Security framework bridge

US 7,346,930 B1
Filed: 10/31/2002
Issued: 03/18/2008
Est. Priority Date: 10/31/2002
Status: Active Grant

First Claim

Patent Images

1. A method for bridging requests for access to resources between requestors in a distributed network and an authenticator servicing the distributed network:

initiating a request for access to a resource through an application on a requestor in accordance with a request from a user, wherein the requestor has an IP address;

intercepting the request for access to the resource;

identifying the IP address of the requestor;

verifying the requestor is allowed to initiate requests based on the IP address;

identifying a type of the request for access to the resource as one of a plurality of types of requests;

identifying the application initiating the request for access to the resource;

verifying the application is an application that the requestor is allowed to use;

verifying the type of the request is a type of request that the application has permission to initiate; and

forwarding the request for access to the resource to the authenticator based on successfully verifying the requestor, verifying the application, and verifying the type of the request, wherein the authenticator verifies the identity of the user and authorizes the request for access to the resource based on successfully verifying the identity of the user.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present disclosure is a method for bridging requests for access to resources between requesters in a distributed network and an authenticator servicing the distributed network. The bridging mechanism has security features including a naming service for machine authentication and machine process rules to authorize what process machines can perform. The security proxy bridge intercepts an access request, and checks the IP address for machine authentication as well as the machine process rules and if both verifications are successful, the bridge then forwards the request for access to the authenticator. The security proxy framework utilizes a data structure that provides a method for storing selected security information stored as data records supporting an authentication and authorization system for users to access resources on multiple components of a distributed network supporting multiple business units of an enterprise. Primary authentication information stored herein includes general user information, security information, and contact information.

47 Citations

View as Search Results

20 Claims

1. A method for bridging requests for access to resources between requestors in a distributed network and an authenticator servicing the distributed network:
- initiating a request for access to a resource through an application on a requestor in accordance with a request from a user, wherein the requestor has an IP address;
  
  intercepting the request for access to the resource;
  
  identifying the IP address of the requestor;
  
  verifying the requestor is allowed to initiate requests based on the IP address;
  
  identifying a type of the request for access to the resource as one of a plurality of types of requests;
  
  identifying the application initiating the request for access to the resource;
  
  verifying the application is an application that the requestor is allowed to use;
  
  verifying the type of the request is a type of request that the application has permission to initiate; and
  
  forwarding the request for access to the resource to the authenticator based on successfully verifying the requestor, verifying the application, and verifying the type of the request, wherein the authenticator verifies the identity of the user and authorizes the request for access to the resource based on successfully verifying the identity of the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the plurality of types of requests include a request to view information stored on the requested resource, delete information on the requested resource, add information on the requested resource, and to modify information on the requested resource.
  - 3. The method of claim 1, wherein information stored on the resource is one of information of access rights, passwords, identifications, authorizations, or data records.
  - 4. The method of claim 1, further comprising:
    - requesting additional authorization information for protected resources, wherein the additional authorization information is obtained from one of a token card or a digital certificate.
  - 5. The method of claim 1, further comprising:
    - comparing, by the authenticator, an authorization policy for the user with the requested resource and the type of the request to the requested resource, wherein the authenticator further authorizes the request for access to the resource based on successfully performing the comparison.
  - 6. The method of claim 5, further comprising:
    - identifying groups the user belongs to,wherein comparing the authorization policy for the user with the requested resource and the type of request to the requested resource further comprises comparing the authorization policy for the user'"'"'s groups with the requested resource and the type of the request to the requested resource.
  - 7. The method of claim 1, further comprising:
    - identifying identification and authorization information of the user, wherein the authenticator verifies the identity of the user based on the identification and authorization information.
  - 8. The method of claim 7, further comprising:
    - verifying a format of the identification and authorization information of the user.
  - 9. The method of claim 7, wherein verifying the requestor, verifying the application, and verifying the type of the request is performed prior to the authenticator verifying the identity of the user when the user is an internal user.
  - 10. The method of claim 7, wherein the authenticator verifying the identity of the user is bypassed when the user is an internal user.
  - 11. The method of claim 7, wherein the authenticator verifying the identity of the user is performed prior to verifying the requestor when the user is an external user.

12. A system for bridging requests for access to resources, comprising:
- an application server configured to execute an application that initiates a request for access to a resource in accordance with a user request, wherein the application server has an IP address;
  
  a security bridge coupled to the application server that intercepts the request and is configured to identify the IP address of the application server, identify a type of the request as one of a plurality of types of requests; and
  
  identify the application that initiates the request, and further configured to verify the application server is allowed to initiate requests based on the IP address, verify the application is an application that the application server is allowed to execute, and verify the type of the request for the requested resource is a type of request that the application has permission to initiate, wherein the security bridge forwards the request for access to the resource based on successfully verifying the requester, verifying the application, and verifying the type of the request; and
  
  an authenticator server coupled to the security bridge and configured to receive the forwarded request for access to the resource from the security bridge, verify the identity of the user, and authorize the request for access to the resource based on successfully verifying the identity of the user.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the security bridge further comprises:
    - a naming service for storing a set of IP addresses of servers that are allowed to initiate request;
      
      a process rules set for storing what applications are allowed to be executed on the servers that are allowed to initiate requests; and
      
      a password rules set for storing a proper format for user identification and authorization information.
  - 14. The system of claim 12, wherein the security bridge is further configured to identify the format of any user identification and authorization information provided with the request and verify the format of the user identification and authorization information provided.
  - 15. The system of claim 12, further comprising:
    - a web server coupled to the authenticator server configured to provide the authenticator server with identification and authorization information for external users, wherein the authenticator server verifies the identity of the user based on the identification and authorization information, and wherein the web server is further coupled to the application server for enabling the external users to execute the application.
  - 16. The system of claim 15, further comprising:
    - a main policy store coupled to the authenticator server for storing a proper format for user identification and authorization information,wherein the authenticator server is further configured to verify the format of the identification and authorization information for the external users in accordance with the proper format stored in the main policy store.
  - 17. The system of claim 12, wherein the application server exclusively executes the application for internal users, andwherein the user is an internal user.
  - 18. The system of claim 17, wherein the internal user does not provide any identification and authorization information.
  - 19. The system of claim 12, further comprising:
    - a security database coupled to the authenticator server configured to retrieve correct authorization information based on identification information of the user retrieved by the authenticator server.
  - 20. The system of claim 19, wherein the authenticator server verifies the identity of the user by comparing authorization information of the user retrieved by the authenticator server with the correct authorization information provided by the security database.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
T-Mobile Innovations LLC (Deutsche Telekom AG)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Nguyen, Hiep, Boydstun, Ken, Perez, Richard, Balasubramanian, Bala
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Lipman; Jacob

Application Number

US10/284,680
Time in Patent Office

1,965 Days
Field of Search

726 11- 15, 726/29
US Class Current

726/29
CPC Class Codes

H04L 63/02   for separating internal fro...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Security framework bridge

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

47 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Security framework bridge

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links