Method for enabling a web server running a “closed” native operating system to impersonate a user of a web client to obtain a protected file

US 6,338,064 B1
Filed: 05/14/1998
Issued: 01/08/2002
Est. Priority Date: 05/14/1998
Status: Expired due to Fees

First Claim

Patent Images

1. A method of enabling a server supporting a closed native operating system to impersonate a user of a client to obtain a resource located in a file system of a distributed computer environment, the distributed computer environment including a security service for returning a credential to a user authenticated to access the distributed file system, comprising the steps of:

in response to a request from the user to access the resource, obtaining a credential from the security service;

associating the credential to a temporary operating system user identifier selected from a pool of such identifiers; and

having the server use the temporary operating system user identifier to assume the user'"'"'s identity to service the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of authenticating a Web client to a Web server connectable to a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. The method preferably operates within the context of a native operating system environment such as “Windows NT”. Upon initialization of the Web server, a session manager creates a pool of temporary Windows NT user identities. In response to a Web client browser request, a temporary NT user identity is associated with proper DCE credentials. A server process then impersonates the returned NT user identity on a thread which is attempting to access the requested resource.

Citations

35 Claims

1. A method of enabling a server supporting a closed native operating system to impersonate a user of a client to obtain a resource located in a file system of a distributed computer environment, the distributed computer environment including a security service for returning a credential to a user authenticated to access the distributed file system, comprising the steps of:
- in response to a request from the user to access the resource, obtaining a credential from the security service;
  
  associating the credential to a temporary operating system user identifier selected from a pool of such identifiers; and
  
  having the server use the temporary operating system user identifier to assume the user'"'"'s identity to service the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as described in claim 1 wherein the step of associating the credential to a temporary operating system user identifier includes adding a key to a registry of the operating system identifying a name of the temporary operating system user.
  - 3. The method as described in claim 2 wherein the step of associating the credential to the temporary operating system user identifier also includes adding a value to the registry of the operating system representing a path to a file supporting the credential.
  - 4. The method as described in claim 1 wherein the closed native operating system is Windows NT.
  - 5. The method as described in claim 4 wherein the server is a Web server, the client includes a browser that initiates the request, the distributed file system is Open Group Distributed File Services (DFS), and the resource is a Web object.
  - 6. The method as described in claim 1 wherein the step of obtaining the credential includes the steps of:
7. The method as described in claim 1 further including the step of creating the pool of temporary operating system user identifiers.
8. The method as described in claim 7 wherein the associating step includes the steps of:
- selecting an unused temporary operating system user identifier from the pool; and
  
  identifying the selected temporary operating system user identifier as in use.
9. The method as described in claim 8 further including the step of returning the selected temporary operating system identifier back to the pool after the request is serviced.

10. A method of enabling a Web server to impersonate a user of a client to obtain a Web document located in a distributed file system of a distributed computer environment, the client and server supporting a closed native operating system, and the distributed computer environment including a security service for returning a credential to a user authenticated to access the distributed file system, comprising the steps of:
- creating a pool of temporary native operating system user identifiers;
  
  in response to a request from the user to access the Web document, obtaining a credential from the security service;
  
  associating the credential to a temporary native operating system user identifier selected from a pool; and
  
  having the Web server use the temporary native operating system user identifier to assume the user'"'"'s identity to service the request.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method as described in claim 10 wherein the step of associating the credential to a temporary native operating system user identifier includes the steps of:
12. The method as described in claim 11 wherein the closed native operating system is Windows NT.
13. The method as described in claim 12 wherein the distributed file system is Open Group Distributed File Services (DFS).
14. The method as described in claim 10 wherein the step of obtaining the credential includes the steps of:
- prompting the user to enter a userid and password associated with the distributed computing environment; and
  
  performing a programmatic login to the security service using the userid and password to obtain the credential.
15. The method as described in claim 10 wherein the associating step includes the steps of:
- selecting an unused temporary native operating system user identifier from the pool; and
  
  identifying the selected temporary native operating system user identifier as in use.
16. The method as described in claim 15 further including the step of returning the selected temporary native operating system user identifier back to the pool after the request is serviced.

17. A method of enabling a Web server supporting a closed native operating system to impersonate a user of client to obtain a Web document located in a distributed file system of a distributed computer environment, the distributed computer environment including a security service for returning a credential to a user authenticated to access the distributed file system, comprising the steps of:
- in response to a request from the user to access the Web document, setting up a temporary user identity with a credential; and
  
  having the Web server use the temporary user identity to assume the user'"'"'s identity to service the request.
- View Dependent Claims (18, 19)
- - 18. The method as described in claim 17 wherein the step of setting up the temporary user identity with a credential includes the steps of:
19. The method as described in claim 18 further including the step of returning the selected user identity back to the pool after the request is serviced.

