US20030074583A1 - Network resource access - Google Patents
Network resource access Download PDFInfo
- Publication number
- US20030074583A1 US20030074583A1 US10/138,208 US13820802A US2003074583A1 US 20030074583 A1 US20030074583 A1 US 20030074583A1 US 13820802 A US13820802 A US 13820802A US 2003074583 A1 US2003074583 A1 US 2003074583A1
- Authority
- US
- United States
- Prior art keywords
- server
- authorization
- instructions
- authorization information
- user
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
- 238000013475 authorization Methods 0.000 claims abstract description 143
- 238000000034 method Methods 0.000 claims abstract description 54
- 238000012545 processing Methods 0.000 claims description 6
- 238000004590 computer program Methods 0.000 claims description 5
- 238000012546 transfer Methods 0.000 claims description 4
- 230000004044 response Effects 0.000 claims description 3
- 238000012360 testing method Methods 0.000 description 4
- 238000013459 approach Methods 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000004891 communication Methods 0.000 description 1
- 235000014510 cooky Nutrition 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Definitions
- Networks such as the Internet, provide users access to a wide variety of resources. These resources include documents, such as analyst reports and technical white papers, and other electronic content, such as audio and video.
- these resources are provided by network servers.
- Servers receive requests for resources from clients and send the requested resource in response.
- network servers protect resources from unauthorized access. For example, many servers require a user to correctly enter a username and password before authorizing access.
- a username/password scheme is one of a variety of authentication mechanisms that enables a server to restrict access to particular users.
- Different servers may use different authorization schemes. Additionally, even those servers that use the same kind of authorization scheme may request different information from a user. For example, a user's username and password may be different for different servers. Thus, as a user “surfs” to different network servers, the user often needs to remember and re-enter their authorization data.
- the disclosure describes a method for use in providing access to network resources.
- the method includes receiving, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group, the resource being protected by an authorization scheme provided by a second server.
- the method further includes determining authorization information associated with the user or the group and sending the authorization information, in accordance with the authorization scheme, to the second server.
- Embodiments may include one or more of the following features.
- the method may include transmitting instructions for processing by the client that cause the client to transmit the authorization information to the second server.
- the method may also include determining that the authorization information sent to the second server by the first server results in authorization.
- the instructions may be in JavaScript.
- the authorization information associated with the user may include a username and a password for the authorization scheme provided by the second server.
- the method may include storing authorization information for different users.
- the method may include determining the authorization scheme provided by the second computer.
- the method may include storing information identifying the different authorization schemes provided by different respective servers.
- the method may include sending the information to the second server within an HTTP (HyperText Transfer Protocol) GET or POST message.
- the network may be an intranet or the Internet.
- the network resource may be a document.
- the method may include sending an abstract of the network resource to the client.
- the message identifying a network resource may be a message generated in response to user selection of the
- the disclosure describes a computer program product, disposed on a computer readable medium, for use in providing access to network resources.
- the program includes instructions for causing a processor to receive, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group, the resource being protected by an authorization scheme provided by a second server.
- the program also includes instructions that determine authorization information associated with the user or the group of users and send the authorization information, in accordance with the authorization scheme, to the second server.
- the disclosure describes a method for authorizing a user attempting to access a document over the Internet.
- the method includes storing authorization information for different users, storing information identifying the different authorization schemes used by different respective servers, sending an abstract of a document to a web browser client, receiving, at a first server from the web browser client, a message identifying the document, the message being associated with the user, the document being protected by an authorization scheme provided by a second server, determining authorization information associated with the user, the authorization information including a username and a password, determining the authorization scheme provided by the second server, sending the authorization information, in accordance with the authentication scheme, to the second server, determining that the authorization information sent to the second server successfully authorized access, and transmitting instructions to the client, the instructions for causing the client to transmit the authorization information to the second server.
- the disclosure describes a system for providing access to network resources served by different network servers.
- the system includes storage configured to store authorization information for different servers and/or resources for different users and/or groups of users.
- the system also includes instructions for causing a system processor to receive, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group of users, the resource being protected by an authorization scheme provided by a second server.
