Method and system for session based authorization and access control for networked application objects

US 7,441,265 B2
Filed: 05/12/2001
Issued: 10/21/2008
Est. Priority Date: 08/04/2000
Status: Expired due to Fees

First Claim

Patent Images

1. An ingress-session-based authorization and access control method in a data processing system to control access from an initiator-host to objects on a target host comprising the steps of:

(i) receiving an access-request originally coming from the initiator-host, that references an object on the target host to access,(ii) assigning the access-request to an ingress-session and selecting a session context belonging to that ingress-session,(iii) checking whether the access to the referenced object is authorized in the selected session-context or not,(iv) denying the access to the referenced object if the access to said object on the target host is not authorized in the selected session context,(v) granting the access to the referenced object if the access to said object on the target host is allowed in the selected session context,(vi) handing over references to objects on the target host to the initiator-host as a response to a granted access-request, and(vii) authorizing the handed over reference for access in that session-context.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention relates to an ingress-session-based authorization and access control method and system to control access from an initiator-host (IH) to objects (Target 1, Target 2) on a target host (TH) by receiving an access-request, preferably a request-message (M1), originally coming from the initiator-host (IH), that references an object (Target 1, Target 2) on the target host (TH) to access, assigning the access-request (M1) to an ingress-session and selecting a session-context (SC-U, SC-W, SC-Y) belonging to that ingress-session, checking whether the access to the referenced object (Target 1, Target 2) is authorized in the selected session-context (SC-U, SC-W, SC-Y)or not wherein references to objects (Target 1, Target 2) on the target host (TH) were handed over to the initiator-host (IH) as a response to an access-request already granted and wherein the object the reference is handed over for is authorized for access under the handed over reference in that session-context (SC-U, SC-W, SC-Y)the already granted access-request is assigned to.

139 Citations

21 Claims

1. An ingress-session-based authorization and access control method in a data processing system to control access from an initiator-host to objects on a target host comprising the steps of:
- (i) receiving an access-request originally coming from the initiator-host, that references an object on the target host to access,(ii) assigning the access-request to an ingress-session and selecting a session context belonging to that ingress-session,(iii) checking whether the access to the referenced object is authorized in the selected session-context or not,(iv) denying the access to the referenced object if the access to said object on the target host is not authorized in the selected session context,(v) granting the access to the referenced object if the access to said object on the target host is allowed in the selected session context,(vi) handing over references to objects on the target host to the initiator-host as a response to a granted access-request, and(vii) authorizing the handed over reference for access in that session-context.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. An ingress-session-based authorization and access control method according to claim 1 characterized in that the assignment of the access-request to the ingress-session and the selection of the session-context belonging to that ingress-session is independent of an underlying data transport session.
  - 3. An ingress-session-based authorization and access control method according to claim 1 characterized in that the assignment of the access-request to the ingress-session and the selection of the session-context belonging to that ingress-session is independent of the structure, the format and content of the object references handed over to the initiator host.
  - 4. An ingress-session-based authorization and access control method according to claim 1 characterized in that the object the reference is handed over for is authorized for access for a maximum number of accesses under the handed over reference in that session-context the already granted access request is assigned to.
  - 5. An ingress-session-based authorization and access control method according to claim 1 characterized in that the object the reference is handed over for is authorized for access for an access-validity time period so that access is granted during said access-validity time period under the handed over reference in that session context the already granted access-request is assigned to.
  - 6. An ingress-session-based authorization and access control method according to claim 1 characterized in that the access-request coming from the initiator host is received via a public-key encrypted channel.

