Method and apparatus for controlling server access to a...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

C709S202000, C709S203000, C709S225000, C707S793000, C707S793000, C713S155000, C713S164000, C713S182000, C713S152000, C713S152000, C713S152000

active

06377994

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
This invention relates to access control in a distributed system and, more particularly, to a method and apparatus for controlling server access to a resource in a client/server system.
2. Description of the Related Art
Client/server systems are well known in the field of data processing. In a client/server system, a “client” process issues a request to a “server” process to perform a service for it. In response, the server transmits a reply to the client, notifying it of the results of the service. Often, the client process executes on a personal workstation, while the server process executes on a central “host” processor; however, this is not required and the two processes can run on the same machine. The service may be accessing or printing a file, executing an application, or some more specialized service such as providing access control as described below.
The terms “client” and “server” are relative to the service in question. Thus, the same process may be performing a service for a first process while requesting a service (such as access to a resource) from a second. The intermediary process functions as a server relative to the first process and as a client relative to the second.
Server processes of this latter type that request access to resources on behalf of clients present special security problems. For the purpose of gauging their security exposures, servers may be categorized into two general types: trusted servers and untrusted servers. Servers are considered to be “trusted” (or “authorized”) if they originate from the entity making the determination (usually the vendor of the operating system) or have otherwise been carefully examined so as to provide a high degree of assurance that they are free from malicious code. Servers that cannot be vouched for in this sense are regarded as “untrusted” (or “unauthorized”) servers.
Providing security contexts, which are authenticated identities, for client users in client/server applications where the server executes on a host system causes the client to have a host identity whose “scope of access authority” includes resources within the entire host system. If not controlled, this compromises the security and integrity of the entire host system. In the prior art, the only way to control the scope of authority of clients was to make the server code “authorized” and carefully inspect any such code to make sure that it didn't misbehave.
SUMMARY OF THE INVENTION
In accordance with the present invention, unauthorized servers will be able to issue new security service requests to have security contexts created for their clients—they could do this before only if they were authorized. With the new service, the security contexts created will be flagged as unauthenticated client security contexts. This is because the host system cannot assume that the “unauthorized” code had not manipulated the request (via trojan-horse code for example) to acquire the authenticated identity of someone other than the true client or to use a valid client's identity to do something nasty. Later, when any authorization checking request comes to the host system from any resource manager on the host system because the server acting at the request of the client has “asked for” access to some resource, the host system will require that both the client and the server be authorized to the resource. Thus, the server cannot access any resources outside of its own scope of access authority.
More particularly, the present invention contemplates a method and apparatus for handling requests for access to a resource purportedly on behalf of a client from an untrusted application server in a client/server system, which may be capable of operating as a “rogue” server. Upon receiving a service request from a client, an untrusted application server creates a new thread within its address space for the client and obtains from the security server a client security context, which is anchored to the task control block (TCB) for that thread. The client security context specifies the client and indicates whether the client is an authenticated client or an unauthenticated client.
When the application server makes a request for access to a resource purportedly on behalf of the client, the security server examines the security context created for the requesting thread. If the client security context indicates that the client is an authenticated client, the security server grants access to the resource if the client specified in the client security context is authorized to make the requested access to the resource. If the client security context indicates that the client is an unauthenticated client, the security server grants access to the resource only if both the client specified in the client security context and the application server are authorized to make the requested access to the resource.
With the present invention, the scope of access authority of a client can be limited to only resources that the server itself also has authority to. All other resources within the host system are not accessible by such a client user (while the user is a client user), even though the user may have access authority to other resources when not executing as a client. The servers are no longer required to be authorized or code inspected. Host systems incorporating the present invention thus become much more attractive platforms for the development of server applications.
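The authorization rule described above (authenticated client: the client's own authority decides; unauthenticated client: both client and server must be authorized), as an added illustration in Python that is not part of the patent and not any product's code. The security-context structure, the access list and the identities ALICE and APPSRV are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    AUTHENTICATED = "authenticated"      # context created through the trusted path
    UNAUTHENTICATED = "unauthenticated"  # context created at an untrusted server's request


@dataclass(frozen=True)
class ClientSecurityContext:
    """Hypothetical stand-in for the context the patent anchors to a thread's TCB."""
    client: str
    trust: Trust


def create_client_context(client: str, server_trusted: bool) -> ClientSecurityContext:
    """The security server flags contexts requested by untrusted servers as unauthenticated."""
    trust = Trust.AUTHENTICATED if server_trusted else Trust.UNAUTHENTICATED
    return ClientSecurityContext(client, trust)


# Constructed access list: resource -> identity -> permitted access modes.
# APPSRV (the application server) has no authority to the payroll data set.
ACL = {
    "PAYROLL.DATA": {"ALICE": {"read", "update"}},
    "APP.LOG": {"ALICE": {"read", "write"}, "APPSRV": {"write"}},
}


def identity_authorized(acl, identity: str, resource: str, access: str) -> bool:
    return access in acl.get(resource, {}).get(identity, set())


def check_access(acl, ctx: ClientSecurityContext, server: str,
                 resource: str, access: str) -> bool:
    """Authorization check for a request the server makes on the client's behalf.

    Authenticated client: the client's own authority decides.
    Unauthenticated client: both client AND server must be authorized, so the
    client's scope of access is confined to what the server itself may reach.
    """
    client_ok = identity_authorized(acl, ctx.client, resource, access)
    if ctx.trust is Trust.AUTHENTICATED:
        return client_ok
    return client_ok and identity_authorized(acl, server, resource, access)


if __name__ == "__main__":
    ctx = create_client_context("ALICE", server_trusted=False)
    print(check_access(ACL, ctx, "APPSRV", "PAYROLL.DATA", "read"))  # False
    print(check_access(ACL, ctx, "APPSRV", "APP.LOG", "write"))      # True
```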


