Transport-level web application security on a resource-constrained device

US 8,245,285 B1
Filed: 09/22/2006
Issued: 08/14/2012
Est. Priority Date: 09/22/2006
Status: Active Grant

First Claim

Patent Images

1. A method, implemented in a resource-constrained device, comprising:

providing, at the resource-constrained device, an application container which includes a plurality of server applications executing therein, wherein each server applicationexecutes within its own application context,is capable of conducting transactions with client applications executing on a remote device, andincludes within its application context one or more security tokens specific to that server application, for use by the client applications with that server application;

providing one or more application firewalls, which restrict the application context and the security tokens specific to each server application from use by others of the server applications;

providing a physical interconnect layer which is configured to allow the client applications to make requests to the server applications within the application container;

during deployment of each server application to the resource-constrained device,dynamically allocating a secure port and a virtual host associated with that server application, which receives requests directed to that server application, andadding an application-context root uniform resource identifier and an identifier for the newly allocated port to a redirection map;

providing a secure port redirector within the application container and coupled to a default port which receives the requests via the physical interconnect layer, wherein the secure port redirectorlistens on the default port for an incoming request directed to a particular server application,determines, using the redirection map, the secure port associated with the virtual host for that particular server application, andrebuilds the incoming request to form a rebuilt request that includes an identifier for the secure port associated with the virtual host for that particular server application;

receiving, at a security layer which executes within the application contexts of the server applications, a rebuilt request, from the client application executing on the client device, directed to the particular server application; and

using the security tokens that are specific to the particular server application toauthenticate the client application that initially sent the request, andestablish an application-specific secure connection between the client application and the server application for conducting a transaction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is provided to facilitate secure communications for a server-application executing on a resource-constrained device. A request, from a client application executing on a client device to access a server application executing on the resource-constrained device is received on an application-specific secure port of a resource-constrained device. The request is authenticated using a security token stored in an application context of the server application. The authentication is performed by a transport security layer protocol executing within the application context of the server application. The security token is specific for the server application. A secure connection is established directly between the secure port and the client application upon the authentication being successful.

92 Citations

View as Search Results

19 Claims

1. A method, implemented in a resource-constrained device, comprising:
- providing, at the resource-constrained device, an application container which includes a plurality of server applications executing therein, wherein each server applicationexecutes within its own application context,is capable of conducting transactions with client applications executing on a remote device, andincludes within its application context one or more security tokens specific to that server application, for use by the client applications with that server application;
  
  providing one or more application firewalls, which restrict the application context and the security tokens specific to each server application from use by others of the server applications;
  
  providing a physical interconnect layer which is configured to allow the client applications to make requests to the server applications within the application container;
  
  during deployment of each server application to the resource-constrained device,dynamically allocating a secure port and a virtual host associated with that server application, which receives requests directed to that server application, andadding an application-context root uniform resource identifier and an identifier for the newly allocated port to a redirection map;
  
  providing a secure port redirector within the application container and coupled to a default port which receives the requests via the physical interconnect layer, wherein the secure port redirectorlistens on the default port for an incoming request directed to a particular server application,determines, using the redirection map, the secure port associated with the virtual host for that particular server application, andrebuilds the incoming request to form a rebuilt request that includes an identifier for the secure port associated with the virtual host for that particular server application;
  
  receiving, at a security layer which executes within the application contexts of the server applications, a rebuilt request, from the client application executing on the client device, directed to the particular server application; and
  
  using the security tokens that are specific to the particular server application toauthenticate the client application that initially sent the request, andestablish an application-specific secure connection between the client application and the server application for conducting a transaction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 18)
- - 2. The method of claim 1 further comprising:
    - allocating dynamically to each of the server applications an application-specific secure port upon deployment of that server application on the resource-constrained device, such that a same application deployed on different resource-constrained devices can be associated with a different application-specific secure port on each of the different resource-constrained devices.
  - 3. The method of claim 2 further comprising:
    - for each of the server applications, spawning a new port listener, wherein the new port listener listens on the application-specific secure port for that server application.
  - 4. The method of claim 1 further comprising:
    - redirecting said executing client application to said secure-application specific port.
  - 5. The method of claim 1 further comprising:
    - wherein the secure port director determines the secure port by accessing the redirection map on said resource-constrained device, in response to receiving a Hypertext Transfer Protocol (HTTP) request by said executing client application, and looking up a secure port as indicated by a uniform resource locator (URL) of the request.
  - 6. The method of claim 1 wherein said transport security layer is a secure sockets layer.
  - 7. The method of claim 1 further comprising:
    - deploying an application bundle onto the resource-constrained device.
  - 8. The computer-implemented method of claim 7, wherein the application bundle comprises:
    - the server application;
      
      at least one trusted client public key certificate for deployment in the application context of the server application; and
      
      a private key for said server application wherein said security token includes at least said private key.
  - 18. The method of claim 2, wherein upon deployment of that server applications on the resource-constrained device, each of the server applications are allocated a unique application-specific secure port.

