Content management system and methodology employing non-transferable access tokens to control data access

US 7,035,854 B2
Filed: 04/23/2002
Issued: 04/25/2006
Est. Priority Date: 04/23/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A computer program product for organizing information in a content management system, the computer program product including a plurality of computer executable instructions stored on a computer readable medium, wherein the instructions, when executed by the content management system, cause the system to perform the steps of:

receiving, by the system, a request from a client user for an object stored in the system;

generating, by the system, a unique object identifier associated with the requested object;

generating, by the system, a non-transferable access token comprising information associated with object access privileges to which the client user is entitled and unique information associated with the client user, wherein the unique information associated with the client user comprises at least one username and at least one password, the unique information used to permit only the client user to utilize the non-transferable access token, the non-transferable access token being coded with information unique to the client user such that when submitted to the system by a user other than the client user, the system denies access to the requested object;

receiving, by an object server associated with the system, an encrypted connection from a web browser associated with the client user;

receiving, over the encrypted connection, non-transferable authentication information corresponding to the at least one username and the at least one password;

decrypting at least a portion of the non-transferable access token, the portion representing the unique information associated with the client user;

determining whether the at least one username and the at least one password match the decrypted portion of the non-transferable access token resulting in a transfer determination;

validating the non-transferable access token with a library server associated with the system if the transfer determination shows that the non-transferable access token has not been transferred, the validating step resulting in a token validation; and

granting the client user access to the requested object based upon the token validation.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for accessing information in a content management system including a library server for generating non-transferable access tokens and an object server for storing objects to which access may be requested by a client user. Enhanced security is achieved by generating non-transferable access tokens which can be used by a particular client user to access a particular data object in the object server. However, should the token be transferred to a user other then the client user for which the token was generated, the system will not permit access to the object.

176 Citations

16 Claims

1. A computer program product for organizing information in a content management system, the computer program product including a plurality of computer executable instructions stored on a computer readable medium, wherein the instructions, when executed by the content management system, cause the system to perform the steps of:
- receiving, by the system, a request from a client user for an object stored in the system;
  
  generating, by the system, a unique object identifier associated with the requested object;
  
  generating, by the system, a non-transferable access token comprising information associated with object access privileges to which the client user is entitled and unique information associated with the client user, wherein the unique information associated with the client user comprises at least one username and at least one password, the unique information used to permit only the client user to utilize the non-transferable access token, the non-transferable access token being coded with information unique to the client user such that when submitted to the system by a user other than the client user, the system denies access to the requested object;
  
  receiving, by an object server associated with the system, an encrypted connection from a web browser associated with the client user;
  
  receiving, over the encrypted connection, non-transferable authentication information corresponding to the at least one username and the at least one password;
  
  decrypting at least a portion of the non-transferable access token, the portion representing the unique information associated with the client user;
  
  determining whether the at least one username and the at least one password match the decrypted portion of the non-transferable access token resulting in a transfer determination;
  
  validating the non-transferable access token with a library server associated with the system if the transfer determination shows that the non-transferable access token has not been transferred, the validating step resulting in a token validation; and
  
  granting the client user access to the requested object based upon the token validation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product of claim 1, wherein the step of receiving the at least one username and the at least one password further comprises determining whether the web browser associated with the client user is presenting a unique information cookie to the object server that includes the unique information regarding the client user and, if the unique information cookie is not presented, redirecting the web browser associated with the client user to a password form that comprises a unique object identifier associated with the requested object in a hidden field within the password form, and wherein the password form further comprises non-hidden input fields for the at least one username and the at least one password.
  - 3. The computer program product of claim 1 further including instructions for setting a non-transferable flag in the access token to indicate that the access token is non-transferable to a user other than the client user.
  - 4. The computer program product of claim 1 further including instructions for querying the client user for username and password.
  - 5. The computer program product of claim 4 further including instructions for encrypting the username and password to provide an encrypted username and encrypted password.
  - 6. The computer program product of claim 5 further including instructions for embedding the encrypted username and encrypted password in the non-transferable access token.
  - 7. The computer program product of claim 6 further including instructions for transmitting to the system, by the client user, an object request including the unique object identifier and the non-transferable access token.
  - 8. The computer program product of claim 7 further including instructions for prompting, by the system, the client user for username and password to provide a prompted username and prompted password.

9. A method of organizing information in a content management system, the method comprising the steps of:
- receiving, by the system, a request from a client user for an object stored in the system;
  
  generating, by the system, a unique object identifier associated with the requested object;
  
  generating, by the system, a non-transferable access token comprising information associated with object access privileges to which the client user is entitled and unique information associated with the client user, wherein the unique information associated with the client user comprises at least one username and at least one password, the unique information used to permit only the client user to utilize the non-transferable access token, the non-transferable access token being coded with information unique to the client user such that when submitted to the system by a user other than the client user, the system denies access to the requested object;
  
  receiving, by an object server associated with the system, an encrypted connection from a web browser associated with the client user;
  
  receiving, over the encrypted connection, non-transferable authentication information corresponding to the at least one username and the at least one password;
  
  decrypting at least a portion of the non-transferable access token, the portion representing the unique information associated with the client user;
  
  determining whether the at least one username and the at least one password match the decrypted portion of the non-transferable access token resulting in a transfer determination;
  
  validating the non-transferable access token with a library server associated with the system if the transfer determination shows that the non-transferable access token has not been transferred, the validating step resulting in a token validation; and
  
  granting the client user access to the requested object based upon the token validation.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the step of receiving the at least one username and the at least one password further comprises determining whether the web browser associated with the client user is presenting a unique information cookie to the object server that includes the unique information regarding the client user and, if the unique information cookie is not presented, redirecting the web browser associated with the client user to a password form that comprises a unique object identifier associated with the requested object in a hidden field within the password form, and wherein the password form further comprises non-hidden input fields for the at least one username and the at least one password.
  - 11. The method of claim 9 further comprising setting a non-transferable flag in the access token to indicate that the access token is non-transferable to a user other than the client user.
  - 12. The method of claim 9 further comprising querying the client user for username and password.
  - 13. The method of claim 12 further comprising encrypting the username and password to provide an encrypted username and encrypted password.
  - 14. The method of claim 13 further comprising embedding the encrypted username and encrypted password in the non-transferable access token.
  - 15. The method of claim 14 further comprising transmitting to the system, by the client user, an object request including the unique object identifier and the non-transferable access token.
  - 16. The method of claim 15 further comprising prompting, by the system, the client user for username and password to provide a prompted username and prompted password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Hsiao, Hui-I, Mega, Cataldo, Laue, Matthew
Primary Examiner(s)
Kindred, Alford W.

Application Number

US10/128,503
Publication Number

US 20030200202A1
Time in Patent Office

1,463 Days
Field of Search

707 1- 4, 707 9- 10, 707102-103 Z, 707/103.R
US Class Current

1/1
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2141   Access rights, e.g. capabil...

Y10S 707/99931   Database or file accessing

Y10S 707/99939   Privileged access

Y10S 707/99943   Generating database or data...

Y10S 707/99944   Object-oriented database st...

Content management system and methodology employing non-transferable access tokens to control data access

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

176 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Content management system and methodology employing non-transferable access tokens to control data access

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

176 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links