Applet redirection for controlled access to non-orginating hosts

US 5,987,523 A
Filed: 06/04/1997
Issued: 11/16/1999
Est. Priority Date: 06/04/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A method for allowing a Java applet to access a server other than a first server from which said applet was downloaded, wherein said method operates to overcome a Java sandbox security restriction of said applet which prevents said applet from accessing said other server, said method comprising the steps of:

downloading a selected applet from said first server to a user workstation, said first server having a unique address;

detecting the address of said first server;

opening a first socket connection from said selected applet to a redirector function on said first server;

sending an address for a target host server from said selected applet to said redirector function;

opening a second socket connection from said redirector function to a host function on said target host server on behalf of said selected applet; and

accessing said host function from said selected applet indirectly by redirecting data through said redirector function using said first socket connection and said second socket connection.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for allowing dynamic applet access to servers from which the applet did not originate wherein an application on the originating server redirects communications between the applet and network resources.

199 Citations

25 Claims

1. A method for allowing a Java applet to access a server other than a first server from which said applet was downloaded, wherein said method operates to overcome a Java sandbox security restriction of said applet which prevents said applet from accessing said other server, said method comprising the steps of:
- downloading a selected applet from said first server to a user workstation, said first server having a unique address;
  
  detecting the address of said first server;
  
  opening a first socket connection from said selected applet to a redirector function on said first server;
  
  sending an address for a target host server from said selected applet to said redirector function;
  
  opening a second socket connection from said redirector function to a host function on said target host server on behalf of said selected applet; and
  
  accessing said host function from said selected applet indirectly by redirecting data through said redirector function using said first socket connection and said second socket connection.

2. A method for enabling applets in a computer network to communicate with one or more remote servers for the purpose of accessing one or more target resources, wherein said target resources are accessible from said remote servers, and wherein said remote servers are different than a first server from which said applet was downloaded, said method comprising the steps ofstoring one or more applets on said first server, wherein said applets have an inherent prohibition against directly exchanging messages with any other server except said first server;
- downloading a selected one of said applets onto a client machine;
  
  executing said downloaded selected applet on said client machine;
  
  executing a redirector function on said first server;
  
  establishing a first connection between said selected applet and said redirector function;
  
  sending a connect request from said applet to said redirector function, wherein said connect request specifies (i) a server host address of a selected one of said servers other than said first server and (ii) a port number on said selected server;
  
  receiving, by said redirector function, said connect request;
  
  checking a filter table, responsive to said receiving step, to determine if said client machine is authorized to access said selected server;
  
  establishing, by said redirector function, a second connection between said redirector function and said selected server when said checking step has a positive result, said second connection being on behalf of said applet; and
  
  indirectly exchanging messages between said applet and said selected server using said redirector function to transfer said exchanged messages between said first connection and said second connection.
- View Dependent Claims (3, 4, 5, 6)
- - 3. The method as claimed in claim 2, wherein said applets are Java applets, and wherein operation of a Java sandbox security restriction enforces said inherent prohibition.
  - 4. The method as claimed in claim 2 or 3, wherein:
    - said filter table comprises a plurality of entries, each of said entries comprising;
      
      an address of a particular one of said servers other than said first server, and a range of client machine addresses which are authorized to access said particular one; and
      
      said checking step further comprises the steps of;
      
      extracting a client address from said connect request;
      
      locating a particular entry in said table, wherein said address in said particular entry matches said server host address from said connect request; and
      
      comparing said extracted client address to said range of addresses from said located entry.
  - 5. The method as claimed in claim 2, further comprising:
    - executing an add-on function on said first server; and
      
      performing further processing of exchanged messages using said add-on function.
  - 6. The method as claimed in claim 5, wherein said add-on function is a cryptography function for providing secure data transmission between said client machine and said first server, and wherein said performing further processing step further comprises the steps ofreceiving encrypted data from said applet by said redirector function over said first connection;
    - forwarding said encrypted data from said redirector function to said add-on function;
      
      decrypting said encrypted data using said add-on function;
      
      returning said decrypted data from said add-on function to said redirector function;
      
      forwarding said decrypted data from said redirector function to said selected server over said second connection;
      
      receiving unencrypted data from said selected server by said redirector function over said second connection;
      
      forwarding said unencrypted data from said redirector function to said add-on function;
      
      encrypting said unencrypted data using said add-on function;
      
      returning said encrypted data from said add-on function to said redirector function; and
      
      forwarding said encrypted data from said redirector function to said applet.

