Method and an apparatus to generate message authentication codes at a proxy server for validating a web session

US 8,489,740 B2
Filed: 07/17/2007
Issued: 07/16/2013
Est. Priority Date: 05/18/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating, by a proxy server communicatively coupled between an application server and a client, a first message authentication code upon receiving a message generated by the application server in response to an authentication request to initiate a web session from the client, the message generated by the application server comprising an access control token that indicates a specific type of static content that the client is allowed to access, wherein the message generated by the application server does not include a message authentication code;

adding, by the proxy server, the first message authentication code and a timestamp to the message generated by the application server, wherein the timestamp signifies when the message generated by the application server has reached the proxy server, wherein the client uses the first message authentication code and the timestamp to request access to predetermined content during the web session;

during the web session, computing, by the proxy server, a second message authentication code based on one or more previously obtained access control tokens in an access request from the client;

using the proxy server to compare the second message authentication code computed against a third message authentication code in the access request;

validating the third message authentication code in the access request in response to the second message authentication code matching the third message authentication code; and

denying the access request in response to the second message authentication code being different from the third message authentication code.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Some embodiments of a method and an apparatus to validate a web session in a proxy server have been presented. In one embodiment, a first message authentication code is generated at a proxy server communicatively coupled between an application server and a client upon receiving a message from the application server. The message is generated by the application server in response to an authentication request from the client to initiate a web session. The proxy server then adds the first message authentication code and one or more timestamps to the message. Then the proxy server may send the message to the client, wherein the client may use the first message authentication code and the one or more timestamps to request access to predetermined content during the web session.

52 Citations

View as Search Results

25 Claims

1. A method comprising:
- generating, by a proxy server communicatively coupled between an application server and a client, a first message authentication code upon receiving a message generated by the application server in response to an authentication request to initiate a web session from the client, the message generated by the application server comprising an access control token that indicates a specific type of static content that the client is allowed to access, wherein the message generated by the application server does not include a message authentication code;
  
  adding, by the proxy server, the first message authentication code and a timestamp to the message generated by the application server, wherein the timestamp signifies when the message generated by the application server has reached the proxy server, wherein the client uses the first message authentication code and the timestamp to request access to predetermined content during the web session;
  
  during the web session, computing, by the proxy server, a second message authentication code based on one or more previously obtained access control tokens in an access request from the client;
  
  using the proxy server to compare the second message authentication code computed against a third message authentication code in the access request;
  
  validating the third message authentication code in the access request in response to the second message authentication code matching the third message authentication code; and
  
  denying the access request in response to the second message authentication code being different from the third message authentication code.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - sending the message from the proxy server to the client;
      
      offloading service of the predetermined content from the application server to the proxy server; and
      
      using the proxy server to control access to the predetermined content by the client during the web session.
  - 3. The method of claim 1, further comprising:
    - using the proxy server to check an access control token within an access request from the client to determine if the client is authorized to access the predetermined content during the web session.
  - 4. The method of claim 1, further comprising:
    - using the proxy server to serve the predetermined content to the client if a message authentication code within an access request from the client is validated and an access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 5. The method of claim 1, further comprising:
    - denying the client access to the predetermined content if a message authentication code within an access request from the client is invalid.
  - 6. The method of claim 1, further comprising:
    - denying the client access to the predetermined content if an access control token within an access request from the client indicates that the client is not authorized to access the predetermined content.
  - 7. The method of claim 1, further comprising:
    - using the proxy server to issue a set of updated credentials to the client during the web session, the set of updated credentials comprising at least one of an updated message authentication code, an updated timestamp, and updated access control tokens.
  - 8. The method of claim 1, wherein the predetermined content comprises static content.

9. A proxy server comprising:
- a storage device to store instructions; and
  
  a network interface, executable by a processing device, to retrieve the instructions and, in response to the instructions, to communicatively couple to a network to receive a message generated by an application server in response to an authentication request from a client to initiate a web session, the message comprising an access control token that indicates a specific type of static content that the client is allowed to access, wherein the message generated by the application server does not include a message authentication code; and
  
