Single system user identity

US 7,552,222 B2
Filed: 08/05/2002
Issued: 06/23/2009
Est. Priority Date: 10/18/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for validating a user on an application server, comprising:

receiving a request for access from an external user with an external user identity at an access point of an application on an application server, wherein an internal user identity is configured to provide access to resources at the application server for users with that internal user identity;

authenticating the external user based at least on user credentials associated with the external user in response to the request for access;

upon successful authentication, switching the identity of the external user to the internal user identity for the application by pushing internal user information on a user stack for the external user, so that the internal user identity governs access to resources at the application server for the external user, wherein switching the identity of the external user to the internal user identity includes adding internal user context information to the external user identity;

upon the external user exiting the application server, popping the internal user information from the user stack, so that the external user is switched back to the external user identity; and

providing, by the internal user identity, to the external user, a higher level of privilege in the application server, that is unavailable for the external user as the external user identity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When an external user such as a trading partner makes a request into an access point of an application on an application server, that external user can be authenticated as a valid user on the system. The identity of the external user can then be switched to an internal system user identity, such as by pushing new user information on the user stack or by adding internal user context. This internal system user identity allows the user to access resources and applications on the application server that are not available to an external user. The use of this single internal system user identity allows for a single login process that can be used for all resources and applications on the server. The use of an internal user also prevents an external user from accessing those resources unless the user is first authenticated through a proper entry point.

Citations

19 Claims

1. A method for validating a user on an application server, comprising:
- receiving a request for access from an external user with an external user identity at an access point of an application on an application server, wherein an internal user identity is configured to provide access to resources at the application server for users with that internal user identity;
  
  authenticating the external user based at least on user credentials associated with the external user in response to the request for access;
  
  upon successful authentication, switching the identity of the external user to the internal user identity for the application by pushing internal user information on a user stack for the external user, so that the internal user identity governs access to resources at the application server for the external user, wherein switching the identity of the external user to the internal user identity includes adding internal user context information to the external user identity;
  
  upon the external user exiting the application server, popping the internal user information from the user stack, so that the external user is switched back to the external user identity; and
  
  providing, by the internal user identity, to the external user, a higher level of privilege in the application server, that is unavailable for the external user as the external user identity.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. A method according to claim 1, wherein:
    - authenticating the external user involves checking information for the user against user information in a database in communication with the application server.
  - 3. A method according to claim 1, further comprising:
    - limiting access for application resources to users with an internal user identity.
  - 4. A method according to claim 1, further comprising:
    - selecting a single internal user identity to be used to provide access for each application and resource on the application server.
  - 5. A method according to claim 1, further comprising:
    - allowing a user to access certain resources on the application server without switching the identity of the user.
  - 6. A method according to claim 1, wherein:
    - the identity of the external user is switched only after the user attempts access requiring an internal user identity.

7. A system embodied on computer readable storage medium comprising:
- an application server; and
  
  multiple applications on the application server, each of the multiple applications having an access point including a validation mechanism for validating an external user with an external user identity, the validation mechanism of an application on the application server switching the identity of a validated external user to an internal user identity after the external user is validated by pushing internal user information on a user stack for the external user, so that the internal user identity governs access to resources at the application server for the external user, wherein switching the identity of the external user to the internal user identity includes adding internal user context information to the external user identity, and upon the external user exiting the application server, popping the internal user information from the user stack, so that the external user is switched back to the external user identity;
  
  wherein the internal user identity is configured to provide access to resources at the application server for users with that internal user identity including a higher level of privilege in the application server that is unavailable for the external user as the external user identity.
- View Dependent Claims (8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 8. The system according to claim 7, wherein:
    - the multiple applications are integration applications.
  - 9. A system according to claim 7, further comprising:
    - at least one trading partner having permissions on the application server and the multiple applications running on the application server.
  - 10. The system according to claim 7, further comprising:
    - a database in communication with the application server for storing information related to any user of an application.
  - 11. The system according to claim 7, wherein:
    - the multiple applications running on the application server have access mechanisms that is a portal component.
  - 12. The system according to claim 7, further comprising:
    - application resources that are accessible only to a user with an internal user identity.
  - 13. The system according to claim 7, wherein:
    - a single internal user identity is used for each of the multiple applications.
  - 14. The system according to claim 7, wherein:
    - each application of the multiple applications communicates with any other application running on the application server without re-validating the external user.
  - 15. The system according to claim 7, wherein:
    - at least one of the multiple applications has multiple access mechanisms.
  - 16. The system according to claim 7, wherein:
    - the multiple applications have access mechanisms selected from the group consisting of databases, queues, and administrative frameworks.
  - 17. The system according to claim 7, further comprising:
    - application resources accessed by an external user without the identity of the external user being switched.
  - 18. The system according to claim 7, wherein:
    - the validation mechanism switches the identity of a validated user only after the user attempts access requiring an internal user identity.

19. A method for validating a user on an application server, comprising:
- receiving a request for access from an external user with an external user identity at an access point of an application on an application server, wherein an internal user identity is configured to provide access to resources at the application server for users with that internal user identity;
  
  authenticating the external user based at least on user credentials associated with the external user in response to the request for access;
  
  upon successful authentication, switching the identity of the external user to the internal user identity for the application by pushing internal user information on a user stack for the external user, so that the internal user identity governs access to resources at the application server for the external user, wherein switching the identity of the external user to the internal user identity includes adding internal user context information to the external user identity,;
  
  forwarding the request for access to a second application on the application server, wherein the internal user identity allows the external user access to the second application without needing a separate valid username and password for the second applicationupon the external user exiting the application server, popping the internal user information from the user stack, so that the external user is switched back to the external user identity; and
  
  providing, by the internal user identity, to the external user, a higher level of privilege in the application server, that is unavailable for the external user as the external user identity;
  
  wherein configuring access rights for the internal user identity also modifies access to those resources as subsequently provided to each user switched to the internal user identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Dalal, Sanjay, Garimella, Sandilya
Primary Examiner(s)
BOUTAH, ALINA A

Application Number

US10/212,303
Publication Number

US 20030079029A1
Time in Patent Office

2,514 Days
Field of Search

709/229, 709/219, 709/216, 709/225, 726/15, 726/26, 726/150, 707/8, 719/314, 717/120
US Class Current

709/229
CPC Class Codes

G06F 21/31   User authentication

G06F 21/41   where a single sign-on prov...

G06F 2221/2115   Third party

G06Q 10/06   Resources, workflows, human...

H04L 63/102   Entity profiles

Y10S 707/99939   Privileged access

Single system user identity

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Single system user identity

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links