Transport-level web application security on a resource-constrained device
Abstract
A system and method is provided to facilitate secure communications for a server-application executing on a resource-constrained device. A request, from a client application executing on a client device to access a server application executing on the resource-constrained device is received on an application-specific secure port of a resource-constrained device. The request is authenticated using a security token stored in an application context of the server application. The authentication is performed by a transport security layer protocol executing within the application context of the server application. The security token is specific for the server application. A secure connection is established directly between the secure port and the client application upon the authentication being successful.
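A minimal model of the deployment-time redirection map, the secure port redirector and the per-application token check described in claim 1 and the abstract; it is an added illustration, not code from the patent. The class and method names, the host name `device.local`, the port numbers, and the modelling of the security token as a random shared secret (the transport-layer handshake is not reproduced) are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass(frozen=True)
class AppContext:
    """Per-application state (hypothetical model of one application context)."""
    context_root: str                 # application-context root URI, e.g. "/wallet"
    virtual_host: str
    secure_port: int
    token: bytes = field(repr=False)  # keep the token out of logs and reprs

class Container:
    def __init__(self, default_port=443, first_secure_port=8443):
        self.default_port = default_port
        self._next_port = first_secure_port
        self._contexts = {}           # secure port -> AppContext
        self.redirection_map = {}     # context root URI -> secure port

    def deploy(self, context_root, host="device.local"):
        """At deployment: allocate a secure port and virtual host, update the map."""
        if context_root in self.redirection_map:
            raise ValueError("context root already deployed")
        port, self._next_port = self._next_port, self._next_port + 1
        vhost = f"{context_root.strip('/')}.{host}"
        ctx = AppContext(context_root, vhost, port, secrets.token_bytes(32))
        self._contexts[port] = ctx
        self.redirection_map[context_root] = port
        return ctx

    def rebuild(self, url):
        """Redirector: rewrite a default-port request to the app's secure port."""
        parts = urlsplit(url)
        suffix = parts.path + ("?" + parts.query if parts.query else "")
        # Match whole path segments so "/wallet" never captures "/wallet-admin".
        for root in sorted(self.redirection_map, key=len, reverse=True):
            if parts.path == root or parts.path.startswith(root + "/"):
                ctx = self._contexts[self.redirection_map[root]]
                return f"https://{ctx.virtual_host}:{ctx.secure_port}{suffix}"
        return None  # no deployed application owns this path

    def authenticate(self, secure_port, presented):
        """Security layer: compare only against the token of the app on this port."""
        ctx = self._contexts.get(secure_port)
        return ctx is not None and hmac.compare_digest(ctx.token, presented)
```

A token issued for one application is rejected on another application's secure port, which is the isolation property the application firewall is claimed to enforce.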
19 Claims
1. A method, implemented in a resource-constrained device, comprising:
- providing, at the resource-constrained device, an application container which includes a plurality of server applications executing therein, wherein each server application executes within its own application context, is capable of conducting transactions with client applications executing on a remote device, and includes within its application context one or more security tokens specific to that server application, for use by the client applications with that server application;
- providing one or more application firewalls, which restrict the application context and the security tokens specific to each server application from use by others of the server applications;
- providing a physical interconnect layer which is configured to allow the client applications to make requests to the server applications within the application container;
- during deployment of each server application to the resource-constrained device, dynamically allocating a secure port and a virtual host associated with that server application, which receives requests directed to that server application, and adding an application-context root uniform resource identifier and an identifier for the newly allocated port to a redirection map;
- providing a secure port redirector within the application container and coupled to a default port which receives the requests via the physical interconnect layer, wherein the secure port redirector listens on the default port for an incoming request directed to a particular server application, determines, using the redirection map, the secure port associated with the virtual host for that particular server application, and rebuilds the incoming request to form a rebuilt request that includes an identifier for the secure port associated with the virtual host for that particular server application;
- receiving, at a security layer which executes within the application contexts of the server applications, a rebuilt request, from the client application executing on the client device, directed to the particular server application; and
- using the security tokens that are specific to the particular server application to authenticate the client application that initially sent the request, and establish an application-specific secure connection between the client application and the server application for conducting a transaction.
Dependent claims (2, 3, 4, 5, 6, 7, 8, 18)
9. A resource-constrained device, comprising:
- an application container, which includes a plurality of server applications executing therein, wherein each server application executes within its own application context, is capable of conducting transactions with client applications executing on a remote device, and includes within its application context one or more security tokens specific to that server application, for use by the client applications with that server application;
- one or more application firewalls, which restrict the application context and the security tokens specific to each server application from use by others of the server applications;
- a plurality of virtual hosts, wherein, during deployment of each server application to the resource-constrained device, the resource-constrained device dynamically allocates a secure port and a virtual host associated with that server application, which receives requests directed to that server application, and adds an application-context root uniform resource identifier and an identifier for the newly allocated port to a redirection map;
- a physical interconnect layer which is configured to allow the client applications to make requests to the server applications within the application container;
- a secure port redirector provided within the application container and coupled to a default port which receives the requests via the physical interconnect layer, wherein the secure port redirector listens on the default port for an incoming request directed to a particular server application, determines, using the redirection map, the secure port associated with the virtual host for that particular server application, and rebuilds the incoming request to form a rebuilt request that includes an identifier for the secure port associated with the virtual host for that particular server application; and
- a security layer which executes within the application contexts of the server applications, wherein upon receiving a rebuilt request directed to a particular server application, the security layer uses the security tokens that are specific to the particular server application to authenticate the client application that initially sent the request, and establish an application-specific secure connection between the client application and the server application for conducting the transaction.
Dependent claims (10, 11, 12, 13, 16, 17)
14. A tangible computer product having stored thereon computer-readable instructions, which when executed by a resource-constrained device generates a method comprising:
- providing, at the resource-constrained device, an application container which includes a plurality of server applications executing therein, wherein each server application executes within its own application context, is capable of conducting transactions with client applications executing on a remote device, and includes within its application context one or more security tokens specific to that server application, for use by the client applications with that server application;
- providing one or more application firewalls, which restrict the application context and the security tokens specific to each server application from use by others of the server applications;
- providing a physical interconnect layer which is configured to allow the client applications to make requests to the server applications within the application container;
- during deployment of each server application to the resource-constrained device, dynamically allocating a secure port and a virtual host associated with that server application, which receives requests directed to that server application, and adding an application-context root uniform resource identifier and an identifier for the newly allocated port to a redirection map;
- providing a secure port redirector within the application container and coupled to a default port which receives the requests via the physical interconnect layer, wherein the secure port redirector listens on the default port for an incoming request directed to a particular server application, determines, using the redirection map, the secure port associated with the virtual host for that particular server application, and rebuilds the incoming request to form a rebuilt request that includes an identifier for the secure port associated with the virtual host for that particular server application;
- receiving, at a security layer which executes within the application contexts of the server applications, a rebuilt request, from the client application executing on the client device, directed to the particular server application; and
- using the security tokens that are specific to the particular server application to authenticate the client application that initially sent the request, and establish an application-specific secure connection between the client application and the server application for conducting a transaction.
Dependent claims (15, 19)
Specification