- the instructions also cause the processor to determine authorization information associated with the user or the group of users from the storage of authorization information, and send the authorization information, in accordance with the authorization scheme, to the second server.
- the disclosure describes a method for use in providing access to network resources.
- the method includes receiving, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group of users, the resource being protected by an authorization scheme provided by a second server.
- the method also includes determining authorization information associated with the user or the group of users, and transmitting instructions for processing by the client, the instructions for causing the client to transmit the authorization information to the second server.
- FIGS. 1 to 10 are diagrams that illustrate operation of a system for providing access to network resources.
- FIG. 11 is a diagram of a system for use in providing access to network resources.
- FIG. 12 is a flow-chart of a process for use in providing access to network resources.
- FIGS. 1 depicts resources 106 stored on different network servers 102 .
- the servers 102 protect the resources 106 from unauthorized access using authorization schemes 104 .
- authorization schemes 104 may vary in the techniques they use to authorize access to the resources 106 and may also vary in the data they collect to provide authorization.
- a server 110 can automatically handle aspects of authorization on behalf of a user. This can potentially free the user to access resources 106 provided by different servers 110 without repeatedly entering their authorization data into server forms.
- the server 110 can support many different servers 102 providing resources and can support many different users.
- FIG. 1 shows a client 100 connected to a network 108 .
- the client 100 may be a browser (e.g., Microsoft Explorer) that sends requests for network resources 106 provided by different Internet or intranet servers 102 .
- These requests may be HTTP (HyperText Transfer Protocol) messages that identify a resource 106 using a URL (Universal Resource Locator).
- HTTP HyperText Transfer Protocol
- URL Universal Resource Locator
- a request for a document from the New York Times web server may be “HTTP GET www.nytimes.com/headlines.html” where the string “www.nytimes.com/headlines.html” is the URL specifying the desired resource.
- FIG. 1 also shows a server 110 that can coordinate access to the server' 102 resources 106 .
- the server 110 includes a web server 116 (e.g., an Apache web server) that responds to received HTTP messages.
- the server 110 also includes authorization instructions 112 that can negotiate authorization with different servers 102 for a user operating a client loo.
- FIGS. 2 - 10 depict an example of operation of an authorization system.
- server 110 performs a “test” negotiation of authorization with a server 102 protecting a resource 102 of interest to a user. This test can determine whether the user is authorized to access the requested resource. After this test, the server 110 can transmit information to the client 100 so that the client 100 can repeat the authorization negotiation and establish an independent session with the server 102 .
- This approach enables the server 110 to coordinate authorization without necessitating further involvement with a session that ensues between the client 100 and the server 104 .
- This “handing off” of the session to the client 100 is merely optional. That is, server 110 may act as a proxy after initially negotiating authorization.
- the server 110 stores abstracts 114 of resources 106 .
- Such abstracts may include text descriptions of the resource 106 and/or other information (e.g., thumbnails of images or sound clips).
- the web server 116 may provide web pages that permit a user to specify a search of the abstracts and display a list of abstracts relevant to the query. For example, as shown in FIG. 2, a user operates the client 100 to request 120 an abstract 114 for a particular resource. As shown in FIG. 3, the server 110 responds by sending a message 122 to the client 100 that includes the abstract for presentation to the user.
- the user may indicate they would like to receive the resource 106 d described by the abstract. For example, a user may select a “View document” button displayed by a web page provided by the server 110 . As shown, in FIG. 4, selection can cause the client 100 to send a request 124 for the resource to the server 110 .
- the server 110 may determine the identity of a user if this has not been done previously. For example, the server 110 may interactively collect user information (e.g., username and password) via fields in a web page or non-interactively by collecting a “cookie” stored by client 100 .
- This authorization process with server 110 can permit the server 110 to determine the authorization information associated with a particular user or group of users. Thereafter, the server 110 can provide authorization for resources 106 provided by servers 102 without further user participation in the authorization schemes 104 used by the servers 102 .
