System and method for authenticating a subject

US 7,610,618 B2
Filed: 02/24/2003
Issued: 10/27/2009
Est. Priority Date: 02/24/2003
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a subject based on authentication information, comprising the steps of:

providing a front-end application programming interface (API), a back-end service provider interface (SPI), and a configuration file, wherein a client application accesses authentication services via the front-end API, wherein a set of authentication providers write to the back-end SPI, and wherein the configuration file specifies one or more authentication providers to perform authentication for the client application;

receiving authentication information containing a user name and password associated with the subject by the client application;

initiating a stacked login sequence including the one or more authentication providers specified in the configuration file to authenticate said subject, each authentication provider having a control flag that indicates whether said authentication provider is one of;

required, requisite, optional and sufficient in said stacked login sequence;

generating a callback handler containing the authentication information by said client application;

passing the callback handler to a remote method invocation (RMI) container of a server;

providing the callback handler by the RMI container to a security service framework of the server wherein the security service framework creates an internal callback handler for each authentication provider in the stacked login sequence and invokes said each authentication provider;

performing, by each said authentication provider, authentication of the subject based on the authentication information contained in the internal callback handler, wherein successful authentication of the subject results in creating a principal for the subject, the principal providing an identity for the subject that has been authenticated;

ensuring the authenticity of the principal between programmatic server invocations by signing the principal that has been created during successful authentication, wherein signing is performed by including an algorithm within a sign method or by having the sign method call out to the server for a token containing a keV that is used to sign said principal, wherein an authentication code is determined for the principal that is a function of the principal and the key;

storing the principal that has been signed into the subject that has been authenticated;

reading said control flag of said authentication provider in order to determine whether to proceed with said stacked login sequence and invoke a next authentication provider in said stacked login sequence;

receiving a programmatic server invocation from the client application a period of time after the stacked login sequence completes; and

determining whether the principal was tampered with between a time of associating the principal with the subject and receiving the programmatic server invocation, wherein determining includes generating a second code and comparing the second code to the authentication code which was originally computed upon signing the principal, wherein a change to the principal is detected based on the signing.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for adaptively authenticating a subject based on authentication information, comprising the steps of providing for the receipt of the authentication information; providing for the performance of Java Authentication and Authorization Service (JAAS) authentication of the subject based on the authentication information and wherein successful authentication of the subject results in the association of a principal with the subject; providing for the signing of the principal by determining an authentication code for the principal that is a function of the principal and a key.

Citations

25 Claims

1. A method for authenticating a subject based on authentication information, comprising the steps of:
- providing a front-end application programming interface (API), a back-end service provider interface (SPI), and a configuration file, wherein a client application accesses authentication services via the front-end API, wherein a set of authentication providers write to the back-end SPI, and wherein the configuration file specifies one or more authentication providers to perform authentication for the client application;
  
  receiving authentication information containing a user name and password associated with the subject by the client application;
  
  initiating a stacked login sequence including the one or more authentication providers specified in the configuration file to authenticate said subject, each authentication provider having a control flag that indicates whether said authentication provider is one of;
  
  required, requisite, optional and sufficient in said stacked login sequence;
  
  generating a callback handler containing the authentication information by said client application;
  
  passing the callback handler to a remote method invocation (RMI) container of a server;
  
  providing the callback handler by the RMI container to a security service framework of the server wherein the security service framework creates an internal callback handler for each authentication provider in the stacked login sequence and invokes said each authentication provider;
  
  performing, by each said authentication provider, authentication of the subject based on the authentication information contained in the internal callback handler, wherein successful authentication of the subject results in creating a principal for the subject, the principal providing an identity for the subject that has been authenticated;
  
  ensuring the authenticity of the principal between programmatic server invocations by signing the principal that has been created during successful authentication, wherein signing is performed by including an algorithm within a sign method or by having the sign method call out to the server for a token containing a keV that is used to sign said principal, wherein an authentication code is determined for the principal that is a function of the principal and the key;
  
