Method and system for authorizing and authenticating users
Abstract
A walled garden contains links to one or more servers providing network-based services. A walled garden proxy server (WGPS) controls access to the walled garden. When a user of a client wishes to access a service in the walled garden, the client sends a request to the WGPS including a plot number identifying the service and a ticket granting the client access to the service. The WGPS denies access to clients lacking a ticket or presenting invalid tickets. In response, the client contacts a gateway server (GS) having a database of users and associated access rights. The user presents authentication information to the GS. If the user positively authenticates, the GS generates a ticket containing a Box ID from the client, an expiration date, and a set of bits representing the access rights of the user. The GS encrypts the ticket and gives it to the client. When the WGPS receives a request to access a service in the walled garden, it decrypts the ticket and uses the plot number as an index into the set of bits representing the user access rights. The indexed value indicates whether the WGPS allows the client to access the service. Accordingly, services provided by the walled garden can be sold individually or in tiers.
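The following is an added, self-contained illustration of the ticket flow in the abstract and in claims 13, 22 and 23 (GS issues an encrypted ticket carrying Box ID, expiry and an access-rights bit set; WGPS decrypts it, consults an invalid-ticket list and indexes the bit set by plot number). It is not code from the patent or from any product built on it. The field sizes, the 128-plot bit set, the garden-affiliation byte, the HMAC-SHA256-in-counter-mode cipher standing in for a real AEAD such as AES-GCM, and the check that the ticket's Box ID matches the requesting client are all assumptions made here.

```python
"""Toy gateway server (GS) and walled garden proxy server (WGPS) exchanging a
ticket. Added example; all sizes, keys and the binding check are assumptions."""
import hashlib
import hmac
import os
import struct
import time

GARDEN_ID = 7          # constructed: the walled garden this WGPS fronts
BITS_BYTES = 16        # constructed: room for plot numbers 0..127
HEADER = ">16sQB"      # Box ID (16 bytes), expiry (unix seconds), garden ID
HEADER_LEN = struct.calcsize(HEADER)   # 25
NONCE_LEN = 16
TAG_LEN = 32


def issue_keys():
    """Stand-in for the keymaster: one shared key for confidentiality and one
    for integrity, handed to both GS and WGPS out of band."""
    return os.urandom(32), os.urandom(32)


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode; a stand-in for AES-GCM so the
    # example runs with the standard library only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _box(box_id):
    # Normalise a Box ID to the fixed 16-byte field used in the ticket.
    return box_id[:16].ljust(16, b"\0")


def pack_ticket(box_id, expires_at, plots, garden_id=GARDEN_ID):
    """Cleartext ticket: Box ID, expiry, garden affiliation and the
    access-rights bit set. Bit i set means plot number i is allowed."""
    bits = bytearray(BITS_BYTES)
    for plot in plots:
        if not 0 <= plot < BITS_BYTES * 8:
            raise ValueError(f"plot number {plot} out of range")
        bits[plot // 8] |= 1 << (plot % 8)
    return struct.pack(HEADER, _box(box_id), expires_at, garden_id) + bytes(bits)


def issue_ticket(enc_key, mac_key, box_id, expires_at, plots, garden_id=GARDEN_ID):
    """GS side: encrypt the packed ticket, then authenticate nonce + ciphertext
    (encrypt-then-MAC). Output: nonce || ciphertext || tag."""
    plain = pack_ticket(box_id, expires_at, plots, garden_id)
    nonce = os.urandom(NONCE_LEN)
    cipher = _xor(plain, _keystream(enc_key, nonce, len(plain)))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def ticket_id(token):
    """Key under which a ticket is listed in the invalid-ticket database
    (claims 22/23); the tag is unique per issued ticket."""
    return token[-TAG_LEN:]


def open_ticket(enc_key, mac_key, token):
    """WGPS side: verify the tag in constant time, then decrypt and unpack.
    Returns (box_id, expires_at, garden_id, bits) or None if the ticket is
    malformed or has been tampered with."""
    if len(token) != NONCE_LEN + HEADER_LEN + BITS_BYTES + TAG_LEN:
        return None
    nonce, cipher, tag = token[:NONCE_LEN], token[NONCE_LEN:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = _xor(cipher, _keystream(enc_key, nonce, len(cipher)))
    box_id, expires_at, garden_id = struct.unpack(HEADER, plain[:HEADER_LEN])
    return box_id, expires_at, garden_id, plain[HEADER_LEN:]


def authorize(enc_key, mac_key, token, client_box_id, plot, now=None, revoked=frozenset()):
    """WGPS decision for one request: integrity, revocation, expiry, garden
    affiliation and Box ID binding first, then the plot number is used as an
    index into the bit set exactly as the abstract describes."""
    now = time.time() if now is None else now
    opened = open_ticket(enc_key, mac_key, token)
    if opened is None:
        return False, "bad ticket"
    box_id, expires_at, garden_id, bits = opened
    if ticket_id(token) in revoked:
        return False, "revoked"
    if now >= expires_at:
        return False, "expired"
    if garden_id != GARDEN_ID:
        return False, "wrong garden"
    if box_id != _box(client_box_id):   # assumption: WGPS binds ticket to the requesting box
        return False, "box mismatch"
    if not 0 <= plot < BITS_BYTES * 8:
        return False, "unknown plot"
    if not (bits[plot // 8] >> (plot % 8)) & 1:
        return False, "not entitled"
    return True, "ok"


if __name__ == "__main__":
    enc, mac = issue_keys()
    box = b"box-0001"                            # constructed Box ID
    tok = issue_ticket(enc, mac, box, int(time.time()) + 3600, [3, 17])
    print(authorize(enc, mac, tok, box, 17))     # (True, 'ok')
    print(authorize(enc, mac, tok, box, 4))      # (False, 'not entitled')
```

The order of checks matters: the tag is verified before anything is decrypted or parsed, so a forged or truncated ticket never reaches the entitlement logic, and the revocation lookup (the patent's invalid-ticket database) is consulted before the bit set is read. Tiering, as the abstract describes it, is just a matter of which bits the GS sets when it issues the ticket.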
355 Citations
25 Claims
1. A system for restricting access to a walled garden having network-based services identified by plot numbers and provided on a private network comprising:
- a plurality of servers coupled to the walled garden for providing network-based services;
- a gateway server coupled to a network for issuing a ticket to a client, the ticket specifying with a set of bits the network-based services to which a user of the client has access; and
- a walled garden proxy server coupled to the walled garden and the networks for receiving from the client the ticket and a request to access a network-based service identified by a plot number, and for determining from the ticket whether to grant the client access to the network-based service by using the plot number as an index into the set of bits in the ticket.

2. The system of claim 1, further comprising:
- a first database for holding information describing access rights for a plurality of users; and
- a policy server in communication with the gateway server and the first database for accessing the first database responsive to requests received from the gateway server and retrieving information specifying the network-based services to which the user has access.

3. The system of claim 1, further comprising:
- a program module executable by the gateway server for authenticating the user;
- wherein the gateway server issues the ticket in response to a positive authentication of the user.

4. The system of claim 1, wherein the walled garden and the networks are logically derived from a single physical network.

5. The system of claim 1, wherein the gateway server issues the client a second ticket specifying Internet-based servers to which the user has access and further comprising:
- an Internet proxy server coupled to the network for receiving from the client a request to access Internet-based services and the second ticket issued by the gateway server and determining from the second ticket whether to grant the client access to the Internet-based services.

6. The system of claim 1, further comprising:
- a program module executable by the gateway server for encrypting the ticket issued to the client; and
- a program module executable by the walled garden proxy server for decrypting the ticket received from the client.

7. The system of claim 6, further comprising:
- a keymaster in secure communication with the gateway server and the walled garden proxy server for issuing keys for encrypting and decrypting the ticket.

8. The system of claim 1, wherein the plurality of servers providing network-based services comprise at least one server selected from the group consisting of:
- a first application server directly coupled to the walled garden;
- a second application server directly coupled to the walled garden and coupled via a dedicated connection to a remote application database for supporting the network-based services provided by the second application server;
- a first remote application server coupled to the walled garden via a virtual network; and
- a front end server coupled directly to the walled garden for providing a link to a second remote application server.

22. The system of claim 1, further comprising:
- a second database in communication with the proxy server for identifying invalid tickets.

24. The system of claim 22, wherein the database holds at least one decryption key for decrypting an encrypted ticket received from the client.
9. A method of restricting access to a walled garden having network-based services identified by plot numbers and available on a private network, comprising the steps of:
- receiving a request from a client to access a plot number of a network-based service available on the walled garden;
- receiving a ticket from the client describing with a set of bits the network-based services to which a user of the client has access;
- determining from the ticket whether the user has access to the requested network-based service by using the plot number as an index into the set of bits in the ticket; and
- responsive to a positive determination that the user has access to the requested network-based service, allowing the client to access the network-based service.

10. The method of claim 9, further comprising the step of:
- responsive to a negative determination that the user has access to the requested network-based service, denying the client access to the network service.

11. The method of claim 9, wherein the request from the client to access a network-based service available on the walled garden is not accompanied by a ticket and further comprising the step of:
- denying the client access to the network service.

12. The method of claim 9, further comprising the steps of:
- receiving a request from the client to issue the ticket;
- receiving authentication information from the user of the client;
- authenticating the user of the client with the authentication information;
- responsive to a successful authentication of the user, generating the ticket; and
- transmitting the generated ticket to the client.

13. The method of claim 12, wherein the step of generating the ticket comprises the steps of:
- storing information in the ticket indicating a box ID of the client;
- storing information in the ticket indicating an expiration date for the ticket; and
- storing information in the ticket indicating the network services with which the ticket is affiliated.

14. The method of claim 12, wherein the step of generating the ticket further comprises the step of:
- encrypting the ticket.

15. The method of claim 11, wherein the ticket received from the client is encrypted and the determining step comprises the step of:
- decrypting the ticket.

23. The method of claim 9, wherein the determining step comprises the step of:
- checking a database of invalid tickets to determine whether the received ticket is invalid.

25. The method of claim 23, further comprising the step of:
- checking the database to determine whether the received ticket is affiliated with the network-based services available on the walled garden;
- wherein the client is denied access to the network services responsive to a negative determination that the received ticket is affiliated with the network-based services available on the walled garden.
16. A system for restricting access by clients to a walled garden providing a plurality of services, the services identified by plot numbers, comprising:
- a gateway server for authenticating users of the clients requesting access to the plurality of services by plot numbers and issuing tickets to the clients responsive to positive authentications of the users, the tickets including sets of bits granting the clients access to at least one of the plurality of services provided by the walled garden; and
- a walled garden proxy server for receiving the requests from the clients to access the plurality of services provided by the walled garden, wherein the walled garden proxy server grants a client request to access a service if the request includes a ticket granting access to the requested service as determined by using the plot number of the service as an index into the set of bits in the ticket.

17. The system of claim 16, further comprising:
- a database in communication with the gateway server for identifying access rights to the plurality of services in the walled garden of the users of the clients.

18. The system of claim 16, further comprising:
- a keymaster in secure communication with the gateway server and the walled garden proxy server for issuing secret keys;
- wherein the gateway server encrypts at least portions of issued tickets using the secret keys and the walled garden proxy server decrypts the encrypted portions of the tickets using the secret keys.

19. The system of claim 16, wherein the walled garden comprises at least one server selected from the group consisting of:
- a first application server directly coupled to the walled garden;
- a second application server directly coupled to the walled garden and coupled via a dedicated connection to a remote application database for supporting the network services provided by the second application server;
- a first remote application server coupled to the walled garden via a virtual network; and
- a front end server coupled directly to the walled garden for providing a link to a second remote application server.

20. The system of claim 16, wherein the gateway server authenticates users of the clients requesting access to sites on the Internet and issues tickets to the clients responsive to positive authentications of the users, the tickets granting the clients access to the sites on the Internet, the system further comprising:
- an Internet server for receiving requests from the clients to access sites on the Internet, wherein the Internet server grants a client request to access a site on the Internet if the request includes a ticket granting access to the requested site.

21. The system of claim 16, wherein the walled garden proxy server restricts access to a plurality of walled gardens and wherein the tickets issued by the gateway server specify the walled garden of the plurality of walled gardens with which the ticket is affiliated.