20. A method of impersonating a user identity, comprising the steps of:
- creating a pool of userids for a first operating system for use by a managing process;
  
  selecting a userid from the pool and marking the userid as in use;
  
  creating a credential file for a first process;
  
  adding the selected userid to a registry of userids for the first operating system;
  
  associating the selected userid to the credential file; and
  
  using the selected userid and the credential file to impersonate a user identity in the first operating system.

21. A computer program product in a computer readable medium for use in obtaining a protected file in a computer network having a client and a server each of which support a closed native operating system, the server connectable to a file system of a distributed computing environment including a security service for returning a credential to a user authenticated to access the distributed file system, the computer program product comprising:
- means, responsive to a service request from a user of a process on the client, for associating a temporary closed native operating system user identity with a credential returned from the security service; and
  
  means for controlling the server to use the temporary closed native operating system user identity to assume the user'"'"'s identity to service the request.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 30, 31, 32)
- - 22. The computer program product as described in claim 21 wherein the closed native operating system is Windows NT.
  - 23. The computer program product as described in claim 21 further including means for creating a pool of temporary native operating system user identities.
  - 24. The computer program product as described in claim 23 further including means for selecting a temporary native operating system user identity and for limiting its use by another server thread during servicing of the request.
  - 25. The computer program product as described in claim 21 further including means for prompting the user to enter a userid and password required by the distributed computing environment security service.
  - 26. The computer program product as described in claim 21 wherein the associating means includes means for adding an entry to a registry of the native operating system.
  - 27. The computer program product as described in claim 26 wherein the entry includes information identifying the temporary native operating system user identity and a path specifying a location of the credential.
  - 30. The computer as described in claim 21 wherein the closed native operating system is Windows NT.
  - 31. The computer as described in claim 21 wherein the server plug-in further includes means for creating a pool of temporary native operating system user identities.
  - 32. The computer as described in claim 31 wherein the server plug-in further includes means for selecting a temporary native operating system user identity and for limiting its use by another Web server thread during servicing of the request.

28. A computer program product for enabling a Web server supporting a closed native operating system to impersonate a user of a client to obtain a Web document located in a distributed file system of a distributed computer environment, the distributed computer environment including a security service for returning a credential to a user authenticated to access the distributed file system, the computer program product comprising:
- means for creating a pool of temporary user identities;
  
  means responsive to a request from a user of a browser of the Web client for prompting the user to enter a userid and password associated with the distributed computing environment;
  
  means for performing a login to the security service using the userid and password to obtain a credential;
  
  means for selecting an unused user identity from the pool of temporary user identities;
  
  means for identifying the selected user identity as in use;
  
  means for adding a key to a registry identifying the temporary user identity; and
  
  means for adding a value to the registry specifying a path to a file supporting the credential; and
  
  means for returning the selected user identity back to the pool after the request is serviced.

29. A computer connectable to a distributed computing environment including a security service for returning a credential to a user authenticated to access the distributed file system, comprising:
- a processor;
  
  a closed native operating system;
  
  a Web server program for providing World Wide Web information retrieval to Web clients connectable to the Web server program via a computer network;
  
  a server plug-in for authenticating Web clients to the Web server program, comprising;
  
  means, responsive to a service request from a user of a browser on the Web client, for associating a temporary native operating system user identity with a credential returned from the security service; and
  
  means for controlling the Web server to use the temporary native operating system user identity to assume the user'"'"'s identity to service the request.
- View Dependent Claims (33, 34, 35)
- - 33. The computer as described in claim 29 wherein the server plug-in further includes means for prompting the user to enter a userid and password required by the distributed computing environment security service.
  - 34. The computer as described in claim 29 wherein the associating means includes means for adding an entry to a registry of the closed native operating system.
  - 35. The computer as described in claim 34 wherein the entry includes information identifying the temporary native operating system user identity and a path specifying a location of the credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Shrader, Theodore Jack London, Rich, Bruce Arland, Ault, Michael Bradford, Soper, Davis Kent, Plassmann, Ernst Robert, Child, Garry L.
Primary Examiner(s)
Amsbury, Wayne
Assistant Examiner(s)
PARDO, THUY N

Application Number

US09/078,931
Time in Patent Office

1,335 Days
Field of Search

713/201, 713/202, 713/164, 713/168, 709/229, 709/304, 709/404, 709/225, 709/300, 380/277, 707/10, 707/9, 707/7
US Class Current

1/1
CPC Class Codes

G06F 16/972   Access to data in other rep...

G06F 21/31   User authentication

G06F 21/6218   to a system of files or obj...

Y10S 707/99937   Sorting

Y10S 707/99939   Privileged access

Method for enabling a web server running a “closed” native operating system to impersonate a user of a web client to obtain a protected file

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Method for enabling a web server running a “closed” native operating system to impersonate a user of a web client to obtain a protected file

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links