Distributed authentication mechanisms for handling diverse authentication systems in an enterprise computer system

US 6,668,327 B1
Filed: 06/14/1999
Issued: 12/23/2003
Est. Priority Date: 06/14/1999
Status: Expired due to Term

First Claim

Patent Images

1. In a distributed computing system, an authentication server arranged to provide a credential reference used by any of a number authenticated requesting clients to access a protected resource in a requested realm, comprising:

a credential request verifier arranged to determine if additional authentication data is required by the authentication server in order to grant the credential reference to the requesting client;

a realm authenticator coupled to the credential request verifier arranged to authenticate the requesting client in a requested realm when it is determined that the requesting client is allowed to access the requested realm;

a credential translator coupled to the realm authenticator arranged to grant a requested privilege in the authenticated realm to the requesting client when it is determined that the requesting client is allowed the requested privilege in the authenticated realm;

a credential generator coupled to the credential translator arranged to generate a credential in the authentication server; and

a credential reference generator that provides the credential reference to the requesting client wherein the credential reference points back to the credential that allows the requesting client access to the protected resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and computer systems for providing access to a protected resource are described. In an enterprise computer system, an authentication server provides a client requesting access to the protected resource a credential. In order to access the protected resource, the requesting client presents a protected resource access request in combination with the credential to a server coupled to the protected resource. The server, in turn, requests the authentication server to validate the credential. After the authentication server has validated the credential, the server grants the requesting client access to the protected resource.

92 Citations

View as Search Results

24 Claims

1. In a distributed computing system, an authentication server arranged to provide a credential reference used by any of a number authenticated requesting clients to access a protected resource in a requested realm, comprising:
- a credential request verifier arranged to determine if additional authentication data is required by the authentication server in order to grant the credential reference to the requesting client;
  
  a realm authenticator coupled to the credential request verifier arranged to authenticate the requesting client in a requested realm when it is determined that the requesting client is allowed to access the requested realm;
  
  a credential translator coupled to the realm authenticator arranged to grant a requested privilege in the authenticated realm to the requesting client when it is determined that the requesting client is allowed the requested privilege in the authenticated realm;
  
  a credential generator coupled to the credential translator arranged to generate a credential in the authentication server; and
  
  a credential reference generator that provides the credential reference to the requesting client wherein the credential reference points back to the credential that allows the requesting client access to the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. An authentication server as recited in claim 1, wherein when the credential request verifier determines that additional authentication data is required, then the credential request verifier initiates a session between the requesting client and the credential request verifier arranged to provide the additional authentication data.
  - 3. An authentication server as recited in claim 2, wherein when it is determined that the requesting client is not allowed access to the requested realm, then a first type fail flag is posted to the requesting client.
  - 4. An authentication server as recited in claim 3, wherein when it is determined that the requesting client is not allowed the requested privilege in the authenticated realm, then a second type fail flag is posted to the requesting client.
  - 5. An authentication server as recited in claim 4, wherein the credential generator instantiates a credential object that resides in the authentication server.
  - 6. An authentication server as recited in claim 5, wherein the credential generator returns a remote reference to the credential object to the requesting client which is then used to access the protected resource such that the requesting client is the credential owner.
  - 7. An authentication server as recited in claim 6, wherein the authentication server is securely coupled to the requesting client.
  - 8. An authentication server as recited in claim 7, wherein the authentication server and the requesting client are each securely coupled to the protected resource by way of an Enterprise Java Bean (EJB) server, wherein the authentication server, the requesting client, and the EJB server together form an EJB enterprise computer system.
  - 9. An authentication server as recited in claim 8, wherein when the requesting client requires access to the protected resource, the requesting client presents a protected access request in addition to the reference to the credential to the EJB server.
  - 10. An authentication server as recited in claim 9, wherein the EJB server responds to the presenting of the reference to the credential by requesting the authentication server validate the presented credential, wherein when the credential is validated, the EJB server grants the requesting client access to the protected resource, otherwise, the requesting client is denied access to the protected resource.
  - 11. An authentication server as recited in claim 10, wherein the requesting client is a web browser.
  - 12. An authentication server as recited in claim 1, wherein the authentication server has an address location provided by a naming service.
  - 13. An authentication server as recited in claim 1, wherein the credential reference is provided to a second requesting client that is different from the requesting client when the second requesting client is authenticated to access to the protected resource.

