HTTP authentication and authorization management

US 8,656,462 B2
Filed: 07/24/2008
Issued: 02/18/2014
Est. Priority Date: 07/24/2008
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method, comprising:

receiving, at a processing node comprising a communication device, a request for a domain from a client browser;

determining if the client browser is both authenticated and authorized through the steps of;

determining a state of a plurality of states associated with the client browser based on data included with the request, wherein the plurality of states are managed by a state manager and the plurality of states comprise a plurality of authenticated states and an unauthenticated state;

determining whether the state comprises an authenticated state of the plurality of authenticated states,in response to the state comprises an authenticated state of the plurality of authenticated states,determining at the processing node whether the request includes domain authorization data for the requested domain;

in response to the request for the domain includes the domain authorization data, determining whether the domain authorization data matches with the requested domain,in response to the domain authorization data matches with the requested domain, allowing the request for the domain;

in response to the request for the domain does not include the domain authorization data, requesting authorized user data from the client browser;

in response to the request for the authorized user data, determining whether the client browser provided the authorized user data;

in response to the client browser provided the authorized user data, generating at the processing node the domain authorization data, allowing the request for the domain, and providing the domain authorization data to the client browser;

in response to if the client browser does not provide the authorized user data, requesting user authorization from the client browser.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and apparatus for a distributed security that provides authentication and authorization management. The system can include a state manager that is used to identify and maintain the source associated with a client browser that submits requests to the state manager. The state manager can allow requests that are authorized and request authorization for requests that are not. The state manager can maintain the states associated with each domain to reduce the number of transaction needed to authenticate and/or authorize subsequent requests to the same domain or to different domains.

Citations

19 Claims

1. A computer implemented method, comprising:
- receiving, at a processing node comprising a communication device, a request for a domain from a client browser;
  
  determining if the client browser is both authenticated and authorized through the steps of;
  
  determining a state of a plurality of states associated with the client browser based on data included with the request, wherein the plurality of states are managed by a state manager and the plurality of states comprise a plurality of authenticated states and an unauthenticated state;
  
  determining whether the state comprises an authenticated state of the plurality of authenticated states,in response to the state comprises an authenticated state of the plurality of authenticated states,determining at the processing node whether the request includes domain authorization data for the requested domain;
  
  in response to the request for the domain includes the domain authorization data, determining whether the domain authorization data matches with the requested domain,in response to the domain authorization data matches with the requested domain, allowing the request for the domain;
  
  in response to the request for the domain does not include the domain authorization data, requesting authorized user data from the client browser;
  
  in response to the request for the authorized user data, determining whether the client browser provided the authorized user data;
  
  in response to the client browser provided the authorized user data, generating at the processing node the domain authorization data, allowing the request for the domain, and providing the domain authorization data to the client browser;
  
  in response to if the client browser does not provide the authorized user data, requesting user authorization from the client browser.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein receiving at a processing node a request for a domain from a client browser comprises:
    - receiving at a processing node a request for a Uniform Resource Locator (URL) from a client browser; and
      
      identifying a domain associated with the URL.
  - 3. The method of claim 2, wherein allowing the request for the domain comprises allowing the request for a URL associated with the domain.
  - 4. The method of claim 1, wherein requesting user authorization from the client browser comprises initiating a request from an access agent to the client browser for user credentials, and wherein the access agent is separate from the processing node.
  - 5. The method of claim 1, wherein the domain authorization data is based on the authorized user data.
  - 6. The method of claim 1, wherein user authorization data is based on authentication data, the authentication data passed to the processing node as a query parameter.
  - 7. The method of claim 1, wherein the request for the domain is an Hypertext Transfer Protocol (http) request.
  - 8. The method of claim 1, wherein the domain authorization data is an Hypertext Transfer Protocol (http) cookie.
  - 9. The method of claim 1, wherein allowing the request comprises:
    - removing the domain authorization data from the request; and
      