- the server 110 determines authorization information associated with the user that can be used to gain access to the resource. For example, the server 110 can determine the server 102 b that provides the requested resource 106 d (e.g., by parsing the request message 124 of FIG. 4) and lookup the user's username and password for the server 102 b in a database. After retrieving the authorization information, the server 110 can negotiate authorization on behalf of the user by assembling the authorization information into a structure compliant with the authorization scheme provided by the server 102 b storing the requested resource 106 d. The server 110 can then transmit the assembled information in accordance with the server 102 b authorization scheme(s) 104 b. The transmitted information can simulate a form submission process.
- Other authorization schemes will expect the authorization information to be encoded differently (e.g., as an HTTP POST message).
- the server 102 b receiving the authorization information can return an indication 128 that authorization to access the resource has been granted.
- an indication may be as simple as an HTTP “OK” message.
- the server 110 can parse the received message 128 to determine whether or not the server 102 b has authorized access.
- the server 110 can transmit information 130 to the client 100 that enables the client 100 to independently initiate a session with the server 104 .
- the server 110 may send the client 100 instructions (e.g., JavaScript) that the client 100 can interpret or execute to establish authorized access to the resource.
- the instructions can repeat the authorization negotiation successfully tested by the server 110 .
- the client 100 sends a request 132 for authorization (FIG. 8), receives authorization 134 (FIG. 9), and ultimately receives the resource 106 d of interest (FIG. 10).
- FIGS. 2 - 10 depict sample operation of an example system.
- the server 110 need not “test” authorization before sending the authorization instructions 130 to the client 100 .
- the server 110 need not transmit authorization instructions 130 at all, but may instead act as a “go between” between the client 100 and the server 102 d protecting the resources 106 d of interest after initially negotiating authorization.
- FIG. 11 depicts a sample architecture of an authorization system 112 (e.g., 112 in FIGS. 1 - 10 ).
- the system 112 includes a database (e.g., a MySQL relational database) that stores authorization information 146 for different users at different servers.
- a database e.g., a MySQL relational database
- authorization information 146 for different users at different servers.
- a user “[email protected]” can use a username of “Rob” and a password of “007” to access resources from ServerA and a username of “guest” and a password of “guest” to access resources from ServerB.
- authorization instructions 140 can retrieve the appropriate authorization information for a user.
- the data 146 may include a username and password, as shown, and/or other credentials.
- the data 146 may include entries for different users or groups of users. By providing a “group” capability, a user can gain access to many different servers 102 without explicitly registering. That is, a new member of a group can access those servers 102 already having defined authorization information.
- the database also includes data 144 identifying the authorization scheme used by a server.
- ServerA uses an HTTP GET encoding scheme
- ServerB uses an HTTP POST encoding scheme
- ServerC uses a technique known as Basic Authorization.
- the database also includes modules of instructions 142 that control how to negotiate authorization with the server storing a resource of interest. These instructions 142 can access and assemble authorization information and handle communication with the server storing a desired resource. For example, based on the type of authorization scheme 144 identified for a given server, the instructions 142 can negotiate access to a server using the user's authorization information 146 . The system 112 can then package instructions for transmission to the client 100 so that the client can repeat the proven-successful negotiation.
- FIG. 12 depicts a flow-chart of the process 150 described above.
- the server retrieves 154 authorization information for the user (e.g., by retrieving data from data 146 ) and identifies 156 the type of authorization scheme used by the server providing the resource (e.g., by retrieving data from data 144 ).
- the process 150 transmits 160 instructions to the client that cause the client to negotiate authorization.
- the authorization instructions 112 may be integrated into the web server 116 .
- the authorization instructions 112 may be integrated into the web server 116 .
- the access modules may be hard-coded for the authorization scheme provided by a server 102 .
- the techniques described herein may find applicability in many computing or processing environments.
- the techniques may be implemented in hardware or software, or a combination of the two.
- the techniques are implemented in computer programs executing on programmable computers that each include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and one or more output devices.
- Each program is preferably implemented in high level procedural or object oriented programming language to communicate with a computer system.
- the programs can be implemented in assembly or machine language, if desired. In any case the language may be compiled or interpreted language.
