Secure client-side communication between multiple domains

US 8,539,234 B2
Filed: 03/30/2011
Issued: 09/17/2013
Est. Priority Date: 03/30/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, by a server, authentication information of a user for a first domain and a second domain from a client system;

authenticating an identity of the user based at least in part upon the authentication information;

generating a set of instructions for client-side communication between the first domain and the second domain in response to a request received from the client system, the set of instructions indicating instructions that are permitted to be used in the client-side communication between the first domain and the second domain;

generating cryptographic construct data, using one or more processors in one or more computer systems, for the set of instructions; and

sending the set of instructions and the cryptographic construct data to the client system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for secure client-side communication between multiple domains is provided. Such methods and systems can provide for decreased communication latency particularly effective for dynamic multi-domain and/or multi-tenant environments while allowing for granular security or specific security of messages and operations with regard to users, user sessions, groups, organizations, permissions sets, applications, or any other logical delineation. Such methods and systems may involve a variety of security components, for example, at least one set of instructions including a plurality of defined instruction to be utilized by users of the set of instructions to communicate, and cryptographic construct data in order to verify the data integrity and the authenticity of messages sent and received using the secure client-side communication between multiple domains.

Citations

22 Claims

1. A computer-implemented method comprising:
- receiving, by a server, authentication information of a user for a first domain and a second domain from a client system;
  
  authenticating an identity of the user based at least in part upon the authentication information;
  
  generating a set of instructions for client-side communication between the first domain and the second domain in response to a request received from the client system, the set of instructions indicating instructions that are permitted to be used in the client-side communication between the first domain and the second domain;
  
  generating cryptographic construct data, using one or more processors in one or more computer systems, for the set of instructions; and
  
  sending the set of instructions and the cryptographic construct data to the client system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method of claim 1, wherein the authentication information for each domain is received in response to the user providing security credentials upon logging in to a web application.
  - 3. The method of claim 2, further including the user logging in to one or more web applications using a web browser.
  - 4. The method of claim 1, further including the client system displaying communication information from the first domain and the second domain on a web browser window in response to receiving the set of instructions and the cryptographic construct data.
  - 5. The method of claim 1, wherein at least one of the set of instructions or the cryptographic construct data is generated in response to one or more requests received from the client system.
  - 6. The method of claim 1, wherein the generating of the set of instructions includes one or more instruction IDs and the method further comprises mapping one or more operations to each instruction ID.
  - 7. The method of claim 6, wherein each of the one or more instruction IDs includes a random numbers that is unique within each set of instructions.
  - 8. The method of claim 1 further comprising:
    - evaluating a context of the user, anddetermining an access level of the user based on the context of the user.
  - 9. The method of claim 8, wherein each instruction within the set of instructions is generated based at least in part upon the access level of the user.
  - 10. The method of claim 1, wherein the cryptographic construct data includes Hash-Based Message Authentication Code (HMAC) construct.
  - 11. The method of claim 10, wherein the cryptographic construct data includes a secret key and an algorithm for an HMAC function.
  - 12. The method of claim 1, wherein the set of instructions includes metadata for one or more of the instructions.
  - 13. The method of claim 12, wherein the metadata for the one or more instructions includes a Time To Live (TTL) for at least one of the one or more instructions.
  - 14. The method of claim 1, wherein at least one of the first domain or the second domain is a subdomain.
  - 15. The method of claim 1, wherein generating includes:
    - receiving authentication information of the user for the first domain from a first client on the client system;
      
      receiving authentication information of the user for the second domain from a second client on the client system;
      
      generating a set of instructions for client-side communication on the client system between the first domain and the second domain in response to a request received from at least one of the first client and the second client; and
      
      sending the set of instructions and the cryptographic construct data to the first client and the second client.
  - 16. The method of claim 1, wherein generating includes:
    - receiving authentication information of a first user for the first domain from the client system;
      
      receiving authentication information of a second user for the second domain from the client system; and
      
      authenticating identity of each user based at least in part upon the authentication information.

17. A method comprising:
- providing authentication information of a user for a first domain and a second domain to a server;
  
  receiving a set of instructions for client-side communication between the first domain and the second domain, the set of instructions including one or more operations mapped to at least one instruction ID and indicating instructions that are permitted to be used in the client-side communication between the first domain and the second domain;
  
  receiving cryptographic construct data for the set of instructions;
  
  identifying a first instruction ID corresponding to a first set of one or more operations;
  
  generating, using one or more processors in one or more computer systems, a first message using the cryptographic construct data; and
  
  sending the first message to a recipient.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The method of claim 17 further comprising:
    - detecting a second message;
      
      validating the second message using the cryptographic construct data;
      
      identifying a second set of one or more operations corresponding to a second instruction ID; and
      
      performing the second set of operations.
  - 19. The method of claim 17, wherein the identifying the first instruction ID further comprises matching the first set of operations with the first instruction ID.
  - 20. The method of claim 17, wherein the cryptographic construct data includes a secret key and an HMAC function.
  - 21. The method of claim 20, wherein the first message is generated by combining the first message with the secret key using the HMAC function.

22. A system for secure client-side communication between multiple domains, the system comprising:
- at least one web-enabled client device configured to;
  
  provide authentication information of a user for a first domain and a second domain;
  
  receive a set of instructions and a cryptographic construct data, the set of instructions including one or more operations mapped to at least one instruction ID;
  
  identify a first instruction ID corresponding to a first set of one or more operations;
  
  generate a first message using the cryptographic construct data;
  
  send the message to a recipient;
  
  detect a second message;
  
  validate the second message using the cryptographic construct data;
  
  identify a second set of one or more operations corresponding to a second instruction ID; and
  
  perform the second set of operations;
  
  and at least one web-enabled server device configured to;
  
  receive the authentication information of the user for the first domain and the second domain from the at least one client device;
  
  authenticate an identity of the user based at least in part upon the authentication information;
  
  generate the set of instructions for client-side communication between the first domain and the second domain in response to a request received from the at least one client device;
  
  generate the cryptographic construct data for the set of instructions; and
  
  send the set of instructions and the cryptographic construct data to the at least one client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
O'Connor, Brendan, Gluck, Yoel
Primary Examiner(s)
CHEN, SHIN HON

Application Number

US13/065,868
Publication Number

US 20110246772A1
Time in Patent Office

902 Days
Field of Search

None
US Class Current

713/168
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 2209/80   Wireless

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/12   Applying verification of th...

H04L 9/3242   involving keyed hash functi...

Secure client-side communication between multiple domains

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Secure client-side communication between multiple domains

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links