Method for changing a security policy during processing of a...

Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer

Reexamination Certificate


Details

U.S. classification: C705S069000, C705S076000
Status: active
Patent number: 06341352

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Technical Field
The present invention relates generally to managing security policies as protected files (e.g., Web documents) are accessed by a Web browser user from a secure distributed file system.
2. Description of the Related Art
The World Wide Web of the Internet is the most successful distributed application in the history of computing. In the Web environment, client machines effect transactions to Web servers using the Hypertext Transfer Protocol (HTTP), which is a known application protocol providing users access to files (e.g., text, graphics, images, sound, video, etc.) via a standard page description language known as Hypertext Markup Language (HTML). HTML provides basic document formatting and allows the developer to specify “links” to other servers and files. In the Internet paradigm, a network path to a server is identified by a so-called Uniform Resource Locator (URL) having a special syntax for defining a network connection.
Use of an HTML-compatible browser (e.g., Netscape Navigator or Microsoft Internet Explorer) at a client machine involves specification of a link via the URL. In response, the client makes a request to the server identified in the link and receives in return a document formatted, for example, according to HTML.
Many business organizations and other entities now desire to integrate Web transaction processing into their distributed computing environment in which users access distributed resources and process applications. A known distributed computing environment, called DCE, has been implemented using “open” software conforming to standards implemented from time to time by The Open Group or “TOG” (f/k/a the Open Systems Foundation (OSF)). As DCE environments become more popular, many applications have been written and utilized to provide distributed services such as data sharing, printing services and database access. The Open Group DCE includes a distributed file system, called Distributed File Services (DFS), for use in these environments.
DFS provides many advantages over a standalone file server, such as higher availability of data and resources, the ability to share information throughout a very large-scale system, and protection of information by the robust DCE security mechanism. In particular, DFS makes files highly available through replication, making it possible to access a copy of a file if one of the machines where the file is located goes down. DFS also brings together all of the files stored in various file systems in a global namespace. Multiple servers can export their file system to this namespace. All DFS users, in the meantime, share this namespace, making all DFS files readily available from any DFS client machine.
The functionality of existing standalone Web servers in the enterprise environment has been extended to take advantage of the scalability, file availability and security features of DFS (and other similar distributed file systems). As a by-product, users with off-the-shelf browsers are able to easily access the Web information stored in the DFS namespace with no additional software on the client machine. This functionality has been implemented in a Web server plug-in product. The product allows a Web browser user to access documents stored in the Distributed File System (DFS) space of the Distributed Computing Environment (DCE). This is accomplished by enabling the user to log onto the browser with a valid DCE identity and then setting up the Web server with the appropriate DCE credentials to allow the server to access the document on behalf of the Web user.
Because DCE credentials are used to facilitate a Web transaction into DFS, however, there is a possibility that the user's password may have expired when the user attempts to access a DFS document. For example, a user may have a valid DCE credential on a given day but then leave his or her machine (with the browser open) running overnight. When the user arrives the next day, his or her DCE password may no longer be valid for some reason. In that case, the administrator may not want the Web browser user to access the protected documents in DFS. Nevertheless, DCE takes no explicit action when the user's password has expired. Thus, the user may still be able to access the documents, which may be unacceptable to some administrators or in certain environments.
This invention addresses the problem of managing password expiration (or other security policy changes) in a system wherein a user of a Web browser accesses Web documents stored in a secure distributed file system space.
BRIEF SUMMARY OF THE INVENTION
An object of this invention is to enable a Web browser user to automatically change a password when an invalid password is detected and then to use the new password to access documents in a secure distributed file system space. The technique is preferably implemented in conjunction with a Web server application that accesses a document within the file system space on behalf of the Web browser user.
Another more general object of this invention is to change or enforce a given security policy as a server impersonates a client to obtain access to files stored in a distributed file system space of a distributed computing environment.
Yet another object of this invention is to selectively inhibit a Web browser user having an expired password from accessing documents in a protected distributed file system space.
A more general object of this invention is to change a security policy for an application using a security subprogram that is independent of the application.
Still another more general object of this invention is to monitor a security policy change for a given process during the operation of another process and to selectively direct a user to a mechanism that enables the user to respond to the policy change.
Another object of this invention is to enable an administrator to lock a user out of DCE/DFS functionality from a Web browser until the administrator has an opportunity to renew the account and reset the user's password.
These and other objects of this invention are provided in various methods, systems and computer program products. Thus, for example, a method for changing a user password according to the present invention is preferably operative as a Web server impersonates a Web client to obtain access to files stored in a distributed file system space of a distributed computing environment. The distributed computing environment typically includes a security service for returning a credential to a user authenticated to access the distributed file system. The present invention provides a mechanism for enabling a user to change his or her password, for example, when the user's password has expired. The method begins in response to receipt of a Web transaction request from the Web client. At this point, a determination is made regarding whether the user's password has expired. If so, the mechanism preferably suspends processing of the Web transaction request and then enters a password change subprogram to enable the user to define a new password. Typically, the password change subprogram displays a password change dialog that interacts with the user. Upon definition of the new password by the user, the mechanism resumes processing of the original Web transaction request. Alternatively, the user may be prompted to terminate the original transaction request and select a new URL and/or document.
The mechanism preferably suspends processing of the Web transaction request by saving the user-requested Uniform Resource Locator (URL) in the Web transaction request and then redirecting the user to a URL associated with the password change subprogram. Upon completion of any necessary user interactions with the password change subprogram, the original transaction is resumed, preferably by restoring the user-requested URL back into the Web transaction request. This operation may take place automatically upon definition of the new password. Alternatively, the user may be required to take some
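The suspend, redirect and resume flow summarized above, together with the administrator lockout policy named among the objects of the invention, as an added worked example. This is not code from the patent or from any DCE/DFS product: it models the Web server plug-in in Python, and the credential, session and security-service classes, the password-change URL, the password rules, the document path and the dates are all constructed for the illustration.

```python
"""Suspend a Web transaction on an expired password, redirect the user to a
password-change subprogram, then resume the parked request.
Added example; every class, URL and value here is assumed, not from the patent."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hmac

PASSWORD_CHANGE_URL = "/dce/change-password"   # assumed URL of the change subprogram


@dataclass
class Credential:
    """Stand-in for a DCE credential: the principal and its password expiry time."""
    principal: str
    password_expires: datetime

    def password_expired(self, now: datetime) -> bool:
        return now >= self.password_expires


@dataclass
class Session:
    """Per-browser-user state kept by the server plug-in."""
    credential: Credential
    saved_url: str | None = None     # user-requested URL parked during the password change


@dataclass
class Response:
    status: int
    location: str | None = None
    body: str = ""


class SecurityService:
    """Toy stand-in for the DCE security service. Passwords are kept in plain text
    only to keep the example short; a real service stores verifiers, not secrets."""

    def __init__(self, lifetime: timedelta, lockout: bool = False):
        self.lifetime = lifetime
        self.lockout = lockout          # policy: expired users wait for an administrator reset
        self._passwords: dict[str, str] = {}

    def enroll(self, principal: str, password: str, now: datetime) -> Credential:
        self._passwords[principal] = password
        return Credential(principal, now + self.lifetime)

    def change_password(self, cred: Credential, old: str, new: str, now: datetime) -> Credential:
        current = self._passwords.get(cred.principal, "")
        # Constant-time comparison of the old password; minimal constructed policy for the new one.
        if not hmac.compare_digest(current, old) or new == old or len(new) < 8:
            raise ValueError("password change rejected")
        self._passwords[cred.principal] = new
        return Credential(cred.principal, now + self.lifetime)


def serve_document(url: str) -> Response:
    """Stand-in for the server reading a DFS document on the user's behalf."""
    return Response(200, body=f"contents of {url}")


def handle_request(session: Session, security: SecurityService, url: str, now: datetime) -> Response:
    """Entry point for a Web transaction: enforce the expiry policy before touching DFS."""
    if not session.credential.password_expired(now):
        return serve_document(url)
    if security.lockout:
        # Administrator-controlled policy: no self-service change, refuse the request.
        return Response(403, body="password expired; contact your administrator")
    # Suspend the transaction: park the original URL and redirect to the change subprogram.
    session.saved_url = url
    return Response(302, location=PASSWORD_CHANGE_URL)


def handle_password_change(session: Session, security: SecurityService,
                           old: str, new: str, now: datetime) -> Response:
    """Password-change subprogram; on success the parked transaction is resumed."""
    if security.lockout:
        return Response(403, body="password changes are disabled until an administrator resets the account")
    try:
        session.credential = security.change_password(session.credential, old, new, now)
    except ValueError:
        return Response(302, location=PASSWORD_CHANGE_URL)   # redisplay the dialog
    resume_url, session.saved_url = session.saved_url, None
    if resume_url is None:
        return Response(200, body="password changed")
    # Resume: restore the saved URL and process the original request again.
    return handle_request(session, security, resume_url, now)


def demo(lockout: bool = False) -> list[int]:
    """Walk the flow with constructed data; returns the HTTP status codes observed."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)          # constructed timestamp
    security = SecurityService(lifetime=timedelta(days=1), lockout=lockout)
    session = Session(security.enroll("alice", "old-secret-1", t0))
    url = "/dfs/docs/report.html"                                   # constructed document path
    statuses = [handle_request(session, security, url, t0).status]
    later = t0 + timedelta(days=2)       # the browser was left open past the password lifetime
    statuses.append(handle_request(session, security, url, later).status)
    statuses.append(handle_password_change(session, security, "wrong-old", "new-secret-2", later).status)
    statuses.append(handle_password_change(session, security, "old-secret-1", "new-secret-2", later).status)
    return statuses


if __name__ == "__main__":
    print(demo())               # [200, 302, 302, 200]
    print(demo(lockout=True))   # [200, 403, 403, 403]
```

The expiry check sits in the request entry point rather than in the document fetch, so the policy is enforced before any DFS access is attempted with a stale credential; the parked URL lives in server-side session state, which keeps the resume target out of the redirect and out of the user's control.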


Profile ID: LFUS-PAI-O-2845317
