Application gateway architecture with multi-level security policy and rule promulgations

US 9,979,751 B2
Filed: 09/19/2014
Issued: 05/22/2018
Est. Priority Date: 09/20/2013
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

an application gateway server computer communicatively connected to backend systems, to an application repository, and to client devices,the application gateway server computer and the application repository residing on a content management layer between the backend systems running in an enterprise computing environment and the client devices,the backend systems residing behind a firewall of the enterprise computing environment,the application gateway server computer residing in the enterprise computing environment outside of the firewall of the enterprise computing environment and comprising application programming interfaces and services configured for communicating with the backend systems and with managed containers operating on the client devices,the services provided by the application gateway server computer comprising an application service, a device management service, and an authentication service;

wherein the application gateway server computer communicates with the backend systems through the firewall of the enterprise computing environment; and

a client device comprising a managed container embodied on a non-transitory computer readable medium,the managed container written in a programming language native to the client device and downloaded by the client device from a network source,the managed container having a managed cache and an application framework with an execution engine that provides a runtime environment for running applications on the client device, the applications associated with the backend systems running in the enterprise computing environment,the managed container configured for;

communicating with the application service of the application gateway server computer;

receiving, from the application gateway server computer via the application service of the application gateway server computer, one or more applications stored in the application repository, the one or more applications written in a cross-platform language and hosted by at least one backend system of the backend systems;

storing the one or more applications received from the application gateway server computer and data associated with the one or more applications in the managed cache of the managed container running on the client device;

providing a secure runtime shell within which the one or more applications received from the application gateway server computer and hosted by the at least one backend system of the backend systems are run on the client device;

communicating with the authentication service of the application gateway server computer, the authentication service providing the managed container with a common authentication mechanism to the backend systems such that, once authenticated by the authentication service at the application gateway server computer, the managed container has access to the backend systems through the common authentication mechanism; and

controlling the one or more applications received from the application gateway server computer and the data associated with the one or more applications stored in the managed cache of the managed container running on the client device in accordance with a set of rules, the set of rules propagated from the at least one backend system of the backend systems to the managed container via the device management service of the application gateway server computer;

wherein the application gateway server computer is further configured for;

managing the managed cache on the client device, wherein the managed cache includes a content cache for storing data associated with managed applications received from the application gateway server computer, a settings cache for storing application settings information, and a state cache for saving application state information on the client device; and

controlling the data associated with the managed applications stored in the content cache based on a rule generated on a backend system.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of an application gateway architecture may include an application gateway server computer communicatively connected to backend systems and client devices operating on different platforms. The application gateway server computer may include application programming interfaces and services configured for communicating with the backend systems and managed containers operating on the client devices. The application gateway server computer may provide applications that can be centrally managed and may extend the capabilities of the client devices, including the ability to authenticate across backend systems. A managed container may include a managed cache and may provide a secure shell for applications received from the application gateway server computer. The managed container may store the applications in the managed cache and control access to the managed cache according to rules propagated from at least one of the backend systems via the application gateway server computer.

183 Citations

37 Claims

1. A system, comprising:
- an application gateway server computer communicatively connected to backend systems, to an application repository, and to client devices,the application gateway server computer and the application repository residing on a content management layer between the backend systems running in an enterprise computing environment and the client devices,the backend systems residing behind a firewall of the enterprise computing environment,the application gateway server computer residing in the enterprise computing environment outside of the firewall of the enterprise computing environment and comprising application programming interfaces and services configured for communicating with the backend systems and with managed containers operating on the client devices,the services provided by the application gateway server computer comprising an application service, a device management service, and an authentication service;
  
  wherein the application gateway server computer communicates with the backend systems through the firewall of the enterprise computing environment; and
  
  a client device comprising a managed container embodied on a non-transitory computer readable medium,the managed container written in a programming language native to the client device and downloaded by the client device from a network source,the managed container having a managed cache and an application framework with an execution engine that provides a runtime environment for running applications on the client device, the applications associated with the backend systems running in the enterprise computing environment,the managed container configured for;
  
  communicating with the application service of the application gateway server computer;
  
