Authorization system for obtaining in single step both identification and access rights of client to server directly from encrypted authorization ticket
Abstract
An authorization mechanism for providing authorization information for a client requesting access to a server resource in a server, including a directory server for storing client information required by the server in executing an operation call, including client access rights, and a client generating a request for an authorization ticket to the server. The request for an authorization ticket includes an identification of the client and an identification of the client information required by the server, and is made in association with an operation call. The authorization mechanism generates an authorization ticket including the identified information and encrypted with an encryption key derived from the password of the server. The authorization ticket is sent to the server, and the server decrypts the authorization ticket with the server password and obtains the client information directly, including the client access rights. Client information is stored in directory server fields identified by generic field tags. The authorization ticket request identifies client information by tag names identifying the fields, the requested information is stored in the authorization ticket in fields identified by the tag names, and the server mechanism then reads the client information by parsing the ticket with the tag names.
6 Claims
1. In a data processing system including a client mechanism, a server mechanism including a server resource, and an authorization mechanism, the authorization mechanism including a directory server for storing and providing access rights of the client mechanism to the server resource and the client mechanism generating operation requests for operations to be performed by the server with respect to the server resource, wherein the client mechanism generates a request to the authorization mechanism for an authorization ticket to the server resource and the authorization mechanism responds to a request for an authorization ticket by returning an authorization ticket containing an identification of the client, the authorization ticket being encrypted with an encryption key derived from the password of the server, the client mechanism providing the authorization ticket to the server mechanism in association with an operation request, the server mechanism decrypting the authorization ticket with the server password and using the client identification to obtain the client access rights of the client mechanism to the server resource, an improved authorization mechanism, comprising:

a directory server for storing access rights of the client mechanism and information regarding the client mechanism and required by the server mechanism in executing the operation request,
a client mechanism for generating a request for an authorization ticket to the server mechanism, the request for an authorization ticket including an identification of the client mechanism,
an authorization mechanism for generating a corresponding authorization ticket wherein the authorization ticket includes the access rights of the client mechanism and the information regarding the client mechanism and required by the server mechanism in executing the operation request and is encrypted with an encryption key derived from the password of the server, and
the client mechanism being responsive to the authorization ticket for sending the authorization ticket to the server mechanism in association with the operation request, and
a server mechanism for decrypting the authorization ticket with the server mechanism password and obtaining directly the access rights of the client mechanism to the server resource and the information regarding the client mechanism and required by the server mechanism in executing the operation request, wherein
the client information including the client access rights is stored in the directory server in fields identified by generic field tags,
the authorization ticket request generated by the client mechanism identifies the client information by tag names identifying the fields containing the required client information,
the requested information is stored in the encrypted authorization ticket in fields identified by the corresponding tag names, and
the server mechanism reads the client information from the decrypted authorization ticket by parsing the decrypted authorization ticket with the tag names of the fields containing the necessary client information.
2. In a data processing system including a client mechanism, a server mechanism including a server resource, and an authorization mechanism, the authorization mechanism including a directory server for storing and providing access rights of the client mechanism to the server resource and the client mechanism generating operation requests for operations to be performed by the server with respect to the server resource, wherein the client mechanism generates a request to the authorization mechanism for an authorization ticket to the server resource and the authorization mechanism responds to a request for an authorization ticket by returning an authorization ticket containing an identification of the client, the authorization ticket being encrypted with an encryption key derived from the password of the server, the client mechanism providing the authorization ticket to the server mechanism in association with an operation request, the server mechanism decrypting the authorization ticket with the server password and using the client identification to obtain the client access rights of the client mechanism to the server resource, an improved method for providing client information to the server mechanism, comprising the steps of:

storing client information including access rights of the client mechanism and information regarding the client mechanism and required by the server mechanism in executing an operation request in the directory server in fields identified by generic field tags,
in the client mechanism and in response to a request from a user for an operation by the server mechanism, generating a request for an authorization ticket to the server mechanism, the request for an authorization ticket including an identification of the client mechanism and identifying the client information in the authorization ticket request by tag names identifying the fields containing the required client information,
in the authorization mechanism and in response to the request for an authorization ticket, generating a corresponding authorization ticket wherein the authorization ticket includes the access rights of the client mechanism and the information regarding the client mechanism and required by the server mechanism in executing the operation request and is encrypted with an encryption key derived from the password of the server, including storing the requested information in the encrypted authorization ticket in fields identified by the corresponding tag names,
by operation of the client mechanism, sending the authorization ticket to the server mechanism in association with the operation request, and
in the server mechanism, decrypting the authorization ticket with the server mechanism password, parsing the decrypted authorization ticket with the tag names of the fields containing the necessary client information to obtain the client information, and obtaining directly the access rights of the client mechanism to the server resource and the information regarding the client mechanism and required by the server mechanism in executing the operation request.
3. In a data processing system including a client mechanism, a server mechanism including a server resource, and an authorization mechanism, the authorization mechanism including a directory server for storing and providing access rights of the client mechanism to the server resource and the client mechanism generating operation requests for operations to be performed by the server with respect to the server resource, wherein the client mechanism generates a request to the authorization mechanism for an authorization ticket to the server resource and the authorization mechanism responds to a request for an authorization ticket by returning an authorization ticket containing an identification of the client, the authorization ticket being encrypted with an encryption key derived from the password of the server, the client mechanism providing the authorization ticket to the server mechanism in association with an operation request, the server mechanism decrypting the authorization ticket with the server password, an improved authorization mechanism, comprising:

a directory server for storing access rights of the client mechanism,
a client mechanism for generating a request for an authorization ticket to the server mechanism, the request for an authorization ticket including an identification of the client mechanism,
an authorization mechanism for generating a corresponding authorization ticket wherein the authorization ticket further includes the access rights of the client mechanism and is encrypted with an encryption key derived from the password of the server, and
the client mechanism being responsive to the authorization ticket for sending the authorization ticket to the server mechanism in association with the operation request, and
a server mechanism for decrypting the authorization ticket with the server mechanism password and obtaining the identification of the client and the access rights of the client mechanism to the server resource directly from the authorization ticket.
5. In a data processing system including a client mechanism, a server mechanism including a server resource, and an authorization mechanism, the authorization mechanism including a directory server for storing and providing access rights of the client mechanism to the server resource and the client mechanism generating operation requests for operations to be performed by the server with respect to the server resource, wherein the client mechanism generates a request to the authorization mechanism for an authorization ticket to the server resource and the authorization mechanism responds to a request for an authorization ticket by returning an authorization ticket containing an identification of the client, the authorization ticket being encrypted with an encryption key derived from the password of the server, the client mechanism providing the authorization ticket to the server mechanism in association with an operation request, the server mechanism decrypting the authorization ticket with the server password, an improved method for providing client information to the server mechanism, comprising the steps of:

storing access rights of the client mechanism in the directory server,
by operation of the client mechanism and in response to a user request, generating a request for an authorization ticket to the server mechanism, the request for an authorization ticket including an identification of the client mechanism,
in the authorization mechanism and in response to a request for an authorization ticket, generating a corresponding authorization ticket wherein the authorization ticket further includes the access rights of the client mechanism and is encrypted with an encryption key derived from the password of the server, and
by operation of the client mechanism, sending the authorization ticket to the server mechanism in association with the operation request, and
in the server mechanism, decrypting the authorization ticket with the server mechanism password and obtaining the identification of the client and the access rights of the client mechanism to the server resource directly from the authorization ticket.
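The abstract and claim 2 describe the exchange only in prose. What follows is an added worked example of that flow, written for this page; it is not code from the patent or from its assignee, and the patent specifies none of the concrete choices made here. Assumptions of the example: a constructed directory entry for a client "alice" with fields keyed by generic tag names, a server "fileserver" with a constructed password shared with the authorization mechanism, JSON as the ticket encoding, PBKDF2 (salted with the server name) for deriving the key from the server password, and an HMAC-SHA256 encrypt-then-MAC construction standing in for a standard authenticated cipher such as AES-GCM. The client names the tags it needs in the ticket request, the authorization mechanism copies those fields into the encrypted ticket, and the server derives the key from its own password, decrypts, and reads identity and access rights by tag name with no second directory lookup. A tampered ticket, or one issued under a different server password, fails the MAC check and is rejected before any field is parsed.

```python
"""Added illustration of the tag-named authorization-ticket flow (not the patent's code)."""
import hashlib
import hmac
import json
import secrets
import struct

# --- Constructed sample data (assumptions made for this example) --------------
# Directory server: one entry per client, fields keyed by generic tag names.
DIRECTORY = {
    "alice": {
        "ACCESS_RIGHTS": ["READ", "WRITE"],
        "DISPLAY_NAME": "Alice Liddell",
        "HOME_DIR": "/export/home/alice",
        "PRIMARY_GROUP": "developers",
    }
}
# Server passwords known to both the authorization mechanism and each server.
SERVER_PASSWORDS = {"fileserver": "correct horse battery staple"}


def derive_key(server_name: str, password: str) -> bytes:
    """Key derived from the server's password (PBKDF2; salt = server name is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), server_name.encode(), 100_000, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM."""
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; only then decrypt. Raises ValueError on any mismatch."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ticket rejected: bad MAC (tampered, or wrong server password)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# --- Client: the ticket request carries its identity and the tag names it needs
def build_ticket_request(client_id: str, server_name: str, tag_names: list) -> dict:
    return {"client": client_id, "server": server_name, "tags": list(tag_names)}


# --- Authorization mechanism: copy the tagged fields into an encrypted ticket --
def issue_ticket(request: dict, directory=DIRECTORY, server_passwords=SERVER_PASSWORDS) -> bytes:
    entry = directory[request["client"]]
    fields = {"CLIENT_ID": request["client"]}  # client identification always present
    for tag in request["tags"]:
        if tag not in entry:
            raise KeyError(f"directory has no field tagged {tag} for {request['client']}")
        fields[tag] = entry[tag]
    key = derive_key(request["server"], server_passwords[request["server"]])
    return seal(key, json.dumps(fields, sort_keys=True).encode())


# --- Server: decrypt with its own password, then parse the ticket by tag name --
def read_ticket(ticket: bytes, server_name: str, password: str, required_tags: list) -> dict:
    fields = json.loads(unseal(derive_key(server_name, password), ticket))
    wanted = ["CLIENT_ID", *required_tags]
    missing = [t for t in wanted if t not in fields]
    if missing:
        raise ValueError(f"ticket lacks required fields: {missing}")
    return {t: fields[t] for t in wanted}


def ticket_accepted(ticket: bytes, server_name: str, password: str, required_tags: list) -> bool:
    try:
        read_ticket(ticket, server_name, password, required_tags)
        return True
    except ValueError:
        return False


def authorize(fields: dict, operation: str) -> bool:
    """Access decision taken from the ticket itself; no second directory lookup."""
    return operation in fields["ACCESS_RIGHTS"]


def run_exchange(operation: str = "WRITE") -> tuple:
    """Whole flow for one operation request: returns (parsed fields, decision)."""
    req = build_ticket_request("alice", "fileserver", ["ACCESS_RIGHTS", "HOME_DIR"])
    ticket = issue_ticket(req)
    fields = read_ticket(ticket, "fileserver", SERVER_PASSWORDS["fileserver"], ["ACCESS_RIGHTS", "HOME_DIR"])
    return fields, authorize(fields, operation)


if __name__ == "__main__":
    fields, ok = run_exchange("WRITE")
    print(fields, "WRITE allowed:", ok)
```

The ticket here carries exactly what the claims name: the client identification plus the requested tagged fields. It has no validity period and is not bound to the requesting client beyond the identity field, because the claims do not specify either; a deployment would add an expiry and a per-ticket nonce inside the sealed payload so that a captured ticket cannot be reused indefinitely.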