User impersonation and authentication

US 8,756,704 B2
Filed: 06/10/2009
Issued: 06/17/2014
Est. Priority Date: 12/15/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented method for accessing a resource, the method comprising:

receiving a first identifier and a second identifier that uniquely identify a first user and a second user declared in a computer system, respectively, the first user being different from the second user;

authenticating the first user;

generating a user session object comprising the first identifier, the second identifier, and a session object identifier;

receiving a request to modify the resource from the first user;

determining whether the second user is authorized to modify the resource;

preventing the first user from modifying the resource responsive to a determination that the second user is not authorized to modify the resource;

responsive to a determination that the second user is authorized to modify the resource;

determining whether a lock object is associated with the resource, the lock object for preventing concurrent modification of the resource by more than one user, the lock object comprising a lock object session identifier, a lock object first identifier, and a lock object second identifier;

responsive to a determination that the lock object is not associated with the resource, generating a lock object, storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively, and assigning the generated lock object to the first user;

responsive to a determination that a lock object is already associated with the resource;

determining whether the lock object is owned by any user;

responsive a determination that the lock object is not owned, assigning the lock object to the first user and storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively;

responsive to a determination that the lock object is owned, determining whether a first set of criteria is satisfied for assigning the lock object to the first user; and

responsive to a determination that the first set of criteria is satisfied, providing the first user with a capability to acquire the lock object.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for modifying a resource by an authenticated user impersonating another user. In one embodiment of the invention, a lock may be acquired on the resource to be modified, storing the identity of the authenticated user and the identity of the impersonated user inside the lock object, and generating a message indicating that the lock was acquired successfully by the authenticated user impersonating another user.

43 Citations

View as Search Results

17 Claims

1. A computer-implemented method for accessing a resource, the method comprising:
- receiving a first identifier and a second identifier that uniquely identify a first user and a second user declared in a computer system, respectively, the first user being different from the second user;
  
  authenticating the first user;
  
  generating a user session object comprising the first identifier, the second identifier, and a session object identifier;
  
  receiving a request to modify the resource from the first user;
  
  determining whether the second user is authorized to modify the resource;
  
  preventing the first user from modifying the resource responsive to a determination that the second user is not authorized to modify the resource;
  
  responsive to a determination that the second user is authorized to modify the resource;
  
  determining whether a lock object is associated with the resource, the lock object for preventing concurrent modification of the resource by more than one user, the lock object comprising a lock object session identifier, a lock object first identifier, and a lock object second identifier;
  
  responsive to a determination that the lock object is not associated with the resource, generating a lock object, storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively, and assigning the generated lock object to the first user;
  
  responsive to a determination that a lock object is already associated with the resource;
  
  determining whether the lock object is owned by any user;
  
  responsive a determination that the lock object is not owned, assigning the lock object to the first user and storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively;
  
  responsive to a determination that the lock object is owned, determining whether a first set of criteria is satisfied for assigning the lock object to the first user; and
  
  responsive to a determination that the first set of criteria is satisfied, providing the first user with a capability to acquire the lock object.
- View Dependent Claims (2, 3, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein at least one of the generated lock object and the lock object acquired by the first user is adapted to indicate that the resource is locked by the first user while impersonating the second user.
  - 3. The method of claim 1, the authenticating the first user further comprising:
    - receiving an identity verifier from the first user; and
      
      authenticating the first user based on a correspondence between the identity verifier and the first identifier.
  - 10. The method of claim 1, the first set of criteria comprising:
    - correspondence between the session identifier of the user session object and the session object identifier of the lock object;
      
      correspondence between the lock object first identifier and the first identifier; and
      
      absence of another session object attempting to win a race condition to acquire the lock object.
  - 11. The method of claim 10, further comprising:
    - determining a status of the lock object, the status selected from the group consisting of;
      
      expired and active, responsive to a determination that the session identifier of the user session object does not correspond to the session object identifier of the lock object;
      
      determining whether another session object is attempting to win a race condition to acquire the lock object responsive to a determination that the lock object is expired; and
      
