Authentication and authorization pipeline architecture for use in a web server

US 6,985,946 B1
Filed: 05/12/2000
Issued: 01/10/2006
Est. Priority Date: 05/12/2000
Status: Expired due to Term

First Claim

Patent Images

1. A method for providing an authentication and authorization pipeline in a web server having access to userID-roles data including a plurality of data entries for each user who may access resources present on the web server, and having access to resource-roles data including a plurality of data entries for each resource that may be accessed on the web server, the pipeline uses the userID-roles data and the resource-roles data to grant access to web resources to users, the method comprising:

receiving a plurality of resource access requests for a resource on the web server;

authenticating the identity of each user accessing the resource on the web server using a userID, and one or more authentication parameters;

for each of the resource access requests by each user, creating a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles data; and

authorizing access to a resource identified within one of the resource access requests if one or more access roles contained within the data object correspond to the resource roles listed within the resource-roles data for the identified resource, where, in pipeline fashion, the data object is passed from the operation authenticating the identity of each user and the data object is received by the operation authorizing access to the resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system, and article of manufacture for providing an authentication and authorization pipeline for use in a web server to grant access to web resources to users. The server creates an entry within an userID to roles database for each user who may access resources present on the web server and creates an entry within the roles to resource database for each resource that may be accessed on the web server. The server then authenticates the identify of each user accessing a resource on the web server using a userID, one or more authentication parameters, and a resource access request, creates a data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID to roles database, and authorizes access to a resource identified within the resource access request if one or more roles within the data object correspond to an access role corresponding to the roles listed within the roles to resource database for the identified resource.

100 Citations

View as Search Results

35 Claims

1. A method for providing an authentication and authorization pipeline in a web server having access to userID-roles data including a plurality of data entries for each user who may access resources present on the web server, and having access to resource-roles data including a plurality of data entries for each resource that may be accessed on the web server, the pipeline uses the userID-roles data and the resource-roles data to grant access to web resources to users, the method comprising:
- receiving a plurality of resource access requests for a resource on the web server;
  
  authenticating the identity of each user accessing the resource on the web server using a userID, and one or more authentication parameters;
  
  for each of the resource access requests by each user, creating a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles data; and
  
  authorizing access to a resource identified within one of the resource access requests if one or more access roles contained within the data object correspond to the resource roles listed within the resource-roles data for the identified resource, where, in pipeline fashion, the data object is passed from the operation authenticating the identity of each user and the data object is received by the operation authorizing access to the resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the method further comprises passing the resource access request to the identified resource for servicing.
  - 3. The method according to claim 1, wherein authenticating the identity of each user further comprises generating a response to the resource access request indicating an authentication error when the identity of the user cannot be successfully authenticated.
  - 4. The method according to claim 1, wherein authorizing access to a resource further comprises generating a response to the resource access request indicating an authorization error when access to the resource may not be provided to the authenticated userID.
  - 5. The method according to claim 4, wherein authenticating the identity of each user operation is performed within a separate operation from the authorizing access to a resource operation.
  - 6. The method according to claim 5, wherein the data object is passed between the operation authenticating the identity of each user operation to the operation authorizing access to a resource operation.
  - 7. The method according to claim 1, wherein the authentication parameters include one or more of the following:
    - a password, a digital signature, a digital certificate obtained from a source trusted by the server, and a public key encrypted message.
  - 8. The method according to claim 1, wherein the web resource being accessed includes a web page.
  - 9. The method according to claim 1, wherein the web resource being accessed includes a data file located on the web server.
  - 10. The method according to claim 1, wherein the web resource being accessed includes an executable software module.

11. A method for providing an authentication and authorization pipeline having a userID-roles database and a resource-roles database for use in a web server to grant access to web resources to users, the method comprising:
- creating an entry within the userID-roles database for each user who may access resources present on the web server;
  
  creating an entry within the resource-roles database for each resource that may be accessed on the web server;
  
  receiving a plurality of resource access requests for one of the resources on the web server;
  
  authenticating the identity of each user accessing a resource on the web server using a userID, and one or more authentication parameters;
  
  for each of the resource access requests by each user, creating a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database; and
  
  authorizing access to a resource identified within one of the resource access request if one or more roles contained within the corresponding data object correspond to an access role corresponding to the roles listed within the resource-roles database for the identified resource;
  
  wherein authenticating the identity of each user operation is performed within a separate operation from the authorizing access to a resource operation; and
  
  in pipeline fashion, the data object is passed from the operation authenticating the identity of each user and is received by the operation authorizing access to a resource.

