Method and apparatus for remotely administered authentication and access control

US 6,615,264 B1
Filed: 04/09/1999
Issued: 09/02/2003
Est. Priority Date: 04/09/1999
Status: Expired due to Term

First Claim

Patent Images

1. A system for controlling access by a user to sessions, comprising:

an authentication manager for obtaining an authentication request from said user, wherein said authentication request comprises at least one of a token and a pseudo token;

a plurality of authentication modules for authenticating said user, wherein said plurality authentication modules are distinct from said authentication manager and wherein said plurality authentication modules are not input devices; and

a session manager for obtaining notification of authentication from said plurality of authentication modules.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Authentication and session management can be used with a system architecture that partitions functionality between a human interface device (HID) and a computational service provider such as a server. An authentication manager executing on a server interacts with the HID to validate the user when the user connects to the system via the HID. The authentication manager interacts with authentication modules. Each authentication module may be configured to authenticate a user based on a different authentication mechanism (e.g., using a smart card, using a login and password, using biometric data, etc.) and may be utilized in connection with one or more sessions. The authentication manager and authentication modules are also responsible for controlling access to services/sessions and may remove/revoke or augment such access. A session manager executing on a server manages services running on computers providing computational services (e.g., programs) on behalf of the user. The session manager notifies each service in a session that the user is attached to the system using a given desktop machine. A service can direct display output to the HID while the user is attached to the system. When a user detaches from the system, each of the service'"'"'s executing for the user is notified via the authentication manager and the session manager. Upon notification that the user is detached from the system, a service continues to execute while stopping its display to the desktop machine.

387 Citations

21 Claims

1. A system for controlling access by a user to sessions, comprising:
- an authentication manager for obtaining an authentication request from said user, wherein said authentication request comprises at least one of a token and a pseudo token;
  
  a plurality of authentication modules for authenticating said user, wherein said plurality authentication modules are distinct from said authentication manager and wherein said plurality authentication modules are not input devices; and
  
  a session manager for obtaining notification of authentication from said plurality of authentication modules.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system of claim 1, wherein said plurality of authentication modules comprise an authentication module configured to only accept a connection with said user if said user has said token.
  - 3. The system of claim 1, wherein said plurality of authentication modules comprise an authentication module configured to only accept a connection with said user if said user has said pseudo token.
  - 4. The system of claim 1, wherein said plurality of authentication modules comprise a first authentication module for accepting users with tokens and a second authentication module for accepting users with pseudo tokens.
  - 5. The system of claim 1, wherein said plurality of authentication modules comprise a third authentication module for accepting all users.
  - 6. The system of claim 1, wherein said pseudo token comprises at least one of an Ethernet address and a media access controller address.
  - 7. The system of claim 1, wherein said authentication request comprises an ordered ASCII string and wherein said ordered ASCII string comprises a token type indication.

8. A system for controlling access by a user to sessions, comprising:
- an authentication manager for obtaining an authentication request from said user;
  
  first and second authentication modules for authenticating said user, wherein said first and second authentication modules are distinct from said authentication manager, wherein said first and second authentication modules are not input devices, wherein said first authentication module is configured to accept said authentication request if said authentication request is registered with the system, and wherein said second authentication module is configured to accept all authentication requests; and
  
  a session manager for obtaining notification of authentication from said first and second authentication modules.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein said authentication manager is configured to present said authentication request only to said first authentication module.
  - 10. The system of claim 9, wherein said first authentication module is configured to present said authentication request to said second authentication module.
  - 11. The system of claim 10, wherein said first authentication module is configured to present said authentication request to said second authentication module if said first authentication module does not want to accept responsibility for said authentication request.
  - 12. The system of claim 8, wherein said authentication request is presented to said second authentication module only if said authentication request is not registered with the system.
  - 13. The system of claim 8, wherein said second authentication module can register said authentication request with the system.

14. A system for controlling access by a user to sessions, comprising:
- an authentication manager for obtaining an authentication request from said user;
  
  an authentication module for authenticating said user, wherein said authentication module is distinct from said authentication manager, wherein said authentication module is not an input device, and wherein said authentication manager is configured to present said authentication request to said authentication module; and
  
  a session manager for obtaining notification of authentication from said authentication module, wherein said authentication manager is configured to provide said authentication module with a start session service for ensuring that a session is started.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21)
- - 15. The system of claim 14, wherein said authentication module comprises a plurality of cascaded authentication modules, wherein each of said plurality of cascaded authentication module is configured to accept responsibility for a particular type of authentication request, and wherein said authentication request is presented from one cascaded authentication module to another until said authentication request is presented to a cascaded authentication module that can accept responsibility for said authentication request.
  - 16. The system of claim 15, wherein at least one of said cascaded authentication modules is configured to revoke said authentication request.
  - 17. The system of claim 15, wherein at least one of said cascaded authentication modules is configured to request a first password from said user and a second password from said user.
  - 18. The system of claim 15, wherein at least one of said cascaded modules is configured to accept responsibility for an authentication request based on biometric data.
  - 19. The system of claim 15, wherein at least one of said cascaded authentication modules is configured to accept responsibility for an authentication request based on a smart card.
  - 20. The system of claim 15, wherein at least one of said cascaded authentication modules is configured to authenticate said authentication request for a specified period of time.
  - 21. The system of claim 14, wherein said authentication manager, said authentication module, and said session manager are configured using a computer readable program code.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Hanko, James G., Stoltz, Benjamin H.
Primary Examiner(s)
Etienne, Ario
Assistant Examiner(s)
NGUYEN, THU HA T

Application Number

US09/289,788
Time in Patent Office

1,607 Days
Field of Search

380/25, 380/255, 395/287.01, 713/200, 713/201, 713/225, 713/168, 713/155, 713/202, 709/227, 709/228, 709/229, 709/230, 709/231, 709/250, 705/35, 369/84
US Class Current

709/227
CPC Class Codes

G06F 21/31   User authentication

H04L 63/08   for authentication of entit...

H04L 63/0846   using time-dependent-passwo...

H04L 63/0853   using an additional device,...

H04L 63/0861   using biometrical features,...

H04L 67/1001   for accessing one among a p...

Method and apparatus for remotely administered authentication and access control

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

387 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for remotely administered authentication and access control

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

387 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links