Method and data processing system for intercepting communication between a client and a service

US 8,024,785 B2
Filed: 01/05/2007
Issued: 09/20/2011
Est. Priority Date: 01/16/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of intercepting communication between a user and an application server, said method comprising:

an authentication component receiving, from a client system, a user request of a user logged into the client system, said user request being directed to the application server, said authentication component being disposed between the client system and a proxy;

after said authentication component receiving the user request, said authentication component authenticating the user through use of a directory service to which both the application server and the authentication component are directly connected, wherein a service provider infrastructure comprises the application server and the directory service;

after said authenticating the user through use of the directory service, said authentication component adding a user-specific token to the user request to generate a tokenized request comprising the user request and the token added thereto, said user-specific token comprising a unique user identifier that identifies the user uniquely;

said authentication component sending the tokenized request to the proxy;

said proxy receiving the tokenized request sent by the authentication component;

said proxy sending the tokenized request received from the authentication component to the application server via a HTTP server disposed between the proxy and the application server, wherein the directory service is configured to be used by the application server for authenticating the user;

after said sending the tokenized request from the proxy, said proxy receiving a response to the user request from the application server;

after said proxy receiving the response from the application server, said proxy forwarding the response to the authentication component;

said authentication component receiving the response sent by the proxy and subsequently sending the response to the client system;

said proxy invoking an interceptor plug-in plugged into the proxy for processing the tokenized request received by the proxy from the authentication component;

storing, in an interceptor manager, an interception control list comprising a plurality of unique user identifiers, said interceptor manager being external to and coupled to the interceptor plugin;

said interceptor manager sending the interception control list to the interceptor plug-in;

said interceptor plug-in receiving the interception control list sent by the interceptor manager;

loading, into the interceptor plug-in, the interception control list received by the interceptor plug-in from the interceptor manager;

after said loading the interception control list, said interceptor plug-in ascertaining that the unique user identifier in the tokenized request is present in the interception control list loaded into and accessible to the interceptor plug-in;

after said ascertaining, said interceptor plug-in sending the tokenized request to an interceptor manager; and

said interceptor manager storing the tokenized request;

said interceptor manager transferring the tokenized request to a network controlled by a law enforcement agency for further analysis by the law enforcement agency, said network being directly connected to the interceptor manager and external to the service provider infrastructure.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and data processing system for intercepting communication between a user and a service. An authentication component receives, from the user, a user request directed to the service. The authentication component adds a user-specific token to the user request to generate a tokenized request. The tokenized request includes the user request and the token. The token includes a unique user identifier that identifies the user. The authentication component sends the tokenized request to a proxy. The proxy sends the tokenized request to the service. The proxy invokes an interceptor plug-in that is plugged into the proxy. The interceptor plug-in ascertains that the unique user identifier in the tokenized request is present in an interception control list of unique user identifiers. The interception control list is accessible to the interceptor plug-in. The interceptor plug-in sends the tokenized request to an interceptor manager who stores the tokenized request.

Citations

15 Claims

1. A method of intercepting communication between a user and an application server, said method comprising:
- an authentication component receiving, from a client system, a user request of a user logged into the client system, said user request being directed to the application server, said authentication component being disposed between the client system and a proxy;
  
  after said authentication component receiving the user request, said authentication component authenticating the user through use of a directory service to which both the application server and the authentication component are directly connected, wherein a service provider infrastructure comprises the application server and the directory service;
  
  after said authenticating the user through use of the directory service, said authentication component adding a user-specific token to the user request to generate a tokenized request comprising the user request and the token added thereto, said user-specific token comprising a unique user identifier that identifies the user uniquely;
  
  said authentication component sending the tokenized request to the proxy;
  
  said proxy receiving the tokenized request sent by the authentication component;
  
  said proxy sending the tokenized request received from the authentication component to the application server via a HTTP server disposed between the proxy and the application server, wherein the directory service is configured to be used by the application server for authenticating the user;
  