12. A computer data product readable by a computing system and encoding a set of computer instructions for providing an authentication and authorization pipeline having a userID-roles database and a resource-roles database for use in a web server to grant access to web resources to users, comprising:
- receiving a plurality of resource access requests for at least one resource on the web server;
  
  authenticating the identity of each user accessing the at least one resource on the web server using a userID, and one or more authentication parameters;
  
  for each of the resource access requests by each user, creating a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database; and
  
  authorizing access to a resource identified within one of the resource access requests if one or more roles within the corresponding data object correspond to an access role corresponding to the roles listed within the resource-roles database for the identified resource, where, in pipeline fashion, the data object is passed from the operation authenticating the identity of each user and the data object is received by the operation authorizing access to the resource.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 13. The computer data product according to claim 12, wherein the method further comprises:
    - creating an entry within the userID-roles database for each user who may access resources present on the web server;
      
      creating an entry within the resource-roles database for each resource that may be accessed on the web server; and
      
      passing the resource access request to the identified resource for servicing.
  - 14. The computer data product according to claim 12, wherein authenticating the identity of each user further comprises generating a response to the resource access request indicating an authentication error when the identity of the user cannot be successfully authenticated.
  - 15. The computer data product according to claim 12, wherein authorizing access to a resource further comprises generating a response to the resource access request indicating an authorization error when access to the resource may not be provided to the authenticated.
  - 16. The computer data product according to claim 15, wherein authenticating the identity of each user operation is performed within a separate operation from the authorizing access to a resource operation.
  - 17. The computer data product according to claim 16, wherein the data object is passed between the operation authenticating the identity of each user operation to the operation authorizing access to a resource operation.
  - 18. The computer data product according to claim 12, wherein the authentication parameters include one or more of the following:
    - a password, a digital signature, a digital certificate obtained from a source trusted by the server, and a public key encrypted message.
  - 19. The computer data product according to claim 12, wherein the web resource being accessed includes a web page.
  - 20. The computer data product according to claim 12, wherein the web resource being accessed includes a data file located on the web server.
  - 21. The computer data product according to claim 12, wherein the web resource being accessed includes an executable software module.

22. A system for providing an authentication and authorization pipeline having a userID-roles database and a resource-roles database for use in a web server to grant access to web resources to users, comprising:
- a plurality of resource access requests from at least one user for at least one resource on the web server;
  
  an authentication module for verifying the identity of the user sending each of the resource access requests using a userID, and one or more authentication parameters;
  
  an authorization module for determining whether the user is granted access to the requested resource; and
  
  wherein for each of the resource access requests by each user, the authentication module creates a distinct data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database, where, in pipeline fashion, said authentication module passing the data objects and the authorization module receiving the data objects for use in determining whether to grant access to the requested resource.
- View Dependent Claims (23, 24, 25, 26, 27)
- - 23. The system according to claim 22, wherein the authorization module authorizes access to the resource identified within the resource access request if one or more roles within the data object correspond to an access role corresponding to the roles listed within the resource-roles database for the identified resource.
  - 24. The system according to claim 23, wherein the authentication parameters include one or more of the following:
    - a password, a digital signature, a digital certificate obtained from a source trusted by the server, and a public key encrypted message.
  - 25. The system according to claim 23, wherein the web resource being accessed includes a web page.
  - 26. The system according to claim 23, wherein the web resource being accessed includes a data file located on the web server.
  - 27. The system according to claim 23, wherein the web resource being accessed includes an executable software module.

28. A web server for providing a response to an HTTP request for access to at least one resource available to the web server comprising:
- a plurality of processing modules interconnected in a pipelined fashion to form an HTTP pipeline that performs various tasks on the HTTP request prior to passing the HTTP request onto a content storage and retrieval module, the plurality of processing modules comprising;
  
  a replaceable authentication module adapted to receive a user identifier and at least one additional authentication parameter and further adapted to create a data object containing the user identifier and at least one role a user associated with the identifier is allowed to perform; and
  
  an authorization module adapted to receive the object and determine whether the user associated with the identifier is authorized to access the at least one resource requested in the HTTP request; and
  
  wherein a content and retrieval module is adapted to receive the HTTP request if the authorization module determines that the user is authorized to access at least one resource and adapted to formulate a response containing at least one resource, where, in pipeline fashion, the data object is passed from the replaceable authentication module and the data object is received by the authorization module.

