System and method for secure web server gateway access using credential transform

US 6,067,623 A
Filed: 11/21/1997
Issued: 05/23/2000
Est. Priority Date: 11/21/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A middle-tier server (MTS) with facilities for automatically authenticating a request for a protected upper-tier resource, said MTS comprising:

an input facility that receives a request from a user at a lower-tier client requiring access to at least one upper-tier resource;

a first application program interface (API) that performs middle-tier authentication;

a second API that performs upper-tier authentication; and

a server program that;

utilizes said first API to associate a middle-tier user credential with said request if no middle-tier user credential is associated with said request;

utilizes said second API to associate an upper-tier user credential with said request if said middle-tier user credential is associated with said request and no upper-tier user credential is associated with said request; and

utilizes said upper-tier user credential to access said at least one upper-tier resource if said middle-tier user credential and said upper-tier user credential are associated with said request and then returns a response from said upper-tier resource to said lower-tier client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for controlling client access to enterprise resources through a middle tier server. Enterprise resource authorizations are maintained in a middle tier server. Users authenticate with the server causing it to map and transform the client access authorization into enterprise resource credentials. Enterprise resources are accessed after authorizing using the transformed credentials.

312 Citations

21 Claims

1. A middle-tier server (MTS) with facilities for automatically authenticating a request for a protected upper-tier resource, said MTS comprising:
- an input facility that receives a request from a user at a lower-tier client requiring access to at least one upper-tier resource;
  
  a first application program interface (API) that performs middle-tier authentication;
  
  a second API that performs upper-tier authentication; and
  
  a server program that;
  
  utilizes said first API to associate a middle-tier user credential with said request if no middle-tier user credential is associated with said request;
  
  utilizes said second API to associate an upper-tier user credential with said request if said middle-tier user credential is associated with said request and no upper-tier user credential is associated with said request; and
  
  utilizes said upper-tier user credential to access said at least one upper-tier resource if said middle-tier user credential and said upper-tier user credential are associated with said request and then returns a response from said upper-tier resource to said lower-tier client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A middle-tier server (MTS) according to claim 1, wherein said first application program interface (API) comprises an authentication manager that includes:
    - means for prompting said user for a middle-tier user identifier and a middle-tier user token;
      
      means for authenticating said request based on authentication data for said MTS, said middle-tier user identifier, and said middle-tier user token;
      
      means for rejecting said request if said middle-tier authentication fails; and
      
      means for associating said middle-tier user credential with said request if said middle-tier authentication succeeds.
  - 3. A middle-tier server (MTS) according to claim 2, wherein said second application program interface (API) comprises an access manager that includes:
    - means for mapping said middle-tier user identifier to an upper-tier user identifier and to a corresponding upper-tier user token for each at least one upper-tier resource;
      
      means for authenticating said request based on authentication data for each at least one upper-tier resource and based on each corresponding upper-tier user identifier and upper-tier user token;
      
      means for rejecting said request if said upper-tier authentication fails; and
      
      means for associating said upper-tier user credential with said request if said upper-tier authentication succeeds.
  - 4. A middle-tier server (MTS) according to claim 3, wherein:
    - said MTS has at least first and second security levels;
      
      said user is a first user with said second security level; and
      
      further comprising;
      
      means for allowing said first user to store and modify one or more of said upper-tier user tokens of said first user;
      
      means for allowing a second user with said first security level to store and modify one or more of said upper-tier user tokens of said first user; and
      
      means for preventing a third user with said second security level from storing and modifying any of said upper-tier user tokens of said first user.
  - 5. A middle-tier server (MTS) according to claim 3, wherein said means for authenticating said request based on authentication data for said at least one upper-tier resource comprises:
    - means for invoking a secondary logon mechanism associated with said at least one upper-tier resource; and
      
      means for passing said upper-tier user identifier and said upper-tier user token to said secondary logon mechanism without prompting said user for said upper-tier user identifier and without prompting said user for said upper-tier user token.
  - 6. A middle-tier server (MTS) according to claim 5, wherein said server program comprises a web server program.
  - 7. A middle-tier server (MTS) according to claim 1 further comprising a security application program interface (API) that includes said first API and said second API.

8. A method in a middle-tier server for automatically authenticating a request for a protected upper-tier resource, said method comprising:
- receiving, at server software executing on a middle-tier server (MTS), a request from a user at a lower-tier client requiring access to at least one upper-tier resource;
  
  if no middle-tier user credential is associated with said request, associating said middle-tier user credential with said request by utilizing a first application program interface (API) of said MTS to perform middle-tier authentication of said request;
  
  if said middle-tier user credential is associated with said request and no upper-tier user credential is associated with said request, associating said upper-tier user credential with said request by utilizing a second API of said MTS to perform upper-tier authentication of said request; and
  
  if said middle-tier user credential and said upper-tier user credential are associated with said request, utilizing said upper-tier user credential to access said at least one upper-tier resource and, thereafter, returning a response from said upper-tier resource to said lower-tier client.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. A method according to claim 8, wherein said step of utilizing said first application program interface (API) to perform middle-tier authentication comprises:
    - prompting said user for a middle-tier user identifier and a middle-tier user token;
      
      authenticating said request based on authentication data for said middle-tier server (MTS), said middle-tier user identifier, and said middle-tier user token;
      
