Transaction authorization

US 8,250,627 B2
Filed: 07/28/2008
Issued: 08/21/2012
Est. Priority Date: 07/28/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for transaction authorization within a security service, the computer-implemented method comprising:

receiving a request, by a reverse proxy server, from a requestor for an authorized transaction of an application;

presenting the requestor to a confirmation page of the application;

submitting a confirmed transaction request to the application;

intercepting by a computer the confirmed transaction request by the security service, wherein a transaction identifier is cached to form a cached transaction identifier;

requesting by the computer the requestor to authenticate to form an authentication request;

placing the cached transaction identifier into the authentication request;

determining by the computer whether the requestor was authenticated;

responsive to a determination the requestor authenticated, receiving authentication information-comprising an associated transaction identifier;

determining whether the cached transaction identifier is equivalent to the authentication information; and

responsive to a determination that the cached transaction identifier is equivalent to authentication information, passing the request with the cached transaction identifier in the request to an application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment provides a computer-implemented method for transaction authorization within a security service. The computer-implemented method intercepts a request by a security service, wherein a transaction identifier is cached to form a cached transaction identifier, and requests the requester to authenticate to form an authentication request. The computer-implemented method further determines whether the requester was authenticated, and responsive to a determination the requester was authenticated, receives authentication information, including an associated transaction identifier. The request is intercepted and the cached transaction identifier inserted. The computer-implemented method further determines whether the cached transaction identifier is equivalent to the authentication information, including an associated transaction identifier, and responsive to a determination that the cached transaction identifier is equivalent to authentication information, including an associated transaction identifier, passes the request to the application.

11 Citations

View as Search Results

19 Claims

1. A computer-implemented method for transaction authorization within a security service, the computer-implemented method comprising:
- receiving a request, by a reverse proxy server, from a requestor for an authorized transaction of an application;
  
  presenting the requestor to a confirmation page of the application;
  
  submitting a confirmed transaction request to the application;
  
  intercepting by a computer the confirmed transaction request by the security service, wherein a transaction identifier is cached to form a cached transaction identifier;
  
  requesting by the computer the requestor to authenticate to form an authentication request;
  
  placing the cached transaction identifier into the authentication request;
  
  determining by the computer whether the requestor was authenticated;
  
  responsive to a determination the requestor authenticated, receiving authentication information-comprising an associated transaction identifier;
  
  determining whether the cached transaction identifier is equivalent to the authentication information; and
  
  responsive to a determination that the cached transaction identifier is equivalent to authentication information, passing the request with the cached transaction identifier in the request to an application.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented method of claim 1, wherein responsive to a determination the requestor authenticated further comprises:
    - inserting the cached transaction identifier in the request.
  - 3. The computer-implemented method of claim 1, wherein responsive to a determination the requestor is not authenticated, raising an authentication error, and notifying the requestor;
    - and wherein responsive to a determination that the cached transaction identifier is not equivalent to authenticated session information of the requestor, raising an invalid transaction identifier error, and notifying the requestor.
  - 4. The computer-implemented method of claim 1, wherein inserting the cached transaction identifier in the request further comprises one of:
    - intercepting the request, inserting the cached transaction identifier into the request, forwarding of the request to the application by one of a reverse proxy server and a web server security plug-in; and
      
      redirecting the request to the application, intercepting the request, inserting the cached transaction identifier into the request; and
      
      forwarding of the request to the application by the security service.
  - 5. The method of claim 1, wherein the request is associated with a transaction having the transaction identifier in a user session, and further comprising:
    - responsive to the start of a subsequent transaction in the user session, said subsequent transaction causing any request using the cached transaction identifier to fail; and
      
      responsive to the attempted use of the cached transaction identifier failing, authenticating the subsequent transaction without use of the cached transaction identifier.
  - 6. The method of claim 1, wherein the reverse proxy server comprises a security plug-in in a web server implementing a security service.

7. A data processing system for transaction authorization within a security service, the data processing system comprising:
- a bus;
  
  a memory connected to the bus, the memory comprising computer-executable instructions therein;
  
  a communications unit connected to the bus;
  
  a processor unit connected to the bus, wherein the processor unit executes the computer-executable instructions to direct the data processing system to;
  
  receive a request, by a reverse proxy server, from a requestor for an authorized transaction of the application;
  
  present the requestor to a confirmation page of the application;
  
  submit a confirmed transaction request to the application;
  
  intercept the request by the security service, wherein a transaction identifier is cached to form a cached transaction identifier;
  
  request the requestor to authenticate to form an authentication request;
  
  place the cached transaction identifier into the authentication request;
  
  determine whether a requestor was authenticated;
  
  responsive to a determination the requestor authenticated, receive authentication information comprising an associated transaction identifier;
  
  determine whether the cached transaction identifier is equivalent to the authentication information; and
  
  responsive to a determination that the cached transaction identifier is equivalent to the authentication information, pass the request with the cached transaction identifier in the request to an application.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The data processing system of claim 7, wherein the processor unit further executes the computer-executable instructions to direct the data processing system to be responsive to a determination the requestor authenticated further comprises:
    - insert the cached transaction identifier in the request.
  - 9. The data processing system of claim 7, wherein the processor unit further executes the computer-executable instructions to direct the data processing system to be responsive to a determination the requestor is not authenticated, raise an authentication error, and notify the requestor;
    - and wherein the processor unit executes the computer-executable instructions to direct the data processing system to be responsive to a determination that the cached transaction identifier is not equivalent to authenticated session information of the requestor further comprises raise an invalid transaction identifier error, and notify the requestor.
  - 10. The data processing system of claim 7, wherein the processor unit executes the computer-executable instructions to direct the data processing system to insert the cached transaction identifier in the request further comprises one of:
    - intercept the request, insert the cached transaction identifier into the request, forward the request to the application by one of a reverse proxy server and a web server security plug-in; and
      
