System and method for enforcing access control to publicly-accessible web applications

US 9,948,648 B1
Filed: 03/14/2013
Issued: 04/17/2018
Est. Priority Date: 03/14/2013
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing access control to a web application, the method comprising:

generating, by a user account registration module, a computationally-secure pseudo-random password;

associating, by the user account registration module, the generated computationally-secure pseudo-random password with an application username of a web client;

storing, in a user account credential store module, the generated computationally-secure pseudo-random password and the associated application username;

requesting, via a web proxy connected to the web client, access to a protected page offered by the web application;

determining, by the web proxy, whether the web client has previously been authenticated to the web proxy;

responsive to a determination that the web client has previously been authenticated, intercepting, by the web proxy, a login page from the web application;

retrieving, by the web proxy, the stored generated computationally-secure pseudo-random password and the associated application username from the user account credential store module;

inserting, by the web proxy on behalf of the web client, the retrieved stored generated computationally-secure pseudo-random password and the associated application username into the login page;

wherein the retrieving and inserting is performed by the web proxy that is directly connected to the web client without the need for re-authentication of the web client with the web proxy;

wherein the web proxy is configured to read an organization'"'"'s security policy settings from a proxy configuration module to determine credentials required to authenticate the web client and redirect the user to the login page for authentication according to an organization'"'"'s security policy; and

forwarding, by the web proxy, the login page with the inserted computationally-secure pseudo-random password and the associated application username to the web application to complete an authentication process with the web application to allow the web client to access the protected page offered by the web application.

View all claims

23 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for enforcing access control to a web application. The method includes generating a computationally-secure pseudo-random password, associating the generated computationally-secure pseudo-random password with an application username of at least one web client, and storing, in a user account credential store module, the generated computationally-secure pseudo-random password and the associated application username. The method also includes requesting, via a web proxy connected to the at least one web client, access to a protected page offered by the web application, intercepting, by the web proxy, a login page from the web application, and inserting, by the web proxy on behalf of the at least one web client, the stored generated computationally-secure pseudo-random password and the associated application username into the login page. The method also includes forwarding the login page with the inserted computationally-secure pseudo-random password and the associated application username to the web application to complete, by the web proxy, an authentication process with the web application to allow the at least one web client to access the protected page offered by the web application.

Citations

19 Claims

1. A method for enforcing access control to a web application, the method comprising:
- generating, by a user account registration module, a computationally-secure pseudo-random password;
  
  associating, by the user account registration module, the generated computationally-secure pseudo-random password with an application username of a web client;
  
  storing, in a user account credential store module, the generated computationally-secure pseudo-random password and the associated application username;
  
  requesting, via a web proxy connected to the web client, access to a protected page offered by the web application;
  
  determining, by the web proxy, whether the web client has previously been authenticated to the web proxy;
  
  responsive to a determination that the web client has previously been authenticated, intercepting, by the web proxy, a login page from the web application;
  
  retrieving, by the web proxy, the stored generated computationally-secure pseudo-random password and the associated application username from the user account credential store module;
  
  inserting, by the web proxy on behalf of the web client, the retrieved stored generated computationally-secure pseudo-random password and the associated application username into the login page;
  
  wherein the retrieving and inserting is performed by the web proxy that is directly connected to the web client without the need for re-authentication of the web client with the web proxy;
  
  wherein the web proxy is configured to read an organization'"'"'s security policy settings from a proxy configuration module to determine credentials required to authenticate the web client and redirect the user to the login page for authentication according to an organization'"'"'s security policy; and
  
  forwarding, by the web proxy, the login page with the inserted computationally-secure pseudo-random password and the associated application username to the web application to complete an authentication process with the web application to allow the web client to access the protected page offered by the web application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the web proxy is a reverse proxy.
  - 3. The method of claim 1, wherein the web proxy comprises a server computer.
  - 4. The method of claim 1, wherein the web proxy is configured to retrieve resources for the web client from the web application and return the resources to the web client as though they originated from the web proxy.
  - 5. The method of claim 1, wherein the web proxy is configured for enabling Single-Sign-On (SSO) thereby allowing the web client to access multiple services offered by the web application without a need for re-authentication.
  - 6. The method of claim 1, wherein the at least one web client comprises at least one of a mobile phone, a laptop computer, a tablet computer, a personal digital assistant (PDA), a netbook computer, and a device capable of including a web browser application.
  - 7. The method of claim 1, wherein the user account registration module is configured to create a user account with the web application.
  - 8. The method of claim 7, wherein the user account registration module comprises a server computer.
  - 9. The method of claim 1, wherein the web proxy is interconnected to the web application via a network.
  - 10. The method of claim 9, wherein the network is the Internet.

