System and method for web server user authentication

Electrical computers and digital processing systems: multicomput – Computer network managing – Computer network access regulating

Reexamination Certificate


Details

C709S229000, C709S223000, C709S224000, C709S226000, C713S152000, C713S152000, C707S793000, C707S793000


active

06205480

ABSTRACT:

FIELD OF THE INVENTION
The present invention relates generally to networked computer systems. More particularly, the present invention relates to user authentication and access to back-end or external applications via a web server.
BACKGROUND OF THE INVENTION
In a typical web-based server application, user access to information is achieved via a web server, with the application requiring the user to be authenticated by, e.g., a user id and/or a password. When a user desires access to a new application (such as a database management system (DBMS) engine, which will often have a different configuration and/or manufacturer than the initial application), the new server has a login/authentication procedure that is independent of any login/authentication procedures the user has already completed. To access the web pages, appropriate identification credentials must be presented to the new application. This is conventionally accomplished either by requiring the user to input additional login/authentication information specific to the new application, or by hard-coding a generic login and password in the scripts that the user's web server uses to access the new application and dynamically generate a new web page from the application's output.
Both of these solutions are unsatisfactory. Requiring the user to input additional information places a burden on the user to remember multiple logins and passwords, further places a burden on each server and system administrator to maintain multiple user accounts for each and every access by a user, and is a potential security risk because passwords are transmitted unencrypted over the network. Using a generic or static login and password in a script is a potential security hole and does not readily provide different levels of access based on the identity of the user.
These issues have been addressed by the so-called new technology LAN manager (NTLM) automated authentication system. In the NTLM system, once the user is initially authenticated to a Microsoft network or to a Microsoft Windows NT domain (using a password), similar components (the web browser and server) can assure one another of the user's identity. This assurance occurs transparently to the user. However, this system does not perform authentication to a new application (beyond the server). Thus, the NTLM authentication system is of limited utility for many users.
U.S. Pat. No. 5,689,638 to Sadovsky discloses a method and system for accessing independent network resources without prompting the user for authentication data. When the system receives a user request to access an independent network resource, system logon and server authentication data is autonomously supplied to the independent network resource without further user interaction. Sadovsky, however, is not concerned with a worldwide web hypertext transfer protocol environment, and is not concerned with authentication information based on the user's role. In the Sadovsky system, a password cache is maintained in the main memory of a local computer system. The password cache contains a server name, user name and password for each server to be accessed by a particular user. When presented with an access request, network software searches the password cache structure for the server authentication information before passing it on to the server to be accessed.
U.S. Pat. No. 5,678,041 to Baker et al. discloses a system and method that restricts a user's access of Internet information based on a rating category and/or ID associated with a particular terminal through the implementation of a firewall internal to a user's computer network. The firewall prevents the user from accessing certain types of Internet information (e.g., prevents children from accessing obscene material, prevents workers from accessing non-work related material, etc.). Thus, Baker is concerned with an internal authorization to access remote resources (which are presumed to be public resources), and is not concerned with a system in which authentication information is required by the remote resources.
It would be desirable to allow a user to be easily, automatically, and transparently authorized to access, via a web server, a plurality of applications which require authentication, whether in an intranet or internet environment. It would further be desirable for such a scheme to be implemented in a hypertext transfer protocol (HTTP) environment, and to maintain the security of the network. It would further be desirable to allow access regardless of whether the applications are operating in the same or different environments.
SUMMARY OF THE INVENTION
The present invention overcomes the above-described problems, and achieves additional advantages, by providing a system and method for authenticating a user in a web server environment, using an authentication scheme in which users log in and are authenticated a single time, yet can access multiple applications via a web server. According to exemplary embodiments, an initial authentication is performed to access a first application via a first server, and the user's identity is mapped into a network credential which includes a user role. Additional applications are accessed by providing the network credential to a script, retrieving script access values for the additional applications based on the network credential, and presenting the script access values (for example, a user name and password) to the additional applications.
The authentication scheme according to the present invention allows a user to access numerous protected resources with a single authentication procedure, greatly improving the user's ease of system use. Further, the use of role-based authentication simplifies system administration burdens. The present invention is particularly advantageous in an intranet environment.
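The following is an added illustration, written for this page and not code from the patent or its assignee, of the flow the summary describes: one initial login maps the user's identity to a network credential carrying a role, a server-side script verifies that credential and looks up the script access values for the requested application by role, and only those values (a per-role service account) are presented to the back-end application. Everything here is constructed: the user directory, the roles, the `SCRIPT_ACCESS` table, the stand-in back-end logins and their secrets. The HMAC tag on the credential is my own assumption about how a script would distinguish a credential issued by the server from one assembled by the client; the page does not say how the credential is protected.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 used only by the initial (web server) login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _user_record(password: str, role: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "role": role}


# Constructed directory for the single initial authentication. The user's own
# password is checked exactly once, here, and is never forwarded anywhere.
USERS = {
    "alice": _user_record("alice-pw", "analyst"),
    "bob": _user_record("bob-pw", "viewer"),
}

# Constructed "script access values" table keyed by (application, role): the
# per-role service accounts a script presents to each back-end application.
# These live server-side and are never returned to the browser.
SCRIPT_ACCESS: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("dbms", "analyst"): ("db_analyst", "constructed-dbms-secret-1"),
    ("dbms", "viewer"): ("db_reader", "constructed-dbms-secret-2"),
    ("reports", "analyst"): ("rpt_analyst", "constructed-reports-secret"),
}

# Constructed accounts that the stand-in back-end applications accept.
BACKEND_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "dbms": {"db_analyst": "constructed-dbms-secret-1", "db_reader": "constructed-dbms-secret-2"},
    "reports": {"rpt_analyst": "constructed-reports-secret"},
}

# Per-process secret (assumption) with which the web server tags credentials so
# the script can reject a credential whose user or role was altered by the client.
_SERVER_SECRET = secrets.token_bytes(32)


@dataclass(frozen=True)
class NetworkCredential:
    user: str
    role: str
    tag: bytes  # HMAC-SHA256 over user and role under _SERVER_SECRET


def _tag(user: str, role: str) -> bytes:
    msg = f"{user}\x00{role}".encode("utf-8")
    return hmac.new(_SERVER_SECRET, msg, hashlib.sha256).digest()


def authenticate(username: str, password: str) -> Optional[NetworkCredential]:
    """Initial authentication: map the user's identity to a role-bearing credential."""
    rec = USERS.get(username)
    if rec is None:
        return None
    if not hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
        return None
    return NetworkCredential(username, rec["role"], _tag(username, rec["role"]))


def verify_credential(cred: NetworkCredential) -> bool:
    """True only if the (user, role) pair is the one the server issued."""
    return hmac.compare_digest(cred.tag, _tag(cred.user, cred.role))


def script_access_values(cred: NetworkCredential, application: str) -> Optional[Tuple[str, str]]:
    """The script's step: verify the credential, then resolve access values by role.

    Returns None both for a tampered credential and for a role with no entry
    for the application, so lack of an entry is a denial rather than a fallback.
    """
    if not verify_credential(cred):
        return None
    return SCRIPT_ACCESS.get((application, cred.role))


def _backend_login(application: str, user: str, password: str) -> Optional[str]:
    """Stand-in for a back-end application's own independent login procedure."""
    stored = BACKEND_ACCOUNTS.get(application, {}).get(user)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return f"{application}:session:{user}"


def access_application(cred: NetworkCredential, application: str) -> Optional[str]:
    """End-to-end: credential -> script access values -> back-end session."""
    values = script_access_values(cred, application)
    if values is None:
        return None
    return _backend_login(application, *values)


if __name__ == "__main__":
    alice = authenticate("alice", "alice-pw")
    print(access_application(alice, "dbms"))      # dbms:session:db_analyst
    print(access_application(alice, "reports"))   # reports:session:rpt_analyst
    bob = authenticate("bob", "bob-pw")
    print(access_application(bob, "reports"))     # None: viewer role has no reports entry
```

Two properties worth noting: the user's own password never reaches the back-end applications, which is what removes the unencrypted-password burden the background describes, and authorization to a given application is decided entirely by the role in the credential, so a client that rewrites its role is rejected at `verify_credential` rather than being looked up under a more privileged account.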


REFERENCES:
patent: 5586260 (1993-02-01), Hu
patent: 5604490 (1997-02-01), Blakley, III et al.
patent: 5655077 (1997-08-01), Jones et al.
patent: 5678041 (1997-10-01), Baker et al.
patent: 5682478 (1997-10-01), Watson et al.
patent: 5684950 (1997-11-01), Dare et al.
patent: 5684957 (1997-11-01), Kondo et al.
patent: 5689638 (1997-11-01), Sadovsky
patent: 5734831 (1996-04-01), Sanders
patent: 5742759 (1998-04-01), Nessett et al.
patent: 5768504 (1998-06-01), Kells et al.
patent: 5875296 (1997-01-01), Shi et al.
patent: 5881225 (1997-04-01), Worth
patent: 5918228 (1997-01-01), Rich et al.
patent: 5987611 (1996-04-01), Freund
patent: 5999978 (1997-10-01), Angal et al.
