Remote authentication and authorization in a distributed data processing system
Abstract
The system and method of this invention authorizes a process running at a client data processing system to have access to a service at a server data processing system. The data processing systems are connected by a communication link in a distributed processing environment. A set of credentials for the process is created at the server in response to a message from the client requesting a service. The server returns a credentials id identifying the created set of credentials to the client process. The client uses this returned id in subsequent requests and is authorized access as controlled by the set of credentials identified by the returned id in the subsequent request. The server can deny access to the service by the process if the id returned in a subsequent request is determined by the server not to identify the set of credentials. The server denies the access if the server requires an authentication of the process.
546 Citations
24 Claims
1. A method for determining credentials of a process, running at a first data processing system, when accessing a service at a second data processing system, said method comprising:
- creating, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
- returning a value to said first data processing system;
- receiving, at the second data processing system, a second request from said first data processing system comprising said value; and
- using the value to determine said set of credentials for said process during access to the service at the second data processing system.

2. A method for authorizing a process running at a first data processing system to have access to a service at a second data processing system, said method comprising:
- creating, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
- returning a first value identifying said set of credentials to said first data processing system;
- receiving, at the second data processing system, a second request from said first data processing system comprising a second value;
- determining, at the second data processing system, if the second value identifies the set of credentials; and
- allowing the access to the service as controlled by the set of credentials if the second value identifies the set of credentials.
Dependent claims: 3, 4.

5. A method for authorizing a process running at a first data processing system to have access to a service at a second data processing system, said method comprising:
- creating, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
- returning a first value identifying said set of credentials to said first data processing system;
- receiving, at the second data processing system, a second request from said first data processing system comprising a second value;
- determining, at the second data processing system, if the second value identifies the set of credentials; and
- denying access to the service if the second value is determined not to identify the set of credentials.
Dependent claims: 6, 7.

8. A method for obtaining authorization of a process running at a first data processing system to have access to a service at a second data processing system, said method comprising:
- sending, to said second data processing system, a first request from said first data processing system comprising information required by said second data processing system to construct a set of credentials for said process;
- receiving, by said first data processing system, a value from said second data processing system identifying said set of credentials;
- sending, to the second data processing system, a second request from said first data processing system comprising said value; and
- obtaining access to the service as controlled by the set of credentials if the second request identifies the set of credentials.
Dependent claims: 9, 10, 11.

12. A method, in a data processing system, for authenticating a user on a local client machine and for authorizing access to at least one resource of a remote server machine, wherein said local machine and said remote machine are connected by a communications link, said method comprising:
- sending a message having authentication information, from said client machine to said server machine, requesting service from said server machine;
- creating, by said server machine, a credentials structure, having security information of said user based on said authentication information from said sent message, for authorizing a use of said at least one resource by said server machine;
- returning, to said client machine from said server machine, a credential identifier identifying the user with said created credentials structure;
- using said credential identifier by said user in each subsequent request for service message from said user to said server machine; and
- reconstituting the security information, from said created credentials structure identified by said credential identifier in said each subsequent request for service message, for automatically establishing authentication of the user and authorization to use said authorized resources of said server machine.
Dependent claims: 13, 14, 15.

16. A method, in a data processing system, for authenticating a user on a local client machine and for authorizing access to at least one resource of a remote server machine, wherein said local machine and said remote machine are connected by a communications link, said method comprising:
- receiving, by said remote machine, a request for service message having authentication information from said user on said client machine;
- creating a credentials structure, having authorization information for resources at the server for the user, based on the authentication information of the received request;
- returning to the local client machine, by said remote machine, a credentials identifier corresponding to said created credentials structure;
- storing said created credentials structure by said server for a time determined by said server;
- discarding said created credentials structure after said determined time;
- determining, by the server machine, the validity of the credentials identifier received from the local client machine on a subsequent request for service dependent upon whether the request for service was received within the determined time and the credentials structure is stored at said server;
- honoring said subsequent request for service if the credentials identifier is determined to be valid; and
- requiring a new request for service and a new credentials structure if said credentials identifier is determined to be invalid, thereby enforcing a periodic authentication on said user.

17. A method, in a data processing system, for authenticating a user on a local client machine and for authorizing access to at least one resource of a remote server machine, wherein said local machine and said remote machine are connected by a communications link, said method comprising:
- creating, by the server machine, a credentials structure having authorization information in response to authentication information provided by said user requesting a resource of said server machine;
- storing said credentials structure for a period of time determined by said server machine;
- discarding, by said server machine, said credentials structure after said determined period of time;
- honoring, by said server machine, a subsequent request for service from said local client machine, having a credentials identifier corresponding to said credentials structure, in immediate response to said credentials identifier if said subsequent request is received within the predetermined time; and
- rejecting, by said server machine, said subsequent request for service from said local client machine in immediate response to said credentials identifier in said subsequent request if said subsequent request is received after the predetermined time and the credentials structure has been discarded.

18. A local data processing system having means for authenticating a remote user on a remote client data processing system and for authorizing access to at least one resource of said data processing system by said remote user, wherein said local data processing system and said remote client data processing system are connected by a communications link, said means comprising:
- means for storing a credentials structure having authorization information for the resources of the local data processing system based upon authentication information received from said remote user during a request for service;
- means, coupled to said means for storing, for discarding said credentials structure after a period of time determined by said local data processing system;
- means, coupled to said means for storing, for immediately honoring a subsequent request for service from said remote client data processing system in response to an identifier, corresponding to said credentials structure, received with said subsequent request if said request is received within said determined time and said credentials structure is stored in said local data processing system; and
- means, coupled to said means for storing, for immediately rejecting said subsequent request for service from said remote client data processing system in response to said identifier received with said subsequent request if said subsequent request is received after said determined time and said credentials structure is discarded.
Dependent claims: 19.

20. A computer program product, residing on a medium in a form intelligible only by a computer input means, having means for operating a computer system to authorize a process, running at a first data processing system, to have access to a service at a second data processing system, said computer program product comprising:
- means for operating said computer system to create, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
- means, coupled to said means for creating, for operating said computer system to return a value identifying said set of credentials to said first data processing system;
- means, coupled to said means for returning, for operating said computer system to receive, at the second data processing system, a second request received from said first data processing system comprising a second value;
- means, coupled to said means for receiving, for operating said computer system to determine, at the second data processing system, if the second value identifies the set of credentials; and
- means, coupled to said means for determining, for operating said computer system to allow the access to the service as controlled by the set of credentials if the second value identifies the set of credentials.

21. A computer program product, residing on a medium in a form intelligible only by a computer input means, having means for authorizing a process running at a first data processing system to have access to a service at a second data processing system, said computer program product comprising:
- means for creating at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
- means, coupled to said means for creating, for returning a first value identifying said set of credentials to said first data processing system;
- means, coupled to said means for returning, for receiving at the second data processing system a second request received from said first data processing system comprising a second value;
- means, coupled to said means for receiving, for determining, at the second data processing system, if the second value identifies the set of credentials; and
- means, coupled to said means for determining, for denying access to the service if the second value is determined not to identify the set of credentials.
Dependent claims: 22, 23.

24. A computer program product, residing on a computer readable medium, having means for obtaining authorization of a process running at a first data processing system to have access to a service at a second data processing system, said computer program product comprising:
- means for sending, to said second data processing system, a first request from said first data processing system comprising information required by said second data processing system to construct a set of credentials for said process;
- means, coupled to said means for sending a first request, for receiving, by said first data processing system, a value from said second data processing system identifying said set of credentials;
- means, coupled to said means for receiving, for sending, to the second data processing system, a second request from said first data processing system comprising said value; and
- means, coupled to said means for sending a second request, for obtaining access to the service as controlled by the set of credentials if the second request identifies the set of credentials.

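The server side of the exchange the claims describe, as an added illustration that is not code from the patent: the first request carries authentication information, the server builds a credentials structure and returns an opaque id, later requests present only the id, and the server honors them while the structure is still stored and rejects them (forcing re-authentication) once its own lifetime has elapsed or the id matches nothing. The USERS table, the lifetime value and the injectable clock are constructed assumptions for the example.

```python
import hmac
import secrets
import time

# Constructed sample user table (not from the patent): user -> (password, rights)
USERS = {
    "alice": ("correct horse", {"read", "write"}),
    "bob": ("battery staple", {"read"}),
}


class CredentialsServer:
    """Second data processing system: holds credentials structures keyed by
    an opaque, unguessable id and enforces a server-chosen lifetime."""

    def __init__(self, lifetime, clock=time.time):
        self.lifetime = lifetime      # period of time determined by the server
        self.clock = clock            # injectable so expiry can be tested deterministically
        self._creds = {}              # credentials id -> (expires_at, credentials structure)

    def request_service(self, user, password):
        """First request: verify the authentication information, create the
        credentials structure and return its id (None if authentication fails)."""
        entry = USERS.get(user)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return None
        cred_id = secrets.token_hex(16)   # 128-bit random id, not derived from the user
        self._creds[cred_id] = (self.clock() + self.lifetime,
                                {"user": user, "rights": entry[1]})
        return cred_id

    def _reconstitute(self, cred_id):
        """Map an id back to its stored structure; discard it if the lifetime
        has passed, so the client must authenticate again."""
        entry = self._creds.get(cred_id)
        if entry is None:
            return None
        expires_at, creds = entry
        if self.clock() >= expires_at:
            del self._creds[cred_id]
            return None
        return creds

    def access(self, cred_id, right):
        """Subsequent request carrying only the id: "allowed" or "denied" as
        controlled by the stored rights, "reauthenticate" if the id identifies
        no stored (or an expired) credentials structure."""
        creds = self._reconstitute(cred_id)
        if creds is None:
            return "reauthenticate"
        return "allowed" if right in creds["rights"] else "denied"
```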
Specification