Securely sharing log-in credentials among trusted...

Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling

Reexamination Certificate


Details

C709S228000

Reexamination Certificate

active

06438600

ABSTRACT:

BACKGROUND OF THE INVENTION
1. Field of the Invention
The present invention relates to computer security, and deals more particularly with a method, system, and computer program for securely executing code that is invoked within a browser. Credentials for a user are automatically shared only among a trusted set of applications, without requiring the application developer to write code to manage the credentials.
2. Description of the Related Art
The Internet is a vast collection of computing resources, interconnected as a network, from sites around the world. It is used every day by millions of people. The World Wide Web (referred to herein as the “Web”) is that portion of the Internet which uses the HyperText Transfer Protocol (“HTTP”) as a protocol for exchanging messages. (Alternatively, the “HTTPS” protocol can be used, where this protocol is a security-enhanced version of HTTP.)
A user of the Internet typically accesses and uses the Internet by establishing a network connection through the services of an Internet Service Provider (ISP). An ISP provides computer users the ability to dial a telephone number using their computer modem (or other connection facility, such as satellite transmission), thereby establishing a connection to a remote computer owned or managed by the ISP. This remote computer then makes services available to the user's computer. Typical services include: providing a search facility to search throughout the interconnected computers of the Internet for items of interest to the user; a browse capability, for displaying information located with the search facility; and an electronic mail facility, with which the user can send and receive mail messages from other computer users.
The user working in a Web environment will have software running on his computer to allow him to create and send requests for information, and to see the results. These functions are typically combined in what is referred to as a “Web browser”, or “browser”. After the user has created his request using the browser, the request message is sent out into the Internet for processing. The target of the request message is one of the interconnected computers in the Internet network. That computer will receive the message, attempt to find the data satisfying the user's request, format that data for display with the user's browser, and return the formatted response to the browser software running on the user's computer. This is an example of a client-server model of computing, where the machine at which the user requests information is referred to as the client, and the computer that locates the information and returns it to the client is the server. In the Web environment, the server is referred to as a “Web server”. The client-server model may be extended to what is referred to as a “three-tier architecture”. This architecture places the Web server in the middle tier, where the added third tier typically represents data repositories of information that may be accessed by the Web server as part of the task of processing the client's request. This three-tiered architecture recognizes the fact that many client requests do not simply require the location and return of static data, but require an application program to perform processing of the client's request in order to dynamically create the data to be returned. In this architecture, the Web server may equivalently be referred to as an “application server”, reflecting the fact that this middle tier is where the business logic of the application typically resides, and the computers on which the data repositories reside may be referred to as “data servers”, or “backend data servers”. A data server stores and manages the data that is used by an application.
When a Web page is retrieved from a server and downloaded to a client machine, the page may contain static predefined content formatted using HTML (HyperText Markup Language). In addition, the Web page may contain dynamically-executable content. One way in which dynamic content can be embedded in a Web page is through use of one or more Java applets. Java is a programming language that is widely accepted for writing Web applications, as it is a robust portable object-oriented language defined specifically for the Web environment. (“Java” is a trademark of Sun Microsystems, Inc.) Java attains its portability through use of a specially-designed virtual machine, called a “Java Virtual Machine” (JVM), which runs on the client workstation and enables executable code to adapt to various execution platforms. An “applet” is a small Java program that executes within a Web browser on the client machine. The applet typically is delivered to the client machine from the Web server along with the Web page in which the applet is embedded. When the Web browser accesses and processes a Web page containing an applet, the applet's code is executed (either automatically or in response to an invocation such as the user clicking on an icon, depending on how the applet has been written) to create the dynamic content.
Network computing models are replacing traditional client-server models in the Web environment. A network computing model is a scalable distributed computing infrastructure, enabling a server to provide a client machine with access to applications on demand of the client. With this type of distributed computing, a key concern is limiting application access to authorized clients. When a request for service from an application is received in a client-server or network computing model (that is, when requests for execution are sent from the client to a server, and executed at the server on behalf of the client), a verification process may be performed to determine if the requesting client is in fact authorized to use this service, before the application performs the service. For example, the executing application code often needs to access protected data that is stored on the server. Protected services and data may also be a concern when the code is a locally-executing applet, such that a verification process may need to be implemented on the client machine. This verification process typically uses user credentials, where “credentials” refers to application-specific information (such as a user name or other identifier, a user password, etc.) that identifies the requesting user at the client machine. These credentials are compared to a previously-defined, stored set of the credentials for all authorized users. If the credentials match an entry in this stored set, then this user is an authorized user.
For Web-based applications, the security procedures that are used to control access to protected data and/or services are usually implemented independently for each application. This results in redundant effort by programmers, taking time and resources away from addressing the actual requirements of the application itself. Alternatively, HTTP Authentication may be used. HTTP Authentication is a standard technique whereby user credentials are encoded as an HTTP Request header, and authentication challenges are encoded as an HTTP Response header. At least two types of HTTP Authentication mechanisms are currently defined: Basic Authentication and Digest Authentication. Basic Authentication is quite common, and uses plaintext transmission of passwords. Digest Authentication, on the other hand, sends credentials as digested information, but is not currently supported by many browsers.
The basic authentication scheme is always supported in typical implementations of Java, and the digest scheme may also be supported. When present, these schemes form part of the core Java Development Kit, and are accessed via the java.net.URLConnection class.
Since HTTP Authentication support is implemented in Java classes that are loaded from the local client file system (i.e. the file system on the machine that is running the browser), the Java classes in which the authentication support is provided are accessible to all Java applets, regardless of the codebase and server from which that applet
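The two HTTP Authentication mechanisms the background section contrasts, Basic and Digest, differ in exactly what the Request header exposes. The following Python example, added here and not taken from the patent or from any Java class it mentions, builds both header forms from a WWW-Authenticate challenge and verifies them server-side. It shows why the text calls Basic "plaintext transmission of passwords" (the base64 token decodes straight back to user:password) and why Digest lets the server keep only a hash (HA1) and never see the password. All credential, realm and nonce values are constructed for the example, the challenge parser is simplified (it assumes no commas inside quoted values), and the Digest computation follows the RFC 7616 MD5 form with qop=auth.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# Constructed sample values for this example; none come from the patent text.
USER = "alice"
PASSWORD = "correct horse"
REALM = "example-app"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # would be generated by the server per challenge
METHOD = "GET"
URI = "/protected/data"


def basic_authorization(user: str, password: str) -> str:
    """Basic scheme (RFC 7617): Authorization carries base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def basic_credentials_from_header(header: str) -> tuple[str, str]:
    """Base64 is an encoding, not encryption: whoever sees the header recovers the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def parse_challenge(header: str) -> tuple[str, dict[str, str]]:
    """Split a WWW-Authenticate or Authorization header into scheme and key=value params.
    Simplified parser: assumes no commas inside quoted values."""
    scheme, _, rest = header.partition(" ")
    params: dict[str, str] = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        if key:
            params[key.strip()] = value.strip().strip('"')
    return scheme, params


def _md5_hex(*parts: str) -> str:
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). The server can store this instead of the password."""
    return _md5_hex(user, realm, password)


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> str:
    """Digest scheme (RFC 7616, algorithm MD5, qop=auth): response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha2 = _md5_hex(method, uri)
    return _md5_hex(ha1, nonce, nc, cnonce, qop, ha2)


def digest_authorization(user: str, password: str, method: str, uri: str, challenge: str,
                         cnonce: str, nc: str = "00000001") -> str:
    """Client side: answer a Digest challenge. Only the hashed response leaves the client."""
    scheme, params = parse_challenge(challenge)
    if scheme != "Digest":
        raise ValueError("not a Digest challenge")
    qop = params.get("qop", "auth")
    ha1 = digest_ha1(user, params["realm"], password)
    resp = digest_response(ha1, method, uri, params["nonce"], nc, cnonce, qop)
    return (f'Digest username="{user}", realm="{params["realm"]}", nonce="{params["nonce"]}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_digest(header: str, method: str, stored_ha1_by_user: dict[str, str],
                  expected_nonce: str) -> bool:
    """Server side: recompute the response from the stored HA1 and compare in constant time.
    A stale or unexpected nonce is rejected before any hashing happens."""
    scheme, params = parse_challenge(header)
    if scheme != "Digest" or params.get("nonce") != expected_nonce:
        return False
    ha1 = stored_ha1_by_user.get(params.get("username", ""))
    if ha1 is None:
        return False
    try:
        expected = digest_response(ha1, method, params["uri"], params["nonce"],
                                   params["nc"], params["cnonce"], params.get("qop", "auth"))
    except KeyError:  # malformed header missing a required parameter
        return False
    return hmac.compare_digest(expected, params.get("response", ""))


if __name__ == "__main__":
    basic = basic_authorization(USER, PASSWORD)
    print("Basic header:", basic)
    print("Recovered from Basic header:", basic_credentials_from_header(basic))
    challenge = f'Digest realm="{REALM}", qop="auth", nonce="{NONCE}"'
    digest = digest_authorization(USER, PASSWORD, METHOD, URI, challenge, cnonce="0a4f113b")
    print("Digest header:", digest)
    store = {USER: digest_ha1(USER, REALM, PASSWORD)}  # server keeps HA1, never the password
    print("Digest verifies:", verify_digest(digest, METHOD, store, NONCE))
```

The server-side store holds HA1 rather than the password, which is the property that makes Digest preferable to Basic when the transport is plain HTTP; over HTTPS, as the text notes, either header is protected in transit, but a Basic header still hands the raw password to every endpoint and log that sees it.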