7. A method for enabling applets in a computer network to communicate with one or more remote servers for the purpose of accessing one or more target resources, wherein said target resources are accessible from said remote servers, and wherein said remote servers are different than a first server from which said applet was downloaded, said method comprising the steps of:
- storing one or more applets on said first server, wherein said applets have an inherent prohibition against directly exchanging messages with any other server except said first server;
  
  downloading a selected one of said applets onto a client machine;
  
  executing said downloaded selected applet on said client machine;
  
  executing a redirector function on said first server;
  
  establishing a first connection between said selected applet and said redirector function;
  
  sending a connect request from said applet to said redirector function, wherein said connect request does not specify a server host address of a target server;
  
  receiving, by said redirector function, said connect request;
  
  checking a filter table, responsive to said receiving step, to determine a default target server to be used with said client machine;
  
  establishing, by said redirector function, a second connection between said redirector function and said default target server on behalf of said applet; and
  
  indirectly exchanging messages between said applet and said default target server using said redirector function to transfer said exchanged messages between said first connection and said second connection.
- View Dependent Claims (8, 9)
- - 8. The method as claimed in claim 7, wherein said applets are Java applets, and wherein operation of a Java sandbox security restriction enforces said inherent prohibition.
  - 9. The method as claimed in claim 7 or 8, wherein:
    - said filter table comprises a plurality of entries, each of said entries comprising;
      
      an address of a particular one of said servers other than said first server, and a range of client machine addresses which are authorized to access said particular one; and
      
      said checking step further comprises the steps of;
      
      extracting a client address from said connect request; and
      
      locating a particular entry in said table, wherein said address in said particular entry matches said extracted client address.

10. A system in a computer network for enabling applets to communicate with a different server than a first server from which said applet was downloaded, comprising:
- one or more applets, each of said applets stored on a first server, wherein said applets have an inherent prohibition against directly exchanging messages with any other server except said first server;
  
  one or more target resources, each of said target resources being accessible from a server other than said first server;
  
  a client machine, onto which a selected one of said applets is downloaded;
  
  means for executing said downloaded selected applet on said client machine;
  
  means for executing a redirector function on said first server,means for establishing a first connection between said selected applet and said redirector function;
  
  means for sending a connect request from said applet to said redirector function, wherein said connect request specifies (i) a server host address of a selected one of said servers other than said first server and (ii) a port number on said selected server;
  
  means for receiving, by said redirector function, said connect request;
  
  means for checking a filter table, responsive to said means for receiving, to determine if said client machine is authorized to access said selected server;
  
  means for establishing, by said redirector function, a second connection between said redirector function and said selected server when said means for checking has a positive result, said second connection being on behalf of said applet; and
  
  means for indirectly exchanging messages between said applet and said selected server using said redirector function to transfer said exchanged messages between said first connection and said second connection.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The system as claimed in claim 10, wherein said applets are Java applets, and wherein operation of a Java sandbox security restriction enforces said inherent prohibition.
  - 12. The system as claimed in claim 10 or 11, wherein:
    - said filter table comprises a plurality of entries, each of said entries comprising;
      
      an address of a particular one of said servers other than said first server, and a range of client machine addresses which are authorized to access said particular one; and
      
      said means for checking further comprises;
      
      means for extracting a client address from said connect request;
      
      means for locating a particular entry in said table, wherein said address in said particular entry matches said server host address from said connect request; and
      
      means for comparing said extracted client address to said range of addresses from said located entry.
  - 13. The system as claimed in claim 10, further comprising:
    - means for executing an add-on function on said first server; and
      
      means for performing further processing of exchanged messages using said add-on function.
  - 14. The system as claimed in claim 13, wherein said add-on function is a cryptography function for providing secure data transmission between said client machine and said first server, and wherein said means for performing further processing further comprises:
    - means for receiving encrypted data from said applet by said redirector function over said first connection;
      
      means for forwarding said encrypted data from said redirector function to said add-on function;
      
      means for decrypting said encrypted data using said add-on function;
      
      means for returning said decrypted data from said add-on function to said redirector function;
      
      means for forwarding said decrypted data from said redirector function to said selected server over said second connection;
      
      means for receiving unencrypted data from said selected server by said redirector function over said second connection;
      
      means for forwarding said unencrypted data from said redirector function to said add-on function;
      
      means for encrypting said unencrypted data using said add-on function;
      
      means for returning said encrypted data from said add-on function to said redirector function; and
      
      means for forwarding said encrypted data from said redirector function to said applet.