      providing the first user with a capability to acquire the lock object responsive to a determination that another session object is not attempting to win a race condition to acquire the lock object.
  - 12. The method of claim 11, further comprising:
    - responsive to a determination that the session identifier of the user session object does not correspond to the session object identifier of the lock object and a determination that the lock object is active, determining whether the first identifier corresponds to the lock object first identifier;
      
      determining whether another user is attempting to win a race condition to acquire the lock object; and
      
      responsive to a determination that the first identifier corresponds to the lock object first identifier and a determination that another user is not attempting to win a race condition to acquire the lock object, providing the first user with a capability to acquire the lock object.
  - 13. The method of claim 12, further comprising:
    - determining whether a second set of criteria is satisfied responsive to a determination that the first identifier does not correspond to the lock object first identifier;
      
      providing the first user with a capability to acquire the lock object responsive to a determination that the second set of criteria is satisfied; and
      
      preventing the first user from modifying the resource responsive to a determination that the second set of criteria is not satisfied,wherein the second set of criteria comprises;
      
      correspondence between the second identifier and the lock object first identifier, orcorrespondence between the second identifier and the lock object second identifier.

4. A computer program product stored on a non-transitory computer readable medium, the computer readable medium comprising computer program instructions for accessing a resource, the computer program instructions comprising:
- computer program instructions for receiving a first identifier and a second identifier that uniquely identify a first user and a second user declared in a computer system, respectively, the first user being different from the second user;
  
  computer program instructions for authenticating the first user;
  
  computer program instructions for generating a user session object comprising the first identifier, the second identifier, and a session object identifier;
  
  computer program instructions for receiving a request to modify the resource from the first user;
  
  computer program instructions for preventing the first user from modifying the resource responsive to a determination that the second user is not authorized to modify the resource;
  
  responsive to a determination the second user is authorized to modify the resource;
  
  computer program instructions for determining whether a lock object is associated with the resource, the lock object for preventing concurrent modification of the resource by more than one user, the lock object comprising a lock object session identifier, a lock object first identifier, and a lock object second identifier;
  
  computer program instructions for, responsive to a determination that the lock object is not associated with the resource, generating a lock object, storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively, and assigning the generated lock object to the first user;
  
  responsive to a determination that a lock object is associated with the resource;
  
  computer program instructions for determining whether the lock object is owned by any user;
  
  computer program instructions for, responsive to a determination that the lock object is not owned, assigning the lock object to the first user and storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively;
  
  computer program instructions for, responsive to a determination that the lock object is owned, determining whether a first set of criteria for assigning the lock object to the first user is satisfied; and
  
  computer program instructions for, responsive to a determination that the first set of criteria is satisfied, providing the first user with a capability to acquire the lock object.
- View Dependent Claims (5, 6)
- - 5. The computer program product of claim 4, further comprising computer program instructions associated with the generated lock object or the lock object acquired by the first user for indicating that the resource is locked by the first user while impersonating the second user.
  - 6. The computer program product of claim 4, further comprising:
    - computer program instructions for receiving an identity verifier from the first user; and
      
      computer program instructions for authenticating the first user based on a correspondence between the identity verifier and the first identifier.

7. A system for permitting access to a resource, the system comprising:
- one or more processors;
  
  a memory operatively coupled to the one or more processors;
  
  one or more nonvolatile storage devices accessible by the one or more processors; and
  
  an authentication and authorization tool for permitting a first user to access the resource, the authentication and authorization tool comprising computer program instructions that upon execution by at least one of the one or more processors cause the system to perform steps comprising;
  
  receiving a first identifier and a second identifier that uniquely identify a first and second user declared in the computer system, respectively, the first user being different from the second user;
  
  authenticating the first user;
  
  generating a user session object comprising the first identifier, the second identifier, and a session object identifier;
  
  receiving a request to modify the resource from the first user;
  
  determining whether the second user is authorized to modify the resource;
  
  preventing the first user from modifying the resource responsive to a determination that the second user is not authorized to modify the resource;
  