14. A method of accessing a protected resource in a multi-platform enterprise computer system having an authentication server arranged to provide a credential reference associated with a credential used by any of a number of requesting clients to access the protected resource, wherein the authentication server is securely coupled to the requesting client and a server coupled to the protected resource, comprising:
- providing an access request to the authentication server by the requesting client that includes authentication data indicative of the protected resource;
  
  authenticating the requesting client to access the protected resource by the authentication server based upon the authentication data;
  
  authenticating the requesting client to exercise a privilege associated with the protected resource, wherein the privilege is in addition to the granted access;
  
  providing the requesting client with the credential reference;
  
  presenting the credential reference along with a protected resource access request to the server;
  
  validating the credential by the authentication server when the credential reference is presented by the server; and
  
  granting the requesting client access to the protected resource by the server when the credential is validated.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. A method as recited in claim 14, wherein the server is an Enterprise Java Bean (EJB) server.
  - 16. A method as recited in claim 14, wherein the protected resource is a data base.
  - 17. A method as recited in claim 16, wherein the requesting client is a web browser.
  - 18. A method as recited in claim 17, wherein when the authentication server denies the access request of the requesting client, then the authentication server responds by posting a first type fail flag.
  - 19. A method as recited in claim 17, wherein when the authentication server denies the requesting client the requested privilege, the authentication server posts a second type fail flag, whereas the authentication server provides the requesting client with the credential to access the protected resource without the privilege.

20. A method of accessing a protected resource in a multi-platform enterprise computer system having an authentication server arranged to authenticate a credential used by a requesting client as a credential owner to access the protected resource, wherein the authentication server is securely coupled to the requesting client and an EJB server coupled to the protected resource, comprising:
- providing a credential request to the authentication server by the requesting client, wherein the credential request includes authentication data indicative of the protected resource;
  
  authenticating the requesting client to access the protected resource by the authentication server base upon the authentication data;
  
  authenticating the requesting client to exercise a privilege associated with the protected resource, wherein the privilege is in addition to the granted access;
  
  providing the requesting client with a reference to the credential;
  
  presenting the reference to the credential along with a protected resource access request to the server;
  
  validating the credential by the authentication server when presented by the server; and
  
  granting the requesting client access to the protected resource by the EJB server when the credential is validated.
- View Dependent Claims (21, 22, 23, 24)
- - 21. A method as recited in claim 20, wherein the protected resource is a data base.
  - 22. A method as recited in claim 20, wherein the requesting client is a web browser.
  - 23. A method as recited in claim 22, wherein when the authentication server denies the credential request of the requesting web browser, then the authentication server responds by posting a first type fail flag.
  - 24. A method as recited in claim 22, wherein when the authentication server denies the requesting web browser the requested privilege, the authentication server posts a second type fail flag, whereas the authentication server provides the requesting client with the credential to access the protected resource without the privilege.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Prabandham, Harish, Nagar, Vivek
Primary Examiner(s)
Peeso, Thomas R.

Application Number

US09/332,775
Time in Patent Office

1,653 Days
Field of Search

713/201, 713/155, 713/162, 713/168, 713/182, 713/200
US Class Current

726/4
CPC Class Codes

G06F 21/33 using certificates

Distributed authentication mechanisms for handling diverse authentication systems in an enterprise computer system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

92 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed authentication mechanisms for handling diverse authentication systems in an enterprise computer system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

92 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links