15. A system in a computer network for enabling applets to communicate with a different server than a first server from which said applet was downloaded, comprising:
- one or more applets, each of said applets stored on a first server, wherein said applets have an inherent prohibition against directly exchanging messages with any other server except said first server;
  
  one or more target resources, each of said target resources being accessible from a server other than said first server;
  
  a client machine, onto which a selected one of said applets is downloaded;
  
  means for executing said downloaded selected applet on said client machine;
  
  means for executing a redirector function on said first server;
  
  means for establishing a first connection between said selected applet and said redirector function;
  
  means for sending a connect request from said applet to said redirector function, wherein said connect request does not specify a server host address of a target server;
  
  means for receiving, by said redirector function, said connect request;
  
  means for checking a filter table, responsive to said means for receiving, to determine a default target server to be used with said client machine;
  
  means for establishing, by said redirector function, a second connection between said redirector function and said default target server on behalf of said applet; and
  
  means for indirectly exchanging messages between said applet and said default target server using said redirector function to transfer said exchanged messages between said first connection and said second connection.
- View Dependent Claims (16, 17)
- - 16. The system as claimed in claim 15, wherein said applets are Java applets, and wherein operation of a Java sandbox security restriction enforces said inherent prohibition.
  - 17. The system as claimed in claim 15 or 16, wherein:
    - said filter table comprises a plurality of entries, each of said entries comprising;
      
      an address of a particular one of said servers other than said first server, and a range of client machine addresses which are authorized to access said particular one; and
      
      said means for checking further comprises;
      
      means for extracting a client address from said connect request; and
      
      means for locating a particular entry in said table, wherein said address in said particular entry matches said extracted client address.

18. A computer program product on a computer-readable medium in a computer network for enabling applets to communicate with a different server than a first server from which said applet was downloaded, comprising:
- one or more applets, each of said applets stored on a first server, wherein said applets have an inherent prohibition against directly exchanging messages with any other server except said first server;
  
  one or more target resources, each of said target resources being accessible from a server other than said first server;
  
  a client machine, onto which a selected one of said applets is downloaded;
  
  computer-readable program code means for executing said downloaded selected applet on said client machine;
  
  computer-readable program code means for executing a redirector function on said first server;
  
  computer-readable program code means for establishing a first connection between said selected applet and said redirector function;
  
  computer-readable program code means for sending a connect request from said applet to said redirector function, wherein said connect request specifies (i) a server host address of a selected one of said servers other than said first server and (ii) a port number on said selected server;
  
  computer-readable program code means for receiving, by said redirector function, said connect request;
  
  computer-readable program code means for checking a filter table, responsive to said computer-readable program code means for receiving, to determine if said client machine is authorized to access said selected server;
  
  computer-readable program code means for establishing, by said redirector function, a second connection between said redirector function and said selected server when said computer-readable program code means for checking has a positive result, said second connection being on behalf of said applet; and
  
  computer-readable program code means for indirectly exchanging messages between said applet and said selected server using said redirector function to transfer said exchanged messages between said first connection and said second connection.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The computer program product as claimed in claim 18, wherein said applets are Java applets, and wherein operation of a Java sandbox security restriction enforces said inherent prohibition.
  - 20. The computer program product as claimed in claim 19 or 18, wherein:
    - said filter table comprises a plurality of entries, each of said entries comprising;
      
      an address of a particular one of said servers other than said first server, and a range of client machine addresses which are authorized to access said particular one; and
      
      said computer-readable program code means for checking further comprises;
      
      computer-readable program code means for extracting a client address from said connect request;
      
      computer-readable program code means for locating a particular entry in said table, wherein said address in said particular entry matches said server host address from said connect request; and
      
      computer-readable program code means for comparing said extracted client address to said range of addresses from said located entry.
  - 21. The computer program product as claimed in claim 18, further comprising:
    - computer-readable program code means for executing an add-on function on said first server; and
      
