Remote authentication and authorization in a distributed data processing system

US 5,560,008 A
Filed: 05/15/1989
Issued: 09/24/1996
Est. Priority Date: 05/15/1989
Status: Expired due to Term

First Claim

Patent Images

1. A method for determining credentials of a process, running at a first data processing system, when accessing a service at a second data processing system, said method comprising:

creating, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;

returning a value to said first data processing system;

receiving, at the second data processing system, a second request from said first data processing system comprising said value; and

using the value to determine said set of credentials for said process during access to the service at the second data processing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The system and method of this invention authorizes a process running at a client data processing system to have access to a service at a server data processing system. The data processing systems are connected by a communication link in a distributed processing environment. A set of credentials for the process are created at the server in response to a message from the client requesting a service. The server returns a credentials id identifying the created set of credentials to the client process. The client uses this returned id in subsequent requests and is authorized access as controlled by the set of credentials identified by the returned id in the subsequent request. The server can deny access to the service by the process if the id returned in a subsequent request is determined by the server not to identify the set of credentials. The server denies the access if the server requires an authentication of the process.

546 Citations

24 Claims

1. A method for determining credentials of a process, running at a first data processing system, when accessing a service at a second data processing system, said method comprising:
- creating, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
  
  returning a value to said first data processing system;
  
  receiving, at the second data processing system, a second request from said first data processing system comprising said value; and
  
  using the value to determine said set of credentials for said process during access to the service at the second data processing system.

2. A method for authorizing a process running at a first data processing system to have access to a service at a second data processing system, said method comprising:
- creating, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
  
  returning a first value identifying said set of credentials to said first data processing system;
  
  receiving, at the second data processing system, a second request from said first data processing system comprising a second value;
  
  determining, at the second data processing system, if the second value identifies the set of credentials; and
  
  allowing the access to the service as controlled by the set of credentials if the second value identifies the set of credentials.
- View Dependent Claims (3, 4)
- - 3. The method of claim 2 wherein the second received request is received from the process.
  - 4. The method of claim 2 wherein the second received request is received from a child process of said process.

5. A method for authorizing a process running at a first data processing system to have access to a service at a second data processing system, said method comprising:
- creating, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
  
  returning a first value identifying said set of credentials to said first data processing system;
  
  receiving, at the second data processing system, a second request from said first data processing system comprising a second value;
  
  determining, at the second data processing system, if the second value identifies the set of credentials; and
  
  denying access to the service if the second value is determined not to identify the set of credentials.
- View Dependent Claims (6, 7)
- - 6. The method of claim 5 wherein the determining step determines that the second value does not identify the created set of credentials when the second data processing system requires an authentication of the process.
  - 7. The method of claim 6 wherein the determining step determines that the second value does not identify the created set of credentials when the second data processing system has previously discarded, and not yet re-authorized said process, at least one element of the set of credentials.

8. A method for obtaining authorization of a process running at a first data processing system to have access to a service at a second data processing system, said method comprising:
- sending, to said second data processing system, a first request from said first data processing system comprising information required by said second data processing system to construct a set of credentials for said process;
  
  receiving, by said first data processing system, a value from said second data processing system identifying said set of credentials;
  
  sending, to the second data processing system, a second request from said first data processing system comprising said value; and
  
  obtaining access to the service as controlled by the set of credentials if the second request identifies the set of credentials.
- View Dependent Claims (9, 10, 11)
- - 9. A method of claim 8 further comprising maintaining said value in a data area of said process after being received from said second data processing system.
  - 10. A method of claim 9 further comprising obtaining said value from said data area by a child process and sending said second request from said child process with said obtained value.
  - 11. A method of claim 9 further comprising discarding the value in said data area if the set of credentials corresponding to the value is changed.

12. A method, in a data processing system, for authenticating a user on a local client machine and for authorizing access to at least one resource of a remote server machine, wherein said local machine and said remote machine are connected by a communications link, said method comprising:
- sending a message having authentication information, from said client machine to said server machine, requesting service from said server machine;
  
  creating, by said server machine, a credentials structure, having security information of said user based on said authentication information from said sent message, for authorizing a use of said at least one resource by said server machine;
  
  returning, to said client machine from said server machine, a credential identifier identifying the user with said created credentials structure;
  
  using said credential identifier by said user in each subsequent request for service message from said user to said server machine; and
  
  reconstituting the security information, from said created credentials structure identified by said credential identifier in said each subsequent request for service message, for automatically establishing authentication of the user and authorization to use said authorized resources of said server machine.
- View Dependent Claims (13, 14, 15)
- - 13. A method of claim 12 further comprising storing said created credentials structure for a time determined by said server machine.
  - 14. A method of claim 13 further comprising determining the time to store said created credentials structure based on a length of time since a last activity from said user.
  - 15. A method of claim 12 further comprising determining by said server if said credential identifier in said each subsequent request is valid.

16. A method, in a data processing system, for authenticating a user on a local client machine and for authorizing access to at least one resource of a remote server machine, wherein said local machine and said remote machine are connected by a communications link, said method comprising:
- receiving, by said remote machine, a request for service message having authentication information from said user on said client machine;
  
  creating a credentials structure, having authorization information for resources at the server for the user, based on the authentication information of the received request;
  
  returning to the local client machine, by said remote machine, a credentials identifier corresponding to said created credentials structure;
  
  storing said created credentials structure by said server for a time determined by said server;
  
  discarding said created credentials structure after said determined time;
  
  determining, by the server machine, the validity of the credentials identifier received from the local client machine on a subsequent request for service dependent upon whether the request for service was received within the determined time and the credentials structure is stored at said server;
  
  honoring said subsequent request for service if the credentials identifier is determined to be valid; and
  
  requiring a new request for service and a new credentials structure if said credentials identifier is determined to be invalid, thereby enforcing a periodic authentication on said user.

