Dynamic credential refresh in a distributed system
Abstract
A method, system, and computer program product code for dynamically refreshing user credentials in a distributed processing environment. The present invention provides for fast, local refresh of credentials by a server if the credentials expire during an on-going secure operation. This technique avoids the need for rolling back the operation and requiring the client to restart after acquiring fresh credentials. The ability for a systems administrator to invalidate credentials which have been compromised is maintained.
27 Claims
1. A computer program product embodied on a computer-readable medium, for dynamically refreshing user credentials without disruption of an on-going secure process, comprising:
computer-readable code means for generating a user credential for a user of a client machine, wherein said user credential comprises authorization data for said user, an authenticated identity of said user, an expiration time of said credential, and a last authentication time of said user;
computer-readable code means for requesting, by said user, an execution of a secure process on a server connected to said client machine through a network;
computer-readable code means for providing said user credential to said server for use with said requested execution;
computer-readable code means for performing said requested execution; and
computer-readable code means for refreshing said credential if said credential is determined to be expired during operation of said computer-readable code means for performing, wherein said expiration is determined by checking said expiration time, and wherein said computer-readable code means for performing continues by using said refreshed credential.
2. (dependent on claim 1; the claim preamble is not shown on this page)
computer-readable code means for comparing said last authentication time to a system-wide invalidation time and to a user-specific invalidation time for said user to determine whether said user credential is refreshable;
computer-readable code means for generating said refreshed credential from said user credential, wherein said expiration time is set to a new expiration time, when said user credential is refreshable; and
computer-readable code means for generating an error condition and halting further operation of said computer-readable code means for performing when said user credential is not refreshable.
3. The computer program product for dynamically refreshing user credentials according to claim 1, further comprising:
computer-readable code means for comparing said last authentication time to a system-wide invalidation time; and
computer-readable code means for halting operation of said computer-readable code means for performing when said computer-readable code means for comparing determines that said last authentication time is earlier than said system-wide invalidation time.
4. The computer program product for dynamically refreshing user credentials according to claim 2, wherein said computer-readable code means for comparing further comprises computer-readable code means for ensuring that an account of said user is still valid and if not, concluding that said user credential is not refreshable.
5. A computer program product embodied on a computer-readable medium, for dynamically refreshing user credentials without disruption of an on-going secure process, comprising:
computer-readable code means for generating a user credential for a user of a client machine, wherein said user credential comprises authorization data for said user, an authenticated identity of said user, and a time value for said credential;
computer-readable code means for requesting, by said user, an execution of a secure process on a server connected to said client machine through a network;
computer-readable code means for providing said user credential to said server for use with said requested execution;
computer-readable code means for performing said requested execution; and
computer-readable code means for refreshing said credential if said credential is determined to be expired during operation of said computer-readable code means for performing, wherein said expiration is determined by checking said time value, and wherein said computer-readable code means for performing continues by using said refreshed credential.
6. (dependent on claim 5; the claim preamble is not shown on this page)
computer-readable code means for comparing said time value to a system-wide invalidation time and to a user-specific invalidation time for said user to determine whether said user credential is refreshable;
computer-readable code means for generating said refreshed credential from said user credential, wherein said time value is set to a new time value, when said user credential is refreshable; and
computer-readable code means for generating an error condition and halting further operation of said computer-readable code means for performing when said user credential is not refreshable.
7. The computer program product for dynamically refreshing user credentials according to claim 5, further comprising:
computer-readable code means for comparing said time value to a system-wide invalidation time; and
computer-readable code means for halting operation of said computer-readable code means for performing when said computer-readable code means for comparing determines that said time value is less than said system-wide invalidation time.
8. The computer program product for dynamically refreshing user credentials according to claim 6, wherein said computer-readable code means for comparing further comprises computer-readable code means for ensuring that an account of said user is still valid and if not, concluding that said user credential is not refreshable.
9. The computer program product for dynamically refreshing user credentials according to claim 5, wherein said time value is an expiration time computed by adding a predetermined credential validity period to a last authentication time of said user.
10. The computer program product for dynamically refreshing user credentials according to claim 5, wherein said time value is a credential creation time set to a last authentication time of said user, and wherein said expiration of said time value is computed by adding a predetermined credential validity period to said time value.
11. A computer system for dynamically refreshing user credentials without disruption of an on-going secure process, comprising:
means for generating a user credential for a user of a client machine, wherein said user credential comprises authorization data for said user, an authenticated identity of said user, an expiration time of said credential, and a last authentication time of said user;
means for requesting, by said user, an execution of a secure process on a server connected to said client machine through a network;
means for providing said user credential to said server for use with said requested execution;
means for performing said requested execution; and
means for refreshing said credential if said credential is determined to be expired during operation of said means for performing, wherein said expiration is determined by checking said expiration time, and wherein said means for performing continues by using said refreshed credential.
12. (dependent on claim 11; the claim preamble is not shown on this page)
means for comparing said last authentication time to a system-wide invalidation time and to a user-specific validation time for said user to determine whether said user credential is refreshable;
means for generating said refreshed credential from said user credential, wherein said expiration time is set to a new expiration time, when said user credential is refreshable; and
means for generating an error condition and halting further operation of said means for performing when said user credential is not refreshable.
13. The system for dynamically refreshing user credentials according to claim 11, further comprising:
means for comparing said last authentication time to a system-wide invalidation time; and
means for halting operation of said means for performing when said means for comparing determines that said last authentication time is earlier than said system-wide invalidation time.
14. The system for dynamically refreshing user credentials according to claim 12, wherein said means for comparing further comprises means for ensuring that an account of said user is still valid and if not, concluding that said user credential is not refreshable.
15. A system for dynamically refreshing user credentials without disruption of an on-going secure process, comprising:
means for generating a user credential for a user of a client machine, wherein said user credential comprises authorization data for said user, an authenticated identity of said user, and an expiration time of said credential, and wherein said expiration time is computed using a last authentication time of said user;
means for requesting, by said user, an execution of a secure process on a server connected to said client machine through a network;
means for providing said user credential to said server for use with said requested execution;
means for performing said requested execution; and
means for refreshing said credential if said credential is determined to be expired during operation of said means for performing, wherein said expiration is determined by checking said expiration time, and wherein said means for performing continues by using said refreshed credential.
16. (dependent on claim 15; the claim preamble is not shown on this page)
means for comparing said expiration time to a system-wide invalidation time and to a user-specific invalidation time for said user to determine whether said user credential is refreshable;
means for generating said refreshed credential from said user credential, wherein said expiration time is set to a new expiration time, when said user credential is refreshable; and
means for generating an error condition and halting further operation of said means for performing when said user credential is not refreshable.
17. The system for dynamically refreshing user credentials according to claim 15, further comprising:
means for comparing said expiration time to a system-wide invalidation time; and
means for halting operation of said means for performing when said means for comparing determines that said expiration time is less than said system-wide invalidation time.
18. The system for dynamically refreshing user credentials according to claim 16, wherein said means for comparing further comprises means for ensuring that an account of said user is still valid and if not, concluding that said user credential is not refreshable.
19. A method for dynamically refreshing user credentials without disruption of an on-going secure process, comprising the steps of:
generating a user credential for a user of a client machine, wherein said user credential comprises authorization data for said user, an authenticated identity of said user, an expiration time of said credential, and a last authentication time of said user;
requesting, by said user, an execution of a secure process on a server connected to said client machine through a network;
providing said user credential to said server for use with said requested execution;
performing said requested execution; and
refreshing said credential if said credential is determined to be expired during operation of said performing step, wherein said expiration is determined by checking said expiration time, and wherein said performing step continues by using said refreshed credential.
20. (dependent on claim 19; the claim preamble is not shown on this page)
comparing said last authentication time to a system-wide invalidation time and to a user-specific invalidation time for said user to determine whether said user credential is refreshable;
generating said refreshed credential from said user credential, wherein said expiration time is set to a new expiration time, when said user credential is refreshable; and
generating an error condition and halting further operation of said performing step when said user credential is not refreshable.
21. The method for dynamically refreshing user credentials according to claim 19, further comprising the steps of:
comparing said last authentication time to a system-wide invalidation time; and
halting operation of said performing step when said comparing step determines that said last authentication time is earlier than said system-wide invalidation time.
22. The method for dynamically refreshing user credentials according to claim 20, wherein said comparing step further comprises the step of ensuring that an account of said user is still valid and if not, concluding that said user credential is not refreshable.
23. A method for dynamically refreshing user credentials without disruption of an on-going secure process, comprising the steps of:
generating a user credential for a user of a client machine, wherein said user credential comprises authorization data for said user, an authenticated identity of said user, and a credential creation time set to a last authentication time of said user;
requesting, by said user, an execution of a secure process on a server connected to said client machine through a network;
providing said user credential to said server for use with said requested execution;
performing said requested execution; and
refreshing said credential if said credential is determined to be expired during operation of said performing step, wherein said expiration is determined by adding a predetermined credential validity period to said credential creation time, and wherein said performing step continues by using said refreshed credential.
24. (dependent on claim 23; the claim preamble is not shown on this page)
comparing a result of adding said credential creation time and said predetermined credential validity period to a system-wide invalidation time and to a user-specific invalidation time for said user to determine whether said user credential is refreshable;
generating said refreshed credential from said user credential, wherein said credential creation time is set to a new credential creation time, when said user credential is refreshable; and
generating an error condition and halting further operation of said performing step when said user credential is not refreshable.
25. The method for dynamically refreshing user credentials according to claim 23, further comprising the steps of:
comparing a result of adding said credential creation time and said predetermined credential validity period to a system-wide invalidation time; and
halting operation of said performing step when said comparing step determines that said result is less than said system-wide invalidation time.
26. The method for dynamically refreshing user credentials according to claim 24, wherein said comparing step further comprises the step of ensuring that an account of said user is still valid and if not, concluding that said user credential is not refreshable.
27. A method for dynamically refreshing user credentials in a computing environment, comprising steps of:
determining, during execution of a secure process, that a user credential has expired, the user credential representing a user on whose behalf the secure process is executed;
transparently refreshing the expired user credential, responsive to the determining step, without requesting input from the user and without discontinuing execution of the secure process; and
continuing execution of the secure process using the refreshed user credential.
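The refresh logic that claims 1 through 4 (and their method and system counterparts) describe, written out as an added Python example; this is constructed for illustration and is not code from the patent. It assumes integer-second timestamps, a 300-second validity period, and that a local refresh renews only the expiration time while keeping the original last authentication time, so that a later administrator invalidation still catches a compromised credential.

```python
from dataclasses import dataclass, replace

# Constructed example of the patent's refresh check; not the patent's own code.
VALIDITY_PERIOD = 300          # predetermined credential validity period (assumed: 300 s)
@dataclass(frozen=True)
class Credential:
    identity: str              # authenticated identity of the user
    authz: frozenset           # authorization data, e.g. group memberships
    expiration_time: int       # last_auth_time + VALIDITY_PERIOD at issue (claim 9)
    last_auth_time: int        # when the user last authenticated

class NotRefreshable(Exception):
    """Error condition: the on-going secure process must halt."""
class CredentialServer:
    def __init__(self):
        self.system_invalidation_time = 0   # admin-set: revokes every older credential
        self.user_invalidation_time = {}    # admin-set per user, e.g. after compromise
        self.valid_accounts = set()
    def issue(self, identity, authz, now):
        self.valid_accounts.add(identity)
        return Credential(identity, frozenset(authz), now + VALIDITY_PERIOD, now)
    def refreshable(self, cred):
        # Claims 2 and 4: the last authentication must postdate both invalidation
        # times, and the user's account must still exist.
        user_inval = self.user_invalidation_time.get(cred.identity, 0)
        return (cred.last_auth_time > self.system_invalidation_time
                and cred.last_auth_time > user_inval
                and cred.identity in self.valid_accounts)

    def refresh_if_expired(self, cred, now):
        if now < cred.expiration_time:
            return cred                     # not expired: nothing to do
        if not self.refreshable(cred):
            raise NotRefreshable(cred.identity)
        # Local refresh: new expiration only; last_auth_time is kept because the
        # user did not re-authenticate, so a later invalidation still catches it.
        return replace(cred, expiration_time=now + VALIDITY_PERIOD)

def run_secure_process(server, cred, steps, start, step_seconds):
    """Multi-step operation re-checking the credential before each step; returns (cred, done, halted)."""
    now, done = start, 0
    for _ in range(steps):
        try:
            cred = server.refresh_if_expired(cred, now)
        except NotRefreshable:
            return cred, done, True         # error condition: halt, no silent rollback
        done += 1                           # the protected step would run here
        now += step_seconds
    return cred, done, False
```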
Specification