System and methods for providing stateless security management for web applications using non-HTTP communications protocols

US 8,527,774 B2
Filed: 05/27/2010
Issued: 09/03/2013
Est. Priority Date: 05/28/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method, said method comprising the steps of:

a) receiving, from a client application executed within a Web-browser client on a client system, a request to initiate a connection directed to a remote Web service, wherein said connection is identified by a communications protocol identifier, said step of receiving including the steps of;

i) performing an authentication challenge directed to a user of said Web-browser client where a secure token is not present in a local store instance corresponding to said client application, wherein said secure token corresponds to said communications protocol identifier, and performing said authentication challenge includes receiving first user credentials at a gateway server, and providing said secure token from said gateway server to said client system, and said secure token includes a timestamp;

ii) receiving a first connect message to said gateway server, wherein said connect message is protocol specific to said communications protocol identifier and wherein said first connect message includes said secure token; and

b) initiating, from said gateway server, a connection directed to said remote Web service in response to receiving said first connect message, said step of initiating including the steps of;

i) inspecting said first connect message to identify said secure token;

ii) evaluating said secure token to obtain second user credentials;

iii) injecting, in replacement of said secure token, said second user credentials into a second connect message corresponding to said first connect message; and

iv) sending said second connect message to said remote Web service;

wherein said secure token includes a timestamp, wherein said timestamp is determinative of whether said secure token is invalid, and wherein said step of performing determines said secure token to be not present in a local store instance where said secure token is invalid;

wherein said client system;

i) monitors said secure token, as stored in said local store instance, for an expiration of said timestamp;

ii) sends said secure token to said gateway server for updating of said timestamp; and

iii) stores said secure token, as updated by said gateway server, to said local store instance; and

wherein said gateway server generates said secure token by private key encryption of said first user credentials to produce a sealed object and public key encryption of said sealed object and said timestamp.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A gateway server interoperates with client and remote server systems to provide stateless security management for a distributed Web application. A Web client application on the client system initiates a WebSocket connection directed to a remote Web service by performing an authentication challenge directed to a user of the Web-browser client where a secure token is not present in a local store instance corresponding to the client application. The authentication challenge obtains the user credentials and then exchanges the user credentials with the gateway server for a secure token. The secure token is then sent in a protocol specific connect message to the gateway server. The gateway server, in response to receipt of the connect message, initiates a WebSocket connection directed to the remote Web service by inspecting the connect message to recover the secure token, evaluating the secure token to obtain user credentials, injecting the secure token with the user credentials, and sending the connect message to the remote Web service.

55 Citations

View as Search Results

21 Claims

1. A computer implemented method, said method comprising the steps of:
- a) receiving, from a client application executed within a Web-browser client on a client system, a request to initiate a connection directed to a remote Web service, wherein said connection is identified by a communications protocol identifier, said step of receiving including the steps of;
  
  i) performing an authentication challenge directed to a user of said Web-browser client where a secure token is not present in a local store instance corresponding to said client application, wherein said secure token corresponds to said communications protocol identifier, and performing said authentication challenge includes receiving first user credentials at a gateway server, and providing said secure token from said gateway server to said client system, and said secure token includes a timestamp;
  
  ii) receiving a first connect message to said gateway server, wherein said connect message is protocol specific to said communications protocol identifier and wherein said first connect message includes said secure token; and
  
  b) initiating, from said gateway server, a connection directed to said remote Web service in response to receiving said first connect message, said step of initiating including the steps of;
  
  i) inspecting said first connect message to identify said secure token;
  
  ii) evaluating said secure token to obtain second user credentials;
  
  iii) injecting, in replacement of said secure token, said second user credentials into a second connect message corresponding to said first connect message; and
  
  iv) sending said second connect message to said remote Web service;
  
  wherein said secure token includes a timestamp, wherein said timestamp is determinative of whether said secure token is invalid, and wherein said step of performing determines said secure token to be not present in a local store instance where said secure token is invalid;
  
  wherein said client system;
  
  i) monitors said secure token, as stored in said local store instance, for an expiration of said timestamp;
  
  ii) sends said secure token to said gateway server for updating of said timestamp; and
  
  iii) stores said secure token, as updated by said gateway server, to said local store instance; and
  
  wherein said gateway server generates said secure token by private key encryption of said first user credentials to produce a sealed object and public key encryption of said sealed object and said timestamp.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer implemented method of claim 1 wherein said communications protocol identifier corresponds to a non-HTTP protocol.
  - 3. The computer implemented method of claim 2 wherein said secure token includes an encrypted copy of said first user credentials.
  - 4. The computer implemented method of claim 3 wherein said second user credentials are said first user credentials obtained by decryption of said secure token.
  - 5. The computer implemented method of claim 1 wherein the request to initiate the connection directed to the remote Web service includes a request to initiate a WebSocket protocol connection.
  - 6. The computer implemented method of claim 1 wherein said second user credentials are said first user credentials obtained by decryption of said secure token.
  - 7. The computer implemented method of claim 6 wherein said secure token corresponds to a plurality of communications protocol identifiers.