  receiving, from the application gateway server computer via the application service of the application gateway server computer, one or more applications stored in the application repository, the one or more applications written in a cross-platform language and hosted by at least one backend system of the backend systems;
  
  storing the one or more applications received from the application gateway server computer and data associated with the one or more applications in the managed cache of the managed container running on the client device;
  
  providing a secure runtime shell within which the one or more applications received from the application gateway server computer and hosted by the at least one backend system of the backend systems are run on the client device;
  
  communicating with the authentication service of the application gateway server computer, the authentication service providing the managed container with a common authentication mechanism to the backend systems such that, once authenticated by the authentication service at the application gateway server computer, the managed container has access to the backend systems through the common authentication mechanism; and
  
  controlling the one or more applications received from the application gateway server computer and the data associated with the one or more applications stored in the managed cache of the managed container running on the client device in accordance with a set of rules, the set of rules propagated from the at least one backend system of the backend systems to the managed container via the device management service of the application gateway server computer;
  
  wherein the application gateway server computer is further configured for;
  
  managing the managed cache on the client device, wherein the managed cache includes a content cache for storing data associated with managed applications received from the application gateway server computer, a settings cache for storing application settings information, and a state cache for saving application state information on the client device; and
  
  controlling the data associated with the managed applications stored in the content cache based on a rule generated on a backend system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the one or more applications and the data associated with the one or more applications stored in the managed cache are under control of the managed container in accordance with the set of rules propagated from the at least one backend system regardless of network connectivity of the client device.
  - 3. The system of claim 1, wherein the secure runtime shell includes a secure data encryption shell that encrypts the data associated with the one or more applications to limit or prevent access to the data by the client device operating system and other applications that reside on the client device but that were not received from the application gateway server computer.
  - 4. The system of claim 3, wherein at least one rule of the set of rules determines encryption parameters for encrypting the data, the secure data encryption shell encrypting the data based on the encryption parameters.
  - 5. The system of claim 4, wherein the encryption parameters are shared between the managed container and one or more of the backend systems, via the application gateway server computer, to enable shared secure access to data between and among applications received from the application gateway server computer and the one or more backend systems.
  - 6. The system of claim 1, wherein at least a portion of the set of rules resides on the client device, the backend systems, the application gateway server computer, or a combination thereof.
  - 7. The system of claim 6, wherein the set of rules includes at least one of:
    - a rule controlling storage of data associated with applications received from the application gateway server computer, a rule controlling access to data associated with applications received from the application gateway server computer, or a rule controlling update of data associated with applications received from the application gateway server computer.
  - 8. The system of claim 6, wherein the set of rules is stored on the client device, the managed container using the stored set of rules to control or protect data associated with applications received from the application gateway server computer.
  - 9. The system of claim 8, wherein an update to one of the rules is propagated from at least one of the backend systems to the managed container via the application gateway server computer, the managed container executing, based on the updated rule, an update to data associated with at least one of the applications received from the application gateway server computer.
  - 10. The system of claim 1, wherein the set of rules includes an application rule to control at least one application received from the application gateway server computer.
  - 11. The system of claim 10, wherein the application rule is stored on the client device, the managed container using the stored application rule to control the at least one application received from the application gateway server computer.
  - 12. The system of claim 11, wherein an update to the application rule is propagated from at least one of the backend systems to the managed container via the application gateway server computer, the managed container executing, based on the updated application rule, an update to the at least one application received from the application gateway server computer.
  - 13. The system of claim 1, wherein the services provided by the application gateway server computer further include one or more of:
    - a notification service for selectively sending messages to one or more of the managed containers on the client devices, a specific managed application or managed applications contained in the one or more of the managed containers, one or more of the backend systems, or a combination thereof;
      
      an enrollment service for registering the client device with the application gateway server computer;
      
      a proxy service for communicating with one or more of the backend systems lacking a dedicated application programming interface;
      
      a media conversion service for controlling content quality, size, format, watermarking, or a combination thereof such that the content is consumable by the client devices;
      
      a settings service for providing a storage mechanism for settings comprising application defaults, user preferences, and application state information such that the settings are persisted at the application gateway server computer and consistent across the client devices;
      
      ora profile service for providing a common user profile across the backend systems.
  - 14. The system of claim 1, wherein the application gateway server computer further comprises a user interface configured for administration, configuration, and deployment of the applications.

