Inter-application management of user credential data

US 9,405,896 B2
Filed: 07/08/2011
Issued: 08/02/2016
Est. Priority Date: 04/12/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

providing, with a hardware computing device, at least one of two security framework configurations, wherein a first configuration utilizes a cookie and a second configuration utilizes server-side storage;

performing user authorization, with the hardware computing device, using at least one of the two security framework configurations, wherein performing the user authorizations with the cookie includes providing a cookie stored on the hardware computing device and the server-side storage includes storing developer-defined user information (DDUI), wherein the DDUI comprises at least a user identifier for on-demand database service;

wherein when using the cookie to perform user authorizations, each time a user makes a request the cookie is sent for authentication purposes to provide re-authentication with each request, wherein either the user is recognized because the cookie or a session context containing a security token was provided, or the user is not recognized and diverted to a security handshake, or a token request is utilized to obtain a session identifier, API endpoint and authentication token;

wherein when using the server-side storage, the hardware computing device is configured to not write locally to an application memory, but instead to access a shared session cache, where each of a plurality of servers are to be given access to a specific session cache; and

wherein performing the user authorizations is done through a client web application executed by a hardware computing device to allow access to an on-demand database service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and apparatus for enhancing the functionality and utility of an authentication process for web applications is disclosed.

144 Citations

13 Claims

1. A method, comprising:
- providing, with a hardware computing device, at least one of two security framework configurations, wherein a first configuration utilizes a cookie and a second configuration utilizes server-side storage;
  
  performing user authorization, with the hardware computing device, using at least one of the two security framework configurations, wherein performing the user authorizations with the cookie includes providing a cookie stored on the hardware computing device and the server-side storage includes storing developer-defined user information (DDUI), wherein the DDUI comprises at least a user identifier for on-demand database service;
  
  wherein when using the cookie to perform user authorizations, each time a user makes a request the cookie is sent for authentication purposes to provide re-authentication with each request, wherein either the user is recognized because the cookie or a session context containing a security token was provided, or the user is not recognized and diverted to a security handshake, or a token request is utilized to obtain a session identifier, API endpoint and authentication token;
  
  wherein when using the server-side storage, the hardware computing device is configured to not write locally to an application memory, but instead to access a shared session cache, where each of a plurality of servers are to be given access to a specific session cache; and
  
  wherein performing the user authorizations is done through a client web application executed by a hardware computing device to allow access to an on-demand database service.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein a security framework to provide the at least one of two security framework configurations comprises a plurality of generic servlet filters and spring security filters.
  - 3. The method of claim 1, further comprising a generic servlet filter performs OAuth flow and routes the user to the login page.
  - 4. The method of claim 3, wherein the generic servlet filter is used within servlet-based web applications that operate without using any specific security framework.
  - 5. The method of claim 1, further comprising:
    - a generic servlet filter resulting in exactly one of the following outcomes,finding a cookie or session containing that user'"'"'s SecurityContext, so that the user is recognized;
      
      not finding a cookie or session containing that user'"'"'s SecurityContext, and sending that user to an authorization url to begin an OAuth handshake;
      
      orsending a token request to obtain a Session ID, API endpoint, and authentication (refresh) token.
  - 6. The method of claim 1, further comprising:
    - facilitating a choice between storing user data in browser cookies or server side sessions, thereby resulting in application instances being completely stateless.

7. A multi-tenant database system, comprising:
- a group of hardware computing devices providing a database system to store data for each of multiple tenants;
  
  an application server communicably coupled to the database system and to a network, the application server to provide at least one of two security framework configurations, wherein a first configuration utilizes a cookie and a second configuration utilizes server-side storage, to perform user authorization using at least one of the two security framework configurations, wherein performing the user authorizations with the cookie includes providing the cookie stored on the hardware computing device and the server-side storage includes storing developer-defined user information (DDUI), wherein the DDUI comprises at least a user identifier for the on-demand database service, wherein when using the cookie to perform user authorizations, each time a user makes a request the cookie is sent for authentication purposes to provide re-authentication with each request, wherein either the user is recognized because the cookie or a session context containing a security token was provided, or the user is not recognized and diverted to a security handshake, or a token request is utilized to obtain a session identifier, API endpoint and authentication token, and wherein when using the server-side storage, the hardware computing device is configured to not write locally to an application memory, but instead to access a shared session cache, where each of a plurality of servers are to be given access to a specific session cache, and wherein performing the user authorizations is done through a client web application executed by a hardware computing device to allow access to an on-demand database service.

8. A non-transitory machine-readable medium carrying one or more sequences of instructions for implementing a method for providing an interface for object relationships, comprising:
- performing user authorization, with the hardware computing device, using at least one of the two security framework configurations, wherein performing the user authorizations with the cookie includes providing a cookie stored on the hardware computing device and the server-side storage includes storing developer-defined user information (DDUI), wherein the DDUI comprises at least a user identifier for on-demand database service;
  
  wherein when using the cookie to perform user authorizations, each time a user makes a request the cookie is sent for authentication purposes to provide re-authentication with each request, wherein either the user is recognized because the cookie or a session context containing a security token was provided, or the user is not recognized and diverted to a security handshake, or a token request is utilized to obtain a session identifier, API endpoint and authentication token;
  
  wherein when using the server-side storage, the hardware computing device is configured to not write locally to an application memory, but instead to access a shared session cache, where each of a plurality of servers are to be given access to a specific session cache; and
  
  wherein performing the user authorizations is done through a client web application executed by a hardware computing device to allow access to an on-demand database service.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The non-transitory machine-readable medium of claim 8, wherein a security framework to provide the at least one of two security framework configurations comprises a plurality of generic servlet filters and spring security filters.
  - 10. The non-transitory machine-readable medium of claim 8, wherein a generic servlet filter performs OAuth flow and routes the user to the login page.
  - 11. The non-transitory machine-readable medium of claim 10, wherein the generic servlet filter is used within servlet-based web applications that operate without using any specific security framework.
  - 12. The non-transitory machine-readable medium of claim 8, further comprising:
    - a generic servlet filter resulting in exactly one of the following outcomes,finding a cookie or session containing that user'"'"'s SecurityContext, so that the user is recognized;
      
      not finding a cookie or session containing that user'"'"'s SecurityContext, and sending that user to an authorization url to begin an OAuth handshake;
      
      orsending a token request to obtain a Session ID, API endpoint, and authentication (refresh) token.
  - 13. The method of claim 8, further comprising:
    - facilitating a choice between storing user data in browser cookies or server side sessions, thereby resulting in application instances being completely stateless.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Simone, John, Hossain, Fiaz
Primary Examiner(s)
Vaughan, Michael R

Application Number

US13/178,511
Publication Number

US 20120266229A1
Time in Patent Office

1,852 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/41   where a single sign-on prov...

G06F 8/20   Software design

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 67/01   Protocols

Inter-application management of user credential data

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

144 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Inter-application management of user credential data

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links