Secure resource access in a distributed environment

US 7,444,414 B2
Filed: 07/10/2002
Issued: 10/28/2008
Est. Priority Date: 07/10/2002
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer network, a method for granting a request from a first resource to access a second resource, comprising:

receiving, from a client, a request to access the first resource;

directing the client to an authorization service;

the authorization service generating an authorization ticket and providing the authorization ticket to the first resource;

on behalf of the first resource, presenting the authorization ticket and requesting access to the second resource; and

granting the first resource access to the second resource only upon verification that the authorization ticket was generated by a source trusted by the second resource.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for providing a first network resource with secure but limited access to a second network resource. A method embodying the invention includes receiving, from a client, a request to access the first resource. The client is then directed to an authorization service. The authorization service generates an authorization ticket and provides the authorization ticket to the first resource. On behalf of the first resource, the authorization ticket is presented to the second resource with a request to access the second resource. The request is granted only if it can be verified that the authorization ticket was generated by a source trusted by the second resource.

56 Citations

View as Search Results

26 Claims

1. In a computer network, a method for granting a request from a first resource to access a second resource, comprising:
- receiving, from a client, a request to access the first resource;
  
  directing the client to an authorization service;
  
  the authorization service generating an authorization ticket and providing the authorization ticket to the first resource;
  
  on behalf of the first resource, presenting the authorization ticket and requesting access to the second resource; and
  
  granting the first resource access to the second resource only upon verification that the authorization ticket was generated by a source trusted by the second resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising providing the authorization service with user credentials and the authorization service verifying the credentials before generating the authorization ticket.
  - 3. The method of claim 1, further comprising acquiring an URL for the authorization service, and wherein directing the client to the authorization service comprises directing the client to the acquired URL.
  - 4. The method of claim 1, wherein generating an authorization ticket comprises generating an authorization ticket that includes a trust indicator, and access indicator and a digital certificate identifying the source of the authorization ticket.
  - 5. The method of claim 1, wherein providing the first resource with the authorization ticket comprises:
    - acquiring an URL for the first resource;
      
      modifying the acquired URL by adding the authorization ticket; and
      
      directing the client to the modified URL.
  - 6. The method of claim 1, further comprising acquiring an URL for the authorization service, modifying the URL by adding data for locating and accessing the first resource, wherein directing the client to the authorization service comprises directing the client to the modified URL, and wherein providing the authorization ticket to the first resource comprises the authorization service providing the authorization ticket to the first resource utilizing the data added to the URL.
  - 7. The method of claim 1, further comprising acquiring an URL for the first resource, and wherein presenting the authorization ticket to the first resource comprises:
    - modifying the URL by adding data for locating and accessing the authorization ticket;
      
      directing the client to the modified URL; and
      
      acquiring, on behalf of the first resource, the authorization ticket using the data added to the URL.
  - 8. The method of claim 1, further comprising the authorization service acquiring an URL for the first resource, modifying the URL by adding the authorization ticket to the URL, and wherein the authorization service directing the client to the first resource comprises with instructions for the client to provide the first resource with the authorization ticket comprises directing the client to the modified URL.
  - 9. The method of claim 1, further comprising the authorization service acquiring an access indicator for the first resource, and wherein generating an authorization ticket comprises generating an authorization ticket containing the access indicator, and wherein granting the first resource access to the second resource includes granting access according to the access indicator.
  - 10. The method of claim 9, further comprising the authorization service acquiring an URL for the first resource modifying the URL by adding the authorization ticket to the URL, and wherein the authorization service directing the client to the first resource comprises with instructions for the client to provide the first resource with the authorization ticket comprises directing the client to the modified URL.
  - 11. The method of claim 1, further comprising the authorization service acquiring a trust indicator for the first resource, and granting or denying authorization for the first resource to access the second resource as specified by the trust indicator, and wherein the authorization service generating an authorization ticket comprises the authorization service generating an authorization ticket only when authorization is granted.
  - 12. The method of claim 11, wherein the trust indicator specifies that a user is to grant authorization, the method further comprising providing the client with interface content enabling a user to grant or deny authorization.
  - 13. The method of claim 10, wherein the trust indicator specifies that the authorization service is to grant or deny authorization, the method further comprising the authorization service granting authorization.
  - 14. The method of claim 1, wherein presenting the authorization ticket comprises presenting data used to retrieve the authorization ticket, the method further comprising retrieving the authorization ticket using the data presented.