11. A system comprising:
- a web proxy computer server interoperably connected to at least one of a web application, a proxy configuration module, a user directory, a user account credential store module, and a user account registration server computer;
  
  a web client comprising a processor and interoperably coupled to the web proxy computer server, wherein the web client communicates with the web application via the web proxy computer server;
  
  wherein the user account registration server computer is configured to generate a computationally-secure pseudorandom password and associate the generated computationally-secure pseudo-random password with an application username of the web client;
  
  wherein the web proxy computer server is configured to request access to a protected page offered by the web application, determine whether the web client has previously been authenticated to the web proxy computer server and response to a determination that the web client has previously been authenticated, intercept a login page from the web application, retrieve the computationally-secure pseudo-random password and the associated application username from the user account credential store module, insert the generated computationally-secure pseudo-random password and the associated application username into the login page, and forward the login page with the inserted computationally-secure pseudo-random password and the associated application username to the web application to complete an authentication process with the web application to allow the web client to access the protected page offered by the web application;
  
  wherein the retrieval and insertion is performed by the web proxy computer server that is directly connected to the web client without the need for re-authentication of the web client with the web proxy computer server; and
  
  wherein the web proxy computer server is configured to read an organization'"'"'s security policy settings from a proxy configuration module to determine credentials required to authenticate the web client and redirect the user to the login page for authentication according to an organization'"'"'s security policy.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the web proxy computer server is interconnected to the web application via a network.
  - 13. The system of claim 12, wherein the network is the Internet.
  - 14. The system of claim 11, wherein the web proxy computer server is configured to retrieve resources on behalf of the web client from the web application and return the resources to the web client as though they originated from the web computer.
  - 15. The system of claim 11, wherein the web proxy computer server is configured for enabling Single-Sign-On (SSO) thereby allowing the web client to access multiple services offered by the web application without a need for re-authentication.
  - 16. The system of claim 11, wherein the web proxy computer server is a reverse proxy computer.
  - 17. The system of claim 11, wherein the user account registration server computer is configured to create a user account with the web application.
  - 18. The system of claim 11, wherein the web client comprises at least one of a mobile phone, a laptop computer, a tablet computer, a personal digital assistant (PDA), a netbook computer, and a device capable of including a web browser application.

19. A computer-program product comprising a non-transitory computer-usable medium having computer-readable program code embodied therein, the computer-readable program code adapted to be executed to implement a method for enforcing access control to a web application, the method comprising:
- generating, by a user account registration module, a computationally-secure pseudo-random password;
  
  associating, by the user account registration module, the generated computationally-secure pseudo-random password with an application username of a web client;
  
  storing, in a user account credential store module, the generated computationally-secure pseudo-random password and the associated application username;
  
  requesting, via a web proxy connected to the web client, access to a protected page offered by the web application;
  
  determining, by the web proxy, whether the web client has previously been authenticated to the web proxy;
  
  responsive to a determination that the web client has previously been authenticated, intercepting, by the web proxy, a login page from the web application without re-authentication with the web proxy;
  
  retrieving, by the web proxy, the stored generated computationally-secure pseudo-random password and the associated application username from the user account credential store module;
  
  inserting, by the web proxy on behalf of the web client, the retrieved stored generated computationally-secure pseudo-random password and the associated application username into the login page;
  
  wherein the retrieving and inserting is performed by the web proxy that is directly connected to the web client without the need for re-authentication of the web client with the web proxy;
  
  wherein the web proxy is configured to read an organization'"'"'s security policy settings from a proxy configuration module to determine credentials required to authenticate the web client and redirect the user to the login page for authentication according to an organization'"'"'s security policy; and
  
  forwarding, by the web proxy, the login page with the inserted computationally-secure pseudo-random password and the associated application username to the web application to complete an authentication process with the web application to allow the web client to access the protected page offered by the web application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Quest Software, Inc.
Original Assignee
Dell Software, Inc. (Dell Technologies Inc.)
Inventors
King-Britton, Dan
Primary Examiner(s)
Le, Khoi

Application Number

US13/804,064
Time in Patent Office

1,860 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0281   Proxies

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/10   for controlling access to d...

System and method for enforcing access control to publicly-accessible web applications

First Claim

23 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for enforcing access control to publicly-accessible web applications

First Claim

23 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links