Authentication and authorization in a multi-tier relational database management system

US 6,286,104 B1
Filed: 08/04/1999
Issued: 09/04/2001
Est. Priority Date: 08/04/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of enabling a middle-tier server to perform database operations on behalf of a client in a multi-tier relational database system, wherein the multi-tier relational database system includes said database server, a plurality of clients, and a set of one or more middle-tier servers, the method comprising:

establishing a first session at a database server in the multi-tier relational database system from a first middle-tier server, wherein during said first session said first middle-tier server may perform database operations for one of the set of middle-tier servers;

providing a credential to said first middle-tier server from said database server;

granting said first middle-tier server a first set of privileges on said database server for use in said first session;

establishing a second session at said database server from said first middle-tier server on behalf of a first client, wherein said establishing a second session comprises;

receiving from said first middle-tier server an identity of said first client; and

receiving said credential from said first middle-tier server;

wherein said first middle-tier server may perform database operations for said first client in said second session; and

granting a second set of privileges for use by said first middle-tier server on behalf of said first client in said second session;

wherein said first middle-tier server is configured to switch between said first session and said second session.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for ensuring effective and accurate authentication and authorization in an N-tier relational database management system. An N-tier relational database management system comprises a set of clients, one or more data servers and one or more middle-tier servers through which the clients may access the data servers. A method is provided for enabling a middle-tier server to connect to a data server and perform database operations on behalf of a client while promoting the ability to ensure the middle-tier server does not exceed its authorized privileges or roles. In this method a middle-tier server first establishes a session with the data server using the middle-tier server'"'"'s own identity (e.g., username) and verification (e.g., password). The middle-tier server may be granted limited roles when acting under its own identity in order to prevent it from performing unauditable or unaccountable operations on behalf of clients. The middle-tier server receives from the data server a credential that it provides when it needs to operate on behalf of a client. In this method, after the middle-tier server establishes its own session and receives a credential, it may then establish a session with the data server using the identity (e.g., username) of a client. Instead of storing and using the client'"'"'s password, however, the middle-tier server presents the credential to the data server as verification of its authorization to access the database. The middle-tier server may then switch between clients'"'"' sessions and its own session to perform database operations.

392 Citations

22 Claims

1. A method of enabling a middle-tier server to perform database operations on behalf of a client in a multi-tier relational database system, wherein the multi-tier relational database system includes said database server, a plurality of clients, and a set of one or more middle-tier servers, the method comprising:
- establishing a first session at a database server in the multi-tier relational database system from a first middle-tier server, wherein during said first session said first middle-tier server may perform database operations for one of the set of middle-tier servers;
  
  providing a credential to said first middle-tier server from said database server;
  
  granting said first middle-tier server a first set of privileges on said database server for use in said first session;
  
  establishing a second session at said database server from said first middle-tier server on behalf of a first client, wherein said establishing a second session comprises;
  
  receiving from said first middle-tier server an identity of said first client; and
  
  receiving said credential from said first middle-tier server;
  
  wherein said first middle-tier server may perform database operations for said first client in said second session; and
  
  granting a second set of privileges for use by said first middle-tier server on behalf of said first client in said second session;
  
  wherein said first middle-tier server is configured to switch between said first session and said second session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising, prior to said establishing a second session at said database server, receiving a connection at said first middle-tier server from said first client.
  - 3. The method of claim 2, wherein said first client is connected to one or more other middle-tier servers of the set of middle-tier servers prior to said first middle-tier server.
  - 4. The method of claim 3, wherein a true identity of said first client is passed from said one or more other middle-tier servers to said first middle-tier server.
  - 5. The method of claim 2, further comprising authenticating said first client prior to said establishing a second session at said database server.
  - 6. The method of claim 1, further comprising authenticating said first middle-tier server to said database server prior to said establishing a first session at a database server.
  - 7. The method of claim 6, further comprising authenticating said database server to said first middle-tier server prior to said establishing a first session at a database server.
  - 8. The method of claim 1, wherein said first client is a browser and said first middle-tier server is an application server.
  - 9. The method of claim 1, wherein said first set of privileges is insufficient to allow said first middle-tier server to perform a database operation on behalf of a client during said first session.
  - 10. The method of claim 1, wherein said second set of privileges is different from a third set of privileges granted to said first client when said first client connects directly to said data server.
  - 11. The method of claim 1, wherein said granting a second set of privileges comprises:
12. The method of claim 1, wherein said granting a second set of privileges comprises:
- consulting an authorization server to identify one or more privileges authorized for said first client.
13. The method of claim 1, further comprising auditing a database operation performed by said first middle-tier server for said first client during said second session.