15. A computer readable medium having instructions for:
- receiving, from a client, a request to access a first resource;
  
  directing the client to an authorization service to request an authorization ticket;
  
  acquiring from the authorization service an authorization ticket following a request from the client; and
  
  requesting, on behalf of the first resource, access to the second resource presenting the acquired authorization ticket.
- View Dependent Claims (16, 17)
- - 16. The medium of claim 15, wherein the instructions for directing comprise acquiring an URL for the authorization service and directing the client to the URL.
  - 17. The medium of claim 15, wherein:
    - the instructions for directing comprise acquiring a first URL for the authorization service, modifying the first URL by adding a second URL for the first resource, and directing the client to the modified first URL; and
      
      the instructions for acquiring comprise instructions for receiving the authorization ticket from the client after the client has been directed by the authorization service back to the second URL.

18. A system for authorizing a first resource'"'"'s request to access a second resource, comprising:
- an authorization service operable to generate and provide an authorization ticket for accessing the second resource;
  
  a server for the first resource operable to receive, from a client, a request to access the first resource;
  
  a resource module for the first resource operable to direct the client to the authorization service to request an authorization ticket to enable the first resource to access the second resource, the resource module being further operable to acquire an authentication ticket generated by the authorization service following a request from the client and to request access to the second resource presenting an acquired authorization ticket; and
  
  a security module for the second resource operable to grant the first resource access to the second resource only upon verification that an authorization ticket presented by the resource module was generated by a trusted source.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The system of claim 18, wherein the authentication service is further operable to acquire and authenticate credentials before generating an authorization ticket.
  - 20. The system of claim 18, wherein the resource module is further operable to acquire an URL for the authorization service to direct the client to the authorization service by directing the client to the acquired URL.
  - 21. The system of claim 18, wherein the authentication service is further operable to acquiring an URL for the first resource, to modify the acquired URL by adding the authorization ticket, and to direct the client to the modified URL, and wherein the resource module is operable to acquire the authorization ticket from the modified URL.
  - 22. The system of claim 18, wherein the resource module is further operable to acquire an URL for the authorization service, to modify the URL by adding data for locating and accessing the first resource, and to direct the client to the modified URL, and wherein the authorization service is further operable to present a generated authorization ticket to the first resource using the data for locating and accessing the first resource.
  - 23. The system of claim 18, wherein the authorization service is further operable to acquire an URL for the first resource, to modifying the URL by adding data for locating and accessing the authorization ticket, and to direct the client to the modified URL, and wherein the resource module is operable to acquire the authorization ticket using the data added to the URL.
  - 24. The system of claim 18, wherein the authorization service is further operable to acquire an access indicator for the first resource and to generate an authorization ticket containing the access indicator, and wherein the security module is further operable to grant access according to the access indicator.
  - 25. The system of claim 18, wherein the authorization service is further operable to acquire a trust indicator for the first resource, to provide the client with interface content enabling a user to grant or deny authorization and where the trust indicator specifies that a user is to grant authorization, to grant authorization where the trust data specifies that the authorization service is to do so, and to generate an authorization ticket only after authorization has been granted.

26. A system for authorizing a first resource'"'"'s request to access a second resource, comprising:
- a means for generating and providing an authorization ticket for accessing the second resource;
  
  a means for receiving, from a client, a request to access the first resource;
  
  a means for directing the client to the means for generating an authorization ticket to request an authorization ticket to enable the first resource to access the second resource;
  
  a means for acquiring an authentication ticket generated following a request from the client;
  
  a means for requesting, on behalf of the first resource, access to the second resource presenting an acquired authorization ticket; and
  
  a means for granting the first resource access to the second resource only upon verification that a presented authorization ticket was generated by a trusted source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Foster, Ward S., Simpson, Shell
Primary Examiner(s)
Follansbee; John
Assistant Examiner(s)
Daftuar; Saket K

Application Number

US10/193,000
Publication Number

US 20040010603A1
Time in Patent Office

2,302 Days
Field of Search

709224-229, 726/2, 726 4- 5, 726/10, 713/182, 713200-202
US Class Current

709/229
CPC Class Codes

H04L 2463/081   applying self-generating cr...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

Secure resource access in a distributed environment

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Secure resource access in a distributed environment

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links