Security proxying for end-user applications

US 8,424,058 B2
Filed: 10/04/2007
Issued: 04/16/2013
Est. Priority Date: 12/07/2006
Status: Active Grant

First Claim

Patent Images

1. In an end-user application, a method comprising:

receiving input from an interface, the input soliciting an operation of the end-user application, wherein the end-user application is one of multiple enterprise widgets, limited featured applications that execute on a widget runtime environment on a computing platform of an enterprise, the enterprise widgets available to a user authenticated on the computing platform, the widget runtime environment to execute on the computing platform to provide an execution platform on the computing platform including services shared by the enterprise widgets, each enterprise widget including functionality to access enterprise data from one or more backend servers of the enterprise;

sending, from the end-user application to the widget runtime environment, a request for a service of a backend server that provides the solicited operation, the request having insufficient security information for the backend server to authenticate the application to enable the application to access the requested service, the request to cause the widget runtime environment to use a security proxy on the widget runtime environment to determine that the request from the end-user application is missing required security information for the request, obtain the required security information not included in the request from a security information source separate from the end-user application, and to inject the security information into the request for the service of the backend server in response to determining that the request does not include the required security information and forward the request to the backend server;

receiving the service from the backend server at the end-user application in response to the solicited operation, based on the backend server authenticating the end-user application with the security information injected by the security proxy; and

providing a representation of data associated with the received service in the interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatuses enable a service mediator to provide security proxying services to an end-user application requesting a backend service of an enterprise network. The end-user application generates a request for a service of the backend system. The request does not have sufficient security information to enable access to the backend system. The service mediator can detect that one or more items of required security information are not present in the request and injects the necessary security information into the request. The end-user application need not even have access to the security information or even be aware that security information is needed to access the service. The request having the required security information is sent to the backend to enable access to the backend service.

63 Citations

View as Search Results

23 Claims

1. In an end-user application, a method comprising:
- receiving input from an interface, the input soliciting an operation of the end-user application, wherein the end-user application is one of multiple enterprise widgets, limited featured applications that execute on a widget runtime environment on a computing platform of an enterprise, the enterprise widgets available to a user authenticated on the computing platform, the widget runtime environment to execute on the computing platform to provide an execution platform on the computing platform including services shared by the enterprise widgets, each enterprise widget including functionality to access enterprise data from one or more backend servers of the enterprise;
  
  sending, from the end-user application to the widget runtime environment, a request for a service of a backend server that provides the solicited operation, the request having insufficient security information for the backend server to authenticate the application to enable the application to access the requested service, the request to cause the widget runtime environment to use a security proxy on the widget runtime environment to determine that the request from the end-user application is missing required security information for the request, obtain the required security information not included in the request from a security information source separate from the end-user application, and to inject the security information into the request for the service of the backend server in response to determining that the request does not include the required security information and forward the request to the backend server;
  
  receiving the service from the backend server at the end-user application in response to the solicited operation, based on the backend server authenticating the end-user application with the security information injected by the security proxy; and
  
  providing a representation of data associated with the received service in the interface.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein the end-user application comprises a desktop widget.
  - 3. The method of claim 1, wherein the end-user application has no self-contained access to the security information.
  - 4. The method of claim 1, wherein the end-user application is unaware of a need for security information to be included in the request to the backend server.
  - 5. The method of claim 1, wherein the security proxy comprises a service mediator that provides services to the end-user application, including a security proxy service.

6. An article of manufacture comprising a non-signal machine readable storage medium having content stored thereon to provide instructions that cause a machine to perform operations including:
- receiving input from an interface, the input soliciting an operation of the end-user application, wherein the end-user application is one of multiple enterprise widgets, limited featured applications that execute on a widget runtime environment on a computing platform of an enterprise, the enterprise widgets available to a user authenticated on the computing platform, the widget runtime environment to execute on the computing platform to provide an execution platform on the computing platform including services shared by the enterprise widgets, each enterprise widget including functionality to access enterprise data from one or more backend servers of the enterprise;
  
  sending, from the end-user application to the widget runtime environment, a request for a service of a backend server that provides the solicited operation, the request having insufficient security information to access the requested service, the request to cause the widget runtime environment to use a security proxy on the widget runtime environment to determine that the request from the end-user application is missing required security information for the request, obtain the required security information not included in the request from a security information source separate from the end-user application, and to inject the security information into the request for the service of the backend server in response to determining that the request does not include the required security information and forward the request to the backend server;
  
  receiving the service from the backend server at the end-user application in response to the solicited operation, based on the backend server authenticating the end-user application with the security information injected by the security proxy; and
  
  providing a representation of data associated with the received service in the interface.
- View Dependent Claims (7, 8)
- - 7. The article of manufacture of claim 6, wherein the content to provide instructions for receiving the input soliciting the operation of the end-user application comprises content to provide instructions forreceiving input soliciting an operation of a desktop widget.
  - 8. The article of manufacture of claim 7, wherein the content to provide instructions for receiving the input soliciting the operation of the desktop widget comprises content to provide instructions forreceiving input soliciting an operation of an enterprise widget having self-contained access to an enterprise backend server.