15. A method, comprising:
- sending, by an application service of an application gateway server computer, one or more applications stored in an application repository to a managed container embodied on a non-transitory computer readable medium of a client device, the application gateway server computer communicatively connected to backend systems, to the application repository, and to the client device, the application gateway server computer and the application repository residing on a content management layer between the backend systems running in an enterprise computing environment and the client devices, the backend systems residing behind a firewall of the enterprise computing environment, the application gateway server computer residing in the enterprise computing environment outside of the firewall of the enterprise computing environment and comprising application programming interfaces and services configured for communicating with the backend systems and with the managed container, wherein the application gateway server computer communicates with the backend systems through the firewall of the enterprise computing environment, the managed container written in a programming language native to the client device and downloaded by the client device from a network source, the managed container having a managed cache and an application framework with an execution engine that provides a runtime environment for applications associated with the backend systems running in the enterprise computing environment;
  
  receiving, by the managed container from the application gateway server computer via the application service of the application gateway server computer, the one or more applications stored in the application repository, the one or more applications written in a cross-platform language;
  
  storing, by the managed container running on the client device, the one or more applications received from the application gateway server computer and data associated with the one or more applications in the managed cache of the managed container running on the client device;
  
  providing, by the managed container running on the client device, a secure runtime shell within which the one or more applications received from the application gateway server computer and hosted by at least one backend system of the backend systems running in the enterprise computing environment are run on the client device;
  
  communicating, by the managed container running on the client device with an authentication service of the application gateway server computer that provides a common authentication mechanism to the backend systems such that, once authenticated by the authentication service at the application gateway server computer, the managed container has access to the backend systems through the common authentication mechanism;
  
  controlling, by the managed container, the one or more applications received from the application gateway server computer and the data associated with the one or more applications stored in the managed cache of the managed container running on the client device in accordance with a set of rules, the set of rules propagated from at least one backend system of the backend systems to the managed container via a device management service of the application gateway server computer;
  
  managing, by the application gateway server computer, the managed cache on the client device, wherein the managed cache includes a content cache for storing data associated with managed applications received from the application gateway server computer, a settings cache for storing application settings information, and a state cache for saving application state information on the client device; and
  
  controlling, by the application gateway server computer, the data associated with the managed applications stored in the content cache based on a rule generated on a backend system.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37)
- - 16. The method according to claim 15, wherein the one or more applications and the data associated with the one or more applications stored in the managed cache are under control of the managed container in accordance with the set of rules propagated from the at least one backend system regardless of network connectivity of the client device.
  - 17. The method according to claim 15, wherein the secure runtime shell includes a secure data encryption shell that encrypts the data associated with the one or more applications to limit or prevent access to the data by the client device operating system and other applications that reside on the client device but that were not received from the application gateway server computer.
  - 18. The method according to claim 17, wherein at least one rule of the set of rules determines encryption parameters for encrypting the data, the secure data encryption shell encrypting the data based on the encryption parameters.
  - 19. The method according to claim 18, wherein the encryption parameters are shared between the managed container and one or more of the backend systems, via the application gateway server computer, to enable shared secure access to data between and among applications received from the application gateway server computer and the one or more backend systems.
  - 20. The method according to claim 15, wherein at least a portion of the set of rules resides on the client device, the backend systems, the application gateway server computer, or a combination thereof.
  - 21. The method according to claim 20, wherein the set of rules includes at least one of:
    - a rule controlling storage of data associated with applications received from the application gateway server computer, a rule controlling access to data associated with applications received from the application gateway server computer, or a rule controlling update of data associated with applications received from the application gateway server computer.
  - 22. The method according to claim 20, wherein the set of rules is stored on the client device, the managed container using the stored set of rules to control or protect data associated with applications received from the application gateway server computer.
  - 23. The method according to claim 22, wherein an update to one of the rules is propagated from at least one of the backend systems to the managed container via the application gateway server computer, the managed container executing, based on the updated rule, an update to data associated with at least one of the applications received from the application gateway server computer.
  - 24. The method according to claim 15, wherein the set of rules includes an application rule to control at least one application received from the application gateway server computer.
  - 25. The method according to claim 24, wherein the application rule is stored on the client device, the managed container using the stored application rule to control the at least one application received from the application gateway server computer.
  - 26. The method according to claim 25, wherein an update to the application rule is propagated from at least one of the backend systems to the managed container via the application gateway server computer, the managed container executing, based on the updated application rule, an update to the at least one application received from the application gateway server computer.
  - 27. The method according to claim 15, wherein the services provided by the application gateway server computer further include one or more of:
    - a notification service for sending messages to the managed container, a specific managed application or managed applications contained in the managed container, one or more of the backend systems, or a combination thereof;
      