7. An ingress-session-based authorization and access control data processing system to control access from an initiator-host to objects on a target host comprising:
- means to receive an access-request originally coming from the initiator-host, that references an object on the target host to access,means to assign the access-request to an ingress-session and selecting a session-context belonging to that ingress-session,means to check whether the access to the referenced object is authorized in the selected session-context or not, that deny the access to the referenced object if the access to said object on the target host is not authorized in the selected session-context and that grants the access to the referenced object if the access to said object on the target host is allowed in the selected session-context,means that hand over references to objects on the target host to the initiator-host as a response to a granted access-request, andmeans that authorize objects the reference is handed over for, for access under the handed over reference in that session-context the already granted access request is assigned to.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15)
- - 8. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that said means to assign the access request to an ingress-session and to select a session-context belonging to that ingress-session do assign the access-request to the ingress session and do select the session-context belonging to that ingress-session independently from any underlying data transport session.
  - 9. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that said means to assign the access request to an ingress-session and to select a session-context belonging to that ingress-session do assign the access-request to the ingress session and do select the session-context belonging to that ingress-session independently from the structure, the format and content of the object references handed over to the initiator host.
  - 10. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that the system also comprises means that authorize objects the reference is handed over for, for access for a maximum number of accesses under the handed over reference in that session-context the already granted access-request is assigned to.
  - 11. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that the system also comprises means that authorize objects the reference is handed over for, for access for an access-validity time period so that access is granted during said access-validity time period under the handed over reference in that session-context the already granted access-request is assigned to.
  - 12. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that the access-request coming from the initiator host is received by cryptographic means that operate a safe channel to the initiator-host.
  - 13. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that the target host is implemented as an application-module, comprising target objects and wherein said authorization and control system is implemented as an application level-interceptor both installed on one computer system.
  - 14. An ingress-session-based authorization and access control data processing system according to claim 7 characterized in that said authorization and control system is implemented as a gateway-machine installed on a computer system comprising communication means that connect the gateway-machine to an external network and an internal network wherein the initiator-host is connected as a client machine to said external network and the target host is connected as a server machine to said internal network.
  - 15. A communication network comprising an ingress-session based authorization and access control data processing system according to claim 7 comprising bootstrapping target-objects on the target-host as initial contact points to establish access communication wherein the access to said bootstrapping target-objects is granted or denied via explicit authorization means different from said means that check whether the access to the referenced object is authorized in the selected session-context or not.

16. A computer-readable storage medium having stored thereon instructions to cause a processor to execute an ingress-session-based authorization and access control method in a data processing system to control access from an initiator-host to objects on a target host, the method comprising:
- (i) receiving an access-request originally coming from the initiator-host, that references an object on the target host to access,(ii) assigning the access-request to an ingress-session and selecting a session-context belonging to that ingress-session,(iii) checking whether the access to the referenced object is authorized in the selected session-context or not,(iv) denying the access to the referenced object if the access to said object on the target host is not authorized in the selected session-context,(v) granting the access to the referenced object if the access to said object on the target host is allowed in the selected session-context,(vi) handing over references to objects on the target host to the initiator host as a response to a granted access-request, and(vii) authorizing the handed over references for access in that session-context.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. A computer-readable storage medium of claim 16, the method characterized in that the assignment of the access-request to the ingress-session and the selection of the session-context belonging to that ingress-session is independent of an underlying data transport session.
  - 18. A computer-readable storage medium of claim 16, the method characterized in that the assignment of the access-request to the ingress-session and the selection of the session-context belonging to that ingress-session is independent of the structure, the format and content of the object references handed over to the initiator host.
  - 19. A computer-readable storage medium of claim 16, the method characterized in that the object the reference is handed over for is authorized for access for a maximum number of accesses under the handed over reference in that session-context the already granted access-request is assigned to.
  - 20. A computer-readable storage medium of claim 16, the method characterized in that the object the reference is handed over for is authorized for access for an access validity time period so that access is granted during said access-validity time period under the handed over reference in that session-context the already granted access-request is assigned to.
  - 21. A computer-readable storage medium of claim 16, the method characterized in that the access-request coming from the initiator host is received via a public-key encrypted channel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Prismtech GmbH
Original Assignee
Prismtech GmbH
Inventors
Staamann, Sebastian, Eckardt, Tim
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
LASHLEY, LAUREL L

Application Number

US10/296,613
Publication Number

US 20030145094A1
Time in Patent Office

2,719 Days
Field of Search

709/229, 709/203, 709/227, 726/4
US Class Current

726/4
CPC Class Codes

G06F 9/465   Distributed object oriented...

G06F 9/468   Specific access rights for ...

H04L 63/0281   Proxies

H04L 63/10   for controlling access to d...

H04L 63/168   above the transport layer

Method and system for session based authorization and access control for networked application objects

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

139 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for session based authorization and access control for networked application objects

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

139 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links