29. A web server for providing a response to an HTTP request for access to at least one resource available to the web server comprising:
- a plurality of processing modules interconnected in a pipelined fashion to form an HTTP pipeline that performs various tasks on the HTTP request prior to passing the HTTP request onto a content storage and retrieval module, the plurality of processing modules comprising;
  
  a replaceable authentication module adapted to receive a user identifier and at least one additional authentication parameter and further adapted to creates and pass in pipeline fashion, an object containing the user identifier and at least one role a user associated with the identifier is allowed to perform; and
  
  an authorization module adapted to receive in pipeline fashion the object and determine whether the user associated with the identifier is authorized to access the at least one resource requested in the HTTP request; and
  
  the content storage and retrieval module is adapted to receive the HTTP request if the authorization module determines that the user is authorized to access the at least one resource and adapted to formulate a response containing the at least one resource.
- View Dependent Claims (30, 31, 32, 33)
- - 30. The web server of claim 29 further comprising an authenticate error module adapted to generate error responses if the user identifier is unknown.
  - 31. The web server of claim 29 further comprising an authorize error module adapted to generate error responses if the user associated with the identifier is not authorized to access the at least one resource requested in the HTTP request.
  - 32. The web server of claim 29 wherein the replaceable authentication module is at least one of either third-party modules, enhoused modules, extended modules, and custom developed modules that provide a desired level of security for the web server.
  - 33. The web server of claim 29 wherein the replaceable authentication module is interchangeable with another replaceable authentication module without affecting functionality and operation of other modules.

34. A web server for providing a response to an HTTP request for access to at least one resource available to the web server comprising:
- a plurality of processing modules interconnected in a pipelined fashion to form an HTTP pipeline that performs various tasks on the HTTP request prior to passing the HTTP request onto a content storage and retrieval module, the plurality of processing modules comprising;
  
  at least two different authentication modules, each of the at least two different authentication modules adapted to receive a user identifier and at least one additional authentication parameter and further adapted to create, and pass in pipeline fashion, an object containing the user identifier and at least one role a user associated with the identifier is allowed to perform; and
  
  at least two different authorization modules, each of the at least two different authorization modules adapted to receive, in pipeline fashion, the object and determine whether the user associated with the identifier is authorized to access the at least one resource requested in the HTTP request; and
  
  the content storage and retrieval module adapted to receive the HTTP request if the authorization module determines that the user is authorized to access the at least one resource and adapted to formulate a response containing the at least one resource.

35. A computer data product readable by a computing system and encoding a set of computer instructions for providing access to resources on a web server to users using a pipeline having a userID-roles database with an entry for each user who may access the resources and a resource-roles database with an entry for each of the resources that may be accessed by the user, comprising:
- authenticating the identity of each user accessing a resource on the web server using a userID, and one or more authentication parameters;
  
  creating a data object corresponding to each resource access request, said data object having an authenticated userID and one or more roles corresponding to the authenticated userID obtained from the userID-roles database; and
  
  authorizing access to a resource identified within one of the resource access requests if one or more access roles contained within the data object correspond to the resource roles listed within the resource-roles data for the identified resource;
  
  wherein authenticating the identity of each user operation is performed within a separate operation from the authorizing access to a resource; and
  
  the data object is passed from the operation authenticating the identity of each user operation and is received by the operation authorizing access to a resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Robsman, Dmitry, Vasandani, Manu, Alam, Bilal
Primary Examiner(s)
LIN, WEN TAI

Application Number

US09/569,464
Time in Patent Office

2,069 Days
Field of Search

709/225, 709/229, 709/227, 709/217, 709/219, 709/203, 713/200, 713/168, 713/166, 713/164, 713/161, 713/160, 713/155, 713/152, 713/151, 713/150, 713/202, 713/201, 705/1, 705/16, 705/18, 705/35, 705/39, 705/44, 707/1, 707/10, 707/9
US Class Current

709/225
CPC Class Codes

G06F 21/31 User authentication

Y10S 707/99939 Privileged access

Authentication and authorization pipeline architecture for use in a web server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

100 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

Authentication and authorization pipeline architecture for use in a web server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

100 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others