8. A system, comprising:
- a communication interface configured to receive, from a client application executed within a Web-browser client on a client system, a request to initiate a connection directed to a remote Web service, wherein said connection is identified by a communications protocol identifier, wherein receiving the request includes;
  
  i) performing an authentication challenge directed to a user of said Web-browser client where a secure token is not present in a local store instance corresponding to said client application, wherein said secure token corresponds to said communications protocol identifier, and performing said authentication challenge includes receiving first user credentials at the system, and providing said secure token to said client system;
  
  ii) receiving a first connect message, wherein said connect message is protocol specific to said communications protocol identifier and wherein said first connect message includes said secure token; and
  
  a processor coupled with the communication interface and configured to initiate, a connection directed to said remote Web service in response to receiving said first connect message, wherein initiating the connection includes;
  
  i) inspecting said first connect message to identify said secure token;
  
  ii) evaluating said secure token to obtain second user credentials;
  
  iii) injecting, in replacement of said secure token, said second user credentials into a second connect message corresponding to said first connect message; and
  
  iv) sending said second connect message to said remote Web service;
  
  wherein said secure token includes a timestamp, wherein said timestamp is determinative of whether said secure token is invalid, and wherein said step of performing determines said secure token to be not present in a local store instance where said secure token is invalid;
  
  wherein said client system;
  
  i) monitors said secure token, as stored in said local store instance, for an expiration of said timestamp;
  
  ii) sends said secure token to the system for updating of said timestamp; and
  
  iii) stores said secure token, as updated by the system, to said local store instance; and
  
  wherein the system generates said secure token by private key encryption of said first user credentials to produce a sealed object and public key encryption of said sealed object and said timestamp.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein said communications protocol identifier corresponds to a non-HTTP protocol.
  - 10. The system of claim 9, wherein said secure token includes an encrypted copy of said first user credentials.
  - 11. The system of claim 10, wherein said second user credentials are said first user credentials obtained by decryption of said secure token.
  - 12. The system of claim 8, wherein the request to initiate the connection directed to the remote Web service includes a request to initiate a WebSocket protocol connection.
  - 13. The system of claim 8, wherein said second user credentials are said first user credentials obtained by decryption of said secure token.
  - 14. The system of claim 13, wherein said secure token corresponds to a plurality of communications protocol identifiers.

15. A computer program product, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- a) receiving, from a client application executed within a Web-browser client on a client system, a request to initiate a connection directed to a remote Web service, wherein said connection is identified by a communications protocol identifier, said step of receiving including the steps of;
  
  i) performing an authentication challenge directed to a user of said Web-browser client where a secure token is not present in a local store instance corresponding to said client application, wherein said secure token corresponds to said communications protocol identifier, and performing said authentication challenge includes receiving first user credentials at a gateway server, and providing said secure token from said gateway server to said client system;
  
  ii) receiving a first connect message to said gateway server, wherein said connect message is protocol specific to said communications protocol identifier and wherein said first connect message includes said secure token; and
  
  b) initiating, from said gateway server, a connection directed to said remote Web service in response to receiving said first connect message, said step of initiating including the steps of;
  
  i) inspecting said first connect message to identify said secure token;
  
  ii) evaluating said secure token to obtain second user credentials;
  
  iii) injecting, in replacement of said secure token, said second user credentials into a second connect message corresponding to said first connect message; and
  
  iv) sending said second connect message to said remote Web service;
  
  wherein said secure token includes a timestamp, wherein said timestamp is determinative of whether said secure token is invalid, and wherein said step of performing determines said secure token to be not present in a local store instance where said secure token is invalid;
  
  wherein said client system;
  
  i) monitors said secure token, as stored in said local store instance, for an expiration of said timestamp;
  
  ii) sends said secure token to said gateway server for updating of said timestamp; and
  
  iii) stores said secure token, as updated by said gateway server, to said local store instance; and
  
  wherein said gateway server generates said secure token by private key encryption of said first user credentials to produce a sealed object and public key encryption of said sealed object and said timestamp.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15, wherein said communications protocol identifier corresponds to a non-HTTP protocol.
  - 17. The computer program product of claim 16, wherein said secure token includes an encrypted copy of said first user credentials.
  - 18. The computer program product of claim 17, wherein said second user credentials are said first user credentials obtained by decryption of said secure token.
  - 19. The computer program product of claim 15 wherein the request to initiate the connection directed to the remote Web service includes a request to initiate a WebSocket protocol connection.
  - 20. The computer program product of claim 15, wherein said second user credentials are said first user credentials obtained by decryption of said secure token.
  - 21. The computer program product of claim 20, wherein said secure token corresponds to a plurality of communications protocol identifiers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kaazing Corp.
Original Assignee
Kaazing Corp.
Inventors
Fallows, John R., Salim, Frank J.
Primary Examiner(s)
Shaw, Peter
Assistant Examiner(s)
Shayanfar, Ali

Application Number

US12/788,938
Publication Number

US 20100306547A1
Time in Patent Office

1,195 Days
Field of Search

713/178, 726/9
US Class Current

713/178
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/31   User authentication

G06F 2221/2103   Challenge-response

H04L 2209/56   Financial cryptography, e.g...

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 67/02   based on web technology, e....

H04L 69/16   Implementation or adaptatio...

H04L 69/162   involving adaptations of so...

H04L 9/3234   involving additional secure...

H04L 9/3271   using challenge-response

H04L 9/3297   involving time stamps, e.g....

System and methods for providing stateless security management for web applications using non-HTTP communications protocols

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

55 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods for providing stateless security management for web applications using non-HTTP communications protocols

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links