Access control of remote communication interfaces based on system-specific keys

US 9,191,389 B2
Filed: 01/17/2014
Issued: 11/17/2015
Est. Priority Date: 01/19/2012
Status: Active Grant

First Claim

Patent Images

1. A computer program product, the computer program product being tangibly embodied on a non-transitory computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:

receive, by a first application server from a client application, a client request;

receive, by the first application server, a plurality of client contexts generated by a remote access engine and on behalf of the first application server, the plurality of client contexts including a client context for each of a plurality of application service requests identified in the client request, each of the client contexts based on at least a user ID or application ID and an identification of an associated requested application service;

obtain, by the first application server from a system computer based on a key associated with a system, a first signed ticket based on a first client context and associated with a first application service, and a second signed ticket based on a second client context and associated with a second application service;

send, by the first application server in response to the received client request, a first service request to a second application server the first service request including the first client context and the first signed ticket;

receive, by the first application server, the requested service from the second application server;

the second application server validates the first signed ticket by performing the following;

send the first client context to the system computer;

receive a third signed ticket from the system computer; and

validate the first signed ticket received from the first application server by comparing the first signed ticket to the third signed ticket received from the system computer, wherein a match between the first and third signed tickets indicates that the first signed ticket is validated.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method, computer program product, and computer system is provided for receiving a service request to obtain service from a second application, the service request including a client context and a signed ticket obtained by the first application from a system computer, validating the received signed ticket based on the key associated with the system, determining that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of one or more attributes of the received client context to an access control list associated with the second application, and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.

26 Citations

View as Search Results

20 Claims

1. A computer program product, the computer program product being tangibly embodied on a non-transitory computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
- receive, by a first application server from a client application, a client request;
  
  receive, by the first application server, a plurality of client contexts generated by a remote access engine and on behalf of the first application server, the plurality of client contexts including a client context for each of a plurality of application service requests identified in the client request, each of the client contexts based on at least a user ID or application ID and an identification of an associated requested application service;
  
  obtain, by the first application server from a system computer based on a key associated with a system, a first signed ticket based on a first client context and associated with a first application service, and a second signed ticket based on a second client context and associated with a second application service;
  
  send, by the first application server in response to the received client request, a first service request to a second application server the first service request including the first client context and the first signed ticket;
  
  receive, by the first application server, the requested service from the second application server;
  
  the second application server validates the first signed ticket by performing the following;
  
  send the first client context to the system computer;
  
  receive a third signed ticket from the system computer; and
  
  validate the first signed ticket received from the first application server by comparing the first signed ticket to the third signed ticket received from the system computer, wherein a match between the first and third signed tickets indicates that the first signed ticket is validated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 15, 16)
- - 2. The computer program product of claim 1 wherein the code is further configured to cause the at least one data processing apparatus to:
    - send a reply from the first application server to the client application based on the requested services received by the first application server from the second application server.
  - 3. The computer program product of claim 1 wherein the second application server validates the received client context via communication with the system computer prior to providing the requested application service to the first application server.
  - 4. The computer program product of claim 1 wherein the first application server obtaining a plurality of signed tickets, sending a plurality of service requests and receiving, by the first application server, the requested services is transparent to the client application.
  - 5. The computer program product of claim 1 wherein each of the service requests includes a request to sign or encrypt the associated client context, the first signed ticket including the first client context that has been signed or encrypted by the system computer, and the second signed ticket including the second client context that has been signed or encrypted by the system computer.
  - 6. The computer program product of claim 1 wherein a system includes the system computer including a central system database, the first application server, and the second application server.
  - 7. The computer program product of claim 1 wherein a system includes the system computer that stores the key associated with the system, the system also including the first application server and the second application server, and wherein the executable code further causes the remote access engine running on the first application server to obtain the first signed ticket from the system computer based on the following:
    - send the first client context to the system computer; and
      
      receive, by the remote access engine running on the first application server, the first signed ticket from the system computer that is based on the client context and the key associated with the system.
  - 8. The computer program product of claim 1 wherein the system computer comprises:
    - a processor; and
      
      a central database for the system to securely store the key associated with the system;
      
      wherein the first signed ticket includes a signed first client context that was signed by the system computer using the key associated with the system.
  - 9. The computer program product of claim 1 wherein the client context comprises at least a system identifier (ID) that identifies the system.
  - 10. The computer program product of claim 1 wherein the first client context comprises at least a system identifier (ID) that identifies the system, and an address associated with the first application server.
  - 11. The computer program product of claim 1 wherein the first service request and the second service request are sent by the first application server to fulfill the client request received by the first application server from the client application, the requested services being accessible by the first application server after context validation by the second application server, the requested services are not directly accessible to the client application.
  - 15. The computer program product of claim 1 wherein the code is further configured to cause the at least one data processing apparatus to:
    - send a second service request to a third application server, the second service request including the second client context and the second signed ticket;
      
      receive, by the first application server, the requested service from the third application server.
  - 16. The computer program product of claim 15 wherein:
    - the third application server validates the second signed ticket by performing the following;
      
      send the second client context to the system computer;
      
      receive a third signed ticket from the system computer;
      
      validate the second signed ticket received from the first application server by comparing the second signed ticket to the third signed ticket received from the system computer, wherein a match between the second and third signed tickets indicates that the second signed ticket is validated.