17. A method, in a data processing system, for authenticating a user on a local client machine and for authorizing access to at least one resource of a remote server machine, wherein said local machine and said remote machine are connected by a communications link, said method comprising:
- creating, by the server machine, a credentials structure having authorization information in response to authentication information provided by said user requesting a resource of said server machine;
  
  storing said credentials structure for a period of time determined by said server machine;
  
  discarding, by said server machine, said credentials structure after said determined period of time;
  
  honoring, by said server machine, a subsequent request for service from said local client machine, having a credentials identifier corresponding to said credentials structure, in immediate response to said credentials identifier if said subsequent request is received within the predetermined time; and
  
  rejecting, by said server machine, said subsequent request for service from said local client machine in immediate response to said credentials identifier in said subsequent request if said subsequent request is received after the predetermined time and the credentials structure has been discarded.

18. A local data processing system having means for authenticating a remote user on a remote client data processing system and for authorizing access to at least one resource of said data processing system by said remote user, wherein said local data processing system and said remote client data processing system are connected by a communications link, said means comprising:
- means for storing a credentials structure having authorization information for the resources of the local data processing system based upon authentication information received from said remote user during a request for service;
  
  means, coupled to said means for storing, for discarding said credentials structure after a period of time determined by said local data processing system;
  
  means, coupled to said means for storing, for immediately honoring a subsequent request for service from said remote client data processing system in response to an identifier, corresponding to said credentials structure, received with said subsequent request if said request is received within said determined time and said credentials structure is stored in said local data processing system; and
  
  means, coupled to said means for storing, for immediately rejecting said subsequent request for service from said remote client data processing system in response to said identifier received with said subsequent request if said subsequent request is received after said determined time and said credentials structure is discarded.
- View Dependent Claims (19)
- - 19. A local data processing system of claim 18 further comprising means for requiring a new request for service having authentication information if said subsequent request is rejected after said determined time, thereby enforcing a periodic authentication of said remote user.

20. A computer program product, residing on a medium in a form intelligible only by a computer input means, having means for operating a computer system to authorize a process, running at a first data processing system, to have access to a service at a second data processing system, said computer program product comprising:
- means for operating said computer system to create, at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
  
  means, coupled to said means for creating, for operating said computer system to return a value identifying said set of credentials to said first data processing system;
  
  means, coupled to said means for returning, for operating said computer system to receive, at the second data processing system, a second request received from said first data processing system comprising a second value;
  
  means, coupled to said means for receiving, for operating said computer system to determine, at the second data processing system, if the second value identifies the set of credentials; and
  
  means, coupled to said means for determining, for operating said computer system to allow the access to the service as controlled by the set of credentials if the second value identifies the set of credentials.

21. A computer program product, residing on a medium in a form intelligible only by a computer input means, having means for authorizing a process running at a first data processing system to have access to a service at a second data processing system, said computer program product comprising:
- means for creating at the second data processing system, a set of credentials for said process in response to a first request received from said first data processing system;
  
  means, coupled to said means for creating, for returning a first value identifying said set of credentials to said first data processing system;
  
  means, coupled to said means for returning, for receiving at the second data processing system a second request received from said first data processing system comprising a second value;
  
  means, coupled to said means for receiving, for determining, at the second data processing system, if the second value identifies the set of credentials; and
  
  means, coupled to said means for determining, for denying access to the service if the second value is determined not to identify the set of credentials.
- View Dependent Claims (22, 23)
- - 22. The computer program product of claim 21 wherein the means for determining determines that the second value does not identify the created set of credentials when the second data processing system requires an authentication of the process.
  - 23. The computer program product of claim 22 wherein the means for determining determines that the second value does not identify the created set of credentials when the second data processing system has previously discarded, and not yet re-authorized said process, at least one element of the set of credentials.

24. A computer program product, residing on a computer readable medium, having means for obtaining authorization of a process running at a first data processing system to have access to a service at a second data processing system, said computer program product comprising:
- means for sending, to said second data processing system, a first request from said first data processing system comprising information required by said second data processing system to construct a set of credentials for said process;
  
  means, coupled to said means for sending a first request, for receiving, by said first data processing system, a value from said second data processing system identifying said set of credentials;
  
  means, coupled to said means for receiving, for sending, to the second data processing system, a second request from said first data processing system comprising said value; and
  
  means, coupled to said means for send a second request, for obtaining access to the service as controlled by the set of credentials if the second request identifies the set of credentials.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Johnson, Donavon W., Smith, Todd A.
Primary Examiner(s)
Heckler, Thomas M.

Application Number

US07/352,075
Time in Patent Office

2,689 Days
Field of Search

364/200, 364/900, 395/650, 395/725
US Class Current

726/5
CPC Class Codes

G06F 21/6218 to a system of files or obj...

Remote authentication and authorization in a distributed data processing system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

546 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

Remote authentication and authorization in a distributed data processing system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

546 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others