Electrical computers and digital processing systems: support – Multiple computer communication using cryptography – Protection at a particular protocol layer
Reexamination Certificate
1999-06-14
2004-03-02
Peeso, Thomas R. (Department: 2132)
Electrical computers and digital processing systems: support
Multiple computer communication using cryptography
Protection at a particular protocol layer
C713S152000, C713S155000, C713S168000, C713S182000, C709S203000, C709S219000, C709S229000, C707S793000
Reexamination Certificate
active
06701438
ABSTRACT:
BACKGROUND OF THE INVENTION
1. Field of Invention
The invention relates generally to computer systems. More particularly, methods and apparatus for providing customizable security and logging modules in a server environment.
2. Description of Relevant Art
The explosive growth in Internet commerce, also referred to as e-commerce, has made it critical to look for ways of increasing the capability of both handling a large number of secure transactions over the Internet as well as providing the capability of efficiently logging those transactions.
Currently, most web browsers have a very simple approach to networking as illustrated in FIG. 1. Given a web browser 100 and a URL (universal resource locator) containing a host name and a document on that host (also referred to as an http request), a browser 102 breaks up (parses) the URL into a named host portion (not shown) and a requested document 106. In one embodiment of the invention, the requested document 106 takes the form of HTML (Hyper Text Markup Language) statements well known to those skilled in the art. In the case where the requested document is not stored in a local cache memory, the browser 102 makes a TCP (“transmission control protocol”) connection to the named host 104 which includes a server 108. Specific to the Web, a Web server is a computer program (typically residing in the host computer 104) that serves requested HTML pages or files, whereas a Web client is the requesting program (such as the browser 100) associated with the user.
In some cases, the requested document 106 takes the form of static web pages 110 stored in the host computer 104. In another case, however, the requested document 106 is what is referred to as a dynamic web page 112. Typically the dynamic web page 112 is stored in, for example, a database, which is typically an external database 114 that the server 108 accesses by way of a common gateway interface (CGI) application.
The common gateway interface (CGI) is a standard way for a Web server to pass a Web user's request to an application program and to receive data back to forward to the user. When the user requests a Web page (for example, by clicking on a highlighted word or entering a Web site address), the server 108 sends back the requested page in the form of an http response. However, when a user fills out a form on a Web page and sends it in, it usually needs to be processed by an application program. The Web server 108 typically passes the form information to a small application program that processes the data and, based upon the information provided, sends back a response.
Unfortunately, the common gateway interface is inefficient and resource intensive. By way of example, most modern Web applications need some kind of database access. Using a CGI application means a new database connection is created every single time the CGI runs, taking up to several seconds each time. Therefore, the CGI is unsuitable for handling the large number of transactions (referred to as “hits”, which can, and usually do, number in the thousands, hundreds of thousands, or more in some cases) that are required for economic use of the Internet. One solution to the bottleneck created by the CGI is referred to as a servlet, or Java servlet when incorporated in a Java based web server.
A Java servlet is a Java program that executes on the Web or HTTP server in response to requests (i.e., http requests) from a Web browser. The Web server software uses a Java Virtual Machine to run the servlet and generate an HTML page. The servlet takes input from the HTML page (http request) containing HTML input tags, processes it, and returns a responsive HTML page (http response) with the results. Since the Java servlet is dedicated to a single browser, the Java servlet is capable of handling much more traffic (in the form of http requests and associated http responses) than is possible with conventional CGI applications.
In spite of these advantages, Java servlets cannot provide customized security and logging protocols. Currently, security and logging protocols are provided only by the web server, and they are the same for all web applications it supports. In this way, all applications (or HTTP servers) coupled to a particular web server can only use whatever security and logging protocols are afforded by that particular web server, regardless of the specific needs of a particular application. This inflexibility adds substantial cost to effectuating an e-commerce web site, since a user/developer must either find a web server that meets the specific security and logging requirements of the desired web site, with the assurance that the server so selected can also handle the number of anticipated (hopefully) transactions (hits), or develop the security and logging code as a part of the application.
Therefore, what is desired is a method and an apparatus for providing customized security and logging protocols in a servlet environment.
SUMMARY OF THE INVENTION
In one embodiment of the present invention, a servlet engine arranged to provide selected security and logging protocols is disclosed. The servlet engine includes a servlet container having a security module, a logging module, and a servlet. In one embodiment, the security module provides the selected security protocols that include authentication and authorization protocols. The authentication protocols assure that a request received by the servlet engine has a verified source and the authorization protocols assure that the verified source has appropriate permission.
The logging module provides the selected logging protocols such that those received requests that do not originate from the verified source or do not have appropriate permission are recorded by the logging module.
In a preferred embodiment, the servlet handles those requests that are authenticated and authorized by the security module and the servlet notifies the logging module of those requests which have been successfully handled by the servlet with a first type flag. The servlet notifies the logging module of those requests which have not been successfully handled by the servlet with a second type flag.
In another aspect of the invention, a method for accessing a protected resource coupled to a servlet engine that utilizes programmer selected security and logging protocols is described. In one embodiment, only those requests that pass all security protocols are handled by a servlet included in the servlet engine. In a preferred embodiment, the security protocols include authentication and authorization protocols defined by the programmer. In this way, only a requestor having appropriate security clearances can access the protected resource, such as a database.
In yet another aspect of the invention, an apparatus for providing access to a protected resource is disclosed. An authentication means for first determining that the source of a protected resource access request is verified is coupled to an authorization means for second determining that the source of the protected resource access request has appropriate protected resource access permission. A request handling means coupled to the authorization means services those requests passed by both the authentication means and the authorization means, and a logging means coupled to the authentication means and the authorization means records failed authentication or failed authorization transactions as well as serviced transactions.
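The request pipeline the summary describes (a security module that authenticates and then authorizes, a logging module that records every rejected request, and a servlet that reports its outcome to the logging module with one of two flags) can be modelled in plain Java without a servlet container. The following is an added example written for this page, not code from the patent, from Sun Microsystems, or from any servlet engine; the class and flag names, the demo users, credentials and access-control list, and the in-memory log are all constructed assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

/**
 * Constructed model of the servlet engine in the summary: the container runs the
 * security module (authentication, then authorization) before the servlet sees the
 * request, and the logging module records rejections and both handling outcomes.
 * All names are hypothetical; this is not the patent's or any container's code.
 */
public class ServletEngineModel {

    /** Flags the logging module records. HANDLED_OK and HANDLED_FAILED stand in for the
     *  "first type" and "second type" flags the servlet sends after handling a request. */
    enum LogFlag { AUTH_FAILED, AUTHZ_FAILED, HANDLED_OK, HANDLED_FAILED }

    record Request(String user, String credential, String resource) {}
    record LogEntry(LogFlag flag, String user, String resource) {}

    /** Programmer-supplied security protocols: the customizable part of the design. */
    interface SecurityModule {
        boolean authenticate(Request r);                 // is the request's source verified?
        boolean authorize(String user, String resource); // does the verified source have permission?
    }

    /** The application servlet; it throws when it cannot handle a request. */
    interface Servlet {
        String service(Request r) throws Exception;
    }

    /** Programmer-supplied logging protocol; here simply an in-memory list. */
    static class LoggingModule {
        final List<LogEntry> entries = new ArrayList<>();
        void record(LogFlag flag, Request r) { entries.add(new LogEntry(flag, r.user(), r.resource())); }
    }

    /** Demo security module with constructed users and a resource-to-user access list. */
    static class DemoSecurityModule implements SecurityModule {
        private final Map<String, String> secrets = Map.of("alice", "s3cret", "bob", "hunter2");
        private final Map<String, Set<String>> acl =
            Map.of("/orders", Set.of("alice"), "/catalog", Set.of("alice", "bob"));

        public boolean authenticate(Request r) {
            String expected = secrets.get(r.user());
            if (expected == null) return false;
            // Constant-time comparison so response timing does not reveal how much of the secret matched.
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         r.credential().getBytes(StandardCharsets.UTF_8));
        }
        public boolean authorize(String user, String resource) {
            return acl.getOrDefault(resource, Set.of()).contains(user);
        }
    }

    /** The servlet container: no request reaches the servlet without passing both checks. */
    static class ServletContainer {
        private final SecurityModule security;
        private final LoggingModule log;
        private final Servlet servlet;
        ServletContainer(SecurityModule s, LoggingModule l, Servlet v) { security = s; log = l; servlet = v; }

        String handle(Request r) {
            if (!security.authenticate(r)) { log.record(LogFlag.AUTH_FAILED, r); return "401 Unauthorized"; }
            if (!security.authorize(r.user(), r.resource())) { log.record(LogFlag.AUTHZ_FAILED, r); return "403 Forbidden"; }
            try {
                String body = servlet.service(r);
                log.record(LogFlag.HANDLED_OK, r);      // first type flag: successfully handled
                return "200 " + body;
            } catch (Exception e) {
                log.record(LogFlag.HANDLED_FAILED, r);  // second type flag: not successfully handled
                return "500 Internal Server Error";
            }
        }
    }

    public static void main(String[] args) {
        LoggingModule log = new LoggingModule();
        Servlet orders = r -> {
            if (r.resource().equals("/orders")) return "<html>orders for " + r.user() + "</html>";
            throw new Exception("no handler for " + r.resource());
        };
        ServletContainer engine = new ServletContainer(new DemoSecurityModule(), log, orders);

        // Constructed requests covering each branch of the pipeline.
        List<Request> constructed = List.of(
            new Request("alice", "s3cret", "/orders"),   // authenticated, authorized, handled
            new Request("mallory", "x", "/orders"),      // fails authentication
            new Request("bob", "hunter2", "/orders"),    // authenticated but not authorized
            new Request("bob", "hunter2", "/catalog"));  // authorized, but the servlet cannot handle it
        for (Request r : constructed) {
            System.out.println(r.user() + " " + r.resource() + " -> " + engine.handle(r));
        }
        log.entries.forEach(e -> System.out.println("LOG " + e));
    }
}
```

Compile and run with `javac ServletEngineModel.java && java ServletEngineModel` (Java 16 or later, for records). The ordering matters for the property the summary claims: authorization is only evaluated for a verified source, the servlet only ever services requests that passed both checks, and the log ends up with four entries, one per branch, so a reviewer can reconstruct from the log alone which requests were refused and why.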
REFERENCES:
patent: 5944781 (1999-08-01), Murray
patent: 6151599 (2000-11-01), Shrader et al.
patent: 6226752 (2001-05-01), Gupta et al.
patent: 99/05813 (1999-02-01), None
patent: 00/11832 (2000-03-01), None
C. Dalton et al., “Applying military grade security to the Internet”, Computer Networks and ISDN Systems, North Holland Publishing, Amsterdam, NL, vol. 29, no. 15, Nov. 1, 1997.
J. Lowe, “How Java Servlets can replace CGI Scripts—For Ease, Performance & More. We look at three Approaches to Plug-In Server-Side Java Execution”, NetscapeWorld, pp. 1-3, May 5, 1997.
Davidson James Duncan
Nagar Vivek
Prabandham Harish
Beyer Weaver & Thomas LLP
Nobahar A.
Peeso Thomas R.
Sun Microsystems Inc.
Profile ID: LFUS-PAI-O-3202502