Multiple remote data access security mechanism for multitiered internet computer networks

US 6,052,785 A
Filed: 11/21/1997
Issued: 04/18/2000
Est. Priority Date: 11/21/1997
Status: Expired due to Term

First Claim

Patent Images

1. A computer implemented method for managing security in a multitiered networked computer system having multiple clients, a middle tier server, and one or more remote data repositories, the method including the steps of:

authenticating client access to said middle tier server;

intercepting in said server a client request for access to a remote data repository;

testing for stored client credentials to access said remote data repository;

if not found, requesting client credentials and validating said credentials with said remote data repository, and storing and associating said validated credentials with a client user identifier and a client session identifier; and

processing said request for accessing using stored client credentials.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for managing client authorization to access remote data repositories through a middle tier server such as a web server. Client remote data repository access is intercepted by the middle tier server and the server is searched for stored credentials permitting client access to the remote data repository. If found, the stored credentials are used to authenticate access without further interaction with the client system. If no stored credentials are found, the server requests credentials from the client and passes them to the remote data repository for validation. Validated credentials are stored by the server for future use and indexed by a client identifier. Permitted remote data repository access is stored with the validated credentials. Access to a mounted remote file system is not permitted without authorization even if the remote file system would not otherwise require authorization.

Citations

24 Claims

1. A computer implemented method for managing security in a multitiered networked computer system having multiple clients, a middle tier server, and one or more remote data repositories, the method including the steps of:
- authenticating client access to said middle tier server;
  
  intercepting in said server a client request for access to a remote data repository;
  
  testing for stored client credentials to access said remote data repository;
  
  if not found, requesting client credentials and validating said credentials with said remote data repository, and storing and associating said validated credentials with a client user identifier and a client session identifier; and
  
  processing said request for accessing using stored client credentials.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the step of authenticating client access operates according to the secure sockets layer protocol (SSL) or the secure hypertext transfer protocol (SHTTP).
  - 3. The method of claim 1, wherein the step of storing said validated credentials includes the steps of:
    - creating a table entry containing a client user identification from said authenticating step, a client session identifier based on a method used for said authentication, the validated credentials, and the remote data repository access permitted;
      
      storing said table entry in a security table indexed by said client user identifier;
      
      updating an index based on said client user identifier.
  - 4. The method of claim 3, wherein the remote data repository access permitted is stored as a computer system drive letter.
  - 5. The method of claim 3, wherein the remote data repository access permitted is stored as a file system mount point.
  - 6. The method of claim 3, wherein the remote data repository is a distributed file system managed by a distributed file system protocol.
  - 7. The method of claim 6, wherein the distributed file system protocol is DFS.
  - 8. The method of claim 1, wherein the remote data repository is a database server.
  - 9. The method of claim 1, wherein the remote data repository is a transaction processing system server.
  - 10. The method of claim 1, wherein the remote data repository is a groupware server.
  - 11. The method of claim 8, wherein the distributed file system protocol is NFS.
  - 12. The method of claim 1, further comprising the steps of:
    - sharing said stored client credentials with at least a second middle tier server;
      
      transferring a client session from said middle tier server to said second server having access to said stored client credentials without reauthorization from said client.

13. A system for managing secure remote data repository access in a multitiered distributed network having a plurality of clients, a middle tier server, and one or more remote data repositories, the system comprising:
- storage means in said server for storing client credentials for access to one or more of said remote data repositories;
  
  authentication means in said server for authenticating client access to said middle tier server;
  
  means for intercepting client remote data repository access requests;
  
  means for retrieving client authentication from said storage means in response to said means for intercepting;
  
  means for requesting client credentials from said client and validating said credentials with said one or more remote data repositories, if said means for retrieving is unable to locate stored client credentials for the requested remote data repository; and
  
  means for storing and associating validated client credentials with a client user identifier and a client session identifier in said storage means.
- View Dependent Claims (14, 15, 16)
- - 14. The system of claim 13 wherein the authentication means includes secure socket layer authentication and secure hypertext transfer protocol authorization.
  - 15. The system of claim 13 wherein said means for storing includes:
    - means for creating a client credential record including at least a client identifier, a session identifier, the validated credentials, and remote data repository access permitted;
      
      means for storing said client credential record in said storage means, andmeans for updating an index to said client credential record based on said client identifier.
  - 16. The system of claim 13, wherein said one or more remote data repositories include zero, one or more of a database server, a transaction processing system server, a groupware server, or a distributed file system server.

17. A method of controlling access to mounted remote file systems in a computer system having a processor and storage means, the method including the steps of:
- intercepting a requester request to access a mounted remote file system;
  
  testing said request to determine whether stored remote file system mount permissions exist for said requester;
  
  if not, requesting credentials from said requester and validating them with the remote file system, and storing and associating the credentials with a client user identifier and a client session identifier and a validated mounted file system reference;
  
  if credentials exists, passing said request to said remote file system.
- View Dependent Claims (18)
- - 18. The method of claim 17, wherein the mounted remote file system is mounted as a network drive letter and said validated mounted file system reference is said drive letter.

19. A computer program product having a computer readable medium having computer program logic recorded thereon for managing security in a multitiered networked computer system having multiple clients, a middle tier server, and one or more remote data repositories, said computer program product comprising:
- computer program product means for authenticating client access to said middle tier server;
  
  computer program product means for intercepting in said server a client request for access to a remote data repository;
  
  computer program product means for testing for stored client credentials to access said remote data repository;
  
  computer program product means for requesting client credentials and validating said credentials with said remote data repository, andstoring and associating said validated credentials with a client user identifier and a client section identifier, if no stored client credentials are found; and
  
  computer program product means for processing said request for accessing using stored client credentials.
- View Dependent Claims (20, 21, 22, 23, 24)
- - 20. The computer program product of claim 19, wherein the computer program product means for storing said validated credentials includes:
    - computer program product means for creating a table entry containing a client user identification from said authenticating, a client session identifier based on a method used for said authentication, the validated credentials, and the remote data repository access permitted;
      
      computer program product means for storing said table entry in a security table indexed by said client user identifier; and
      
      computer program product means for updating an index based on said client user identifier.
  - 21. The computer program product of claim 19, wherein the remote data repository is a database server.
  - 22. The computer program product of claim 19, wherein the remote data repository is a transaction processing system server.
  - 23. The computer program product of claim 19, wherein the remote data repository is a distributed file system managed by a distributed file system protocol.
  - 24. The computer program product of claim 19, wherein the remote data repository is a groupware server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cloud Software Group Switzerland GmbH
Original Assignee
International Business Machines Corporation
Inventors
Lin, David Dah-Haur, Shaheen, Amal Ahmed, Yellepeddy, Krishna Kishore
Primary Examiner(s)
Palys, Joseph E.
Assistant Examiner(s)
OMAR, OMAR B

Application Number

US08/976,401
Time in Patent Office

879 Days
Field of Search

713/201, 714/1, 709/223, 709/225, 709/227, 709/249, 380/4
US Class Current

726/5
CPC Class Codes

G06F 21/33 using certificates

Multiple remote data access security mechanism for multitiered internet computer networks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Multiple remote data access security mechanism for multitiered internet computer networks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links