Web services security system and method
First Claim
1. A process comprising:
- receiving, at a server-side web service provider computing platform, a web service request for a particular web service, along with user identification credentials comprising an application identification ("ID") and password, from a web service subscribing application within a client-side computing platform, said web service request and said user identification credentials received into a service agent executing within the server-side web service provider computing platform;
determining by the service agent executing within the server-side web service provider computing platform whether said user identification credentials are cached in a cache in said service agent, and further, whether said user identification credentials are valid, and further, whether said user identification credentials are associated with the requested particular web service in said cache in said service agent;
in response to a determination that said user identification credentials are not cached in said service agent, communicating, by the service agent executing within the server-side web service provider computing platform, with a security gateway within a web service management platform that is separate from both said client-side computing platform and said server-side web service provider computing platform to authorize said subscribing application within said client-side computing platform to access said particular web service, said communicating being transparent to said client-side computing platform;
in response to the determination that said user identification credentials are cached in said service agent and are invalid, sending by the server-side web service provider computing platform a response to said web service subscribing application within said client-side computing platform with an error message; and
in response to the determination that said user identification credentials are cached in said service agent, are valid, and are associated with the requested particular web service in said cache in said service agent, passing by the service agent executing within the server-side web service provider computing platform said particular web service request received from said subscribing application to said web service to access said requested particular web service in said server-side web service provider computing platform in accordance with a service level agreement between a web service subscriber and a server-side provider to provide said particular web service to said web service subscribing application;
wherein said service agent executing within the server-side web service provider computing platform does not receive information about said security gateway along with said web service request received from said web service subscribing application.
Abstract
An exemplary method includes (1) receiving a web service request for a particular web service, along with user identification credentials, from a web service subscriber, the request and the credentials being received into a service agent of a web service publisher, (2) determining whether the credentials are cached in the service agent, and further, whether the credentials are valid, (3) in response to a determination that the credentials are not cached in the service agent, initiating a security service to authorize the web service subscriber to access the particular web service, (4) in response to a determination that the credentials are cached in the service agent and are invalid, responding to the web service subscriber with an error message, and (5) in response to a determination that the credentials are cached in the service agent and are valid, passing the web service request to the particular web service for access.
13 Claims
1. A process comprising: (independent claim 1 is reproduced in full above under First Claim; dependent claims 2 to 9 are not shown on this page)
10. A process comprising:
receiving data traffic representative of a web service request for a particular web service, along with user identification credentials comprising an application identification ("ID") and password, from a web service subscribing application within a client-side computing platform via a network, said web service request for said particular web service and said user identification credentials received into a service agent executing within a server-side web service provider computing platform;
determining by said service agent that said user identification credentials are not cached in said service agent;
transmitting, by said service agent via said network in a manner that is transparent to said client-side computing platform, data traffic representative of said user identification credentials and a name of said requested web service to a security gateway within a web service management platform that is separate from said client-side computing platform and said server-side web service provider computing platform;
receiving, by said service agent in a manner that is transparent to said client-side computing platform, data traffic representative of a response from said security gateway via said network, said response comprising an authorization to access said requested web service;
passing, by said service agent, said web service request for said particular web service received from said web service subscribing application to a web service provider computer application executing within said server-side web service provider computing platform to access said requested particular web service in said server-side web service provider computing platform in accordance with a service level agreement between a web service subscriber and a server-side provider to provide said particular web service to said web service subscribing application; and
caching, by said service agent, said user identification credentials, expiration information for said user identification credentials, and data identifying said requested web service;
wherein said service agent executing within the server-side web service provider computing platform does not receive information about said security gateway along with said web service request for said particular web service received from said web service subscribing application within said client-side computing platform.
11. A system comprising:
a web service provider computer application within a server-side computing platform and configured to provide a web service over a network; and
a web service agent co-resident with said web service provider computer application within said server-side computing platform and configured to:
receive, via said network, a web service request for said web service, along with user identification credentials comprising an application identification ("ID") and password, from a web service subscribing application within a client-side computing platform,
determine whether said user identification credentials are cached in said web service agent, and further, whether said user identification credentials are valid,
in response to a determination that said user identification credentials are not cached in said web service agent, call a security service provided by a web service management platform that is separate from said client-side computing platform and said server-side computing platform to authorize said web service subscribing application within the client-side computing platform to access said web service,
in response to a determination that said user identification credentials are cached in said web service agent and are invalid, send an error message to said web service subscribing application within the client-side computing platform via said network, and
in response to a determination that said user identification credentials are cached in said web service agent and are valid, pass said web service request received from said web service subscribing application to said web service provider computer application to access said requested web service in said server-side web service provider computing platform in accordance with a service level agreement between a web service subscriber and a server-side provider to provide said particular web service to said web service subscribing application; and
a security gateway within said web service management platform that is separate from said client-side computing platform and said server-side computing platform and in communication with said web service agent via said network;
wherein, when initiated by said call to said security service, said security gateway receives, in a manner that is transparent to said client-side computing platform, said user identification credentials and a name of said web service being accessed from said web service agent via said network, passes, in a manner that is transparent to said client-side computing platform, said user identification credentials and said name of said web service being accessed to a policy server, receives, in a manner that is transparent to said client-side computing platform, a response from said policy server, said response comprising an authorization or a denial of access to said web service, and passes, in a manner that is transparent to said client-side computing platform, said response to said web service agent via said network.
Dependent claims 12 and 13 are not shown on this page.
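The agent-side flow that the abstract and claims 1, 10 and 11 describe (check the agent's cache first, consult the security gateway only on a miss and without the client seeing it, return an error for a cached invalid credential, cache the verdict with expiration information and the service name), as an added example in Python that is not code from the patent or from any product it covers. The classes ServiceAgent, SecurityGateway and PolicyServer, the constructed policy table POLICY, the cache keyed by application ID and service name, and the storage of an HMAC of the password instead of the password itself are assumptions for illustration; the claims say what is cached but not how it is stored or compared.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed policy table standing in for the policy server of claim 11:
# application ID -> (password, web services the subscriber's SLA covers).
POLICY = {
    "inventory-app": ("s3cret-pass", {"GetStock", "ReserveStock"}),
    "billing-app": ("b1ll-pass", {"GetStock"}),
}


class PolicyServer:
    """Answers authorize/deny for (application ID, password, service name)."""

    def authorize(self, app_id, password, service_name):
        entry = POLICY.get(app_id)
        if entry is None:
            return False
        expected, services = entry
        pw_ok = hmac.compare_digest(expected.encode(), password.encode())
        return pw_ok and service_name in services


class SecurityGateway:
    """Relays the agent's query to the policy server and passes the verdict back."""

    def __init__(self, policy_server):
        self.policy = policy_server
        self.calls = 0  # counted so a caller can see when the cache was bypassed

    def authorize(self, app_id, password, service_name):
        self.calls += 1
        return self.policy.authorize(app_id, password, service_name)


@dataclass
class CacheEntry:
    tag: bytes         # HMAC of the password under the agent's in-memory key
    valid: bool        # gateway verdict for this (app ID, password, service)
    expires_at: float  # expiration information cached with the credentials


class ServiceAgent:
    """Co-resident agent: serves from its cache, calls the gateway only on a miss."""

    def __init__(self, gateway, ttl_seconds=300, clock=time.time):
        self.gateway = gateway
        self.ttl = ttl_seconds
        self.clock = clock
        self.key = secrets.token_bytes(32)  # per-process key, never leaves the agent
        self.cache = {}  # (app_id, service_name) -> CacheEntry

    def _tag(self, password):
        return hmac.new(self.key, password.encode(), "sha256").digest()

    def handle(self, app_id, password, service_name, request):
        now = self.clock()
        key = (app_id, service_name)
        tag = self._tag(password)
        entry = self.cache.get(key)
        if entry is not None and now >= entry.expires_at:
            del self.cache[key]  # expired: treat as not cached
            entry = None
        if entry is not None and hmac.compare_digest(tag, entry.tag):
            # cached for this service: answer without contacting the gateway
            if not entry.valid:
                return {"error": "unauthorized"}
            return self._dispatch(service_name, request)
        # not cached (or a different password than the cached one): ask the
        # gateway; the client never sees this exchange
        ok = self.gateway.authorize(app_id, password, service_name)
        if entry is None or ok:
            # a failed attempt must not evict a valid cached credential
            self.cache[key] = CacheEntry(tag, ok, now + self.ttl)
        if not ok:
            return {"error": "unauthorized"}
        return self._dispatch(service_name, request)

    def _dispatch(self, service_name, request):
        """Stand-in for the web service provider application."""
        return {"service": service_name, "result": f"processed {request}"}
```

Two choices the claims leave open matter in practice. Caching an HMAC of the password under a per-process key, rather than the password itself, means a dump of the agent's memory does not hand over subscriber passwords directly (the key is in the same memory, so offline guessing of weak passwords remains possible); and refusing to overwrite a valid entry when a request with the right application ID and a wrong password is denied stops such requests from forcing a gateway round trip on every later legitimate call. The TTL bounds how long a credential revoked at the policy server keeps working at the agent, so it should be short relative to the revocation latency the subscriber's SLA tolerates.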
Specification