System and methods for providing stateless security management for web applications using non-HTTP communications protocols
First Claim
1. A computer implemented method, said method comprising the steps of:
a) receiving, from a client application executed within a Web-browser client on a client system, a request to initiate a connection directed to a remote Web service, wherein said connection is identified by a communications protocol identifier, said step of receiving including the steps of:
i) performing an authentication challenge directed to a user of said Web-browser client where a secure token is not present in a local store instance corresponding to said client application, wherein said secure token corresponds to said communications protocol identifier, and performing said authentication challenge includes receiving first user credentials at a gateway server, and providing said secure token from said gateway server to said client system, and said secure token includes a timestamp;
ii) receiving a first connect message to said gateway server, wherein said connect message is protocol specific to said communications protocol identifier and wherein said first connect message includes said secure token; and
b) initiating, from said gateway server, a connection directed to said remote Web service in response to receiving said first connect message, said step of initiating including the steps of:
i) inspecting said first connect message to identify said secure token;
ii) evaluating said secure token to obtain second user credentials;
iii) injecting, in replacement of said secure token, said second user credentials into a second connect message corresponding to said first connect message; and
iv) sending said second connect message to said remote Web service;
wherein said secure token includes a timestamp, wherein said timestamp is determinative of whether said secure token is invalid, and wherein said step of performing determines said secure token to be not present in a local store instance where said secure token is invalid;
wherein said client system:
i) monitors said secure token, as stored in said local store instance, for an expiration of said timestamp;
ii) sends said secure token to said gateway server for updating of said timestamp; and
iii) stores said secure token, as updated by said gateway server, to said local store instance; and
wherein said gateway server generates said secure token by private key encryption of said first user credentials to produce a sealed object and public key encryption of said sealed object and said timestamp.
4 Assignments
0 Petitions
Abstract
A gateway server interoperates with client and remote server systems to provide stateless security management for a distributed Web application. A Web client application on the client system initiates a WebSocket connection directed to a remote Web service; where no secure token is present in the local store instance corresponding to the client application, it first performs an authentication challenge directed to the user of the Web-browser client. The authentication challenge obtains the user credentials and exchanges them with the gateway server for a secure token. The secure token is then sent in a protocol-specific connect message to the gateway server. The gateway server, in response to receipt of the connect message, initiates a WebSocket connection directed to the remote Web service by inspecting the connect message to recover the secure token, evaluating the secure token to obtain the user credentials, replacing the secure token in the connect message with those user credentials, and sending the resulting connect message to the remote Web service.
21 Claims
1. (Independent claim; its text is reproduced above under First Claim.)
Dependent claims: 2, 3, 4, 5, 6, 7
8. A system, comprising:
a communication interface configured to receive, from a client application executed within a Web-browser client on a client system, a request to initiate a connection directed to a remote Web service, wherein said connection is identified by a communications protocol identifier, wherein receiving the request includes:
i) performing an authentication challenge directed to a user of said Web-browser client where a secure token is not present in a local store instance corresponding to said client application, wherein said secure token corresponds to said communications protocol identifier, and performing said authentication challenge includes receiving first user credentials at the system, and providing said secure token to said client system;
ii) receiving a first connect message, wherein said connect message is protocol specific to said communications protocol identifier and wherein said first connect message includes said secure token; and
a processor coupled with the communication interface and configured to initiate a connection directed to said remote Web service in response to receiving said first connect message, wherein initiating the connection includes:
i) inspecting said first connect message to identify said secure token;
ii) evaluating said secure token to obtain second user credentials;
iii) injecting, in replacement of said secure token, said second user credentials into a second connect message corresponding to said first connect message; and
iv) sending said second connect message to said remote Web service;
wherein said secure token includes a timestamp, wherein said timestamp is determinative of whether said secure token is invalid, and wherein said step of performing determines said secure token to be not present in a local store instance where said secure token is invalid;
wherein said client system:
i) monitors said secure token, as stored in said local store instance, for an expiration of said timestamp;
ii) sends said secure token to the system for updating of said timestamp; and
iii) stores said secure token, as updated by the system, to said local store instance; and
wherein the system generates said secure token by private key encryption of said first user credentials to produce a sealed object and public key encryption of said sealed object and said timestamp.
Dependent claims: 9, 10, 11, 12, 13, 14
15. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
a) receiving, from a client application executed within a Web-browser client on a client system, a request to initiate a connection directed to a remote Web service, wherein said connection is identified by a communications protocol identifier, said step of receiving including the steps of:
i) performing an authentication challenge directed to a user of said Web-browser client where a secure token is not present in a local store instance corresponding to said client application, wherein said secure token corresponds to said communications protocol identifier, and performing said authentication challenge includes receiving first user credentials at a gateway server, and providing said secure token from said gateway server to said client system;
ii) receiving a first connect message to said gateway server, wherein said connect message is protocol specific to said communications protocol identifier and wherein said first connect message includes said secure token; and
b) initiating, from said gateway server, a connection directed to said remote Web service in response to receiving said first connect message, said step of initiating including the steps of:
i) inspecting said first connect message to identify said secure token;
ii) evaluating said secure token to obtain second user credentials;
iii) injecting, in replacement of said secure token, said second user credentials into a second connect message corresponding to said first connect message; and
iv) sending said second connect message to said remote Web service;
wherein said secure token includes a timestamp, wherein said timestamp is determinative of whether said secure token is invalid, and wherein said step of performing determines said secure token to be not present in a local store instance where said secure token is invalid;
wherein said client system:
i) monitors said secure token, as stored in said local store instance, for an expiration of said timestamp;
ii) sends said secure token to said gateway server for updating of said timestamp; and
iii) stores said secure token, as updated by said gateway server, to said local store instance; and
wherein said gateway server generates said secure token by private key encryption of said first user credentials to produce a sealed object and public key encryption of said sealed object and said timestamp.
Dependent claims: 16, 17, 18, 19, 20, 21