      computer-readable program code means for performing further processing of exchanged messages using said add-on function.
  - 22. The computer program product as claimed in claim 21, wherein said add-on function is a cryptography function for providing secure data transmission between said client machine and said first server, and wherein said computer-readable program code means for performing further processing further comprises:
    - computer-readable program code means for receiving encrypted data from said applet by said redirector function over said first connection;
      
      computer-readable program code means for forwarding said encrypted data from said redirector function to said add-on function;
      
      computer-readable program code means for decrypting said encrypted data using said add-on function;
      
      computer-readable program code means for returning said decrypted data from said add-on function to said redirector function;
      
      computer-readable program code means for forwarding said decrypted data from said redirector function to said selected server over said second connection;
      
      computer-readable program code means for receiving unencrypted data from said selected server by said redirector function over said second connection;
      
      computer-readable program code means for forwarding said unencrypted data from said redirector function to said add-on function;
      
      computer-readable program code means for encrypting said unencrypted data using said add-on function;
      
      computer-readable program code means for returning said encrypted data from said add-on function to said redirector function; and
      
      computer-readable program code means for forwarding said encrypted data from said redirector function to said applet.

23. A computer program product on a computer-readable medium in a computer network for enabling applets to communicate with a different server than a first server from which said applet was downloaded, comprising:
- one or more applets, each of said applets stored on a first server, wherein said applets have an inherent prohibition against directly exchanging messages with any other server except said first server;
  
  one or more target resources, each of said target resources being accessible from a server other than said first server;
  
  a client machine, onto which a selected one of said applets is downloaded;
  
  computer-readable program code means for executing said downloaded selected applet on said client machine;
  
  computer-readable program code means for executing a redirector function on said first server;
  
  computer-readable program code means for establishing a first connection between said selected applet and said redirector function;
  
  computer-readable program code means for sending a connect request from said applet to said redirector function, wherein said connect request does not specify a server host address of a target server;
  
  computer-readable program code means for receiving, by said redirector function, said connect request;
  
  computer-readable program code means for checking a filter table, responsive to said computer-readable program code means for receiving, to determine a default target server to be used with said client machine;
  
  computer-readable program code means for establishing, by said redirector function, a second connection between said redirector function and said default target server on behalf of said applet; and
  
  computer-readable program code means for indirectly exchanging messages between said applet and said default target server using said redirector function to transfer said exchanged messages between said first connection and said second connection.
- View Dependent Claims (24, 25)
- - 24. The computer program product as claimed in claim 23, wherein said applets are Java applets, and wherein operation of a Java sandbox security restriction enforces said inherent prohibition.
  - 25. The computer program product as claimed in claim 23 or 24, wherein:
    - said filter table comprises a plurality of entries, each of said entries comprising;
      
      an address of a particular one of said servers other than said first server, and a range of client machine addresses which are authorized to access said particular one; and
      
      said computer-readable program code means for checking further comprises;
      
      computer-readable program code means for extracting a client address from said connect request; and
      
      computer-readable program code means for locating a particular entry in said table, wherein said address in said particular entry matches said extracted client address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Nanavati, Pratik Biharilal, Wesley, Ajamu Akinwunmi, Hind, John Raithel, Lindquist, David Bruce, Tan, Yih-Shin
Primary Examiner(s)
Rinehart, Mark H.
Assistant Examiner(s)
Thompson, Marc D

Application Number

US08/868,611
Time in Patent Office

895 Days
Field of Search

395/200.3, 395/200.33, 395/200.32, 395/200.57, 395/200.75, 395/200.79, 395/200.8, 395/186, 395/187.01, 709/200, 709/203, 709/202, 709/227, 709/245, 709/249, 709/250, 713/200, 713/201, 713/202
US Class Current

709/245
CPC Class Codes

G06F 9/465   Distributed object oriented...

H04L 63/0428   wherein the data content is...

H04L 63/101   Access control lists [ACL]

H04L 63/168   above the transport layer

H04L 67/561   Adding application-function...

H04L 67/563   Data redirection of data ne...

H04L 69/16   Implementation or adaptatio...

H04L 69/162   involving adaptations of so...

H04L 9/40   Network security protocols

Applet redirection for controlled access to non-orginating hosts

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

199 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Applet redirection for controlled access to non-orginating hosts

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

199 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links