Method and system for restricting access to user resources
First Claim
Patent Images
1. A computer program product comprising:
- a computer usable medium having computer readable code embodied therein for passing messages from a server to a client, the computer program product comprising;
a first module for receiving a message from the server intended for the client;
a second module for determining permissions of the server with respect to the client;
a third module for including the determined permissions with the message; and
a fourth module for passing the message and the determined permissions to the client.
4 Assignments
0 Petitions
Accused Products
Abstract
A user'"'"'s set top box (STB), or other client, executes a shell and has an application programming interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS), which controls access to a walled garden. The walled garden contains links to one or more servers providing network-based services. The client sends a request to the WGPS to access a service provided by a site in the garden. To provide the service, the site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The ACL is a bit-map that specifies which functions of the client'"'"'s API can be invoked by code from the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. The shell uses the ACL to determine whether the code has permission to execute any called functions in the API. If the code lacks permission, the shell stops execution and sends a message to the site indicating that the site lacks permission. Otherwise, the shell allows the code to call the function.
-
Citations
21 Claims
-
1. A computer program product comprising:
-
a computer usable medium having computer readable code embodied therein for passing messages from a server to a client, the computer program product comprising;
a first module for receiving a message from the server intended for the client;
a second module for determining permissions of the server with respect to the client;
a third module for including the determined permissions with the message; and
a fourth module for passing the message and the determined permissions to the client. - View Dependent Claims (2, 3, 4, 5, 6)
a module for determining an identity of the server originating the message;
a module for determining a user agent of the client; and
a module for retrieving the permissions of the server from a permissions table using the determined identity and user agent.
-
-
3. The computer program product of claim 2, wherein the permissions table is stored in a database and the module for retrieving the permissions of the server comprises:
a module for interfacing with the database to access the permissions table.
-
4. The computer program product of claim 1, wherein the third module comprises:
a module for adding a hypertext transport protocol (HTTP) header specifying the determined permissions to the message.
-
5. The computer program product of claim 1, further comprising:
a fifth module for scanning the message from the server for potential security violations.
-
6. The computer program product of claim 5, further comprising:
a sixth module for removing headers identified as potential security violations from the message.
-
7. A computer program product comprising:
-
a computer usable medium having computer readable code embodied therein for managing access to an application program interface (API) comprising a plurality of functions, the computer program product comprising;
a first module for receiving a message containing code calling a function in the API and an access control list (ACL) indicating API function execution rights of an originator of the message;
a second module for determining whether the ACL indicates that the originator of the message has die right to execute tie called function; and
a third module for sending a response to the originator of the message indicating whether the code successfully called the function. - View Dependent Claims (8, 9, 10, 11)
a value identifying API functions that can be executed by the originator of the message.
-
-
9. The computer program product of claim 7, wherein the ACL indicating API function execution rights comprises:
a value restricting the API functions that can be executed by the originator of the message based on time.
-
10. The computer program product of claim 7, wherein the message pertains to television and wherein the ACL indicating API function execution rights comprises:
a value restricting the API functions that can be executed by the originator of the message based on a television channel.
-
11. The computer program product of claim 7, wherein the message pertains to television and wherein the ACL indicating APT function execution rights comprises:
a value restricting the API functions that can be executed by the originator of the message based on a television network.
-
12. A system comprising:
-
a client having an application programing interface (API) having functions for controlling resources of the client;
a walled garden having at least one walled garden site for sending a message to the client, the message containing code for calling a function in the API; and
a proxy server in communication with the client and the walled garden for receiving the message from the walled garden site, adding an access control list (ACL) to the message specifying which functions in the API the walled garden site has permission to call, and passing the message and ACL to the client. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
a module in the client for interpreting the ACL to determine whether the walled garden site has permission to call the function in the API.
-
-
14. The system of claim 13, further comprising:
a module in the client for sending a message to the walled garden site indicating a result of the function call by the code in the message.
-
15. The system of claim 12, further comprising:
a database in communication with the proxy server for holding a walled garden permissions table holding the ACL for the at least one walled garden site.
-
16. The system of claim 12, wherein the walled garden site, proxy server, and client communicate using the hypertext transport protocol (HTTP) and the proxy server adds the ACL as a HTTP header to the message from the walled garden site.
-
17. The system of claim 16, wherein the proxy server examines the message from the walled garden site for potential security violations.
-
18. The system of claim 17, wherein the proxy server removes any HTTP headers identified as potential security violations from the message.
-
19. The system of claim 12, wherein the client is a set top box in communication with a display and wherein the APT functions comprise functions for controlling images on the display.
-
20. The system of claim 12, wherein the API functions comprise functions for performing electronic commerce transactions at the client.
-
21. The system of claim 12, wherein the API functions comprise functions for accessing an electronic program guide stored at the client.
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeAt Home Bondholders Liquidating Trust (At Home Corporation)
-
Original AssigneeAt Home Corporation
-
InventorsTemkin, David, Brown, Ralph W., Medin, Milo S., Keller, Robert
-
Primary Examiner(s)NEURAUTER, GEORGE C
-
Application NumberUS09/427,778Time in Patent Office1,652 DaysField of Search709/229, 709/238, 709/217, 709/225, 709/245, 713/200, 713/201, 713/202, 725/114, 725/118, 725/120, 725/37, 725/2, 725/110, 707/4, 380/33, 719/328US Class Current709/229CPC Class CodesG06F 21/10 Protecting distributed prog...H04L 12/1836 with heterogeneous network ...H04L 12/1845 broadcast or multicast in a...H04L 12/1854 with non-centralised forwar...H04L 12/1877 Measures taken prior to tra...H04L 12/2801 Broadband local area networksH04L 12/2856 Access arrangements, e.g. I...H04L 12/2861 Point-to-multipoint connect...H04L 12/287 Remote access server, e.g. ...H04L 12/2883 ATM DSLAMH04L 63/0807 using tickets, e.g. Kerbero...H04L 63/101 Access control lists [ACL]H04L 67/2885 Hierarchically arranged int...H04L 67/52 specially adapted for the l...H04L 67/568 Storing data temporarily at...H04L 69/329 in the application layer [O...H04L 9/40 Network security protocolsH04N 21/2225 Local VOD serversH04N 21/23106 involving caching operation...
