Hosted application sandbox model
First Claim
1. A method of configuring a server having a processor and a network address to execute at least two instances of an application on behalf of a user of a device accessible over a network through a routing table, the method comprising:
- executing on the processor instructions configured to;
responsive to receiving the application;
store the application; and
allocate at least two subdomains of the server for respective instances of the application, where the at least two subdomains are mapped to the network address of the server through one routing rule in the routing table; and
responsive to receiving a request to execute the application on behalf of the user;
among the at least two subdomains allocated for the respective instances of the application, select a selected subdomain that has not been selected for another instance of the application;
instantiating a new instance of the application on the processor; and
serve an application user interface of the new instance of the application to the device of the user through the selected subdomain serving the application user interface of the application.
2 Assignments
0 Petitions
Accused Products
Abstract
An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user'"'"'s computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user'"'"'s computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.
-
Citations
20 Claims
-
1. A method of configuring a server having a processor and a network address to execute at least two instances of an application on behalf of a user of a device accessible over a network through a routing table, the method comprising:
executing on the processor instructions configured to; responsive to receiving the application; store the application; and allocate at least two subdomains of the server for respective instances of the application, where the at least two subdomains are mapped to the network address of the server through one routing rule in the routing table; and responsive to receiving a request to execute the application on behalf of the user; among the at least two subdomains allocated for the respective instances of the application, select a selected subdomain that has not been selected for another instance of the application; instantiating a new instance of the application on the processor; and serve an application user interface of the new instance of the application to the device of the user through the selected subdomain serving the application user interface of the application. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
-
19. A server that executes at least two instances of an application on behalf of a user of a device, the server comprising:
-
a processor; a network adapter communicating with the device over a network through a routing table, wherein the server is identified to the device by a network address; and a memory storing instructions that, when executed by the processor, provide a system comprising; an application domain allocator that, responsive to receiving an application, allocates at least two subdomains of the server for respective instances of the application, where the at least two subdomains are mapped to the network address of the server through one routing rule in the routing table; and an application instantiator that, responsive to receiving a request to execute the application on behalf of the user; among the at least two subdomains allocated for instances of the application, selects a selected distinct subdomain that has not been selected for another instance of the application; instantiates a new instance of the application on the processor; and serves an application user interface of the new instance of the application to the device of the user through the selected subdomain.
-
-
20. A memory device storing instructions that, when executed by at least one processor of a server having a network address and an application store, cause the at least one processor to execute an application on behalf of a user of a device by:
-
responsive to receiving the application; storing the application in the application store; allocating at least two subdomains of the server for respective instances of the application, where the at least two subdomains are mapped to the network address of the system through one routing rule in the routing table; and responsive to receiving a request to execute the application on behalf of the user; among the at least two subdomains allocated for the respective instances of the application, select a selected subdomain that has not been selected for another instance of the application; instantiating a new instance of the application on the device; and serving an application user interface of the new instance of the application to the device of the user through the selected subdomain.
-
Specification