Authentication and authorization pipeline architecture for use in a web server
Abstract
A method, system, and article of manufacture for providing an authentication and authorization pipeline for use in a web server to grant access to web resources to users. The server creates an entry within a userID to roles database for each user who may access resources present on the web server and creates an entry within the roles to resource database for each resource that may be accessed on the web server. The server then authenticates the identity of each user accessing a resource on the web server using a userID, one or more authentication parameters, and a resource access request, creates a data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID to roles database, and authorizes access to a resource identified within the resource access request if one or more roles within the data object correspond to an access role corresponding to the roles listed within the roles to resource database for the identified resource.
Claims (35 in total; the independent claims are reproduced below, dependent claims 2-10, 13-21, 23-27 and 30-33 are omitted)

1. A method for providing an authentication and authorization pipeline in a web server having access to userID-roles data including a plurality of data entries for each user who may access resources present on the web server, and having access to resource-roles data including a plurality of data entries for each resource that may be accessed on the web server, the pipeline using the userID-roles data and the resource-roles data to grant access to web resources to users, the method comprising:
    receiving a plurality of resource access requests for a resource on the web server;
    authenticating the identity of each user accessing the resource on the web server using a userID and one or more authentication parameters;
    for each of the resource access requests by each user, creating a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles data; and
    authorizing access to a resource identified within one of the resource access requests if one or more access roles contained within the data object correspond to the resource roles listed within the resource-roles data for the identified resource, where, in pipeline fashion, the data object is passed from the operation authenticating the identity of each user and is received by the operation authorizing access to the resource.
11. A method for providing an authentication and authorization pipeline having a userID-roles database and a resource-roles database for use in a web server to grant access to web resources to users, the method comprising:
    creating an entry within the userID-roles database for each user who may access resources present on the web server;
    creating an entry within the resource-roles database for each resource that may be accessed on the web server;
    receiving a plurality of resource access requests for one of the resources on the web server;
    authenticating the identity of each user accessing a resource on the web server using a userID and one or more authentication parameters;
    for each of the resource access requests by each user, creating a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database; and
    authorizing access to a resource identified within one of the resource access requests if one or more roles contained within the corresponding data object correspond to an access role corresponding to the roles listed within the resource-roles database for the identified resource;
    wherein the operation authenticating the identity of each user is performed as a separate operation from the operation authorizing access to a resource; and, in pipeline fashion, the data object is passed from the operation authenticating the identity of each user and is received by the operation authorizing access to a resource.
12. A computer data product readable by a computing system and encoding a set of computer instructions for providing an authentication and authorization pipeline having a userID-roles database and a resource-roles database for use in a web server to grant access to web resources to users, comprising:
    receiving a plurality of resource access requests for at least one resource on the web server;
    authenticating the identity of each user accessing the at least one resource on the web server using a userID and one or more authentication parameters;
    for each of the resource access requests by each user, creating a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database; and
    authorizing access to a resource identified within one of the resource access requests if one or more roles within the corresponding data object correspond to an access role corresponding to the roles listed within the resource-roles database for the identified resource, where, in pipeline fashion, the data object is passed from the operation authenticating the identity of each user and is received by the operation authorizing access to the resource.
22. A system for providing an authentication and authorization pipeline having a userID-roles database and a resource-roles database for use in a web server to grant access to web resources to users, comprising:
    a plurality of resource access requests from at least one user for at least one resource on the web server;
    an authentication module for verifying the identity of the user sending each of the resource access requests using a userID and one or more authentication parameters;
    an authorization module for determining whether the user is granted access to the requested resource; and
    wherein for each of the resource access requests by each user, the authentication module creates a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database, where, in pipeline fashion, said authentication module passes the data objects and the authorization module receives the data objects for use in determining whether to grant access to the requested resource.
28. A web server for providing a response to an HTTP request for access to at least one resource available to the web server, comprising:
    a plurality of processing modules interconnected in a pipelined fashion to form an HTTP pipeline that performs various tasks on the HTTP request prior to passing the HTTP request on to a content storage and retrieval module, the plurality of processing modules comprising:
        a replaceable authentication module adapted to receive a user identifier and at least one additional authentication parameter and further adapted to create a data object containing the user identifier and at least one role a user associated with the identifier is allowed to perform; and
        an authorization module adapted to receive the object and determine whether the user associated with the identifier is authorized to access the at least one resource requested in the HTTP request; and
    wherein the content storage and retrieval module is adapted to receive the HTTP request if the authorization module determines that the user is authorized to access the at least one resource and adapted to formulate a response containing the at least one resource, where, in pipeline fashion, the data object is passed from the replaceable authentication module and is received by the authorization module.
29. A web server for providing a response to an HTTP request for access to at least one resource available to the web server, comprising:
    a plurality of processing modules interconnected in a pipelined fashion to form an HTTP pipeline that performs various tasks on the HTTP request prior to passing the HTTP request on to a content storage and retrieval module, the plurality of processing modules comprising:
        a replaceable authentication module adapted to receive a user identifier and at least one additional authentication parameter and further adapted to create, and pass in pipeline fashion, an object containing the user identifier and at least one role a user associated with the identifier is allowed to perform; and
        an authorization module adapted to receive, in pipeline fashion, the object and determine whether the user associated with the identifier is authorized to access the at least one resource requested in the HTTP request; and
    the content storage and retrieval module being adapted to receive the HTTP request if the authorization module determines that the user is authorized to access the at least one resource and adapted to formulate a response containing the at least one resource.
34. A web server for providing a response to an HTTP request for access to at least one resource available to the web server, comprising:
    a plurality of processing modules interconnected in a pipelined fashion to form an HTTP pipeline that performs various tasks on the HTTP request prior to passing the HTTP request on to a content storage and retrieval module, the plurality of processing modules comprising:
        at least two different authentication modules, each of the at least two different authentication modules adapted to receive a user identifier and at least one additional authentication parameter and further adapted to create, and pass in pipeline fashion, an object containing the user identifier and at least one role a user associated with the identifier is allowed to perform; and
        at least two different authorization modules, each of the at least two different authorization modules adapted to receive, in pipeline fashion, the object and determine whether the user associated with the identifier is authorized to access the at least one resource requested in the HTTP request; and
    the content storage and retrieval module being adapted to receive the HTTP request if the authorization module determines that the user is authorized to access the at least one resource and adapted to formulate a response containing the at least one resource.
35. A computer data product readable by a computing system and encoding a set of computer instructions for providing access to resources on a web server to users using a pipeline having a userID-roles database with an entry for each user who may access the resources and a resource-roles database with an entry for each of the resources that may be accessed by the user, comprising:
    authenticating the identity of each user accessing a resource on the web server using a userID and one or more authentication parameters;
    creating a data object corresponding to each resource access request, said data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database; and
    authorizing access to a resource identified within one of the resource access requests if one or more access roles contained within the data object correspond to the resource roles listed within the resource-roles data for the identified resource;
    wherein the operation authenticating the identity of each user is performed as a separate operation from the operation authorizing access to a resource; and the data object is passed from the operation authenticating the identity of each user and is received by the operation authorizing access to a resource.
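The pipeline these claims describe, as an added Python illustration that is not the patent's own code: a replaceable authentication module verifies the userID and an authentication parameter, builds the data object (here `Principal`) carrying the authenticated userID and its roles from the userID-roles data, and hands it down the pipeline to an authorization module that compares those roles with the resource-roles data before the content module ever sees the request. The users, password hashes, bearer tokens and role tables are constructed, and the second authentication module is there to show the replaceability of claims 28 and 34.

```python
# Authn -> authz -> content pipeline as the claims describe. Added illustration, not the
# patent's code; users, password hashes, tokens and role tables are constructed.
import hashlib, hmac
from dataclasses import dataclass

def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed userID-roles data: (password hash, roles) per user.
USER_ROLES = {"alice": (_h("alice-pw"), frozenset({"editor", "viewer"})),
              "bob": (_h("bob-pw"), frozenset({"viewer"}))}
# Constructed resource-roles data: roles permitted for each resource.
RESOURCE_ROLES = {"/public/index.html": {"viewer"}, "/docs/edit": {"editor"},
                  "/admin/users": {"admin"}}
TOKENS = {"tok-alice-123": "alice"}  # constructed bearer tokens

@dataclass(frozen=True)
class Principal:
    """The data object passed from the authentication stage to the authorization stage."""
    user_id: str
    roles: frozenset

def authenticate_password(request):
    """Authentication module: verify userID + password; return Principal or None."""
    entry = USER_ROLES.get(request.get("user"))
    if entry is None:
        return None
    stored, roles = entry
    if not hmac.compare_digest(stored, _h(request.get("password", ""))):
        return None
    return Principal(request["user"], roles)

def authenticate_token(request):
    """Replaceable authentication module (claim 34): bearer token instead of password.
    It yields the same Principal type, so the authorization stage is unchanged."""
    uid = TOKENS.get(request.get("token", ""))
    return None if uid is None else Principal(uid, USER_ROLES[uid][1])

def authorize(principal, resource):
    """Authorization module: grant only if a role on the object is listed for the resource.
    A resource absent from the resource-roles data is denied (fail closed)."""
    return bool(principal.roles & RESOURCE_ROLES.get(resource, set()))

def handle(request, authn=authenticate_password, authz=authorize):
    """HTTP pipeline: authn -> authz -> content module, stopping at the first failure."""
    principal = authn(request)
    if principal is None:
        return 401, None
    if not authz(principal, request["path"]):
        return 403, None
    return 200, f"content of {request['path']} for {principal.user_id}"
```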