  an authentication module, executable by the processing device, to add a timestamp to the message generated by the application server, wherein the timestamp signifies when the message generated by the application server has reached the proxy server, wherein the authentication module comprises a message authentication code computation module to generate a first message authentication code for the message generated by the application server, wherein the authentication module is to add the first message authentication code to the message generated by the application server, wherein the client uses the first message authentication code and the timestamp to request access to predetermined content during the web session, wherein the message authentication code computation module is further to compute, during the web session, a second message authentication code based on one or more previously obtained access control tokens in an access request from the client, to compare the second message authentication code computed against a third message authentication code in the access request, to validate the third message authentication code in the access request in response to the second message authentication code matching the third message authentication code, and to deny the access request in response to the second message authentication code being different from the third message authentication code.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17)
- - 10. The proxy server of claim 9, wherein the network interface is to send the message to the client via the network, and wherein the processing device further executes a content serving module to serve the predetermined content to the client during the web session, wherein the authentication module is further to control access to the predetermined content by the client during the web session.
  - 11. The proxy server of claim 9, wherein the authentication module is to issue a set of updated credentials to the client during the web session, the set of updated credentials comprising at least one of an updated message authentication code, an updated timestamp, and an updated access control token.
  - 12. The proxy server of claim 9, wherein the authentication module is to check an access control token within an access request from the client to determine if the client is authorized to access the predetermined content.
  - 13. The proxy server of claim 9, wherein the content serving module serves the predetermined content to the client if a message authentication code within an access request from the client is validated and an access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 14. The proxy server of claim 9, wherein the authentication module is to deny the client access to the predetermined content if a message authentication code within an access request from the client is invalid.
  - 15. The proxy server of claim 9, wherein the authentication module is to deny the client access to the predetermined content if an access control token within an access request from the client indicates that the client is not authorized to access the predetermined content.
  - 16. A system comprising the proxy server of claim 9, further comprising the application server and a backend server coupled to the application server.
  - 17. A system comprising the proxy server of claim 9, wherein the predetermined content comprises static content, and the system further comprises:
    - a repository coupled to the proxy server, to store the static content.

18. A non-transitory machine-readable medium that provides instructions that, if executed by a processor, will cause the processor to perform operations comprising:
- generating, by a proxy server comprising the processor and communicatively coupled between an application server and a client, a first message authentication code upon receiving a message generated by the application server in response to an authentication request to initiate a web session from the client, the message generated by the application server comprising an access control token that indicates a specific type of static content that the client is allowed to access, wherein the message generated by the application server does not include a message authentication code;
  
  adding, by the proxy server, the first message authentication code and a timestamp to the message generated by the application server, wherein the timestamp signifies when the message generated by the application server has reached the proxy server, wherein the client uses the first message authentication code and the timestamp to request access to predetermined content during the web session;
  
  during the web session, computing, by the proxy server, a second message authentication code based on one or more previously obtained access control tokens in an access request from the client;
  
  using the proxy server to compare the second message authentication code computed against a third message authentication code in the access request;
  
  validating the third message authentication code in the access request in response to the second message authentication code matching the third message authentication code; and
  
  denying the access request in response to the second message authentication code being different from the third message authentication code.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25)
- - 19. The non-transitory machine-readable medium of claim 18, wherein the operations further comprise:
    - sending the message from the proxy server to the client;
      
      offloading service of the predetermined content from the application server to the proxy server; and
      
      using the proxy server to control access to the predetermined content by the client during the web session.
  - 20. The non-transitory machine-readable medium of claim 18, wherein the operations further comprise:
    - using the proxy server to check an access control token within an access request from the client to determine if the client is authorized to access the predetermined content during the web session.
  - 21. The non-transitory machine-readable medium of claim 18, wherein the operations further comprise:
    - using the proxy server to serve the predetermined content to the client if a message authentication code within an access request from the client is validated and an access control token within the access request indicates that the client has been authorized to access the predetermined content.
  - 22. The non-transitory machine-readable medium of claim 18, wherein the operations further comprise:
    - denying the client access to the predetermined content if a message authentication code within an access request from the client is invalid.
  - 23. The non-transitory machine-readable medium of claim 18, wherein the operations further comprise:
    - denying the client access to the predetermined content if an access control token within an access request from the client indicates that the client is not authorized to access the predetermined content.
  - 24. The non-transitory machine-readable medium of claim 18, wherein the operations further comprise:
    - using the proxy server to issue a set of updated credentials to the client during the web session, the set of updated credentials comprising at least one of an updated message authentication code, an updated timestamp, and updated access control tokens.
  - 25. The non-transitory machine-readable medium of claim 18, wherein the predetermined content comprises static content.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James Paul
Primary Examiner(s)
Nguyen, Dustin
Assistant Examiner(s)
Mesa, Joel

Application Number

US11/879,723
Publication Number

US 20080289025A1
Time in Patent Office

2,191 Days
Field of Search

709/225, 709/223
US Class Current

709/225
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 63/0281   Proxies

H04L 63/08   for authentication of entit...

H04L 63/123   received data contents, e.g...

Method and an apparatus to generate message authentication codes at a proxy server for validating a web session

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

52 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Method and an apparatus to generate message authentication codes at a proxy server for validating a web session

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links