HTTP password mediator

US 9,985,991 B2
Filed: 02/26/2013
Issued: 05/29/2018
Est. Priority Date: 02/26/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising;

intercepting, within an operating system network stack of a client device, a hypertext transfer protocol (HTTP) request message issued by a client application executing on the client device, the HTTP request message indicating an operation to be performed for a user of the client application at a destination system;

analyzing, by a processing device of the client device, the intercepted HTTP request message to identify the user of the client application;

requesting, by the client device, security information for the user with respect to the destination system, the security information being from a data store and comprising a concealed password that is associated with the user and remains hidden from the user;

determining, by the processing device of the client device, whether the user is allowed to perform the operation in view of the security information;

modifying, by the client device, the intercepted HTTP request message to include the concealed password upon determining that the user is allowed to perform the operation; and

sending, by the client device, the modified HTTP request message to the destination system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for password mediation including identifying an HTTP request issued by a client application executing on a client device, the HTTP request indicating an operation to be performed for a user of the client application at a destination system, obtaining user credentials using the HTTP request, requesting security information for the user with respect to the destination system, determining whether the user is allowed to perform the operation based on the security information, and upon determining that the user is allowed to perform the operation, modifying the HTTP request based on the security information and sending the modified HTTP request to the destination system.

17 Citations

View as Search Results

20 Claims

1. A method comprising;
- intercepting, within an operating system network stack of a client device, a hypertext transfer protocol (HTTP) request message issued by a client application executing on the client device, the HTTP request message indicating an operation to be performed for a user of the client application at a destination system;
  
  analyzing, by a processing device of the client device, the intercepted HTTP request message to identify the user of the client application;
  
  requesting, by the client device, security information for the user with respect to the destination system, the security information being from a data store and comprising a concealed password that is associated with the user and remains hidden from the user;
  
  determining, by the processing device of the client device, whether the user is allowed to perform the operation in view of the security information;
  
  modifying, by the client device, the intercepted HTTP request message to include the concealed password upon determining that the user is allowed to perform the operation; and
  
  sending, by the client device, the modified HTTP request message to the destination system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 19)
- - 2. The method of claim 1, wherein determining whether the user is allowed to perform the operation comprises:
    - determining whether the HTTP request message contains an HTTP basic credential;
      
      upon determining that the HTTP request message contains the HTTP basic credential, determining whether the user can be identified in the data store;
      
      upon determining that the user can be identified in the data store, identifying the user in the data store, and obtaining the security information from the data store; and
      
      determining whether the user is allowed to perform the requested operation in view of the rules in the security information.
  - 3. The method of claim 2 further comprising upon determining that the HTTP request message does not contain the HTTP basic credential, sending the HTTP request message unmodified to the destination system.
  - 4. The method of claim 2 further comprising upon determining that the user cannot be identified in the data store, sending the HTTP request message unmodified to the destination system.
  - 5. The method of claim 2 further comprising upon determining that the user is not allowed to perform the requested operation, sending the HTTP request message unmodified to the destination system.
  - 6. The method of claim 1, wherein the modified HTTP request message comprises the HTTP request message with a portion of the security information appended.
  - 7. The method of claim 1 further comprising recording the HTTP request message from the user application to a user log.
  - 19. The method of claim 1, wherein the concealed password is an access password for an organization and is shared by a plurality of users of the organization.

8. A system comprising:
- a memory; and
  
  a processing device of a client device, the processing device operatively coupled to the memory, the processing device to;
  
  intercept a hypertext transfer protocol (HTTP) request message within an operating system network stack of the client device, wherein the HTTP request message is issued by a client application executing on the client device and indicates an operation to be performed by a user of the client application at a destination system;
  
  analyze the intercepted HTTP request message to identify the user of the client application;
  
  request security information for the user with respect to the destination system, the security information being from a data store and comprising a concealed password that is associated with the user and remains hidden from the user;
  
  determine whether the user is allowed to perform the operation in view of the security information;
  
  modify the intercepted HTTP request message to include the concealed password upon determining that the user is allowed to perform the operation; and
  
  send the modified HTTP request message to the destination system.
- View Dependent Claims (9, 10, 11, 12, 13, 20)
- - 9. The system of claim 8, wherein to determine whether the user is allowed to perform the operation, the processing device is further to:
    - determine whether the HTTP request message contains an HTTP basic credential;
      
      upon determining that the HTTP request message contains the HTTP basic credential, determine whether the user can be identified in the data store;
      
      upon determining that the user can be identified in the data store, identify the user in the data store, and obtaining the security information from the data store; and
      
      determine whether the user is allowed to perform the requested operation in view of the rules in the security information.
  - 10. The system of claim 9, wherein the processing device is further to, upon determining that the HTTP request message does not contain the HTTP basic credential, send the HTTP request message unmodified to the destination system.
  - 11. The system of claim 9, wherein the processing device is further to, upon determining that the user cannot be identified in the data store, send the HTTP request message unmodified to the destination system.
  - 12. The system of claim 9, wherein the processing device is further to, upon determining that the user is not allowed to perform the requested operation, send the HTTP request message unmodified to the destination system.
  - 13. The system of claim 8, wherein the modified HTTP request message comprises the HTTP request message with a portion of the security information appended.
  - 20. The system of claim 8, wherein the concealed password is an access password for an organization and is shared by a plurality of users of the organization.

14. A non-transitory computer-readable storage medium including instructions that cause a processing device of a client device to:
- intercept, within an operating system network stack of the client device, a hypertext transfer protocol (HTTP) request message issued by a client application executing on the client device, the HTTP request message indicating an operation to be performed for a user of the client application at a destination system;
  
  analyze, by the processing device of the client device, the intercepted HTTP request message to identify the user of the client application;
  
  request, by the client device, security information for the user with respect to the destination system, the security information being from a data store and comprising a concealed password that is associated with the user and remains hidden from the user;
  
  determine, by the processing device of the client device, whether the user is allowed to perform the operation in view of the security information;
  
  modify, by the client device, the intercepted HTTP request message to include the concealed password upon determining that the user is allowed to perform the operation; and
  
  send, by the client device, the modified HTTP request message to the destination system.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the instructions further cause the processing device to:
    - determine whether the HTTP request message contains an HTTP basic credential;
      
      upon determining that the HTTP request message contains the HTTP basic credential, determine whether the user can be identified in the data store;
      
      upon determining that the user can be identified in the data store, identify the user in the data store, and obtain the security information from the data store; and
      
      determine whether the user is allowed to perform the requested operation in view of the rules in the security information.
  - 16. The non-transitory computer-readable storage medium of claim 15, wherein the instructions further cause the processing device to send the HTTP request message unmodified to the destination system upon determining that the HTTP request message does not contain the HTTP basic credential.
  - 17. The non-transitory computer-readable storage medium of claim 15, wherein the instruction further cause the processing device to send the HTTP request message unmodified to the destination system upon determining that the user cannot be identified in the data store.
  - 18. The non-transitory computer-readable storage medium of claim 14, wherein the modified HTTP request message comprises the HTTP request message with a portion of the security information appended.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Elias, Filip, Nguyen, Filip
Primary Examiner(s)
Nipa, Wasika

Application Number

US13/777,987
Publication Number

US 20140245372A1
Time in Patent Office

1,918 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

H04L 63/20   for managing network securi...

HTTP password mediator

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HTTP password mediator

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links