Web services security system and method

US 8,402,525 B1
Filed: 07/01/2005
Issued: 03/19/2013
Est. Priority Date: 07/01/2005
Status: Active Grant

First Claim

Patent Images

1. A process comprising:

receiving, at a server-side web service provider computing platform, a web service request for a particular web service, along with user identification credentials comprising an application identification (“

ID”

) and password, from a web service subscribing application within a client-side computing platform, said web service request and said user identification credentials received into a service agent executing within the server-side web service provider computing platform;

determining by the service agent executing within the server-side web service provider computing platform whether said user identification credentials are cached in a cache in said service agent, and further, whether said user identification credentials are valid, and further, whether said user identification credentials are associated with the requested particular web service in said cache in said service agent;

in response to a determination that said user identification credentials are not cached in said service agent, communicating, by the service agent executing within the server-side web service provider computing platform, with a security gateway within a web service management platform that is separate from both said client-side computing platform and said server-side web service provider computing platform to authorize said subscribing application within said client-side computing platform to access said particular web service, said communicating being transparent to said client-side computing platform;

in response to the determination that said user identification credentials are cached in said service agent and are invalid, sending by the server-side web service provider computing platform a response to said web service subscribing application within said client-side computing platform with an error message; and

in response to the determination that said user identification credentials are cached in said service agent, are valid, and are associated with the requested particular web service in said cache in said service agent, passing by the service agent executing within the server-side web service provider computing platform said particular web service request received from said subscribing application to said web service to access said requested particular web service in said server-side web service provider computing platform in accordance with a service level agreement between a web service subscriber and a server-side provider to provide said particular web service to said web service subscribing application;

wherein said service agent executing within the server-side web service provider computing platform does not receive information about said security gateway along with said web service request received from said web service subscribing application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exemplary method includes (1) receiving a web service request for a particular web service, along with user identification credentials, from a web service subscriber, the request and the credentials being received into a service agent of a web service publisher, (2) determining whether the credentials are cached in the service agent, and further, whether the credentials are valid, (3) in response to a determination that the credentials are not cached in the service agent, initiating a security service to authorize the web service subscriber to access the particular web service, (4) in response to a determination that the credentials are cached in the service agent and are invalid, responding to the web service subscriber with an error message, and (5) in response to a determination that the credentials are cached in the service agent and are valid, passing the web service request to the particular web service for access.

96 Citations

View as Search Results

13 Claims

1. A process comprising:
- receiving, at a server-side web service provider computing platform, a web service request for a particular web service, along with user identification credentials comprising an application identification (“
  
  ID”
  
  ) and password, from a web service subscribing application within a client-side computing platform, said web service request and said user identification credentials received into a service agent executing within the server-side web service provider computing platform;
  
  determining by the service agent executing within the server-side web service provider computing platform whether said user identification credentials are cached in a cache in said service agent, and further, whether said user identification credentials are valid, and further, whether said user identification credentials are associated with the requested particular web service in said cache in said service agent;
  
  in response to a determination that said user identification credentials are not cached in said service agent, communicating, by the service agent executing within the server-side web service provider computing platform, with a security gateway within a web service management platform that is separate from both said client-side computing platform and said server-side web service provider computing platform to authorize said subscribing application within said client-side computing platform to access said particular web service, said communicating being transparent to said client-side computing platform;
  
  in response to the determination that said user identification credentials are cached in said service agent and are invalid, sending by the server-side web service provider computing platform a response to said web service subscribing application within said client-side computing platform with an error message; and
  
  in response to the determination that said user identification credentials are cached in said service agent, are valid, and are associated with the requested particular web service in said cache in said service agent, passing by the service agent executing within the server-side web service provider computing platform said particular web service request received from said subscribing application to said web service to access said requested particular web service in said server-side web service provider computing platform in accordance with a service level agreement between a web service subscriber and a server-side provider to provide said particular web service to said web service subscribing application;
  
  wherein said service agent executing within the server-side web service provider computing platform does not receive information about said security gateway along with said web service request received from said web service subscribing application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The process of claim 1, further comprising:
    - receiving, by said security gateway, said web service request and said user identification credentials from said service agent executing within the server-side web service provider computing platform; and
      
      returning, by said security gateway, a response to said service agent executing within the server-side web service provider computing platform, said response comprising an authorization or a denial of said web service request.
  - 3. The process of claim 2, further comprising:
    - determining, by said service agent, said response is an authorization of said web service request;
      
      responsive to said determination, caching, by said service agent, said user identification credentials and data identifying the requested particular web service in said cache in said service agent; and
      
      passing, by said service agent, said web service request to said particular web service for access.
  - 4. The process of claim 2, further comprising:
    - determining, by said service agent, said response is a denial of said web service request; and
      
      responding, by said service agent, to said web service subscribing application within the client-side computing platform with an error message.
  - 5. The method of claim 3, further comprising caching expiration information along with said user identification credentials in said cache in said service agent.
  - 6. The method of claim 1, wherein said web service request and said user identification credentials are received in a Simple Objects Access Protocol (“
    - SOAP”
      
      ) message.
  - 7. The method of claim 6, wherein said user identification credentials are included in a header of said SOAP message.
  - 8. The method of claim 1, wherein said determining whether said user identification credentials are valid comprises determining whether said user identification credentials are within a defined time frame.
  - 9. The process of claim 1, wherein said web service subscriber comprises a developer of said subscribing application.