12. An apparatus comprising at least one processor and at leastone memory including computer instructions, when executed by the at least oneprocessor, cause the apparatus to:
- receive, by a first application server from a client application, a client request;
  
  receive, by the first application server, a plurality of client contexts generated by a remote access engine and on behalf of the first application server, the plurality of client contexts including a client context for each of a plurality of application service requests identified in the client request, each of the client contexts based on at least a user ID or application ID and an identification of an associated requested application service;
  
  obtain, by the first application server from a system computer based on a key associated with a system, a first signed ticket based on a first client context and associated with a first application service, and a second signed ticket based on a second client context and associated with a second application service;
  
  send, by the first application server in response to the received client request, a first service request to a second application server sending a second service request to a third application server, the first service request including the first client context and the first signed ticket, the second service request including the second client context and the second signed ticket;
  
  receive, by the first application server, the requested services from the second application server and the third application server;
  
  the second application server validates the first signed ticket by performing the following;
  
  send the first client context to the system computer;
  
  receive a third signed ticket from the system computer; and
  
  validate the first signed ticket received from the first application server by comparing the first signed ticket to the third signed ticket received from the system computer, wherein a match between the first and third signed tickets indicates that the first signed ticket is validated.
- View Dependent Claims (13, 14)
- - 13. The apparatus of claim 12 wherein the system includes the system computer including a central system database, the first application server, the second application server and the third application server.
  - 14. The apparatus of claim 12 wherein the system includes the system computer that stores the key associated with the system, the system also including the first application server, the second application server and the third application server, and wherein the executable code further causes the remote access engine running on the first application server to obtain the first signed ticket from the system computer based on the following:
    - send the first client context to the system computer; and
      
      receive, by the remote access engine running on the first application server, the first signed ticket from the system computer that is based on the client context and the key associated with the system.

17. A computer implemented method comprising:
- receiving, by a first application server from a client application, a client request;
  
  generate a plurality of client contexts including a client context for each of a plurality of application service requests identified in the client request, each of the client contexts based on at least a user ID or application ID and an identification of an associated requested application service;
  
  obtaining, by the first application server from a system computer based on a key associated with a system, a first signed ticket based on a first client context and associated with a first application service, and a second signed ticket based on a second client context and associated with a second application service;
  
  sending, by the first application server in response to the received client request, a first service request to a second application server and sending a second service request to a third application server, the first service request including the first client context and the first signed ticket, the second service request including the second client context and the second signed ticket; and
  
  receiving, by the first application server, the requested services from the second application server and the third application server;
  
  the third application server validates the second signed ticket by performing the following;
  
  send the second client context to the system computer;
  
  receive a third signed ticket from the system computer; and
  
  validate the second signed ticket received from the first application server by comparing the second signed ticket to the third signed ticket received from the system computer, wherein a match between the second and third signed tickets indicates that the second signed ticket is validated.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 wherein:
    - the second application server validates the first signed ticket by performing the following;
      
      send the first client context to the system computer;
      
      receive a third signed ticket from the system computer;
      
      validate the first signed ticket received from the first application server by comparing the first signed ticket to the third signed ticket received from the system computer, wherein a match between the first and third signed tickets indicates that the first signed ticket is validated.
  - 19. The method of claim 17 and further comprising sending a reply from the first application server to the client application based on the requested services received by the first application server from the second application server and the third application server.
  - 20. The method of claim 17 wherein each of the second and third application servers validate their respective received client contexts via communication with the system computer prior to providing the requested application service to the first application server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SAP SE
Original Assignee
SAP SE
Inventors
Jolfaei, Masoud Aghadavoodi
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/157,757
Publication Number

US 20140137213A1
Time in Patent Office

669 Days
Field of Search

726/4, 726/5, 726/6, 726/8, 726/9, 726/10, 713/155, 802/03
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/10   for controlling access to d...

Access control of remote communication interfaces based on system-specific keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Access control of remote communication interfaces based on system-specific keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links