Access control of remote communication interfaces based on system-specific keys
First Claim
1. A computer program product, the computer program product being tangibly embodied on a non-transitory computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
- receive, by a first application server from a client application, a client request;
- receive, by the first application server, a plurality of client contexts generated by a remote access engine and on behalf of the first application server, the plurality of client contexts including a client context for each of a plurality of application service requests identified in the client request, each of the client contexts based on at least a user ID or application ID and an identification of an associated requested application service;
- obtain, by the first application server from a system computer based on a key associated with a system, a first signed ticket based on a first client context and associated with a first application service, and a second signed ticket based on a second client context and associated with a second application service;
- send, by the first application server in response to the received client request, a first service request to a second application server, the first service request including the first client context and the first signed ticket;
- receive, by the first application server, the requested service from the second application server;
- the second application server validates the first signed ticket by performing the following:
  - send the first client context to the system computer;
  - receive a third signed ticket from the system computer; and
  - validate the first signed ticket received from the first application server by comparing the first signed ticket to the third signed ticket received from the system computer, wherein a match between the first and third signed tickets indicates that the first signed ticket is validated.
Abstract
A computer implemented method, computer program product, and computer system are provided for receiving a service request to obtain service from a second application, the service request including a client context and a signed ticket obtained by the first application from a system computer; validating the received signed ticket based on the key associated with the system; determining that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of one or more attributes of the received client context to an access control list associated with the second application; and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
20 Claims
1. (Independent claim; text as given under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 15, 16
12. An apparatus comprising at least one processor and at least one memory including computer instructions which, when executed by the at least one processor, cause the apparatus to:
- receive, by a first application server from a client application, a client request;
- receive, by the first application server, a plurality of client contexts generated by a remote access engine and on behalf of the first application server, the plurality of client contexts including a client context for each of a plurality of application service requests identified in the client request, each of the client contexts based on at least a user ID or application ID and an identification of an associated requested application service;
- obtain, by the first application server from a system computer based on a key associated with a system, a first signed ticket based on a first client context and associated with a first application service, and a second signed ticket based on a second client context and associated with a second application service;
- send, by the first application server in response to the received client request, a first service request to a second application server and a second service request to a third application server, the first service request including the first client context and the first signed ticket, the second service request including the second client context and the second signed ticket;
- receive, by the first application server, the requested services from the second application server and the third application server;
- the second application server validates the first signed ticket by performing the following:
  - send the first client context to the system computer;
  - receive a third signed ticket from the system computer; and
  - validate the first signed ticket received from the first application server by comparing the first signed ticket to the third signed ticket received from the system computer, wherein a match between the first and third signed tickets indicates that the first signed ticket is validated.
Dependent claims: 13, 14
17. A computer implemented method comprising:
- receiving, by a first application server from a client application, a client request;
- generating a plurality of client contexts including a client context for each of a plurality of application service requests identified in the client request, each of the client contexts based on at least a user ID or application ID and an identification of an associated requested application service;
- obtaining, by the first application server from a system computer based on a key associated with a system, a first signed ticket based on a first client context and associated with a first application service, and a second signed ticket based on a second client context and associated with a second application service;
- sending, by the first application server in response to the received client request, a first service request to a second application server and a second service request to a third application server, the first service request including the first client context and the first signed ticket, the second service request including the second client context and the second signed ticket; and
- receiving, by the first application server, the requested services from the second application server and the third application server;
- the third application server validates the second signed ticket by performing the following:
  - sending the second client context to the system computer;
  - receiving a third signed ticket from the system computer; and
  - validating the second signed ticket received from the first application server by comparing the second signed ticket to the third signed ticket received from the system computer, wherein a match between the second and third signed tickets indicates that the second signed ticket is validated.
Dependent claims: 18, 19, 20