14. A method of connecting a client to a database server through one or more middle-tier servers in a multi-tier relational database system, comprising:
- authenticating a first database client at a first authentication server in a multi-tier relational database system;
  
  receiving a connection from said first client at a first middle-tier server;
  
  receiving at said first middle-tier server an identity of said first client provided by said first authentication server;
  
  authenticating said first middle-tier server to a first database server at a second authentication server;
  
  receiving at said first database server an identity of said first middle-tier server from said second authentication server;
  
  establishing a first session on said first database server for said first middle-tier server during which said first middle-tier server may perform database operations on behalf of a middle-tier server;
  
  granting a first set of privileges for said first middle-tier server for use in said first session;
  
  providing said first middle-tier server a credential from said first database server;
  
  receiving at said first database server said identity of said first client and said credential;
  
  establishing a second session on said first database server for said first middle-tier server under said identity of said first client, wherein during said second session said first middle-tier server may perform database operations on behalf of said first client; and
  
  granting a second set of privileges for use by said middle-tier server under the identity of said first client in said second session.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method of claim 14, further comprising forwarding said first client connection through one or more middle-tier servers other than said first middle-tier server.
  - 16. The method of claim 15, wherein each of said middle-tier servers from which said first client connection is forwarded also forwards a true identity of said first client.
  - 17. The method of claim 14, further comprising querying an authorization server to retrieve one of said first set of privileges and said second set of privileges.
  - 18. The method of claim 14, wherein said second set of privileges is identified to said first database server by said first middle-tier server.

19. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of enabling a middle-tier server to perform database operations on behalf of a client in a multi-tier relational database system, wherein the multi-tier relational database system includes said database server, a plurality of clients, and a set of one or more middle-tier servers, the method comprising:
- establishing a first session at a database server in the multi-tier relational database system from a first middle-tier server, wherein during said first session said first middle-tier server may perform database operations for one of the set of middle-tier servers;
  
  providing a credential to said first middle-tier server from said database server;
  
  granting said first middle-tier server a first set of privileges on said database server for use in said first session;
  
  establishing a second session at said database server from said first middle-tier server on behalf of a first client, wherein said establishing a second session comprises;
  
  receiving from said first middle-tier server an identity of said first client; and
  
  receiving said credential from said first middle-tier server;
  
  wherein said first middle-tier server may perform database operations for said first client in said second session; and
  
  granting a second set of privileges for use by said first middle-tier server on behalf of said first client in said second session;
  
  wherein said first middle-tier server is configured to switch between said first session and said second session.

20. A multi-tier relational database system, comprising:
- a database server configured to store data;
  
  a plurality of clients configured to access said data via one or more middle-tier servers; and
  
  a first middle-tier server configured to access said data on behalf of said clients;
  
  wherein said first middle-tier server establishes a first connection with said database server and receives a credential from said database server and wherein said middle-tier server establishes a second connection to said database server for a first client using said credential in place of a password of said first client; and
  
  wherein said middle-tier server auditably accesses said data with different sets of privileges in said first connection and said second connection.
- View Dependent Claims (21, 22)
- - 21. The multi-tier relational database system of claim 20, further comprising:
22. The multi-tier relational database system of claim 20, further comprising an authorization server coupled to said database server, wherein said authorization server is configured to identify privileges authorized for one of said first client and said first middle-tier server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle Corporation
Inventors
Wessman, Richard R., Buhle, Gordon
Primary Examiner(s)
Homere, Jean R.
Assistant Examiner(s)
Wassum, Luke S

Application Number

US09/369,047
Time in Patent Office

762 Days
Field of Search

707/1-5, 707/9-10, 709/200-203, 709/227-229, 713/200-202
US Class Current

726/4
CPC Class Codes

H04L 63/105 Multiple levels of security

Y10S 707/99939 Privileged access

Authentication and authorization in a multi-tier relational database management system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

392 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication and authorization in a multi-tier relational database management system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

392 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links