Secure data broker

US 7,620,980 B1
Filed: 07/21/1999
Issued: 11/17/2009
Est. Priority Date: 07/21/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a networked computing environment, a method of securing access to an information resource behind a security barrier, the method comprising:

predefining a request message specification corresponding to a structured request language including extensible markup language;

formatting an access request in accordance with the structured request language;

supplying the formatted access request to a first intermediary, the intermediary validating the formatted access request in accordance with the request message specification; and

forwarding the validated access request across the security barrier.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure data broker has been developed, which provides a restricted message based data exchange between a client application and a secured information resource by allowing registered or verified messages to be brokered across a security barrier. In some configurations, both requests and responses are validated and brokered across the security barrier. In other configuration, either requests or responses are validated. To support validation, messages are formatted in accordance with a predefined message specification for at least part of a transaction path between a client application and an information resource accessed by the client application.

49 Citations

View as Search Results

33 Claims

1. In a networked computing environment, a method of securing access to an information resource behind a security barrier, the method comprising:
- predefining a request message specification corresponding to a structured request language including extensible markup language;
  
  formatting an access request in accordance with the structured request language;
  
  supplying the formatted access request to a first intermediary, the intermediary validating the formatted access request in accordance with the request message specification; and
  
  forwarding the validated access request across the security barrier.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method as in claim 1, further comprising:
    - accessing the information resource in accordance with the validated access request.
  - 3. A method as in claim 1, further comprising:
    - receiving, at an application proxy, an access request targeting the information resource; and
      
      performing the access request formatting at the application proxy.
  - 4. A method as in claim 1, further comprising:
    - predefining a response message specification corresponding to a structured response language;
      
      formatting a response to the access request in accordance with the structured language;
      
      supplying the formatted response to a second intermediary, the second intermediary validating the formatted response in accordance with the response message specification; and
      
      forwarding a validated response across the security barrier.
  - 5. A method as in claim 4, further comprising:
    - accessing the information resource in accordance with an access request from a client; and
      
      supplying the client with a response in accordance with the validated response.

6. In a networked computing environment, a method of securing access to an information resource behind a security barrier, the method comprising:
- predefining a response message specification corresponding to a structured response language including extensible markup language;
  
  formatting a response to an access request targeting the information resource, the formatted response being in accordance with the structured response language;
  
  supplying the formatted response to an intermediary, the intermediary validating the formatted response in accordance with the response message specification; and
  
  forwarding a validated response across the security barrier.
- View Dependent Claims (7)
- - 7. A method as in claim 6, further comprising:
    - accessing the information resource in accordance with the access request from a client;
      
      supplying the client with a response in accordance with the validated response.

8. An information security system comprising:
- a security barrier;
  
  a proxy for an information resource, the proxy and the information resource on opposing first and second sides, respectively, of the security barrier;
  
  a data broker on the first side of the security barrier, wherein, in response to an access request targeting the information resource, the data broker validates a request message encoded in a structured request language including extensible markup language against a predefined request message specification therefor and forwards only validated request messages across the security barrier.
- View Dependent Claims (9, 10)
- - 9. An information security system as in claim 8, further comprising:
    - a second data broker on the second side of the security barrier, wherein, in response to an access targeting the information resource, the second data broker validates a response message against a predefined response message specification and forwards only validated response messages across the security barrier.
  - 10. An information security system as in claim 8, further comprising:
    - the information resource.

11. A computer program product encoded in computer readable media, the computer program product comprising:
- data broker code and parser code executable on a first network server separated from an information resource by a security barrier;
  
  the data broker code including instructions executable as a first instance thereof to receive access requests in a structured language including extensible markup language corresponding to a predefined request message specification and to forward validated ones of the access requests across the security barrier toward the information resource; and
  
  the parser code including instructions executable as a first instance thereof to validate the received access requests against the predefined request message specification.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer program product of claim 11, further comprising:
    - an encoding of the predefined request message specification.
  - 13. The computer program product of claim 11,wherein the data broker code and parser code are also executable on a second network server separated from a client application by the security barrier;
    - wherein the data broker code includes instructions executable as a second instance thereof to receive responses in a structured language corresponding to a predefined response message specification and to forward validated ones of the responses across the security barrier toward the client application; and
      
      wherein the parser code includes instructions executable as a second instance thereof to validate the received responses against the predefined response message specification.
  - 14. The computer program product of claim 13, further comprising:
    - an encoding of the predefined response message specification.
  - 15. The computer program product of claim 11, further comprising:
    - application proxy code including instructions executable to format the access requests in accordance with the structured language corresponding to the predefined request message specification.
  - 16. The computer program product of claim 11, encoded by or transmitted in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical, or electronic storage medium and a network, wireline, wireless or other communications medium.

