Method and an apparatus to validate a web session in a proxy server

US 8,452,882 B2
Filed: 05/18/2007
Issued: 05/28/2013
Est. Priority Date: 05/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a proxy server computer communicably coupled between an application server and a client, a request to access predetermined content by the client, wherein the predetermined content is offloaded from the application server to the proxy server computer, and wherein the request includes a message previously issued by the application server to the client, the message comprising a unique message identifier, a message authentication code, a timestamp and an access control token that identifies a type of content that the client is allowed to access;

controlling, by the proxy server computer, the access to the predetermined content by the client by validating the message authentication code, and checking the timestamp and the access control token included in the message;

calculating, by the proxy server computer, a new message authentication code and a new timestamp using the access control token previously provided by the application server for the predetermined content; and

issuing a new message to the client by the proxy server computer, the new message comprising a new unique message identifier, the new message authentication code, the new timestamp, and the access control token, the new message to replace the message issued by the application server to the client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of a method and an apparatus to validate a web session in a proxy server have been presented. In one embodiment, service of predetermined content is offloaded from an application server to a proxy server communicatively coupled between the application server and a client. Using the proxy server, access to the predetermined content by the client may be controlled.

46 Citations

View as Search Results

24 Claims

1. A method comprising:
- receiving, by a proxy server computer communicably coupled between an application server and a client, a request to access predetermined content by the client, wherein the predetermined content is offloaded from the application server to the proxy server computer, and wherein the request includes a message previously issued by the application server to the client, the message comprising a unique message identifier, a message authentication code, a timestamp and an access control token that identifies a type of content that the client is allowed to access;
  
  controlling, by the proxy server computer, the access to the predetermined content by the client by validating the message authentication code, and checking the timestamp and the access control token included in the message;
  
  calculating, by the proxy server computer, a new message authentication code and a new timestamp using the access control token previously provided by the application server for the predetermined content; and
  
  issuing a new message to the client by the proxy server computer, the new message comprising a new unique message identifier, the new message authentication code, the new timestamp, and the access control token, the new message to replace the message issued by the application server to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein validating the message authentication code comprises:
    - computing a verification message authentication code based on the access control token; and
      
      comparing the verification message authentication code against the message authentication code within the request.
  - 3. The method of claim 1, wherein controlling access to the predetermined content by the client comprises:
    - checking the access control token within the request from the client to determine if the client is authorized to access the predetermined content.
  - 4. The method of claim 1, further comprising:
    - serving the predetermined content to the client if the message authentication code is validated and the access control token within the request indicates that the client has been authorized to access the predetermined content.
  - 5. The method of claim 1, further comprising:
    - denying the client access to the predetermined content if the message authentication code is invalid.
  - 6. The method of claim 1, further comprising:
    - denying the client access to the predetermined content if the access control token within the request from the client indicates that the client is not authorized to access the predetermined content.
  - 7. The method of claim 1, wherein the predetermined content comprises static content.

8. A proxy server computer comprising:
- a memory;
  
  a processing device communicably coupled to the memory;
  
  a first network interface, executable by the processing device from the memory on the proxy server computer, to communicatively couple the proxy server computer to a client in order to receive an access request from the client to access predetermined content, wherein the predetermined content is offloaded from an application server to the proxy server computer, and wherein the access request includes a message previously issued by the application server to the client, the message comprising a unique message identifier, a message authentication code, a timestamp and an access control token; and
  
  an authentication module, executable by the processing device from the memory on the proxy server computer, to;
  
  authenticate the client based on validating the message authentication code, and checking the timestamp and the access control token included in the message;
  
  calculate a new message authentication code and a new timestamp using the access control token previously provided by the application server for the predetermined content; and
  
