Method and system for restricting access to user resources

US 8,631,474 B2
Filed: 05/24/2012
Issued: 01/14/2014
Est. Priority Date: 03/05/1997
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory computer-readable storage medium having computer-executable code stored therein for passing messages from a service provided by a server in a first walled garden of a plurality of walled gardens to a client, wherein each of the plurality of walled gardens is identified by an affiliation value, the computer-executable code executable to perform steps comprising:

receiving a message from the service intended for the client;

examining a header of the message to determine whether the header represents a potential security violation;

stripping the header from the message responsive to a determination that the header represents a potential security violation;

determining permissions of the service with respect to the client, wherein the permissions are determined responsive at least in part to the service, the client, and an affiliation value of the first walled garden;

including the determined permissions with the message in a second header; and

passing the message and the second header to the client.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user'"'"'s set top box (STB), or other client, executes a shell and has an application program interface (API) by which certain features of the client can be controlled. The client is in communication with a walled garden proxy server (WGPS). The client sends a request to the WGPS to access a service provided by a site in the garden. The site sends the client a message containing code calling a function in the API. The WGPS traps the message from the site and looks up the site in a table to determine the access control list (ACL) for the site. The WGPS includes the ACL in the header of the hypertext transport protocol (HTTP) message to the client. The shell receives the message and extracts the ACL. If the code lacks permission, the shell stops execution.

137 Citations

15 Claims

1. A non-transitory computer-readable storage medium having computer-executable code stored therein for passing messages from a service provided by a server in a first walled garden of a plurality of walled gardens to a client, wherein each of the plurality of walled gardens is identified by an affiliation value, the computer-executable code executable to perform steps comprising:
- receiving a message from the service intended for the client;
  
  examining a header of the message to determine whether the header represents a potential security violation;
  
  stripping the header from the message responsive to a determination that the header represents a potential security violation;
  
  determining permissions of the service with respect to the client, wherein the permissions are determined responsive at least in part to the service, the client, and an affiliation value of the first walled garden;
  
  including the determined permissions with the message in a second header; and
  
  passing the message and the second header to the client.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The computer-readable storage medium of claim 1, wherein determining permissions of the service with respect to the client comprises:
    - determining an identity of the server providing the service;
      
      determining a user agent of the client; and
      
      retrieving the permissions of the service from a permissions table using the determined identity of the server, the determined user agent, and the affiliation value of the first walled garden.
  - 3. The computer-readable storage medium of claim 2, wherein the permissions table specifies access rights for a plurality of servers in the first walled garden and indicates which application programming interfaces (APIs) of the client can be accessed by each of the plurality of servers.
  - 4. The computer-readable storage medium of claim 3, wherein each of the plurality of servers listed in the permissions table is identified according to uniform resource locator (URL) prefix.
  - 5. The computer-readable storage medium of claim 1, wherein including the determined permissions with the message comprises:
    - adding a hypertext transport protocol (HTTP) header specifying the determined permissions to the message.

6. A proxy server for passing messages from a service provided by a server in a first walled garden of a plurality of walled gardens to a client, wherein each of the plurality of walled gardens is identified by an affiliation value, the proxy server comprising:
- a processor for executing computer program code;
  
  a non-transitory computer-readable storage medium having computer-executable code stored therein, the computer-executable code executable to;
  
  receive a message from the service intended for the client;
  
  examine a header of the message to determine whether the header represents a potential security violation;
  
  strip the header from the message responsive to a determination that the header represents a potential security violation;
  
  determine permissions of the service with respect to the client, wherein the permissions are determined responsive at least in part to the service, the client, and an affiliation value of the first walled garden;
  
  include the determined permissions with the message in a second header; and
  
  pass the message and the second header to the client.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The proxy server of claim 6, wherein determining permissions of the service with respect to the client comprises:
    - determining an identity of the server providing the service;
      
      determining a user agent of the client; and
      
      retrieving the permissions of the service from a permissions table using the determined identity of the server, the determined user agent, and the affiliation value of the first walled garden.
  - 8. The proxy server of claim 7, wherein the permissions table specifies access rights for a plurality of servers in the first walled garden and indicates which application programming interfaces (APIs) of the client can be accessed by each of the plurality of servers.
  - 9. The proxy server of claim 8, wherein each of the plurality of servers listed in the permissions table is identified according to uniform resource locator (URL) prefix.
  - 10. The proxy server of claim 6, wherein including the determined permissions with the message comprises:
    - adding a hypertext transport protocol (HTTP) header specifying the determined permissions to the message.

11. A computer-implemented method of passing messages from a service provided by a server in a first walled garden of a plurality of walled gardens to a client, wherein each of the plurality of walled gardens is identified by an affiliation value, comprising:
- receiving, using one or more computers, a message from the service intended for the client;
  
  examining, using one or more computers, a header of the message to determine whether the header represents a potential security violation;
  
  stripping, using one or more computers, the header from the message responsive to a determination that the header represents a potential security violation;
  
  determining, using one or more computers, permissions of the service with respect to the client, wherein the permissions are determined responsive at least in part to the service, the client, and an affiliation value of the first walled garden;
  
  including, using one or more computers, the determined permissions with the message in a second header; and
  
  passing, using one or more computers, the message and the second header to the client.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11, wherein determining permissions of the service with respect to the client comprises:
    - determining an identity of the server providing the service;
      
      determining a user agent of the client; and
      
      retrieving the permissions of the service from a permissions table using the determined identity of the server, the determined user agent, and the affiliation value of the first walled garden.
  - 13. The method of claim 12, wherein the permissions table specifies access rights for a plurality of servers in the first walled garden and indicates which application programming interfaces (APIs) of the client can be accessed by each of the plurality of servers.
  - 14. The method of claim 13, wherein each of the plurality of servers listed in the permissions table is identified according to uniform resource locator (URL) prefix.
  - 15. The method of claim 11, wherein including the determined permissions with the message comprises:
    - adding a hypertext transport protocol (HTTP) header specifying the determined permissions to the message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
At Home Bondholders Liquidating Trust (At Home Corporation)
Original Assignee
At Home Bondholders Liquidating Trust (At Home Corporation)
Inventors
Brown, Ralph William, Medin, Milo S. Jr., Keller, Robert, Temkin, David
Primary Examiner(s)
LEMMA, SAMSON B

Application Number

US13/480,439
Publication Number

US 20120297460A1
Time in Patent Office

600 Days
Field of Search

726/2, 726/4, 726/27, 726/11, 709/225, 709/229, 713/160
US Class Current

726/4
CPC Class Codes

G06F 21/10   Protecting distributed prog...

H04L 12/1836   with heterogeneous network ...

H04L 12/1845   broadcast or multicast in a...

H04L 12/1854   with non-centralised forwar...

H04L 12/1877   Measures taken prior to tra...

H04L 12/2801   Broadband local area networks

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2861   Point-to-multipoint connect...

H04L 12/287   Remote access server, e.g. ...

H04L 12/2883   ATM DSLAM

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/101   Access control lists [ACL]

H04L 67/2885   Hierarchically arranged int...

H04L 67/52   specially adapted for the l...

H04L 67/568   Storing data temporarily at...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04N 21/2225   Local VOD servers

H04N 21/23106   involving caching operation...

Method and system for restricting access to user resources

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

137 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for restricting access to user resources

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

137 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links