User authentication for intermediate representational state transfer (REST) client via certificate authority

US 9,021,552 B2
Filed: 04/05/2011
Issued: 04/28/2015
Est. Priority Date: 04/05/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-readable storage device including executable code that, when executed, is configured to cause at least one data processing apparatus to:

receive, by an intermediate representational state transfer (REST) client and from a separate user computer, a request for a resource stored on a REST server, the resource request including a user ID associated with a user;

determine, by the intermediate REST client and responsive to the resource request, that a key pair associated with the user ID is not stored on the intermediate REST client;

based on determining that a keypair associated with the user ID is not stored on the intermediate REST client;

generate, by the intermediate REST client, a public key and a corresponding private key, the generated public key and the corresponding generated private key included in a keypair associated with the user ID; and

store the generated keypair on the intermediate REST client in association with the user ID;

obtain, by the intermediate REST client, a certificate associated with the user ID that is signed by a certificate authority and based on at least the user ID and the generated public key associated with the user ID;

establish a connection between the intermediate REST client and the REST server using the certificate and the generated private key associated with the user ID; and

access, by the intermediate REST client on behalf of the user of the user computer, using a stateless protocol with the REST server, the requested resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present description refers to a computer implemented method, computer program product, and computer system for receiving a resource request at a representational state transfer (REST) client from a user, the resource request including a user ID, determining, by the REST client, a key pair including a public key and a corresponding private key that are associated with the user ID, obtaining, by the REST client, a certificate associated with the user ID that is signed by a certificate authority and based on at least the user ID and the public key associated with the user ID, impersonating, by the REST client, the user to a REST server using the certificate and the private key associated with the user ID, and accessing, by the REST client on behalf of the user, using a stateless protocol with the REST server, the requested resource.

Citations

20 Claims

1. A computer-readable storage device including executable code that, when executed, is configured to cause at least one data processing apparatus to:
- receive, by an intermediate representational state transfer (REST) client and from a separate user computer, a request for a resource stored on a REST server, the resource request including a user ID associated with a user;
  
  determine, by the intermediate REST client and responsive to the resource request, that a key pair associated with the user ID is not stored on the intermediate REST client;
  
  based on determining that a keypair associated with the user ID is not stored on the intermediate REST client;
  
  generate, by the intermediate REST client, a public key and a corresponding private key, the generated public key and the corresponding generated private key included in a keypair associated with the user ID; and
  
  store the generated keypair on the intermediate REST client in association with the user ID;
  
  obtain, by the intermediate REST client, a certificate associated with the user ID that is signed by a certificate authority and based on at least the user ID and the generated public key associated with the user ID;
  
  establish a connection between the intermediate REST client and the REST server using the certificate and the generated private key associated with the user ID; and
  
  access, by the intermediate REST client on behalf of the user of the user computer, using a stateless protocol with the REST server, the requested resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer-readable storage device of claim 1 wherein the executable code causing the data processing apparatus to establish comprises executable code causing the data processing apparatus to establish by the intermediate REST client, a secure sockets layer (SSL) connection with the REST server using the certificate and the generated private key associated with the user ID.
  - 3. The computer-readable storage device of claim 1 wherein the executable code causing the data processing apparatus to obtain comprises executable code causing the data processing apparatus to:
    - send a certificate signing request from the intermediate REST client to the certificate authority, the certificate signing request including an unsigned certificate; and
      
      receive, at the intermediate REST client from the certificate authority, the certificate that has been signed by the certificate authority.
  - 4. The computer-readable storage device of claim 3 wherein the unsigned certificate includes the user ID and the generated public key associated with the user, and wherein the signed certificate received by the intermediate REST client from the certificate authority includes the certificate and a digital signature provided by the certificate authority based on a private key associated with the certificate authority.
  - 5. The computer-readable storage device of claim 1 wherein the executable code further causes the data processing apparatus to authenticate, by the intermediate REST client, the user.
  - 6. The computer-readable storage device of claim 1 wherein the executable code further causes the data processing apparatus to forward, by the intermediate REST client, the requested resource obtained from or via the REST server to the user computer.
  - 7. The computer-readable storage device of claim 1 wherein the generated key pair, including the generated public key and the corresponding generated private key, is unknown to the user and the user computer, and is used by the intermediate REST client to impersonate the user, with permission from the user, in communicating with the REST server to access the requested resource, wherein the requested resource is stored by or controlled by the REST server and assigned to or associated with the user.
  - 8. The computer-readable storage device of claim 1 wherein the executable code causing the data processing apparatus to determine comprises executable code causing the data processing apparatus to:
    - determine, by the intermediate REST client and responsive to the resource request, that a key pair associated with the user ID is stored on the intermediate REST client; and
      