  storing the principal that has been signed into the subject that has been authenticated;
  
  reading said control flag of said authentication provider in order to determine whether to proceed with said stacked login sequence and invoke a next authentication provider in said stacked login sequence;
  
  receiving a programmatic server invocation from the client application a period of time after the stacked login sequence completes; and
  
  determining whether the principal was tampered with between a time of associating the principal with the subject and receiving the programmatic server invocation, wherein determining includes generating a second code and comparing the second code to the authentication code which was originally computed upon signing the principal, wherein a change to the principal is detected based on the signing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein:
    - the authentication code is generated via a secret key authentication algorithm.
  - 3. The method of claim 1 wherein:
    - the authentication information is received from a client and wherein the subject is passed back to the client after storing the principal.
  - 4. The method of claim 1 wherein:
    - the step of performing authentication of the subject includes invoking one or more authentication mechanisms.
  - 5. The method of claim 1 wherein:
    - the step of performing authentication of the subject includes invoking one or more login modules.
  - 6. The method of claim 1 wherein:
    - the step of performing authentication of the subject is within the context of a security realm.
  - 7. The method of claim 1 wherein:
    - the authentication information further includes biometric data.
  - 8. The method of claim 7 wherein:
    - the biometric data can include includes at least one of (1) a finger print, (2) a voice print, (3) a retina scan, (4) an image, (5) a sound, (6) a sample of human deoxyribonucleic acid, (7) human saliva, and (8) human blood.
  - 9. The method of claim 1 wherein for each of said authentication providers, an internal server-side callback handler is generated, said callback handler containing the user name, password and uniform resource locator (URL) that was passed in.
  - 10. The method of claim 1 wherein the method implements management extensions architecture by exposing managed resources through one or more managed beans.

11. A system comprising at least one processor and a computer readable storage medium having one or more sequences of instructions that are executed by the processor causing the processor to implement:
- a front-end application programming interface (API), a back-end service provider interface (SPI), and a configuration file, wherein a client application accesses authentication services via the front-end API, wherein a set of authentication providers write to the back-end SPI, and wherein the configuration file specifies one or more authentication providers to perform authentication for the client application;
  
  an authentication stack containing the set of authentication providers coupled to the framework, each authentication provider having a control flag that indicates whether said each authentication provider is at least one of;
  
  required, requisite, sufficient and optional in said authentication stack;
  
  a remote method invocation (RMI) container of a server that receives a callback handler from a client application;
  
  a security framework that receives the callback handler from the RMI container, creates an internal callback handler for each authentication provider in the stacked login sequence and invokes said each authentication provider;
  
  login module coupled to the authentication provider, the login module authenticating the subject based on authentication information contained in the internal callback handler, wherein the login module creates a principal for the subject if authentication of the subject is successful, the principal providing an identity for the subject that has been authenticated; and
  
  a principal validator coupled to the authentication provider, wherein the principal validator ensures the authenticity of the principal between programmatic server invocations by signing the principal that has been created during successful authentication, wherein signing is performed by including an algorithm within a sign method or by having the sign method call out to the server for a token containing a key that is used to sign said principal, wherein an authentication code is determined for the principal that is a function of the principal and the key and wherein the signed principal is thereafter stored into the subject, embodied in a computer readable medium; and
  
  wherein the server receives a programmatic server invocation from the client application a period of time after the stacked login sequence completes, and determines whether the principal has been altered between a time of associating the principal with the subject and receiving the programmatic server invocation, wherein determining includes generating a second code and comparing the second code to the authentication code previously computed during signing the principal, wherein a change to the principal is detected based on the signing.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The system of claim 11 wherein:
    - the authentication code is generated via a secret key authentication algorithm.
  - 13. The system of claim 11 wherein:
    - the authentication information is received from a client and wherein the subject is passed back to the client after storing the principal.
  - 14. The system of claim 11 wherein:
    - more than one login modules are employed.
  - 15. The system of claim 11 wherein:
    - the login modules coupled with the authentication provider are within the context of a security realm.
  - 16. The system of claim 11 wherein:
    - the authentication information further includes biometric data.
  - 17. The system of claim 16 wherein:
    - the biometric data includes at least one of (1) a finger print, (2) a voice print, (3) a retina scan, (4) an image, (5) a sound, (6) a sample of human deoxyribonucleic acid, (7) human saliva, and (8) human blood.