- the computer program(s) are preferably stored on a storage medium or device (e.g., CD-ROM, hard disk, or magnetic disk) that is readable by a general or special purpose programmable computer for configuring and operating the computer when the storage medium or device is read by the computer to perform the procedures described herein.
- a storage medium or device e.g., CD-ROM, hard disk, or magnetic disk
- the system may also be considered to be implemented as a computer-readable storage medium, configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
- Information Transfer Between Computers (AREA)
- Computer And Data Communications (AREA)
Abstract
In general, in one aspect, the disclosure describes a method for use in providing access to network resources. The method includes receiving, at a first server from a remote client, a message identifying a network resource. The method also includes determining authorization information associated with the user or the group and sending the authorization information, in accordance with the authorization scheme, to the second server.
Description
- This application claims priority to co-pending U.S. Provisional Application Serial No. 60/288,594, filed on May 3, 2001, entitled “SYSTEMS AND METHODS FOR SEAMLESS INTERNET ACCOUNT ACCESS”. This application is incorporated by reference in its entirety herein.
- Networks, such as the Internet, provide users access to a wide variety of resources. These resources include documents, such as analyst reports and technical white papers, and other electronic content, such as audio and video.
- In technical terms, these resources are provided by network servers. Servers receive requests for resources from clients and send the requested resource in response. Often network servers protect resources from unauthorized access. For example, many servers require a user to correctly enter a username and password before authorizing access. A username/password scheme is one of a variety of authentication mechanisms that enables a server to restrict access to particular users.
- Different servers may use different authorization schemes. Additionally, even those servers that use the same kind of authorization scheme may request different information from a user. For example, a user's username and password may be different for different servers. Thus, as a user “surfs” to different network servers, the user often needs to remember and re-enter their authorization data.
- In general, in one aspect, the disclosure describes a method for use in providing access to network resources. The method includes receiving, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group, the resource being protected by an authorization scheme provided by a second server. The method further includes determining authorization information associated with the user or the group and sending the authorization information, in accordance with the authorization scheme, to the second server.
- Embodiments may include one or more of the following features. The method may include transmitting instructions for processing by the client that cause the client to transmit the authorization information to the second server. The method may also include determining that the authorization information sent to the second server by the first server results in authorization. The instructions may be in JavaScript. The authorization information associated with the user may include a username and a password for the authorization scheme provided by the second server. The method may include storing authorization information for different users. The method may include determining the authorization scheme provided by the second computer. The method may include storing information identifying the different authorization schemes provided by different respective servers. The method may include sending the information to the second server within an HTTP (HyperText Transfer Protocol) GET or POST message. The network may be an intranet or the Internet. The network resource may be a document. The method may include sending an abstract of the network resource to the client. The message identifying a network resource may be a message generated in response to user selection of the abstract.
- In general, in another aspect, the disclosure describes a computer program product, disposed on a computer readable medium, for use in providing access to network resources. The program includes instructions for causing a processor to receive, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group, the resource being protected by an authorization scheme provided by a second server. The program also includes instructions that determine authorization information associated with the user or the group of users and send the authorization information, in accordance with the authorization scheme, to the second server.
- In general, in another aspect, the disclosure describes a method for authorizing a user attempting to access a document over the Internet. The method includes storing authorization information for different users, storing information identifying the different authorization schemes used by different respective servers, sending an abstract of a document to a web browser client, receiving, at a first server from the web browser client, a message identifying the document, the message being associated with the user, the document being protected by an authorization scheme provided by a second server, determining authorization information associated with the user, the authorization information including a username and a password, determining the authorization scheme provided by the second server, sending the authorization information, in accordance with the authentication scheme, to the second server, determining that the authorization information sent to the second server successfully authorized access, and transmitting instructions to the client, the instructions for causing the client to transmit the authorization information to the second server.
- In general, in another aspect, the disclosure describes a system for providing access to network resources served by different network servers. The system includes storage configured to store authorization information for different servers and/or resources for different users and/or groups of users. The system also includes instructions for causing a system processor to receive, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group of users, the resource being protected by an authorization scheme provided by a second server. The instructions also cause the processor to determine authorization information associated with the user or the group of users from the storage of authorization information, and send the authorization information, in accordance with the authorization scheme, to the second server.
