, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context;
    - andthe receiving comprises receiving, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system.
  - 19. The computer implemented method of claim 14 wherein the system computer comprises a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer;
    - andwherein the receiving comprises receiving, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key.
  - 20. The computer implemented method of claim 19, wherein the signed ticket received from the first application comprises a first signed ticket, wherein the validating comprises:
    - sending, from the remote access engine, the received client context to the second system computer;
      
      receiving, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context; and
      
      validating, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.

21. An apparatus comprising:
- receiving logic configured to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;
  
  validation logic configured to validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;
  
  determining logic configured to determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and
  
  sending logic configured to send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
- View Dependent Claims (22, 23)
- - 22. The apparatus of claim 21 wherein the system computer comprises:
    - a processor; and
      
      a database to store the key associated with the system;
      
      wherein the signed ticket includes a signed client context that was signed by the system computer using the key associated with the system.
  - 23. The apparatus of claim 21 wherein the client context comprises at least a system identifier (ID) that identifies the system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP AG (SAP SE)
Original Assignee
SAP AG (SAP SE)
Inventors
Jolfaei, Masoud Aghadavoodi

Application Number

US13/353,558
Publication Number

US 20130191882A1
Time in Patent Office

Days
Field of Search
US Class Current

726/4
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

ACCESS CONTROL OF REMOTE COMMUNICATION INTERFACES BASED ON SYSTEM-SPECIFIC KEYS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

ACCESS CONTROL OF REMOTE COMMUNICATION INTERFACES BASED ON SYSTEM-SPECIFIC KEYS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links