Integrating heterogeneous authentication and authorization mechanisms into an application access control system
Abstract
A method and apparatus are provided for selectively authenticating and authorizing a client seeking access to one or more protected computer systems over a network. A request of a client to access one of the computer systems is received. A proxy security server is requested to authenticate the client using information identifying the client. An authorization of the client from the proxy security server is received, based on authentication results received from a remote security server that is coupled to the proxy security server. In response, access rights of the client are established, based on one or more access information records received from the remote security server through the proxy security server. As a result, one or more legacy security servers may be easily integrated into an application access system without complicated modifications to the application access system.
29 Claims
1. A method of selectively authenticating and authorizing a client seeking access to one or more networked computer systems that are protected by an access control system, the method comprising the computer-implemented steps of:
receiving a request of a client to access one of the computer systems;
requesting a proxy security server to authenticate the client using information identifying the client;
receiving an authorization of the client from the proxy security server based on authentication results received from a remote security server that is coupled to the proxy security server;
establishing access rights of the client, based on one or more access information records received from the remote security server through the proxy security server, for use by the access control system in determining whether to grant the client access to the computer systems.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 29.

11. A method of providing a security mechanism for one or more computer systems, the method comprising the steps:
a first server receiving a message specifying a request to register a user that is unregistered on the first server;
wherein the first server is configured to receive requests to authenticate users and supply information that indicates access rights of users;
the first server causing a transmission to a second server requesting data that indicates access rights specified by the second server for the user;
wherein the second server is configured to receive requests to authenticate users and supply information that indicates access rights of users;
the first server receiving data, transmitted by the second server in response to receiving the transmission, that indicates access rights specified by the second server for the user including at least one authorization;
storing data that indicates the at least one authorization;
persistently storing data in one or more access information records that indicates:
the user is registered on the first server, and whether access rights for the user should be obtained from the second server;
the first server subsequently receiving a request to login the user; and
in response to receiving the request to login the user, establishing access rights based on the one or more access information records.
Dependent claims: 12, 13, 14, 15.

persistently storing data in the one or more access information records that indicates that access rights of the user should be obtained from the second server;
wherein the step of establishing access rights based on the one or more access information records includes:
examining at least a portion of the one or more access information records to determine that information about access rights of the user should be obtained from the second server; and
in response to determining that information indicating that access rights of the user should be obtained from the second server, the first server causing the second server to supply the at least one authorization.

13. The method of claim 11,
wherein the step of storing data that indicates the at least one authorization includes persistently storing data in the one or more access information records that indicates the at least one authorization; wherein the step of establishing access rights based on the one or more access information records includes generating, from the one or more access information records that indicates the at least one authorization, data that establishes the authorization as an access right.

14. The method of claim 11, wherein the step of the first server causing a transmission includes transmitting to a third server that is dedicated to providing the first server data specifying the access rights specified by the second server for a set of users.

15. The method of claim 12, further including the step of transmitting a message to one or more other servers that specifies a request for access rights specified by each of the one or more other servers for a set of users, and
wherein the third server and the one or more other servers communicate with the first server through an API.

16. A method of providing a security mechanism for one or more computer systems, the method comprising the steps:
a first server receiving a message specifying a request to determine access rights of a user registered on the first server;
wherein the first server is configured to receive requests to authenticate users and supply information that indicates access rights of the users;
the first server causing a transmission to a second server that requests data that indicates the access rights specified by the second server for the user;
wherein the second server is configured to receive requests to authenticate users and supply information that indicates access rights of users;
the first server receiving data, transmitted by the second server in response to receiving the transmission, that indicates a first set of authorizations specified by the second server for the user;
the first server translating data that indicates the first set of access rights specified by the second server to one or more records that indicates a second set of access rights recognized by the first server; and
establishing a third set of access rights based on the one or more records.
Dependent claims: 17, 18.

persistently storing data representing the second set of authorizations;
after persistently storing, the first security server subsequently receiving a request to login the user; and
in response to receiving the request to login the user, establishing access rights that include the second set of authorizations based on the persistently stored data.

18. The method of claim 17, wherein the step of the first server translating data includes generating data representing access roles that correspond to the first set of authorizations.

19. A method of providing a security mechanism for one or more computer systems, the method comprising the steps:
causing start up of a plurality of proxy servers that provide to a first server data that indicates access rights specified for users by a respective server from a second set of servers that are each configured to receive requests to authenticate users and supply information that indicates access rights of users;
the first server transmitting, to each proxy server of the plurality of proxy servers, a request for data indicating the access rights specified by the respective server from the second set of servers for a particular user by invoking a function of an application programmer interface that includes a common set of functions that:
is associated with the plurality of proxy servers, and provides an interface between the first server and the second set of servers; and
in response to each proxy server of the plurality of proxy servers receiving the request for data indicating access rights of the particular user:
the each proxy server obtaining information about access rights of the particular user from a server of the set of servers, and the each proxy server supplying information about access rights of the particular user to the first server.
Dependent claims: 20, 21, 22, 23, 24, 25.

a second server from the set of servers transmitting to a first proxy server from the plurality of proxy servers a user prompt message that specifies how additional user input should be elicited from a user;
the first server receiving the user prompt message; and
the first server causing a user interface to obtain user input in a manner specified by the user prompt message.

22. The method of claim 21, wherein the step of obtaining user input includes obtaining user input that specifies a user profile for the user.

23. The method of claim 21, wherein the step of obtaining user input includes obtaining user input that specifies authentication input for the user.

24. The method of claim 19, further including the steps of:
the first server receiving data from the first proxy server from the plurality of proxy servers that is supplying information about access rights of the particular user including data indicating that the particular user is registered on the respective server from the second set of servers; and
in response to the first server receiving the data from a first proxy server, the first server registering the particular user.

25. The method of claim 24,
wherein the method further includes the steps of presenting a user with a selection of names that each correspond to a proxy server from the plurality of proxy servers;
selecting a name corresponding to the first proxy server;
transmitting a request to the proxy server to authenticate the particular user; and
wherein the data from a first proxy server was transmitted by the first proxy server in response to the request to authenticate.

26. An access security system, comprising
a first server configured to receive requests to authenticate users and supply information that indicates access rights of users;
a set of one or more servers that are each configured to receive requests to authenticate users and supply information that indicates access rights for users;
a plurality of proxy servers configured to provide to the first server data that indicates the access rights specified for users by a respective server from the set of one or more servers;
the plurality of proxy servers each configured as instantiations of a subclass belonging to a base class that defines an application program interface through which the plurality of proxy servers and the first server interact to provide the first server with information that indicates access rights for users;
a topology mechanism configured to transmit to the first server information specifying which proxy servers of the plurality of proxy servers are running; and
an access server configured to collect authentication input from a user attempting to log into the access security system and to transmit data representing the collected authentication input to the first server.

27. A computer-readable medium carrying one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to selectively authenticate and authorize a client seeking access to one or more protected computer systems over a network, by:
receiving a request of a client to access one of the computer systems;
requesting a proxy security server to authenticate the client using information identifying the client;
receiving an authorization of the client from the proxy security server based on authentication results received from a remote security server that is coupled to the proxy security server;
establishing access rights of the client based on one or more access information records received from the remote security server through the proxy security server.

28. An apparatus for selectively authenticating and authorizing a client seeking access to one or more protected computer systems over a network, comprising:
a processor; and
a memory having one or more sequences of instructions stored therein which, when executed by the processor, cause the processor to carry out the computer-implemented steps of:
receiving a request of a client to access one of the computer systems;
requesting a proxy security server to authenticate the client using information identifying the client;
receiving an authorization of the client from the proxy security server based on authentication results received from a remote security server that is coupled to the proxy security server;
establishing access rights of the client based on one or more access information records received from the remote security server through the proxy security server.
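The claims above (in particular 11 to 13, 16 to 18, 21 and 26) describe one architecture: an access-control "first server" that never speaks a legacy protocol itself, but reaches each remote security server through a proxy that implements a common API, keeps a persisted access information record per registered user, and translates remote authorizations into roles it recognizes. The Python below is an added illustration of that design, not code from the patent or from any product built on it. Every class, role name and sample credential in it is an assumption constructed for the example, and the defensive choices it makes (denying login when the owning proxy is not running, dropping remote privileges with no local mapping) are this example's, not requirements stated by the claims.

```python
# Added illustration (not the patent's or any product's code): a toy model of an
# access-control server that authenticates and authorizes through proxy security
# servers.  All names, sample users and credentials below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class AuthResult:
    authenticated: bool
    registered: bool = False       # does the remote server know this user at all?
    authorizations: tuple = ()     # remote-side authorizations, in the remote vocabulary


class ProxySecurityServer:
    """Common API (the 'base class' of claim 26) that every proxy subclass implements.
    The first server talks only to this interface, never to a legacy wire protocol."""
    name = "base"

    def authenticate(self, user: str, credential: str) -> AuthResult:
        raise NotImplementedError

    def access_rights(self, user: str) -> tuple:
        raise NotImplementedError

    def prompt_message(self, user: str) -> Optional[str]:
        return None                # claim 21: how additional user input should be elicited


class TableProxy(ProxySecurityServer):
    """Hypothetical proxy for a legacy server modelled as an in-memory user table."""
    _users: dict = {}              # user -> (credential, remote authorizations)

    def authenticate(self, user, credential):
        rec = self._users.get(user)
        if rec is None:
            return AuthResult(False)
        return AuthResult(rec[0] == credential, True, rec[1])

    def access_rights(self, user):
        return self._users.get(user, (None, ()))[1]


class LegacyDirectoryProxy(TableProxy):
    name = "legacy-dir"
    _users = {"alice": ("s3cret", ("grp:finance", "grp:staff"))}   # constructed sample data

    def prompt_message(self, user):
        return "Enter your directory password"


class LegacyDbProxy(TableProxy):
    name = "legacy-db"
    _users = {"bob": ("hunter2", ("DBA", "AUDIT"))}                # constructed sample data


# Translation table (claims 16/18): remote authorizations -> roles the first server knows.
# "AUDIT" is deliberately absent: an unmapped remote privilege grants nothing locally.
ROLE_MAP = {"grp:finance": "finance_reader", "grp:staff": "employee", "DBA": "db_admin"}


@dataclass
class AccessRecord:
    """Persisted 'access information record' (claims 11 to 13)."""
    user: str
    proxy: str                     # which proxy, hence which remote server, owns the user
    fetch_remote: bool             # True: re-fetch rights at each login; False: use cached_roles
    cached_roles: tuple = ()


class AccessControlServer:
    """The 'first server': registers users via proxies and establishes rights at login."""

    def __init__(self, running_proxies):
        # The topology mechanism of claim 26 reduces here to the set of proxies handed in.
        self.proxies = {p.name: p for p in running_proxies}
        self.records: dict = {}

    @staticmethod
    def translate(remote_auths):
        return tuple(sorted({ROLE_MAP[a] for a in remote_auths if a in ROLE_MAP}))

    def register(self, user, proxy_name, credential, fetch_remote=True):
        """Claim 11: register a user unknown locally by asking the owning proxy."""
        proxy = self.proxies.get(proxy_name)
        if proxy is None:
            return None            # proxy not running: fail closed
        res = proxy.authenticate(user, credential)
        if not (res.authenticated and res.registered):
            return None            # remote server rejected or does not know the user
        rec = AccessRecord(user, proxy_name, fetch_remote, self.translate(res.authorizations))
        self.records[user] = rec
        return rec

    def login(self, user, credential):
        """Returns the established roles, or None when access must be denied."""
        rec = self.records.get(user)
        if rec is None:
            return None            # unregistered on the first server
        proxy = self.proxies.get(rec.proxy)
        if proxy is None:
            return None            # owning proxy is down: deny rather than fall back
        if not proxy.authenticate(user, credential).authenticated:
            return None
        if rec.fetch_remote:       # claim 12: the record says to consult the remote server
            return self.translate(proxy.access_rights(user))
        return rec.cached_roles    # claim 17: rights established from persisted data
```

The two paths through `login` mirror the two kinds of record the claims distinguish: a record flagged `fetch_remote` makes the first server re-query the remote server through its proxy at every login, while a record that caches translated roles lets the first server answer from its own store. Because the first server only ever sees roles produced by `translate`, adding a new legacy backend means adding one proxy subclass and one set of `ROLE_MAP` entries, which is the integration property the abstract describes.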
Specification