Brokering state information and identity among user agents, origin servers, and proxies
First Claim
1. A method implemented and residing within a non-transitory computer-readable storage medium, comprising:
intercepting, at a transparent proxy, a request from a client, the request for a resource of an origin server and directed initially by the client to the origin server;
obtaining, by the transparent proxy, policy enforcement data that grants the client access to use the transparent proxy based on the policy enforcement data, and the policy enforcement data is digitally signed;
producing, by the transparent proxy, a policy state token based on the policy enforcement data;
sending, by the transparent proxy, the policy state token to the client for authentication of the client at the transparent proxy during subsequent interactions, the policy state token maintains a relationship among the client, the transparent proxy, and the origin server and serves as authorization for the client to use the transparent proxy to access the resource of the origin server;
managing, by the transparent proxy, communications associated with the policy state token, the transparent proxy acting as an intermediary between the client and the origin server; and
managing all interactions between the client and the transparent proxy via existing network protocols and without changes to the client or the transparent proxy, and using a second transparent proxy to provide failover for the transparent proxy when the transparent proxy becomes unavailable to continue to manage the interactions.
8 Assignments
0 Petitions
Abstract
Methods, signals, devices, and systems are provided for using proxy servers to transparently forward messages between clients and origin servers if, and only if, doing so does not violate network policies. In some systems, a transparent proxy uses a combination of standard-format HTTP commands, embedding auxiliary information in URLs and other tools and techniques to redirect an initial client request to one or more policy modules, such as a login server or an identity broker or an access control server. The policy module authenticates the request, and uses HTTP redirection to have the client transmit authorization data to the proxy. The proxy extracts the authorization data, directs the client to use a corresponding cookie, and subsequently provides the implicitly requested proxy services to the client in response to the client's subsequently providing the authorization data in a cookie. This is accomplished without requiring installation of any invention-specific software or hardware on either the client or the origin server, and also works with proxy servers that are known to the client. Unless the client request violates network policy, a person using the client will generally perceive no reduction of services, and will instead benefit from the proxy's caching and/or other performance enhancements.
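The redirect-and-cookie exchange the abstract describes (intercept, bounce to a policy module, receive signed policy enforcement data back through the client's browser, mint a policy state token, then authenticate later requests by that token) can be walked through in a few dozen lines. The Python below is an added illustration written for this page, not code from the patent or its assignee. Every host name, key and user name in it is constructed; the "digital signature" on the policy enforcement data is an HMAC with a key shared between policy module and proxy, a stand-in for whatever signature scheme a real deployment would use; and the origin server is simulated by the proxy returning a 200 once the token checks out.

```python
import hmac, hashlib, json, base64
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example; none come from the patent.
POLICY_KEY = b"policy-module-signing-key"   # stand-in for the policy module's signing key
PROXY_KEY = b"proxy-token-key"              # key the proxy uses to mint policy state tokens
PROXY_HOST = "proxy.example"
POLICY_URL = "http://policy.example/authorize"
ALLOWED_CLIENTS = {"alice"}                 # network policy: who may use the proxy

def b64(d): return base64.urlsafe_b64encode(d).decode().rstrip("=")
def unb64(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign(key, payload: bytes) -> str:
    return b64(hmac.new(key, payload, hashlib.sha256).digest())

def verify(key, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)

# --- policy module (login server / identity broker / access-control server) ---
def policy_module(client_id, return_to, now):
    """Authenticate the client and issue signed policy enforcement data, or deny."""
    if client_id not in ALLOWED_CLIENTS:
        return {"status": 403, "body": "policy denies proxy access"}
    ped = json.dumps({"client": client_id, "proxy": PROXY_HOST, "exp": now + 300},
                     sort_keys=True).encode()
    # HTTP redirect carries the signed data back to the proxy via the client (auxiliary info in the URL)
    q = urlencode({"ped": b64(ped), "sig": sign(POLICY_KEY, ped), "return_to": return_to})
    return {"status": 302, "location": f"http://{PROXY_HOST}/_policy_callback?{q}"}

# --- transparent proxy ---
def mint_token(client_id, origin, exp):
    """Policy state token binding client, origin and proxy, with an expiry, under the proxy's key."""
    payload = f"{client_id}|{origin}|{PROXY_HOST}|{exp}".encode()
    return f"{b64(payload)}.{sign(PROXY_KEY, payload)}"

def check_token(token, origin, now):
    """Return the client id a token authorizes for this origin, or None if it is unusable."""
    try:
        p64, sig = token.split(".")
        payload = unb64(p64)
        client_id, tok_origin, tok_proxy, exp = payload.decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if not verify(PROXY_KEY, payload, sig):
        return None
    if tok_origin != origin or tok_proxy != PROXY_HOST or int(exp) <= now:
        return None
    return client_id

def proxy(request, now):
    """Handle an intercepted request: callback from the policy module, or a request for an origin."""
    url = urlparse(request["url"])
    if url.netloc == PROXY_HOST and url.path == "/_policy_callback":
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        ped = unb64(q.get("ped", ""))
        if not verify(POLICY_KEY, ped, q.get("sig", "")):
            return {"status": 403, "body": "bad policy signature"}
        data = json.loads(ped)
        if data["proxy"] != PROXY_HOST or data["exp"] <= now:
            return {"status": 403, "body": "policy data expired or not for this proxy"}
        origin = urlparse(q["return_to"]).netloc
        # Direct the client to present the token as a cookie, then send it back to the resource
        return {"status": 302, "location": q["return_to"],
                "set_cookie": mint_token(data["client"], origin, data["exp"])}
    client_id = check_token(request.get("cookie", ""), url.netloc, now)
    if client_id is None:
        # No usable token: redirect to the policy module, embedding the original URL
        return {"status": 302, "location": POLICY_URL + "?" + urlencode({"return_to": request["url"]})}
    return {"status": 200, "body": f"{url.netloc} served {url.path} to {client_id} via proxy"}

# --- client (browser that follows redirects and keeps one cookie) ---
def client_session(client_id, target_url, now=1_700_000_000, cookie=""):
    """Issue a request to the origin and follow redirects; return (final status, cookie)."""
    url, hops = target_url, 0
    while hops < 6:
        hops += 1
        parsed = urlparse(url)
        if parsed.netloc == urlparse(POLICY_URL).netloc:
            q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
            resp = policy_module(client_id, q.get("return_to", target_url), now)
        else:
            resp = proxy({"url": url, "cookie": cookie}, now)   # every other hop is intercepted
        cookie = resp.get("set_cookie", cookie)
        if resp["status"] != 302:
            return resp["status"], cookie
        url = resp["location"]
    return 508, cookie   # redirect loop guard

if __name__ == "__main__":
    print(client_session("alice", "http://origin.example/doc"))   # (200, <token>)
    print(client_session("bob", "http://origin.example/doc"))     # (403, '')
```

Two properties worth noting for anyone assessing a design like this: the token is bound to the origin and proxy it was issued for, so a cookie captured for one origin does not authorize another; and a forged or expired token simply restarts the policy exchange, so the policy module, not the proxy, remains the point where access is granted or refused.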
52 Citations
20 Claims
1. (Independent claim; text given in full under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 17
11. A transparent proxy server comprising:
a memory configured at least in part by a transparent proxy process;
a processor for running the transparent proxy process;
at least one link for networked communication between the transparent proxy process, on the one hand, and a client computer and an origin server, on the other hand; and
a policy module identifier which identifies a policy module that grants or denies authorization of proxy services to the client computer by acquiring policy enforcement data and attempting to authenticate the client computer to the transparent proxy process in response to the policy enforcement data, the policy enforcement data provides an indication that the client can use the transparent proxy process and based on the policy enforcement data the client is granted access to the transparent proxy process, and the policy enforcement data is digitally signed, and the client computer directs a request for a resource to an origin server and the request is intercepted by the transparent proxy process, which is unknown to the client computer, and used to determine the policy module identifier which identifies the policy module, and the policy module authenticates the client computer to the transparent proxy process for subsequent interactions between the client computer and the transparent proxy process, and the transparent proxy creates a transparent proxy cookie for the relationship among the client, the origin server, and the transparent proxy, and the transparent proxy manages the transparent proxy cookie on the client, and the transparent proxy acting as an intermediary between the client and the origin server for managing cookie communications, and all interactions between the client and the transparent proxy are done via existing network protocols and without changes to the client or the transparent proxy, and using a second transparent proxy to provide failover for the transparent proxy when the transparent proxy becomes unavailable to continue to manage the interactions.
Dependent claims: 12, 13, 14, 15
16. A method implemented and residing within a non-transitory computer-readable storage medium, comprising:
managing, at a transparent proxy, communications occurring between a client and an origin server;
maintaining, by the transparent proxy, key information used to authenticate the client to the origin server, the origin server to the client, the client to the transparent proxy, and the origin server to the transparent proxy; and
managing, by the transparent proxy, all interactions between the client and the transparent proxy via existing network protocols and without changes to the client or the transparent proxy, the client granted access to the transparent proxy based on policy enforcement data that is digitally signed, and using a second transparent proxy to provide failover for the transparent proxy when the transparent proxy becomes unavailable to continue to manage the interactions.
Dependent claims: 18, 19, 20