9. In a service mediator that provides services to an end-user application, a method comprising:
- receiving at the service mediator from an end-user application a request for a service of a backend server, wherein the end-user application is one of multiple enterprise widgets, limited featured applications that execute on a widget runtime environment on a computing platform of an enterprise, the enterprise widgets available to a user authenticated on the computing platform, the widget runtime environment to execute on the computing platform to provide an execution platform on the computing platform including services shared by the enterprise widgets including the service mediator, each enterprise widget including functionality to access enterprise data from one or more backend servers of the enterprise;
  
  determining at the widget runtime environment via the service mediator that the request for the service requires security information;
  
  determining at the widget runtime environment via the service mediator that the request from the end-user application is missing the required security information;
  
  obtaining the required security information not included in the request from a security information source separate from the end-user application;
  
  injecting the required security information into the request; and
  
  forwarding the request for the service to the backend server to cause the backend server to authenticate the end-user application with the security information injected by the service mediator.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein determining that the request for the service requires security information comprises:
    - sending the request to the backend server; and
      
      receiving a response at the widget runtime environment from the backend server requiring authentication information.
  - 11. The method of claim 9, wherein determining that the request from the end-user application does not include the required security information comprises:
    - identifying the request as being from one of a particular type of applications.
  - 12. The method of claim 9, wherein determining that the request from the end-user application does not include the required security information comprises:
    - identifying the request as being received on a particular interface.
  - 13. The method of claim 9, wherein injecting the security information comprises:
    - providing single sign-on (SSO) authentication information.
  - 14. The method of claim 13, wherein providing the SSO authentication information further comprises:
    - obtaining the SSO authentication information from an SSO manager executing on a common operating environment with the end-user application.
  - 15. The method of claim 9, wherein injecting the security information comprises:
    - providing user name and password information with the request.
  - 16. The method of claim 9, further comprising:
    - receiving a response from the backend server that includes data related to the requested service; and
      
      forwarding the response to the end-user application.

17. An article of manufacture comprising a non-signal machine readable storage medium having content stored thereon to provide instructions that cause a machine to perform operations including:
- receiving at the service mediator from an end-user application a request for a service of a backend server, wherein the end-user application is one of multiple enterprise widgets, limited featured applications that execute on a widget runtime environment on a computing platform of an enterprise, the enterprise widgets available to a user authenticated on the computing platform, the widget runtime environment to execute on the computing platform to provide an execution platform on the computing platform including services shared by the enterprise widgets including the service mediator, each enterprise widget including functionality to access enterprise data from one or more backend servers of the enterprise;
  
  determining at the widget runtime environment via the service mediator that the request for the service requires security information;
  
  determining at the widget runtime environment via the service mediator that the request from the end-user application is missing the required security information;
  
  obtaining the required security information not included in the request from a security information source separate from the end-user application;
  
  injecting the required security information into the request; and
  
  forwarding the request for the service to the backend server to cause the backend server to authenticate the end-user application with the security information injected by the service mediator.
- View Dependent Claims (18, 19)
- - 18. The article of manufacture of claim 17, wherein the content to provide instructions for determining that the request from the end-user application does not include the required security information comprises content to provide instructions foridentifying the request as being at least one of a request from one of a particular type of applications, or a request received on a particular interface.
  - 19. The article of manufacture of claim 17, wherein the content to provide instructions for injecting the security information comprises content to provide instructions for providing single sign-on (SSO) authentication information.

20. A system comprising:
- an end-user application operating out of memory, the end-user application to generate a request for a backend service, the request lacking security information required to access the backend service, wherein the end-user application is one of multiple enterprise widgets, limited featured applications that execute on a widget runtime environment on a computing platform of an enterprise, the enterprise widgets available to a user authenticated on the computing platform, the widget runtime environment to execute on the computing platform to provide an execution platform on the computing platform including services shared by the enterprise widgets, each enterprise widget including functionality to access enterprise data from one or more backend servers of the enterprise; and
  
  a security proxy on the widget runtime environment coupled to the end-user application to obtain the request, determine that the request from the end-user application does not include required security information for the request, obtain the required security information not included in the request from a security information source separate from the end-user application, and inject the security information into the request in response to determining that the request does not include the required security information to authenticate the end-user application based on the security information injected by the security proxy to enable the end-user application to access the backend service.
- View Dependent Claims (21, 22, 23)
- - 21. The system of claim 20, wherein the end-user application comprises an enterprise widget having self-contained access to an enterprise backend server.
  - 22. The system of claim 20, wherein the end-user application has no self-contained access to security information.
  - 23. The system of claim 20, wherein the security proxy injects security information including single sign-on (SSO) authentication information obtained from an SSO manager executing on a common operating environment with the end-user application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP AG (SAP SE)
Inventors
Wood, Eric R. B., Vinogradov, Ilja
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US11/867,650
Publication Number

US 20080141341A1
Time in Patent Office

2,021 Days
Field of Search

717/100, 705/50, 726/3
US Class Current

726/3
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 21/629 to features or functions of...

Security proxying for end-user applications

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

23 Claims

Specification

Use Cases

Quick Links

Others

Security proxying for end-user applications

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

23 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others