      rejecting said request if said middle-tier authentication fails; and
      
      associating said middle-tier user credential with said request if said authentication succeeds.
  - 10. A method according to claim 9, wherein said step of utilizing said second application program interface (API) to perform upper-tier authentication comprises:
    - mapping said middle-tier user identifier to an upper-tier user identifier and to a corresponding upper-tier user token for each at least one upper-tier resource;
      
      authenticating said request based on authentication data for each at least one upper-tier resource and based on each corresponding upper-tier user identifier and upper-tier user token;
      
      rejecting said request if said upper-tier authentication fails; and
      
      associating said upper-tier user credential with said request if said upper-tier authentication succeeds.
  - 11. A method according to claim 10, said middle-tier server (MTS) having at least first and second security levels, wherein:
    - said user is a first user with said second security level; and
      
      said method further comprises;
      
      allowing said first user to store and modify one or more of said upper-tier user tokens of said first user;
      
      allowing a second user with said first security level to store and modify one or more of said upper-tier user tokens of said first user; and
      
      preventing a third user with said second security level from storing and modifying any of said upper-tier user tokens of said first user.
  - 12. A method according to claim 10, wherein said step of authenticating said request based on authentication data for each at least one upper-tier resource comprises:
    - invoking a secondary logon mechanism associated with said at least one upper-tier resource; and
      
      passing said upper-tier user identifier and said upper-tier user token to said secondary logon mechanism without prompting said user for said upper-tier user identifier and without prompting said user for said upper-tier user token.
  - 13. A method according to claim 8, wherein said server software comprises a web server program.
  - 14. A method according to claim 8, wherein said middle-tier server (MTS) utilizes a security application program interface (API) that includes said first API and said second API to perform said middle-tier authentication and said upper-tier authentication.

15. A program product that enables a middle-tier server (MTS) to authenticate a request for a protected upper-tier resource automatically, said program product comprising:
- an input facility that receives a request from a user at a lower-tier client requiring access to at least one upper-tier resource;
  
  a first application program interface (API) that performs middle-tier authentication;
  
  a second API that performs upper-tier authentication;
  
  a server program that;
  
  utilizes said first API to associate a middle-tier user credential with said request if no middle-tier user credential is associated with said request;
  
  utilizes said second API to associate an upper-tier user credential with said request if said middle-tier user credential is associated with said request and no upper-tier user credential is associated with said request; and
  
  utilizes said upper-tier user credential to access said at least one upper-tier resource if said middle-tier user credential and said upper-tier user credential are associated with said request and then returns a response from said upper-tier resource to said lower-tier client; and
  
  a computer usable medium encoding said input facility, said first API, said second API, and said server program.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. A program product according to claim 15, wherein said first application program interface (API) comprises an authentication manager that includes:
    - means for prompting said user for a middle-tier user identifier and a middle-tier user token;
      
      means for authenticating said request based on authentication data for said middle-tier server (MTS), said middle-tier user identifier, and said middle-tier user token;
      
      means for rejecting said request if said middle-tier authentication fails; and
      
      means for associating said middle-tier user credential with said request if said middle-tier authentication succeeds.
  - 17. A program product according to claim 16, wherein said second application program interface (API) comprises an access manager that includes:
    - means for mapping said middle-tier user identifier to an upper-tier user identifier and to a corresponding upper-tier user token for each at least one upper-tier resource;
      
      means for authenticating said request based on authentication data for each at least one upper-tier resource and based on each corresponding upper-tier user identifier and upper-tier user token;
      
      means for rejecting said request if said upper-tier authentication fails; and
      
      means for associating said upper-tier user credential with said request if said upper-tier authentication succeeds.
  - 18. A program product according to claim 17, wherein:
    - said middle-tier server (MTS) has at least first and second security levels;
      
      said user is a first user with said second security level; and
      
      said program product further comprises;
      
      means for allowing said first user to store and modify one or more of said upper-tier user tokens of said first user;
      
      means for allowing a second user with said first security level to store and modify one or more of said upper-tier user tokens of said first user; and
      
      means for preventing a third user with said second security level from storing and modifying any of said upper-tier user tokens of said first user.
  - 19. A program product according to claim 17, wherein said means for authenticating said request based on authentication data for said at least one upper-tier resource comprises:
    - means for invoking a secondary logon mechanism associated with said at least one upper-tier resource; and
      
      means for passing said upper-tier user identifier and said upper-tier user token to said secondary logon mechanism without prompting said user for said upper-tier user identifier and without prompting said user for said upper-tier user token.
  - 20. A program product according to claim 15, wherein said server program comprises a web server program.
  - 21. A program product according to claim 15, wherein said computer usable medium encodes a security application program interface (API) that includes said first API and said second API.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Milman, Ivan Matthew, Blakley, George Robert III, Cohen, Richard Jay
Primary Examiner(s)
Beausoliel, Jr., Robert W.
Assistant Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US08/976,400
Time in Patent Office

914 Days
Field of Search

713/201, 713/202, 713/200, 713/151, 713/152, 709/229, 709/226, 709/230, 709/302, 707/1, 707/9, 707/10
US Class Current

726/5
CPC Class Codes

G06F 21/6236   between heterogeneous systems

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

Y10S 707/99939   Privileged access

System and method for secure web server gateway access using credential transform

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

312 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure web server gateway access using credential transform

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

312 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links