18. A computer readable storage medium having instructions stored thereon that when executed by a processor cause a system to:
- provide a front-end application programming interface (API), a back-end service provider interface (SPI), and a configuration file, wherein a client application accesses authentication services via the front-end API, and wherein a set of authentication providers write to the back-end SPI, and wherein the configuration file specifies one or more authentication providers to perform authentication for the client application;
  
  receive authentication information containing a user name and password associated with the subject by the client application;
  
  initiate a stacked login sequence including the one or more authentication providers specified in the configuration file to authenticate said subject, each authentication provider having a control flag that indicates whether said authentication provider is one of;
  
  required, requisite, optional and sufficient in said stacked login sequence;
  
  generate a callback handler containing the authentication information by said client application;
  
  provide the callback handler, by the RMI container to a security service framework of the server wherein the security service framework creates an internal callback handler for each authentication provider in the stacked login sequence and invokes said each authentication provider;
  
  perform authentication of the subject based on the authentication information contained in the internal callback handler, wherein successful authentication of the subject results in creating a principal for the subject, the principal providing an identity for the subject that has been authenticated;
  
  ensure the authenticity of the principal between programmatic server invocations by signing the principal that has been created during successful authentication, wherein signing is performed by including an algorithm within a sign method or by having the sign method call out to the server for a token containing a key that is used to sign said principal, wherein an authentication code is determined for the principal that is a function of the principal and the key;
  
  store the principal that has been signed into the subject that has been authenticated;
  
  read said control flag of said authentication provider in order to determine whether to proceed with said stacked login sequence;
  
  receive a programmatic server invocation from the client application a period of time after the stacked login sequence completes; and
  
  determine whether the principal was tampered with between a time of associating the principal with the subject and receiving the programmatic server invocation, wherein determining includes generating a second code and comparing the second code to the authentication code which was originally computed upon signing the principal, wherein a change to the principal is detected based on the signing.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The computer readable storage medium of claim 18 wherein:
    - the authentication code is generated via a secret key authentication algorithm.
  - 20. The computer readable storage medium of claim 18 wherein:
    - the authentication information is received from a client and wherein the subject is passed back to the client after storing the principal.
  - 21. The computer readable storage medium of claim 18 wherein:
    - the authentication of the subject includes invoking one or more authentication mechanisms.
  - 22. The computer readable storage medium of claim 18 wherein:
    - the authentication of the subject includes invoking one or more login modules.
  - 23. The computer readable storage medium of claim 18 wherein:
    - the authentication of the subject is within the context of a security realm.
  - 24. The computer readable storage medium of claim 18 wherein:
    - the authentication information further includes biometric data.
  - 25. The computer readable storage medium of claim 24 wherein:
    - the biometric data includes at least one of (1) a finger print, (2) a voice print, (3) a retina scan, (4) an image, (5) a sound, (6) a sample of human deoxyribonucleic acid, (7) human saliva, and (8) human blood.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
BEA Systems Incorporated (Oracle Corporation)
Inventors
Patrick, Paul
Primary Examiner(s)
Dinh; Minh

Application Number

US10/373,533
Publication Number

US 20040168060A1
Time in Patent Office

2,437 Days
Field of Search

713168- 76, 713/181, 713/183, 713185- 6, 709/219, 709/227, 709/229
US Class Current

726/7
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/0861   using biometrical features,...

System and method for authenticating a subject

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for authenticating a subject

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links