Multi-domain access control

Details

Reexamination Certificate

Classification: C709S219000

Status: active

Patent number: 06339423

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates to managing access to resources accessible over a network.
BACKGROUND OF THE INVENTION
Computer networks have become ubiquitous in business, industry, and education. Networks have one or more resources, such as application programs that provide various computing functions, which are available to all users. Development of the globally accessible, packet-switched network known as the Internet has enabled network resources to become available worldwide. Development of the hypertext protocol (“HTTP”) that implements the World Wide Web (the “web”) enables networks to serve as a platform for global electronic commerce. In particular, through the web a business easily exchanges information with its customers, suppliers and partners worldwide. Because some exchanged information is valuable and sensitive, access to it should be limited to selected users. Thus, there is a need to provide selective access to information available over the web.
One approach to solving the foregoing problem is to protect a set of resources accessible over the network with an access control mechanism. An access control mechanism is a combination of software and hardware configured to manage access to a set of resources connected to a network. Often, the access control mechanism is commercial software, which is purchased as off-the-shelf software from vendors of access control mechanisms. A resource is a source of information, identified by an identifier, such as a uniform resource locator (“URL”) or an internet protocol (“IP”) address. A resource protected by an access control system may be a static file (“page”) containing code conforming to the Hypertext Markup Language (“HTML”) or a dynamically generated page created by programs based on the Common Gateway Interface (“CGI”). Examples of resources include a web page, a complete web site, a web-enabled database, and an applet.
FIG. 1 is a block diagram that depicts an exemplary network architecture 100 that includes a system protected by an access control mechanism 101. Exemplary network architecture 100 includes a browser 110 coupled by a communication link to a network 102. The block shown for browser 110 represents a terminal, workstation computer, or an equivalent that executes a standard browser program or an equivalent, such as Netscape Navigator, Internet Explorer, or NCSA Mosaic. Network 102 is a compatible information communication network, preferably the Internet. In alternate embodiments, the browser 100 is a client process or client workstation of any convenient type, and the network 102 is a data communication network that can transfer information between the client and a server that is also coupled to the network.
The term server is used here to refer to one or more computer software or hardware elements which are dedicated to providing requested functions (“services”) on behalf of clients that transmit requests. A server may be a software module which may be invoked by and executed by a client process, a separate process that receives requests from other client processes running the same computer system, or a set of processes running on a set of computers, where the processes respond to requests by clients running on other computers.
Access control system 190 is coupled to network 102 and supplies services used to manage access to protected servers 150, including user authentication and verification services, in a manner which shall be later described in greater detail. Protected servers 150 are also coupled to network 102 and supply one or more resources.
Before a user may access a resource from protected servers 150, the user must first log in to access control system 190, supplying information to access control system 190 used to authenticate the user. Users may log in either with a digital certificate transmitted to access control system 190 or by opening a login page supplied by access control system 190 with browser 110 and entering a name and password. Once the user is authenticated, an authenticated session is associated with the user, and the user may then access one or more resources on protected servers during the life of the authenticated session.
For this purpose, access control system 190 transmits one or more identification data, e.g., cookies, to browser 110 that are used, at least in part, by a protected server to verify that the user has been authenticated. Cookies are pieces of information which a server may create and transmit to a browser, to cause the browser to store the cookie and retransmit it in subsequent requests to servers. A cookie may be associated with a domain name used to identify the IP address of a server. A domain name is an identifier that identifies a set of one or more IP addresses. Examples of domain names are ‘enCommerce.com’ or ‘uspto.gov’. A browser transmits a cookie in conjunction with a request to the server to access a resource, transmitting the cookies as part of the request. The cookies transmitted are those associated with the domain name of the server.
A domain name may be used in an address that identifies a resource, such as a URL. For example, a domain may be used to identify resources “sample1File.htm” and “sample2File.htm”, by using the URL “www.demoDomain/sample2File.htm”, where ‘demoDomain’ is the domain name. The domain name corresponds to the IP address of a server that may supply a resource.
A domain is a set of resources which may be identified by the domain's name. Thus, ‘sample1File.htm’ and ‘sample2File.htm’ are resources that belong to the same domain. The process of accessing a resource via a request that identifies the resource using a domain name is referred to as accessing the domain.
When a protected server receives a request for access from a client who has been authenticated, the protected server receives “access control cookies” for the domain of the server. The access control cookies may contain information used to verify that a user has been authenticated, and may contain data that specifies the user's privileges. A privilege is a right to access a particular resource. Access control cookies are typically encrypted for security purposes.
A major drawback to a conventional access control system is that it only controls access to a set of servers and resources that belong to one domain. The underlying reason for this limitation is as follows. When a conventional access control system supplies access control cookies to a user that has just been authenticated, the cookies transmitted are associated with the domain of the access control system. When the browser requests access to another resource in another domain, the access control cookies are not transmitted because they are associated with a different domain (that of the access control system). Thus, each domain name used to deploy a set of servers or resources requires its own implementation and maintenance of an access control system, adding to the expense of securing resources accessible over a network. In addition, a user must log in for each domain name. Thus, the user may be encumbered by repetitious login procedures, or the number of domain names that may be used is limited by efforts to avoid encumbering the user.
Based on the foregoing, it is clearly desirable to provide an access control system that may be used to manage access to a set of resources deployed under multiple domain names and, in particular, requires a user to log in just once to access the set of resources.
SUMMARY OF THE INVENTION
A mechanism that uses a single access control system to manage access by users to resources that belong to multiple domains is disclosed. According to one aspect, a server is associated with each domain in a set of domains. Access to resources in the domains is governed by an access control system. A first server for a first domain transmits a data token to a client seeking access to a resource in a second domain. The client transmits the data token to a second server in the other domain. The second server uses the data token to verify that the user is authorized to acce
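The following is an added illustration, not code from the patent or from any product it describes. It models the two points made above: the background's rule that a browser only sends a cookie to the domain it was set for, which is why a single-domain access control system cannot cover a second domain, and the summary's hand-off in which the first domain's server gives the client a data token that the second domain's server can verify before issuing its own session cookie. The domain names, the shared HMAC secret, the credential check and the token format are all assumptions chosen for the demo; the patent text specifies none of them.

```python
import base64, hashlib, hmac, json, secrets

# Constructed values for the demo: two hypothetical domains and one secret that the
# servers of both domains are assumed to share (how it is distributed is out of scope).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
DOMAIN_A = "login.demodomain-a.example"   # domain of the access control system
DOMAIN_B = "app.demodomain-b.example"     # domain of a protected server
TOKEN_TTL = 60                            # seconds a hand-off token stays valid

def cookie_sent_to(cookie_domain, request_host):
    """Browser rule: a cookie goes only to its own domain (and subdomains), never elsewhere."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    request_host = request_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

class Browser:
    """Minimal cookie jar keyed by (domain, name)."""
    def __init__(self):
        self.jar = {}
    def store(self, domain, name, value):
        self.jar[(domain, name)] = value
    def cookies_for(self, host):
        return {name: value for (dom, name), value in self.jar.items()
                if cookie_sent_to(dom, host)}

def issue_token(user, privileges, now):
    """Data token handed from domain A to the client: JSON payload plus HMAC-SHA256 tag."""
    payload = {"user": user, "priv": privileges, "exp": now + TOKEN_TTL,
               "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag

def verify_token(token, now):
    """Return the payload if the tag is valid and the token is unexpired, else None."""
    body, sep, tag = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= now:
        return None
    return payload

class AccessControlServer:
    """Domain A: authenticates users and hands out tokens for other domains."""
    def __init__(self):
        self.sessions = {}   # session id -> user
    def login(self, browser, user, password):
        if password != "correct-horse":               # constructed credential check
            return False
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        browser.store(DOMAIN_A, "acs_session", sid)   # cookie scoped to domain A only
        return True
    def token_for(self, browser, now):
        sid = browser.cookies_for(DOMAIN_A).get("acs_session")
        if sid not in self.sessions:
            return None
        return issue_token(self.sessions[sid], ["read"], now)

class ProtectedServer:
    """Domain B: accepts either its own session cookie or a valid hand-off token."""
    def __init__(self):
        self.sessions = {}
    def request(self, browser, now, token=None):
        if browser.cookies_for(DOMAIN_B).get("b_session") in self.sessions:
            return "200 resource"
        payload = verify_token(token, now) if token else None
        if payload is None:
            return "302 redirect to " + DOMAIN_A     # send the client to log in at A
        sid = secrets.token_hex(16)
        self.sessions[sid] = payload["user"]
        browser.store(DOMAIN_B, "b_session", sid)    # B's own cookie for later requests
        return "200 resource"

def single_sign_on_flow(now=1000):
    """Walk the whole exchange and return what each step observed."""
    browser, acs, app = Browser(), AccessControlServer(), ProtectedServer()
    steps = {}
    steps["anonymous"] = app.request(browser, now)                  # no cookie, no token
    acs.login(browser, "alice", "correct-horse")
    steps["a_cookie_sent_to_b"] = "acs_session" in browser.cookies_for(DOMAIN_B)
    steps["after_login_no_token"] = app.request(browser, now)       # A's cookie never reaches B
    token = acs.token_for(browser, now)
    steps["with_token"] = app.request(browser, now, token=token)
    steps["repeat_visit"] = app.request(browser, now + 1)           # B's cookie now suffices
    steps["expired_token_rejected"] = verify_token(token, now + TOKEN_TTL) is None
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    steps["tampered_token_rejected"] = verify_token(tampered, now) is None
    return steps
```

Running `single_sign_on_flow()` shows the sequence the summary describes: the first request to domain B is refused, logging in at domain A does not change that because A's cookie is never sent to B, the token from A is accepted once by B, and from then on B relies on its own cookie. The token carries an expiry and a nonce and is checked with a constant-time MAC comparison; a real deployment would additionally bind the token to the client and record used nonces so it cannot be replayed.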
