Multi-domain access control
Abstract
A multi-domain resource access control mechanism uses a single access control system to manage access by users to resources that belong to multiple domains. A server is associated with each domain in a set of domains. Access to resources in the domains is governed by an access control system. A first server for a first domain transmits a data token to a client seeking access to a resource in a second domain. The client transmits the data token to a second server in the other domain. The second server uses the data token to verify that the user is authentic, that is, authorized to access resources protected by the access control system. Once determining that the user is authorized to access resources, access control cookies are transmitted to client. When the client requests access to a resource in the second domain, and the request did not include access control cookies for the second domain, data is transmitted to the browser causing it to generate another request to the first server. The first server ensures that the user has been authenticated before transmitting the data token to the browser. In addition, the first server may cause copies of access control cookies for the user to be stored for later transmission to the second server.
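The token hand-off the abstract describes, as an added illustration that is not the patent's own implementation: the first (authenticating) server checks its own domain cookie before minting an HMAC-signed data token bound to the second domain, and the second server redeems that token for a cookie of its own, redirecting to the first server when a request arrives with neither. Domain names, cookie names and the shared key are constructed placeholders, and the signing format is an assumption, since the abstract does not specify one.

```python
import base64, hashlib, hmac, json
from typing import Optional
# Constructed values for this example; a real deployment provisions the key out of band.
ACS_KEY = b"example-shared-key-not-for-production"
AUTH_DOMAIN = "auth.example"          # the first (authenticating) domain of the abstract
TOKEN_TTL, COOKIE_TTL = 60, 3600      # seconds: one-shot hand-off token vs. per-domain cookie

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(user: str, aud: str, now: float, ttl: int) -> str:
    """Sign {sub, aud, exp}; used for the cross-domain data token and for each domain's own cookie."""
    body = json.dumps({"sub": user, "aud": aud, "exp": now + ttl}).encode()
    return _b64(body) + "." + _b64(hmac.new(ACS_KEY, body, hashlib.sha256).digest())

def verify(token: str, expected_aud: str, now: float) -> Optional[str]:
    """Return the user if signature, audience and expiry all hold, else None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(ACS_KEY, body, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(body)
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims["sub"]

def auth_server_token_request(cookies: dict, aud: str, now: float) -> dict:
    """First server: mint a token for 'aud' only for a user holding a valid auth-domain cookie."""
    user = verify(cookies.get(f"acs_{AUTH_DOMAIN}", ""), AUTH_DOMAIN, now)
    if user is None:
        return {"status": 302, "location": f"https://{AUTH_DOMAIN}/login"}
    return {"status": 302, "location": f"https://{aud}/resource?token={mint(user, aud, now, TOKEN_TTL)}"}

def resource_server_request(domain: str, cookies: dict, token: Optional[str], now: float) -> dict:
    """Second server: serve on a valid own-domain cookie; else redeem a token or bounce to the first server."""
    user = verify(cookies.get(f"acs_{domain}", ""), domain, now)
    if user is not None:
        return {"status": 200, "user": user}
    if token is None:   # neither this domain's cookie nor a token: send the browser to the first server
        return {"status": 302, "location": f"https://{AUTH_DOMAIN}/token?aud={domain}"}
    user = verify(token, domain, now)
    if user is None:    # forged, expired, or minted for a different domain
        return {"status": 401}
    return {"status": 200, "user": user, "set_cookie": {f"acs_{domain}": mint(user, domain, now, COOKIE_TTL)}}
```

Binding the token to an audience is what stops a token minted for one domain from being redeemed at another, and the short TTL limits how long a captured hand-off token stays useful.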
28 Claims
1. A method of controlling access to a resource protected by an access control system that uses access control information transmitted in conjunction with requests to access the resource to determine whether access may be permitted, the method comprising the steps of:
a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in first data items that are only transmitted between a first class of one or more servers and said client, wherein said particular data item:
was transmitted to said client from a second server that does not belong to said first class, and indicates that a user has been authenticated by said access control system;
said first server determining that said user has been authenticated by said access control system based on said particular data item; and
in response to said first server determining that said user may access said resource, transmitting access control information in a first data item of said first data items.

2. The method of claim 1, further including the steps of:
receiving a first request from said client to access said resource;
determining that said client did not transmit particular access control information in conjunction with said first request that may be used to determine whether said client may access said resource; and
in response to determining that said client did not transmit said particular access control information in conjunction with said first request, said first server causing said client to transmit a second request to said second server to determine access rights of said client.
3. The method of claim 2, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.

4. The method of claim 3, wherein said second server determining that said user has been authenticated includes said second server causing said user to log in to said access control system to be authenticated by said access control system.

5. The method of claim 3, wherein said second server determining that said user has been authenticated includes said second server determining that said user has been authenticated by said access control system.

6. The method of claim 5, wherein said second server determining that said user has been authenticated by said access control system is performed by examining one or more cookies that are associated with a domain name associated with said second server but not said first server.

7. The method of claim 1, further including the steps of:
causing said client to transmit said particular data item to one or more other servers, wherein each other server of said one or more other servers transmits other data items that are only transmitted between said client and another class of one or more servers to which said each other server belongs; and
each other server of said one or more other servers transmitting other access control information generated by said access control system in another data item of said respective other data items.

8. The method of claim 1, the method further including the steps of:
said second server causing a second data item which reflects said access control information in said first data item to be stored in a storage mechanism that may be accessed by said first server; and
said first server retrieving said second data item to generate said first data item.

9. The method of claim 8, wherein said storage mechanism is a particular server dedicated to generating data items that each indicate that a particular user has been authenticated by said access control system, the method further including the step of said particular server generating said particular data item in response to a request transmitted by said second server to said particular server.

10. The method of claim 1, further including the steps of:
said second server transmitting a request for said particular data item to a particular server dedicated to generating data items that each indicate that a particular user has been authenticated by said access control system; and
said particular server generating said particular data item and transmitting said particular data item to said second server.

11. The method of claim 10, wherein the step of said first server determining that said user has been authenticated by said access control system includes said first server transmitting a request to said particular server to verify that said particular data item is associated with a user that has been authenticated.

12. The method of claim 1, wherein said first class of servers are servers that belong to the same particular domain.

13. The method of claim 12, wherein said second server belongs to a second domain and not said particular domain.

14. The method of claim 1, wherein said first data items are cookies.
15. A computer-readable medium carrying one or more sequences of one or more instructions for controlling access to a resource protected by an access control system that uses access control information transmitted in conjunction with requests to access the resource to determine whether access may be permitted, the one or more sequences of one or more instructions including instructions which, when executed by one or more processors, cause the one or more processors to perform the steps of:
a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in first data items that are only transmitted between a first class of one or more servers and said client, wherein said particular data item:
was transmitted to said client from a second server that does not belong to said first class, and indicates that a user has been authenticated by said access control system;
said first server determining that said user has been authenticated by said access control system based on said particular data item; and
in response to said first server determining that said user may access said resource, transmitting access control information in a first data item of said first data items.

16. The computer-readable medium of claim 15, further including the steps of:
receiving a first request from said client to access said resource;
determining that said client did not transmit particular access control information in conjunction with said first request that may be used to determine whether said client may access said resource; and
in response to determining that said client did not transmit said particular access control information in conjunction with said first request, said first server causing said client to transmit a second request to said second server to determine access rights of said client.

17. The computer-readable medium of claim 16, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.

18. The computer-readable medium of claim 17, wherein said second server determining that said user has been authenticated includes said second server causing said user to log in to said access control system to be authenticated by said access control system.

19. The computer-readable medium of claim 17, wherein said second server determining that said user has been authenticated includes said second server determining that said user has been authenticated by said access control system.

20. The computer-readable medium of claim 19, wherein said second server determining that said user has been authenticated by said access control system is performed by examining one or more cookies that are associated with a domain name associated with said second server but not said first server.
21. A method of controlling access to a resource protected by an access control system that uses access control information transmitted in cookies to determine whether access may be permitted, the method comprising the steps of:
a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in cookies associated with a first domain;
wherein said first server belongs to said first domain;
wherein said particular data item:
was transmitted to said client from a second server that does not belong to said first domain, and indicates that a user has been authenticated by said access control system;
said first server determining that said user has been authenticated by said access control system based on said particular data item; and
in response to said first server determining that said user may access said resource, transmitting access control information in a cookie associated with the first domain to said client.

22. The method of claim 21, further including the steps of:
receiving a first request from said client to access said resource;
determining that said client did not transmit particular access control information in conjunction with said first request that may be used to determine whether said client may access said resource; and
in response to determining that said client did not transmit said particular access control information in conjunction with said first request, said first server causing said client to transmit a second request to said second server to determine access rights of said client.

23. The method of claim 22, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.
24. A method of controlling access to a resource protected by an access control system that uses access control information transmitted in conjunction with requests to access the resource to determine whether access may be permitted, the method comprising the steps of:
a first server receiving a particular data item from a client, wherein said first server transmits and receives access control information generated by said access control system in first data items that are only transmitted by said client to one or more servers belonging to a first class of one or more servers, wherein said particular data item:
was transmitted to said client from a second server that does not belong to said first class, and indicates that a user has been authenticated by said access control system;
said first server determining that said user has been authenticated by said access control system based on said particular data item; and
in response to said first server determining that said user may access said resource, transmitting access control information in a first data item of said first data items to said client.

25. The method of claim 24, further including the steps of:
receiving a first request from said client to access said resource;
determining that said client did not transmit particular access control information in conjunction with said first request that may be used to determine whether said client may access said resource; and
in response to determining that said client did not transmit said particular access control information in conjunction with said first request, said first server causing said client to transmit a second request to said second server to determine access rights of said client.

26. The method of claim 25, wherein said particular data item was transmitted to said client from a second server in response to said second server determining that said user has been authenticated.

27. The method of claim 25, wherein said client is a browser.

28. The method of claim 25, wherein said first data items are cookies.