System and method for authenticating a subject
First Claim
1. A method for authenticating a subject based on authentication information, comprising the steps of:
providing a front-end application programming interface (API), a back-end service provider interface (SPI), and a configuration file, wherein a client application accesses authentication services via the front-end API, wherein a set of authentication providers write to the back-end SPI, and wherein the configuration file specifies one or more authentication providers to perform authentication for the client application;
receiving authentication information containing a user name and password associated with the subject by the client application;
initiating a stacked login sequence including the one or more authentication providers specified in the configuration file to authenticate said subject, each authentication provider having a control flag that indicates whether said authentication provider is one of: required, requisite, optional and sufficient in said stacked login sequence;
generating a callback handler containing the authentication information by said client application;
passing the callback handler to a remote method invocation (RMI) container of a server;
providing the callback handler by the RMI container to a security service framework of the server wherein the security service framework creates an internal callback handler for each authentication provider in the stacked login sequence and invokes said each authentication provider;
performing, by each said authentication provider, authentication of the subject based on the authentication information contained in the internal callback handler, wherein successful authentication of the subject results in creating a principal for the subject, the principal providing an identity for the subject that has been authenticated;
ensuring the authenticity of the principal between programmatic server invocations by signing the principal that has been created during successful authentication, wherein signing is performed by including an algorithm within a sign method or by having the sign method call out to the server for a token containing a key that is used to sign said principal, wherein an authentication code is determined for the principal that is a function of the principal and the key;
storing the principal that has been signed into the subject that has been authenticated;
reading said control flag of said authentication provider in order to determine whether to proceed with said stacked login sequence and invoke a next authentication provider in said stacked login sequence;
receiving a programmatic server invocation from the client application a period of time after the stacked login sequence completes; and
determining whether the principal was tampered with between a time of associating the principal with the subject and receiving the programmatic server invocation, wherein determining includes generating a second code and comparing the second code to the authentication code which was originally computed upon signing the principal, wherein a change to the principal is detected based on the signing.
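The sequence claimed above, as an added worked example that is not the patent's own code: a stacked login that evaluates the four control flags, then signs each resulting principal with a keyed authentication code and re-verifies it at a later server invocation. HMAC-SHA256 is assumed as the keyed function, and the provider names, user stores and key are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo: a provider is (name, control_flag, authenticate(user, pw) -> principal or None).
def stacked_login(providers, username, password):
    """Run the stack; return the list of principals, or None if login fails."""
    principals = []
    hard_failure = False  # set when a required/requisite provider fails
    for _name, flag, authenticate in providers:
        principal = authenticate(username, password)
        ok = principal is not None
        if ok:
            principals.append(principal)
        if flag == "requisite" and not ok:
            return None  # fail at once; remaining providers are not invoked
        if flag == "required" and not ok:
            hard_failure = True  # overall login fails, but the stack continues
        if flag == "sufficient" and ok and not hard_failure:
            break  # enough evidence; the remaining providers are skipped
        # "optional": its outcome alone never decides the overall result
    return None if hard_failure or not principals else principals

def sign_principal(principal, key):
    """Authentication code = function of principal and key (HMAC-SHA256 assumed)."""
    return hmac.new(key, principal.encode(), hashlib.sha256).digest()

def verify_principal(principal, key, code):
    """Later invocation: compute a second code and compare it to the stored one."""
    return hmac.compare_digest(sign_principal(principal, key), code)

# Constructed user stores behind two hypothetical providers.
_DIRECTORY_USERS = {"alice": "s3cret"}
_LOCAL_USERS = {"bob": "hunter2"}

def directory_provider(user, password):
    return f"dir:{user}" if _DIRECTORY_USERS.get(user) == password else None
def local_provider(user, password):
    return f"local:{user}" if _LOCAL_USERS.get(user) == password else None

# Configuration-file equivalent: provider order and control flags.
PROVIDERS = [("directory", "sufficient", directory_provider),
             ("local", "required", local_provider)]

def login_and_sign(username, password, key):
    """Claimed sequence: stacked login, then store each signed principal in the subject."""
    principals = stacked_login(PROVIDERS, username, password)
    if principals is None:
        return None
    return {p: sign_principal(p, key) for p in principals}  # the subject
```

Any later edit to a principal string, or a code produced under a different key, makes the recomputed second code differ and the check fail.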
Abstract
A method for adaptively authenticating a subject based on authentication information, comprising the steps of providing for the receipt of the authentication information; providing for the performance of Java Authentication and Authorization Service (JAAS) authentication of the subject based on the authentication information and wherein successful authentication of the subject results in the association of a principal with the subject; providing for the signing of the principal by determining an authentication code for the principal that is a function of the principal and a key.
25 Claims
11. A system comprising at least one processor and a computer readable storage medium having one or more sequences of instructions that are executed by the processor causing the processor to implement:
a front-end application programming interface (API), a back-end service provider interface (SPI), and a configuration file, wherein a client application accesses authentication services via the front-end API, wherein a set of authentication providers write to the back-end SPI, and wherein the configuration file specifies one or more authentication providers to perform authentication for the client application;
an authentication stack containing the set of authentication providers coupled to the framework, each authentication provider having a control flag that indicates whether said each authentication provider is at least one of: required, requisite, sufficient and optional in said authentication stack;
a remote method invocation (RMI) container of a server that receives a callback handler from a client application;
a security framework that receives the callback handler from the RMI container, creates an internal callback handler for each authentication provider in the stacked login sequence and invokes said each authentication provider;
a login module coupled to the authentication provider, the login module authenticating the subject based on authentication information contained in the internal callback handler, wherein the login module creates a principal for the subject if authentication of the subject is successful, the principal providing an identity for the subject that has been authenticated; and
a principal validator coupled to the authentication provider, wherein the principal validator ensures the authenticity of the principal between programmatic server invocations by signing the principal that has been created during successful authentication, wherein signing is performed by including an algorithm within a sign method or by having the sign method call out to the server for a token containing a key that is used to sign said principal, wherein an authentication code is determined for the principal that is a function of the principal and the key and wherein the signed principal is thereafter stored into the subject, embodied in a computer readable medium; and
wherein the server receives a programmatic server invocation from the client application a period of time after the stacked login sequence completes, and determines whether the principal has been altered between a time of associating the principal with the subject and receiving the programmatic server invocation, wherein determining includes generating a second code and comparing the second code to the authentication code previously computed during signing the principal, wherein a change to the principal is detected based on the signing.
18. A computer readable storage medium having instructions stored thereon that when executed by a processor cause a system to:
provide a front-end application programming interface (API), a back-end service provider interface (SPI), and a configuration file, wherein a client application accesses authentication services via the front-end API, and wherein a set of authentication providers write to the back-end SPI, and wherein the configuration file specifies one or more authentication providers to perform authentication for the client application;
receive authentication information containing a user name and password associated with the subject by the client application;
initiate a stacked login sequence including the one or more authentication providers specified in the configuration file to authenticate said subject, each authentication provider having a control flag that indicates whether said authentication provider is one of: required, requisite, optional and sufficient in said stacked login sequence;
generate a callback handler containing the authentication information by said client application;
provide the callback handler, by the RMI container, to a security service framework of the server wherein the security service framework creates an internal callback handler for each authentication provider in the stacked login sequence and invokes said each authentication provider;
perform authentication of the subject based on the authentication information contained in the internal callback handler, wherein successful authentication of the subject results in creating a principal for the subject, the principal providing an identity for the subject that has been authenticated;
ensure the authenticity of the principal between programmatic server invocations by signing the principal that has been created during successful authentication, wherein signing is performed by including an algorithm within a sign method or by having the sign method call out to the server for a token containing a key that is used to sign said principal, wherein an authentication code is determined for the principal that is a function of the principal and the key;
store the principal that has been signed into the subject that has been authenticated;
read said control flag of said authentication provider in order to determine whether to proceed with said stacked login sequence;
receive a programmatic server invocation from the client application a period of time after the stacked login sequence completes; and
determine whether the principal was tampered with between a time of associating the principal with the subject and receiving the programmatic server invocation, wherein determining includes generating a second code and comparing the second code to the authentication code which was originally computed upon signing the principal, wherein a change to the principal is detected based on the signing.