      based on determining that a keypair associated with the user ID is stored on the intermediate REST client, retrieve from memory included in the intermediate REST client, a key pair previously generated and stored in the memory, the generated key pair including a generated public key and a corresponding generated private key that are associated with the user ID, the retrieving of the generated keypair allowing the intermediate REST client to impersonate the user to the REST server.
  - 9. The computer-readable storage device of claim 1 wherein the certificate comprises a X.509 certificate that includes the user ID, the generated public key associated with the user ID and a digital signature provided by the certificate authority based on the certificate authority'"'"'s private key.
  - 10. The computer-readable storage device of claim 1 wherein the certificate authority is an entity that is separate from the intermediate REST client.
  - 11. The computer-readable storage device of claim 1 wherein the stateless protocol comprises hypertext transfer protocol secure (HTTPS).
  - 12. The computer-readable storage device of claim 1 wherein the intermediate REST client comprises a SSL-enabled client that implements hypertext transfer protocol secure (HTTPS) as a stateless protocol to communicate with the REST server.
  - 13. The computer-readable storage device of claim 1 wherein the executable code further causes the data processing apparatus to:
    - obtain, by the intermediate REST client, the requested resource from the REST server; and
      
      perform, by the intermediate REST client, an action using the requested resource, the action identified by and received from the separate user computer.

14. A computer implemented method comprising:
- receiving a resource request at an intermediate representational state transfer (REST) client from a separate user computer, a request for a resource stored on a REST server, the resource request including a user ID associated with a user;
  
  determining, by the intermediate REST client and responsive to the resource request, that a key pair associated with the user ID is not stored on the intermediate REST client;
  
  based on determining that a keypair associated with the user ID is not stored on the intermediate REST client;
  
  generating, by the intermediate REST client, a public key and a corresponding private key, the generated public key and the corresponding generated private key included in a keypair associated with the user ID; and
  
  store the generated keypair on the intermediate REST client in association with the user ID;
  
  obtaining, by the intermediate REST client, a certificate associated with the user ID that is signed by a certificate authority and based on at least the user ID and the generated public key associated with the user ID;
  
  establishing a connection between the intermediate REST client and the REST server using the certificate and the generated private key associated with the user ID; and
  
  accessing, by the intermediate REST client on behalf of the user of the user computer, using a stateless protocol with the REST server, the requested resource.
- View Dependent Claims (15, 16, 17)
- - 15. The computer implemented method of claim 14 wherein the establishing comprises establishing by the intermediate REST client, a secure sockets layer (SSL) connection with the REST server using the certificate and the generated private key associated with the user ID.
  - 16. The computer implemented method of claim 14 and further comprising forwarding, by the intermediate REST client, the requested resource obtained from or via the REST server to the user computer.
  - 17. The computer implemented method of claim 14 wherein the generated key pair, including the generated public key and the corresponding generated private key, is unknown to the user and the user computer, and is used by the intermediate REST client to impersonate the user in communicating with the REST server to access the requested resource, and wherein the certificate comprises a X.509 certificate that includes the user ID, the generated public key associated with the user ID and a digital signature provided by the certificate authority based on the certificate authority'"'"'s private key.

18. An apparatus comprising:
- a transceiver configured to receive at an intermediate representational state transfer (REST) client and from a separate user computer, a request for a resource stored on a REST server, the resource request including a user ID associated with a user;
  
  key determination logic configured to;
  
  determine, by the intermediate REST client and responsive to the resource request, that a key pair associated with the user ID is not stored on the intermediate REST client, and based on determining by the key determination logic that a keypair associated with the user ID is not stored on the intermediate REST client;
  
  generate, by the intermediate REST client, a public key and a corresponding private key, the generated public key and the corresponding generated private key included in a keypair associated with the user ID; and
  
  store the generated keypair on the intermediate REST client in association with the user ID;
  
  certificate acquisition logic configured to obtain, by the intermediate REST client, a certificate associated with the user ID that is signed by a certificate authority and based on at least the user ID and the generated public key associated with the user ID;
  
  impersonating logic configured to establish a connection between the intermediate REST client and the REST server using the certificate and the generated private key associated with the user ID; and
  
  accessing logic configured to access, by the intermediate REST client on behalf of the user, using a stateless protocol with the REST server, the requested resource.
- View Dependent Claims (19, 20)
- - 19. The apparatus of claim 18 wherein the impersonating logic comprises SSL connection logic configured to establish by the intermediate REST client, a secure sockets layer (SSL) connection with a REST server using the certificate and the generated private key associated with the user ID.
  - 20. The apparatus of claim 18 wherein the key pair, including the generated public key and the corresponding generated private key is unknown to the user and the user computer, and is used by the REST client to impersonate the user in communicating with the REST server to access the requested resource, and wherein the certificate comprises a X.509 certificate that includes the user ID, the generated public key associated with the user ID and a digital signature provided by the certificate authority based on the certificate authority'"'"'s private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Zlatarev, Stephan, Steigmann, Uwe, Engler, Michael, Janzen, Wolfgang
Primary Examiner(s)
Zee, Edward
Assistant Examiner(s)
NGUY, CHI D

Application Number

US13/080,302
Publication Number

US 20120260330A1
Time in Patent Office

1,484 Days
Field of Search

726/10
US Class Current

726/2
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2107   File encryption

G06F 2221/2117   User registration

H04L 63/0884   by delegation of authentica...

H04L 63/166   at the transport layer

H04L 67/142   Managing session states for...

H04L 9/3263   involving certificates, e.g...

User authentication for intermediate representational state transfer (REST) client via certificate authority

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

User authentication for intermediate representational state transfer (REST) client via certificate authority

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links