Method and system for web-based switch-user operation

US 7,296,077 B2
Filed: 12/12/2002
Issued: 11/13/2007
Est. Priority Date: 12/12/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method for accessing protected resources, the method comprising:

establishing at a proxy server a session for a first user, wherein the session is associated with a credential for the first user;

receiving at the proxy server from the first user a request to assume the identity of a second user;

obtaining a credential for the second user;

saving the credential of the first user;

associating the credential of the second user with the session for the first user;

receiving at the proxy server from the first user during the session for the first user a request for a protected resource; and

providing access to the protected resource in accordance with the credential for the second user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus, a system, and a computer program product are presented for allowing an administrative user to provide help, support, or assistance to other users within a computing environment. An administrator obtains a username of a user who requires assistance through some means. The administrator belongs to a special group of users that is allowed to invoke a switch-user function, which obtains a comprehensive version of that user'"'"'s identity, e.g., security credentials, while maintaining a session. With respect to applications and systems within a computing environment, the administrator'"'"'s session will have the attributes of the assumed user identity as if the administrator had logged in with that user'"'"'s authentication information. The administrator then accesses resources while impersonating that user in order to assist that user or to find a problem.

37 Citations

View as Search Results

21 Claims

1. A method for accessing protected resources, the method comprising:
- establishing at a proxy server a session for a first user, wherein the session is associated with a credential for the first user;
  
  receiving at the proxy server from the first user a request to assume the identity of a second user;
  
  obtaining a credential for the second user;
  
  saving the credential of the first user;
  
  associating the credential of the second user with the session for the first user;
  
  receiving at the proxy server from the first user during the session for the first user a request for a protected resource; and
  
  providing access to the protected resource in accordance with the credential for the second user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - prior to receiving the request to assume the identity of a second user, sending an HTML (Hypertext Markup Language) form to the first user.
  - 3. The method of claim 2 further comprising:
    - restricting access to the HTML form to administrative users.
  - 4. The method of claim 2 wherein the request to assume the identity of a second user comprises a submission of data for the HTML form.
  - 5. The method of claim 4 further comprising:
    - extracting a URL (Uniform Resource Locator) from the submitted data; and
      
      returning a web page identified by the URL to the first user after associating the credential of the second user with the session for the first user.
  - 6. The method of claim 1 further comprising:
    - receiving a request to conclude the assumption of the identity of the second user by the first user;
      
      retrieving the saved credential of the first user; and
      
      associating the saved credential of the first user with the session for the first user.
  - 7. The method of claim 6 further comprising:
    - redirecting a browser for the first user to a web page from which the first user initiated the request to assume the identity of the second user.

8. An apparatus for accessing protected resources, the apparatus comprising:
- means for establishing at a proxy server a session for a first user, wherein the session is associated with a credential for the first user;
  
  means for receiving at the proxy server from the first user a request to assume the identity of a second user;
  
  means for obtaining a credential for the second user;
  
  means for saving the credential of the first user;
  
  means for associating the credential of the second user with the session for the first user;
  
  means for receiving at the proxy server from the first user during the session for the first user a request for a protected resource; and
  
  means for providing access to the protected resource in accordance with the credential for the second user.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus of claim 8 further comprising:
    - means for sending, prior to receiving the request to assume the identity of a second user, an HTML (Hypertext Markup Language) form to the first user.
  - 10. The apparatus of claim 9 further comprising:
    - means for restricting access to the HTML form to administrative users.
  - 11. The apparatus of claim 9 wherein the request to assume the identity of a second user comprises a submission of data for the HTML form.
  - 12. The apparatus of claim 11 further comprising:
    - means for extracting a URL (Uniform Resource Locator) from the submitted data; and
      
      means for returning a web page identified by the URL to the first user after associating the credential of the second user with the session for the first user.
  - 13. The apparatus of claim 8 further comprising:
    - means for receiving a request to conclude the assumption of the identity of the second user by the first user;
      
      means for retrieving the saved credential of the first user; and
      
      means for associating the saved credential of the first user with the session for the first user.
  - 14. The apparatus of claim 13 further comprising:
    - means for redirecting a browser for the first user to a web page from which the first user initiated the request to assume the identity of the second user.

15. A computer program product in a computer readable medium for use in a data processing system for accessing protected resources, the computer program product comprising:
- means for establishing at a proxy server a session for a first user, wherein the session is associated with a credential for the first user;
  
  means for receiving at the proxy server from the first user a request to assume the identity of a second user;
  
  means for obtaining a credential for the second user;
  
  means for saving the credential of the first user;
  
  means for associating the credential of the second user with the session for the first user;
  
  means for receiving at the proxy server from the first user during the session for the first user a request for a protected resource; and
  
  means for providing access to the protected resource in accordance with the credential for the second user.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product of claim 15 further comprising:
    - means for sending, prior to receiving the request to assume the identity of a second user, an HTML (Hypertext Markup Language) form to the first user.
  - 17. The computer program product of claim 16 further comprising:
    - means for restricting access to the HTML form to administrative users.
  - 18. The computer program product of claim 17 wherein the request to assume the identity of a second user comprises a submission of data for the HTML form.
  - 19. The computer program product of claim 17 further comprising:
    - means for extracting a URL (Uniform Resource Locator) from the submitted data; and
      
      means for returning a web page identified by the URL to the first user after associating the credential of the second user with the session for the first user.
  - 20. The computer program product of claim 15 further comprising:
    - means for receiving a request to conclude the assumption of the identity of the second user by the first user;
      
      means for retrieving the saved credential of the first user; and
      
      means for associating the saved credential of the first user with the session for the first user.
  - 21. The computer program product of claim 20 further comprising:
    - means for redirecting a browser for the first user to a web page from which the first user initiated the request to assume the identity of the second user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Moran, Anthony S., Harmon, Benjamin B.
Primary Examiner(s)
MEKY, MOUSTAFA M

Application Number

US10/317,996
Publication Number

US 20040117489A1
Time in Patent Office

1,797 Days
Field of Search

709200-203, 709217-220, 709223-229, 713/100, 726/21
US Class Current

709/229
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 67/02   based on web technology, e....

H04L 67/142   Managing session states for...

H04L 67/2895   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

H04L 67/563   Data redirection of data ne...

H04L 67/564   Enhancement of application ...

H04L 67/5682   Policies or rules for updat...

H04L 69/329   in the application layer [O...

Method and system for web-based switch-user operation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for web-based switch-user operation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links