      redirect the request to the application, intercepting the request, inserting the cached transaction identifier into the request; and
      
      forward the request to the application by the security server.
  - 11. The data processing system of claim 7, wherein the request is associated with a transaction having the transaction identifier in a user session, and wherein the processor unit further executes the computer-executable instructions to direct the data processing system to:
    - responsive to the start of a subsequent transaction in the user session, said subsequent transaction causes any request using the cached transaction identifier to fail; and
      
      responsive to the attempted use of the cached transaction identifier failing, authenticate the subsequent transaction without use of the cached transaction identifier.
  - 12. The data processing system of claim 7, wherein the reverse proxy server comprises a security plug-in in a web server implementing a security service.

13. A computer program product for transaction authorization within a security service, the computer program product comprising one or more computer-readable tangible storage devices:
- computer-executable instructions, stored on at least one of the one or more storage devices, for receiving the request by a reverse proxy server from a requestor for an authorized transaction of the application computer-executable instructions, stored on at least one of the one or more storage devices, for presenting the requestor to a confirmation page of the application;
  
  computer-executable instructions, stored on at least one of the one or more storage devices, for submitting a confirmed transaction request to the application;
  
  computer-executable instructions, stored on at least one of the one or more storage devices, for intercepting a request by the security service, wherein a transaction identifier is cached to form a cached transaction identifier;
  
  computer-executable instructions, stored on at least one of the one or more storage devices, for requesting a requestor to authenticate to form an authentication request;
  
  computer-executable instructions, stored on at least one of the one or more storage devices, for placing the cached transaction identifier into the authentication request;
  
  computer-executable instructions, stored on at least one of the one or more storage devices, for determining whether the requestor was authenticated;
  
  computer-executable instructions, stored on at least one of the one or more storage devices, responsive to a determination the requestor authenticated, for receiving authentication information comprising an associated transaction identifier;
  
  computer-executable instructions, stored on at least one of the one or more storage devices, for determining whether the cached transaction identifier is equivalent to the authentication information; and
  
  computer-executable instructions, stored on at least one of the one or more storage devices, responsive to a determination that the cached transaction identifier is equivalent to the authentication information, for passing the request with the cached transaction identifier in the request to an application.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer program product of claim 13, wherein computer-executable instructions responsive to a determination the requestor authenticated further comprises:
    - computer-executable instructions, stored on at least one of the one or more storage devices, for inserting the cached transaction identifier in the request.
  - 15. The computer program product of claim 13, wherein computer-executable instructions responsive to a determination the requestor is not authenticated further comprise computer-executable instructions, stored on at least one of the one or more storage devices, for raising an authentication error, andcomputer-executable instructions, stored on at least one of the one or more storage devices, for notifying the requestor;
    - and computer-executable instructions for raising an invalid transaction identifier error; and
      
      computer-executable instructions for notifying the requestor.
  - 16. The computer program product of claim 13, wherein computer-executable instructions for inserting the cached transaction identifier in the request further comprises computer-executable instructions for one of:
    - computer-executable instructions, stored on at least one of the one or more storage devices, for intercepting the request, inserting the cached transaction identifier into the request, forwarding of the request to the application by one of a reverse proxy server and a web server security plug-in; and
      
      computer-executable instructions, stored on at least one of the one or more storage devices for redirecting the request to the application, intercepting the request, inserting the cached transaction identifier into the request; and
      
      forwarding of the request to the application by the security server.
  - 17. The computer program product of claim 13, wherein the request is associated with a transaction having the transaction identifier in a user session, and further comprising:
    - computer-executable instructions, stored on at least one of the one or more storage devices, responsive to the start of a subsequent transaction in the user session, said subsequent transaction causing any request using the cached transaction identifier to fail; and
      
      computer-executable instructions, stored on at least one of the one or more storage devices, responsive to the attempted use of the cached transaction identifier failing, for authenticating the subsequent transaction without use of the cached transaction identifier.

18. An apparatus for transaction authorization within a security service, the apparatus comprising:
- a reverse proxy server, for receiving requests from a requestor for a transaction, the reverse proxy server comprising a security plug-in in a web server implementing a security service;
  
  an authentication service in communication with the reverse proxy server, wherein the authentication service authenticates a user;
  
  a security service in communication with the reverse proxy server, wherein the security service intercepts the request and redirects the request for authentication;
  
  an application in communication with the reverse proxy server, wherein the application generates and uses a transaction identifier; and
  
  a cache memory, in communication with the security service, that stores the transaction identifier, wherein the transaction identifier is used by the security service and authentication service to authenticate the requestor and the transaction,wherein the application places a cached transaction identifier into the authentication request.
- View Dependent Claims (19)
- - 19. The apparatus of claim 18, wherein the apparatus is a data processing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Exton, Scott Anthony, Harmon, Benjamin Brewer, Hockings, Christopher John, Jensen, Paul William
Primary Examiner(s)
Reza, Mohammad W

Application Number

US12/180,903
Publication Number

US 20100023454A1
Time in Patent Office

1,485 Days
Field of Search

726/2, 726/9, 726/10, 726/12, 726/20, 713/153, 713/159, 713/181
US Class Current

726/2
CPC Class Codes

G06F 21/31   User authentication

G06Q 20/10   specially adapted for elect...

G06Q 20/382   insuring higher security of...

G06Q 20/40   Authorisation, e.g. identif...

H04L 2463/102   applying security measure f...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/10   for controlling access to d...

Transaction authorization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Transaction authorization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links