  issue a new message to the client, the new message comprising a new unique message identifier, the new message authentication code, the new timestamp, and the access control token, the new message to replace the message issued by the application server to the client.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 9. The apparatus of claim 8, further comprising:
    - a second network interface, executable on the proxy server computer, to communicatively couple to the application server.
  - 10. The apparatus of claim 8, wherein the authentication module is further to compute a validation message authentication code based the access control token in the access request from the client and to compare the validation message authentication code computed against the message authentication code within the access request.
  - 11. The apparatus of claim 8, wherein the authentication module is operable to check the access control token within the access request from the client to determine if the client is authorized to access the predetermined content.
  - 12. The apparatus of claim 8, wherein the authentication module is operable to serve the predetermined content to the client if the message authentication code within the access request from the client is validated and the access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 13. The apparatus of claim 8, wherein the authentication module is operable to deny the client access to the predetermined content if the message authentication code within the access request from the client is invalid.
  - 14. The apparatus of claim 8, wherein the authentication module is operable to deny the client access to the predetermined content if the access control token within the access request from the client indicates that the client is not authorized to access the predetermined content.
  - 15. A system comprising the proxy server computer of claim 8, further comprising the application server and a backend server coupled to the application server.
  - 16. A system comprising the proxy server computer of claim 8, further comprising the application server and a backend server coupled to the application server, wherein the backend server comprises a database server.
  - 17. A system comprising the proxy server computer of claim 8, wherein the predetermined content comprises static content, and the system further comprises:
    - a repository coupled to the proxy server computer, to store the static content.

18. A non-transitory machine-readable medium that includes instructions that, when executed by a processor, will cause the processor to perform operations comprising:
- receiving an access request at a proxy server running on the processor, the access request being a request from a client to access predetermined content offloaded from an application server to the proxy server, wherein the request includes a message previously issued by the application server to the client, the message comprising a unique message identifier, a message authentication code, a timestamp and an access control token;
  
  controlling, by the proxy server, access to the predetermined content by the client by validating the message authentication code, and checking the timestamp, and the access control token included in the message;
  
  calculating, by the proxy server, a new message authentication code and a new timestamp using the access control token previously provided by the application server to the proxy server for the predetermined content; and
  
  issuing a new message to the client, the new message comprising a new unique message identifier, the new message authentication code, the new timestamp, and the access control token, the new message to replace the message issued by the application server to the client.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The machine-readable medium of claim 18, wherein using the proxy server to control access to the predetermined content by the client comprises:
    - using the proxy server to compute a validation message authentication code based the access control token in the access request from the client; and
      
      using the proxy server to compare the validation message authentication code computed against the message authentication code within the access request.
  - 20. The machine-readable medium of claim 18, wherein using the proxy server to control access to the predetermined content by the client comprises:
    - using the proxy server to check the access control token within the access request from the client to determine if the client is authorized to access the predetermined content.
  - 21. The machine-readable medium of claim 18, wherein the operations further comprise:
    - serving the predetermined content to the client if the message authentication code within the access request from the client is validated and the access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 22. The machine-readable medium of claim 18, wherein the operations further comprise:
    - denying the client access to the predetermined content if the message authentication code within the access request from the client is invalid.
  - 23. The machine-readable medium of claim 18, wherein the operations further comprise:
    - denying the client access to the predetermined content if the access control token within the access request from the client indicates that the client is not authorized to access the predetermined content.
  - 24. The machine-readable medium of claim 18, wherein the predetermined content comprises static content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James Paul
Primary Examiner(s)
Nguyen, Dustin
Assistant Examiner(s)
Mesa, Joel

Application Number

US11/804,683
Publication Number

US 20080288648A1
Time in Patent Office

2,202 Days
Field of Search

709/229, 725/25, 726/9, 726/10, 726/20
US Class Current

709/229
CPC Class Codes

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

H04L 67/02   based on web technology, e....

H04L 67/06   specially adapted for file ...

H04L 67/56   Provisioning of proxy servi...

Method and an apparatus to validate a web session in a proxy server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Method and an apparatus to validate a web session in a proxy server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links