- In general, in another aspect, the disclosure describes a method for use in providing access to network resources. The method includes receiving, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group of users, the resource being protected by an authorization scheme provided by a second server. The method also includes determining authorization information associated with the user or the group of users, and transmitting instructions for processing by the client, the instructions for causing the client to transmit the authorization information to the second server.
- FIGS.1 to 10 are diagrams that illustrate operation of a system for providing access to network resources.
- FIG. 11 is a diagram of a system for use in providing access to network resources.
- FIG. 12 is a flow-chart of a process for use in providing access to network resources.
- FIGS.1 depicts resources 106 stored on different network servers 102. As shown, the servers 102 protect the resources 106 from unauthorized access using authorization schemes 104. These authorization schemes 104 may vary in the techniques they use to authorize access to the resources 106 and may also vary in the data they collect to provide authorization.
- Described herein is an approach that takes care of server authorization for a user “behind the scenes”. In this scheme, a
server 110 can automatically handle aspects of authorization on behalf of a user. This can potentially free the user to access resources 106 provided bydifferent servers 110 without repeatedly entering their authorization data into server forms. Theserver 110 can support many different servers 102 providing resources and can support many different users. - In greater detail, FIG. 1 shows a
client 100 connected to anetwork 108. Theclient 100 may be a browser (e.g., Microsoft Explorer) that sends requests for network resources 106 provided by different Internet or intranet servers 102. These requests may be HTTP (HyperText Transfer Protocol) messages that identify a resource 106 using a URL (Universal Resource Locator). For example, a request for a document from the New York Times web server may be “HTTP GET www.nytimes.com/headlines.html” where the string “www.nytimes.com/headlines.html” is the URL specifying the desired resource. - FIG. 1 also shows a
server 110 that can coordinate access to the server' 102 resources 106. Theserver 110 includes a web server 116 (e.g., an Apache web server) that responds to received HTTP messages. Theserver 110 also includesauthorization instructions 112 that can negotiate authorization with different servers 102 for a user operating a client loo. - To illustrate how the approach can be used to provide
client 100 access to resources 106, FIGS. 2-10 depict an example of operation of an authorization system. In this example,server 110 performs a “test” negotiation of authorization with a server 102 protecting a resource 102 of interest to a user. This test can determine whether the user is authorized to access the requested resource. After this test, theserver 110 can transmit information to theclient 100 so that theclient 100 can repeat the authorization negotiation and establish an independent session with the server 102. This approach enables theserver 110 to coordinate authorization without necessitating further involvement with a session that ensues between theclient 100 and the server 104. This “handing off” of the session to theclient 100, however, is merely optional. That is,server 110 may act as a proxy after initially negotiating authorization. - In the sample shown in FIG. 2, the
server 110 stores abstracts 114 of resources 106. Such abstracts may include text descriptions of the resource 106 and/or other information (e.g., thumbnails of images or sound clips). Theweb server 116 may provide web pages that permit a user to specify a search of the abstracts and display a list of abstracts relevant to the query. For example, as shown in FIG. 2, a user operates theclient 100 to request 120 an abstract 114 for a particular resource. As shown in FIG. 3, theserver 110 responds by sending amessage 122 to theclient 100 that includes the abstract for presentation to the user. - After viewing the abstract, the user may indicate they would like to receive the
resource 106 d described by the abstract. For example, a user may select a “View document” button displayed by a web page provided by theserver 110. As shown, in FIG. 4, selection can cause theclient 100 to send arequest 124 for the resource to theserver 110. Upon receipt of therequest 124, theserver 110 may determine the identity of a user if this has not been done previously. For example, theserver 110 may interactively collect user information (e.g., username and password) via fields in a web page or non-interactively by collecting a “cookie” stored byclient 100. This authorization process withserver 110 can permit theserver 110 to determine the authorization information associated with a particular user or group of users. Thereafter, theserver 110 can provide authorization for resources 106 provided by servers 102 without further user participation in the authorization schemes 104 used by the servers 102. - As shown in FIG. 5, the