  after said sending the tokenized request from the proxy, said proxy receiving a response to the user request from the application server;
  
  after said proxy receiving the response from the application server, said proxy forwarding the response to the authentication component;
  
  said authentication component receiving the response sent by the proxy and subsequently sending the response to the client system;
  
  said proxy invoking an interceptor plug-in plugged into the proxy for processing the tokenized request received by the proxy from the authentication component;
  
  storing, in an interceptor manager, an interception control list comprising a plurality of unique user identifiers, said interceptor manager being external to and coupled to the interceptor plugin;
  
  said interceptor manager sending the interception control list to the interceptor plug-in;
  
  said interceptor plug-in receiving the interception control list sent by the interceptor manager;
  
  loading, into the interceptor plug-in, the interception control list received by the interceptor plug-in from the interceptor manager;
  
  after said loading the interception control list, said interceptor plug-in ascertaining that the unique user identifier in the tokenized request is present in the interception control list loaded into and accessible to the interceptor plug-in;
  
  after said ascertaining, said interceptor plug-in sending the tokenized request to an interceptor manager; and
  
  said interceptor manager storing the tokenized request;
  
  said interceptor manager transferring the tokenized request to a network controlled by a law enforcement agency for further analysis by the law enforcement agency, said network being directly connected to the interceptor manager and external to the service provider infrastructure.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein said interceptor manager storing the tokenized request comprises said interceptor manager storing the tokenized request via a message queue disposed between the interceptor plug-in and the interceptor manager.
  - 3. The method of claim 1, wherein said storing the tokenized request comprises storing the tokenized request in an encrypted way.
  - 4. The method of claim 1, wherein the method further comprises said interceptor plug-in storing the tokenized request in a transient memory of the interceptor plug-in.
  - 5. The method of claim 1, wherein the method further comprises said interceptor plug-in storing the tokenized request in a cache of the interceptor plug-in.
  - 6. The method of claim 1, wherein said storing the interception control list in the interceptor manager comprises storing the interception control list in the interceptor manager in an unencrypted way.
  - 7. The method of claim 1, wherein said storing the interception control list in the interceptor manager comprises storing the interception control list in the interceptor manager in an encrypted way.
  - 8. The method of claim 1, wherein the method further comprises:
    - said proxy invoking the interceptor plug-in for processing the response; and
      
      said interceptor plug-in determining that the response relates to the user request.
  - 9. The method of claim 8, wherein the method further comprises storing the response in a transient memory of the interceptor plug-in in an unencrypted way.
  - 10. The method of claim 8, wherein the method further comprises storing the response in the transient memory of the interceptor plug-in in an encrypted way.
  - 11. The method of claim 8, wherein the method further comprises said proxy sending the response to the interceptor manager.
  - 12. The method of claim 11, wherein the method further comprises storing the response in the interceptor manager.
  - 13. The method of claim 11, wherein the method further comprises said interceptor manager sending the response to the law enforcement agency.
  - 14. A computer program product comprising computer executable instructions stored in a tangible, non-transitory computer readable medium of a data processing system, wherein said instructions are configured to be executed by the data processing system to perform the method of claim 1.
  - 15. A data processing system comprising a tangible, non-transitory computer readable medium on which computer executable instructions are stored, wherein said instructions are configured to be executed to perform the method of claim 1, said data processing system further comprising the authentication component, the proxy, and the interceptor manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
von Kulessa, Thomas, Andress, Jiri, Heine, Stefan
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
LAUZON, THOMAS C

Application Number

US11/620,218
Publication Number

US 20070174469A1
Time in Patent Office

1,719 Days
Field of Search

None
US Class Current

726/12
CPC Class Codes

H04L 63/08 for authentication of entit...

H04L 63/0884 by delegation of authentica...

Method and data processing system for intercepting communication between a client and a service

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and data processing system for intercepting communication between a client and a service

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links