  responsive to a determination that the second user is authorized to modify the resource;
  
  determining whether a lock object is associated with the resource, the lock object for preventing concurrent modification of the resource by more than one user, and comprising a lock object session identifier, a lock object first identifier, and a lock object second identifier;
  
  responsive to a determination that the lock object is not associated with the resource, generating a first user lock object, storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively, and assigning the generated lock object to the first user;
  
  responsive to a determination that a lock object is associated with the resource;
  
  determining whether the lock object is owned by any user;
  
  responsive to a determination that the lock object is not owned, assigning the lock object to the first user and storing the session object identifier, the first identifier, and the second identifier as the lock object session identifier, the lock object first identifier, and the lock object second identifier, respectively;
  
  responsive to a determination that the lock object is owned, determining whether a first set of criteria for assigning the lock object to the first user is satisfied; and
  
  responsive to a determination that the first set of criteria is satisfied, providing the first user with a capability to acquire the lock object.
- View Dependent Claims (8, 9, 14, 15, 16, 17)
- - 8. The resource access system of claim 7, wherein the generated lock object or the lock object acquired by the first user is adapted to indicate that the resource is locked by the first user while impersonating the second user.
  - 9. The resource access system of claim 7, further comprising computer program instructions that upon execution cause the system to perform additional steps comprising:
    - receiving an identity verifier from the first user; and
      
      authenticating the first user based on a correspondence between the identity verifier and the first identifier.
  - 14. The system of claim 7, the first set of criteria comprising:
    - correspondence between the session identifier of the user session object and the session object identifier of the lock object;
      
      correspondence between the lock object first identifier and the first identifier; and
      
      absence of another session object attempting to win a race condition to acquire the lock object.
  - 15. The system of claim 14, the authentication and authorization tool further comprising computer program instructions that upon execution cause the system to perform additional steps comprising:
    - determining a status of the lock object, the status selected from the group consisting of;
      
      expired and active, responsive to a determination that the session identifier of the user session object does not correspond to the session object identifier of the lock object;
      
      determining whether another session object is attempting to win a race condition to acquire the lock object responsive to a determination that the lock object is expired; and
      
      providing the first user with a capability to acquire the lock object responsive to a determination that another session object is not attempting to win a race condition to acquire the lock object.
  - 16. The system of claim 15, the authentication and authorization tool further comprising computer program instructions that upon execution cause the system to perform additional steps comprising:
    - responsive to a determination that the session identifier of the user session object does not correspond to the session object identifier of the lock object and a determination that the lock object is active, determining whether the first identifier corresponds to the lock object first identifier;
      
      determining whether another user is attempting to win a race condition to acquire the lock object; and
      
      responsive to a determination that the first identifier corresponds to the lock object first identifier and a determination that another user is not attempting to win a race condition to acquire the lock object, providing the first user with a capability to acquire the lock object.
  - 17. The system of claim 16, the authentication and authorization tool further comprising computer program instructions that upon execution cause the system to perform additional steps comprising:
    - determining whether a second set of criteria is satisfied responsive to a determination that the first identifier does not correspond to the lock object first identifier;
      
      providing the first user with a capability to acquire the lock object responsive to a determination that the second set of criteria is satisfied; and
      
      preventing the first user from modifying the resource responsive to a determination that the second set of criteria is not satisfied,wherein the second set of criteria comprises;
      
      correspondence between the second identifier and the lock object first identifier, orcorrespondence between the second identifier and the lock object second identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Castellucci, Antonio, Iorfida, Dario, Vitaletti, Marcello, Gambardella, Carmela, Rea, Aniello Alessandro
Primary Examiner(s)
Zele, Krista
Assistant Examiner(s)
Benoit, Esther

Application Number

US12/481,841
Publication Number

US 20100154043A1
Time in Patent Office

1,833 Days
Field of Search

726/28
US Class Current

726/28
CPC Class Codes

G06F 21/6218 to a system of files or obj...

User impersonation and authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

43 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

User impersonation and authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

43 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links