17. A method of securing a data transaction across a security barrier, the method comprising:
- validating a request message encoded in a structured request language including extensible markup language against a predefined request message specification therefor;
  
  transmitting the validated request message across the security barrier;
  
  validating a response message encoded in a structured response language including extensible markup language against a predefined response message specification therefor, the response message corresponding to the validated request; and
  
  transmitting the validated response message across the security barrier.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 18. A method as in claim 17,wherein the request and the response message validatings are respectively performed at first and second secure data brokers on opposing sides of the security barrier;
    - andwherein the validated request and response message transmissions are between the first and second secure data brokers.
  - 19. A method as in claim 17,wherein the request message validating includes:
    - parsing the request message using Data Type Definitions (DTDs) encoding a hierarchy of valid tag-value pairs in accordance with syntax of a valid request message; and
      
      if the request message is not successfully parsed, forwarding a response message without transmission of the request message across the security barrier.
  - 20. A method as in claim 17,wherein the response message validating includes:
    - parsing the response message using Data Type Definitions (DTDs) encoding a hierarchy of tag-value pairs in accordance with syntax of a valid response message.
  - 21. A method as in claim 17,wherein the request and response message specifications are predefined in accordance with valid request and response message constraints specific to an information resource.
  - 22. A method as in claim 17,wherein at least one of the request and response message specifications is cryptographically secured.
  - 23. A method as in claim 17, further comprising:
    - receiving, at an application proxy, an access request targeting an information resource;
      
      formatting the request message in a structured language corresponding to the request message specification; and
      
      transmitting the formatted request message to a secure data broker for the request message validating.
  - 24. A method as in claim 17, further comprising:
    - formatting the response message in a structured language corresponding to the response message specification; and
      
      transmitting the formatted response message to a secure data broker for the response message validating.
  - 25. A method as in claim 17, further comprising:
    - accessing an information resource in accordance with the validated request message; and
      
      preparing the response message in accordance with the access.
  - 26. A method as in claim 25,wherein the response message is formatted in a structured language corresponding to the response message specification.
  - 27. A method as in claim 17,wherein at least one of the validated request message transmitting and the validated response message transmitting is via a secure protocol.
  - 28. A method as in claim 17,wherein at least one of the validated request message and the validated response message is encoded in a markup language.
  - 29. A method as in claim 17,wherein the security barrier includes a firewall.
  - 30. A method as in claim 17,wherein the security barrier includes a secure communication channel between servers.

31. In a networked information environment including a client and an information resource separated by a security barrier, an information security system comprising:
- means for proxying an access request by the client targeting the information resource and for preparing a request message corresponding to the access request in a structured language including extensible markup language corresponding to a predefined request message specification;
  
  means for validating the request message against the predefined request message specification and forwarding only validated request messages across the security barrier.
- View Dependent Claims (32, 33)
- - 32. An information security system as in claim 31, further comprising:
    - means for validating a response message against a predefined response message specification and forwarding only validated response messages across the security barrier.
  - 33. An information security system as in claim 31, further comprising the security barrier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Pratt, Thomas, Wood, David L., Norton, Derk, Shurygailo, Stan D., Dilger, Michael B.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Moorthy; Aravind K

Application Number

US09/357,726
Time in Patent Office

3,772 Days
Field of Search

713/201, 713/200, 713/151, 713/153, 713/168, 709/229, 709/230, 709/246, 726/11, 726/14, 715/239
US Class Current

726/14
CPC Class Codes

H04L 63/0245 Filtering by information in...

H04L 63/0281 Proxies

Secure data broker

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

49 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Secure data broker

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

49 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links