9. A resource-constrained device, comprising:
- an application container, which includes a plurality of server applications executing therein, wherein each server applicationexecutes within its own application context,is capable of conducting transactions with client applications executing on a remote device, andincludes within its application context one or more security tokens specific to that server application, for use by the client applications with that server application;
  
  one or more application firewalls, which restrict the application context and the security tokens specific to each server application from use by others of the server applications;
  
  a plurality of virtual hosts, wherein, during deployment of each server application to the resource-constrained device, the resource-constrained device dynamically allocates a secure port and a virtual host associated with that server application, which receives requests directed to that server application, and adds an application-context root uniform resource identifier and an identifier for the newly allocated port to a redirection map;
  
  a physical interconnect layer which is configured to allow the client applications to make requests to the server applications within the application container;
  
  a secure port redirector provided within the application container and coupled to a default port which receives the requests via the physical interconnect layer, wherein the secure port redirectorlistens on the default port for an incoming request directed to a particular server application,determines, using the redirection map, the secure port associated with the virtual host for that particular server application, andrebuilds the incoming request to form a rebuilt request that includes an identifier for the secure port associated with the virtual host for that particular server application; and
  
  a security layer which executes within the application contexts of the server applications, wherein upon receiving a rebuilt request directed to a particular server application, the security layer uses the security tokens that are specific to the particular server application toauthenticate the client application that initially sent the request, andestablish an application-specific secure connection between the client application and the server application for conducting the transaction.
- View Dependent Claims (10, 11, 12, 13, 16, 17)
- - 10. The resource-constrained device of claim 9 further comprising:
    - a trust store object in said application context, wherein the trust store object includes a security token for said client application and further wherein said security token is used in said authentication.
  - 11. The resource-constrained device of claim 9 further comprising:
    - a key store object in said application context, wherein the key store object includes said security token for said server application.
  - 12. The resource-constrained device of claim 9 further comprising:
    - a redirection map, coupled to said secure port redirector, comprising at least one entry including;
      
      an application identifier identifying the server application; and
      
      a port identified identifying the application-specific secure port.
  - 13. The resource-constrained device of claim 10 further comprising:
    - a virtual host listening on said secure port.
  - 16. The resource-constrained device of claim 9, wherein the device allocates dynamically to each of the server applications an application-specific secure port upon deployment of that server application on the resource-constrained device.
  - 17. The resource-constrained device of claim 16, wherein upon deployment of the server applications on the resource-constrained device, each of the server applications are allocated a unique application-specific secure port.

14. A tangible computer product having stored thereon computer-readable instructions, which when executed by a resource-constrained device generates a method comprising:
- providing, at the resource-constrained device, an application container which includes a plurality of server applications executing therein, wherein each server applicationexecutes within its own application context,is capable of conducting transactions with client applications executing on a remote device, andincludes within its application context one or more security tokens specific to that server application, for use by the client applications with that server application;
  
  providing one or more application firewalls, which restrict the application context and the security tokens specific to each server application from use by others of the server applications;
  
  providing a physical interconnect layer which is configured to allow the client applications to make requests to the server applications within the application container;
  
  during deployment of each server application to the resource-constrained device,dynamically allocating a secure port and a virtual host associated with that server application, which receives requests directed to that server application, andadding an application-context root uniform resource identifier and an identifier for the newly allocated port to a redirection map;
  
  providing a secure port redirector within the application container and coupled to a default port which receives the requests via the physical interconnect layer, wherein the secure port redirectorlistens on the default port for an incoming request directed to a particular server application,determines, using the redirection map, the secure port associated with the virtual host for that particular server application, andrebuilds the incoming request to form a rebuilt request that includes an identifier for the secure port associated with the virtual host for that particular server application;
  
  receiving, at a security layer which executes within the application contexts of the server applications, a rebuilt request, from the client application executing on the client device, directed to the particular server application; and
  
  using the security tokens are specific to that the particular server application toauthenticate the client application that initially sent the request, andestablish an application-specific secure connection between the client application and the server application for conducting a transaction.
- View Dependent Claims (15, 19)
- - 15. The computer-program product of claim 14, wherein said method further comprises:
    - allocating dynamically to each of the server applications an application-specific secure port upon deployment of that server application on the resource-constrained device, such that a same application deployed on different resource-constrained devices can be associated with a different application-specific secure port on each of the different resource-constrained devices.
  - 19. The computer-program product of claim 14, wherein upon deployment of the server applications on the resource-constrained device, each of the server applications are allocated a unique application-specific secure port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
Ravishankar, Tanjore S., Violleau, Thierry, Hill, Matthew R.
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
Gregory, Shaun

Application Number

US11/525,978
Time in Patent Office

2,153 Days
Field of Search

709/203, 709/226, 709/229, 726 14- 15, 713/151, 713/152, 713/162, 713/171, 713/173
US Class Current

726/9
CPC Class Codes

G06F 21/77   in smart cards

H04L 63/02   for separating internal fro...

H04L 63/0442   wherein the sending and rec...

H04L 63/0853   using an additional device,...

H04L 67/02   based on web technology, e....

Transport-level web application security on a resource-constrained device

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Transport-level web application security on a resource-constrained device

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links