10. A process comprising:
- receiving data traffic representative of a web service request for a particular web service, along with user identification credentials comprising an application identification (“
  
  ID”
  
  ) and password, from a web service subscribing application within a client-side computing platform via a network, said web service request for said particular web service and said user identification credentials received into a service agent executing within a server-side web service provider computing platform;
  
  determining by said service agent that said user identification credentials are not cached in said service agent;
  
  transmitting, by said service agent via said network in a manner that is transparent to said client-side computing platform, data traffic representative of said user identification credentials and a name of said requested web service to a security gateway within a web service management platform that is separate from said client-side computing platform and said server-side web service provider computing platform;
  
  receiving, by said service agent in a manner that is transparent to said client-side computing platform, data traffic representative of a response from said security gateway via said network, said response comprising an authorization to access said requested web service;
  
  passing, by said service agent, said web service request for said particular web service received from said web service subscribing application to a web service provider computer application executing within said server-side web service provider computing platform to access said requested particular web service in said server-side web service provider computing platform in accordance with a service level agreement between a web service subscriber and a server-side provider to provide said particular web service to said web service subscribing application; and
  
  caching, by said service agent, said user identification credentials, expiration information for said user identification credentials, and data identifying said requested web service;
  
  wherein said service agent executing within the server-side web service provider computing platform does not receive information about said security gateway along with said web service request for said particular web service received from said web service subscribing application within said client-side computing platform.

11. A system comprising:
- a web service provider computer application within a server-side computing platform and configured to provide a web service over a network; and
  
  a web service agent co-resident with said web service provider computer application within said server-side computing platform and configured toreceive, via said network, a web service request for said web service, along with user identification credentials comprising an application identification (“
  
  ID”
  
  ) and password, from a web service subscribing application within a client-side computing platform,determine whether said user identification credentials are cached in said web service agent, and further, whether said user identification credentials are valid,in response to a determination that said user identification credentials are not cached in said web service agent, call a security service provided by a web service management platform that is separate from said client-side computing platform and said server-side computing platform to authorize said web service subscribing application within the client-side computing platform to access said web service,in response to a determination that said user identification credentials are cached in said web service agent and are invalid, send an error message to said web service subscribing application within the client-side computing platform via said network, andin response to a determination that said user identification credentials are cached in said web service agent and are valid, pass said web service request received from said web service subscribing application to said web service provider computer application to access said requested web service in said server-side web service provider computing platform in accordance with a service level agreement between a web service subscriber and a server-side provider to provide said particular web service to said web service subscribing application; and
  
  a security gateway within said web service management platform that is separate from said client-side computing platform and said server-side computing platform and in communication with said web service agent via said network;
  
  wherein, when initiated by said call to said security service, said security gatewayreceives, in a manner that is transparent to said client-side computing platform, said user identification credentials and a name of said web service being accessed from said web service agent via said network,passes, in a manner that is transparent to said client-side computing platform, said user identification credentials and said name of said web service being accessed to a policy server,receives, in a manner that is transparent to said client-side computing platform, a response from said policy server, said response comprising an authorization or a denial of access to said web service, andpasses, in a manner that is transparent to said client-side computing platform, said response to said web service agent via said network.
- View Dependent Claims (12, 13)
- - 12. The system of claim 11, wherein said web service agent is configured tocall said security service by transmitting, to said security gateway via said network, said user identification credentials and said name of said web service being accessed,receive said response from said security gateway via said network, andevaluate said response.
  - 13. The system, of claim 12, wherein in response to said response including an authorization to access said web service, said web service agent is configured topass said web service request to said web service provider computer application for access, andcache said user identification credentials, expiration information for said user identification credentials, and data identifying said web service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Services Corporation (Verizon Communications Inc.)
Inventors
Rodrigues, Ruchir, Shah, Mehul K., Lorenzo, Austin, Bolduc, Paul, Anumala, Srinivas, Goyal, Vishnu
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US11/173,196
Time in Patent Office

2,818 Days
Field of Search

None
US Class Current

726/8
CPC Class Codes

H04L 41/0273   using web services for netw...

H04L 41/5003   Managing SLA; Interaction b...

H04L 41/5032   Generating service level re...

H04L 41/5048   Automatic or semi-automatic...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

Web services security system and method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

13 Claims

Specification

Use Cases

Quick Links

Others

Web services security system and method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

13 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others