      transmitting the request to the domain.
  - 10. The method of claim 1, wherein determining a state associated with the client browser comprises determining that the client browser is associated with an Authorized User (AU) state if the request from the client browser included user authorization data.
  - 15. The method of claim 1, further comprising:
    - if the state comprises the unauthenticated state, redirecting the client browser to an access agent for authentication of the client browser, and wherein the access agent is separate from the processing node.
  - 16. The method of claim 1, wherein each of the plurality of authenticated states determine an authorization level related to accessible resources of the client browser, and each of the plurality of states comprises a level of authentication and authorization of the client browser.
  - 17. The method of claim 16, wherein the state manager is configured to maintain the state of the client browser.
  - 18. The method of claim 4, wherein the processing node is part of a distributed security system comprising an authority node communicatively coupled to the processing node and the access agent.
  - 19. The method of claim 18, wherein the distributed security system is implemented as an overlay network in a wide area network.

11. A computer implemented method, comprising:
- receiving, at a processing node comprising a communication device, an Hypertext Transfer Protocol (http) request from a client browser;
  
  analyzing at the processing node data associated with the http request;
  
  determining if the client browser is both authenticated and authorized through the steps of;
  
  determining a state of a plurality of states based on the data associated with the http request, wherein the plurality of states are managed by a state manager and the plurality of states comprise a plurality of authenticated states and an unauthenticated state;
  
  determining whether the state comprises one of the plurality of authenticated states,in response to the state comprises one of the plurality of authenticated states, determining whether the data associated with the http request;
  
  in response to the data associated with the http request included domain authorization data, determining whether the domain authorization data matches with the http request,in response to the domain authorization data matches with the http request, allowing the data associated the http request;
  
  in response to the data associated with the http request does not include domain authorization data,determining whether the data associated with the http request;
  
  in response to the data associated with the http request included authorized user data,generating domain authorization data based on the authorized user data;
  
  redirecting the client browser to submit a redirected http request to the processing node with the generated domain authorization data,in response to the data associated with the http request does not include authorized user data, instructing the client browser to obtain authorization; and
  
  determining whether the state comprises the unauthenticated state,in response to the state comprises the unauthenticated state, redirecting the client browser to an access agent for authentication, and wherein the access agent is separate from the processing node.

12. A non-transitory computer readable storage medium storing computer instructions, which when executed by a computer device, cause the computing device to perform the steps of:
- receiving at a processing node a request for a Uniform Resource Locater (URL) at a domain;
  
  determining if a client browser associated with the request is both authenticated and authorized through the steps of;
  
  determining a state of a plurality of states based on the request, wherein the plurality of states are managed by a state manager and the plurality of states comprise a plurality of authenticated states and an unauthenticated state;
  
  determining whether the state comprises one of the plurality of authenticated states,in response to the state comprises one of the plurality of authenticated states,determining at the processing node whether the request includes domain authorization data for the domain of the request URL;
  
  in response to the request for the domain includes the domain authorization data, determining whether the domain authorization data matches with requested domain,in response to the domain authorization data matches with the requested domain, allowing the request for the URL;
  
  in response to the request for the domain does not include the domain authorization data, requesting authorized user data from the client browser;
  
  in response to the request for the authorized user data, determining whether the client browser provided the authorized user data;
  
  in response to the client browser provided the authorized user data, generating at the processing node the domain authorization data, allowing the request for the URL, and providing the domain authorization data to the client browser;
  
  in response to the client browser does not provide the authorized user data, requesting user authorization from the client browser.
- View Dependent Claims (13, 14)
- - 13. The non-transitory computer readable storage medium storing computer instructions of claim 12, wherein the request is an Hypertext Transfer Protocol (http) request.
  - 14. The non-transitory computer readable storage medium storing computer instructions of claim 12, wherein the domain authorization data and the authorized user data are stored in the form of an Hypertext Transfer Protocol (http) cookie.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zscaler Incorporated
Original Assignee
Zscaler Incorporated
Inventors
Kailash, Kailash, Nanjundaswamy, Shashidhara Mysore, Mullick, Amarnath, Raphel, Jose
Primary Examiner(s)
Pham, Luu
Assistant Examiner(s)
Le, Canh

Application Number

US12/179,403
Publication Number

US 20100024006A1
Time in Patent Office

2,035 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

HTTP authentication and authorization management

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP authentication and authorization management

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links