      an enrollment service for registering the client device with the application gateway server computer;
      
      a proxy service for communicating with one or more of the backend systems lacking a dedicated application programming interface;
      
      a media conversion service for controlling content quality, size, format, watermarking, or a combination thereof such that the content is consumable by the client devices;
      
      a settings service for providing a storage mechanism for settings comprising application defaults, user preferences, and application state information such that the settings are persisted at the application gateway server computer and consistent across the client devices;
      
      ora profile service for providing a common user profile across the backend systems.
  - 28. The method according to claim 15, wherein the application gateway server computer sends an application to the managed container in response to a request from the managed container or an instruction received via a user interface of the application gateway server computer.
  - 29. The method according to claim 15, further comprising:
    - updating an application residing on the application gateway server computer, the updated application associated with a version previously installed on the client device; and
      
      responsive to the update of the application on the application gateway server computer, updating the associated version on the client device.
  - 30. The method according to claim 15, further comprising:
    - controlling, by the application gateway server computer, the application settings information stored in the settings cache based at least in part on modifications at the application gateway server computer.
  - 31. The method according to claim 15, wherein the client device is a plurality of client devices and wherein versions of the managed applications are installed across the plurality of client devices, further comprising:
    - controlling, by the application gateway server computer, the application state information stored in the state cache on each of the plurality of client devices.
  - 32. The method according to claim 15, further comprising:
    - receiving data from a data source associated with a backend system, the data associated with a managed application received from the application gateway server computer; and
      
      storing the data associated with the managed application in the managed cache.
  - 33. The method according to claim 32, wherein said receiving the data associated with the managed application is in accordance with a data policy rule associated with the backend system.
  - 34. The method according to claim 33, wherein the data policy rule resides on the application gateway server computer, further comprising:
    - controlling the data receiving at the application gateway server computer in accordance with the data policy rule.
  - 35. The method according to claim 34, wherein said controlling the data receiving at the application gateway server computer is based on an update to the data policy rule.
  - 36. The method according to claim 33, wherein the data policy rule is stored in the managed cache, the data policy rule being one of the rules in the set of rules, further comprising:
    - controlling the data receiving at the managed container.
  - 37. The method according to claim 36, wherein said controlling the data receiving at the managed container is based on an update to the data policy rule, said update to the data policy rule propagated to the managed container from the backend system via the application gateway server computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ip Ot Sub Ulc
Original Assignee
Open Text Sa Ulc (Open Text Corporation)
Inventors
Beckman, Gregory, Laird, Robert, Gagne, Alain
Primary Examiner(s)
Pham, Luu T
Assistant Examiner(s)
Malinowski, Walter J

Application Number

US14/491,386
Publication Number

US 20150089224A1
Time in Patent Office

1,341 Days
Field of Search

713168, 726 1
US Class Current
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/16   Program or content traceabi...

G06F 21/6218   to a system of files or obj...

G06F 21/6227   where protection concerns t...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 3/04817   using icons graphical or vi...

G06F 8/65   Updates security arrangemen...

H04L 63/02   for separating internal fro...

H04L 63/0428   wherein the data content is...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

H04L 67/56   Provisioning of proxy servi...

H04L 67/565   Conversion or adaptation of...

H04L 67/5683   Storage of data provided by...

H04L 9/40   Network security protocols

Application gateway architecture with multi-level security policy and rule promulgations

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

183 Citations

37 Claims

Specification

Use Cases

Quick Links

Others

Application gateway architecture with multi-level security policy and rule promulgations

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

183 Citations

37 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others