server 110 determines authorization information associated with the user that can be used to gain access to the resource. For example, theserver 110 can determine theserver 102 b that provides the requestedresource 106 d (e.g., by parsing therequest message 124 of FIG. 4) and lookup the user's username and password for theserver 102 b in a database. After retrieving the authorization information, theserver 110 can negotiate authorization on behalf of the user by assembling the authorization information into a structure compliant with the authorization scheme provided by theserver 102 b storing the requestedresource 106 d. Theserver 110 can then transmit the assembled information in accordance with theserver 102 b authorization scheme(s) 104 b. The transmitted information can simulate a form submission process. For example, an HTTP GET message assembled for transmission to theserver 102 b can include a request for a URL of “www.server.com/document.doc?username=guest; password=rosebud”. Other authorization schemes, however, will expect the authorization information to be encoded differently (e.g., as an HTTP POST message). - As shown in FIG. 6, the
server 102 b receiving the authorization information can return anindication 128 that authorization to access the resource has been granted. For example, such an indication may be as simple as an HTTP “OK” message. Theserver 110 can parse the receivedmessage 128 to determine whether or not theserver 102 b has authorized access. - As shown in FIG. 7, after determining authorization has been granted, the
server 110 can transmitinformation 130 to theclient 100 that enables theclient 100 to independently initiate a session with the server 104. For example, theserver 110 may send theclient 100 instructions (e.g., JavaScript) that theclient 100 can interpret or execute to establish authorized access to the resource. The instructions can repeat the authorization negotiation successfully tested by theserver 110. Thus, as shown, theclient 100 sends arequest 132 for authorization (FIG. 8), receives authorization 134 (FIG. 9), and ultimately receives theresource 106 d of interest (FIG. 10). - Once a session is established between the
client 100 and theserver 102 b providing theresource 106 d, reauthorization need not be repeated unless required by theserver 102 b. That is, typically, aclient 100 will establish a session only once with a server in a given time period even though theclient 100 may access different resources 106 served by theserver 102 b. - FIGS.2-10 depict sample operation of an example system. However, other systems need not proceed as described above. For example, the
server 110 need not “test” authorization before sending theauthorization instructions 130 to theclient 100. Additionally, as described above, theserver 110 need not transmitauthorization instructions 130 at all, but may instead act as a “go between” between theclient 100 and the server 102 d protecting theresources 106 d of interest after initially negotiating authorization. - FIG. 11 depicts a sample architecture of an authorization system112 (e.g., 112 in FIGS. 1-10). As shown the
system 112 includes a database (e.g., a MySQL relational database) that storesauthorization information 146 for different users at different servers. For example, as shown, a user “[email protected]” can use a username of “Rob” and a password of “007” to access resources from ServerA and a username of “guest” and a password of “guest” to access resources from ServerB. After determining the server storing a requested resource,authorization instructions 140 can retrieve the appropriate authorization information for a user. Thedata 146 may include a username and password, as shown, and/or other credentials. Thedata 146 may include entries for different users or groups of users. By providing a “group” capability, a user can gain access to many different servers 102 without explicitly registering. That is, a new member of a group can access those servers 102 already having defined authorization information. - As shown, the database also includes
data 144 identifying the authorization scheme used by a server. For example, as shown, ServerA uses an HTTP GET encoding scheme, ServerB uses an HTTP POST encoding scheme, while ServerC uses a technique known as Basic Authorization. By changing these entries, theserver 110 can quickly adapt should a server change its authorization scheme. - The database also includes modules of
instructions 142 that control how to negotiate authorization with the server storing a resource of interest. Theseinstructions 142 can access and assemble authorization information and handle communication with the server storing a desired resource. For example, based on the type ofauthorization scheme 144 identified for a given server, theinstructions 142 can negotiate access to a server using the user'sauthorization information 146. Thesystem 112 can then package instructions for transmission to theclient 100 so that the client can repeat the proven-successful negotiation. - FIG. 12 depicts a flow-chart of the
process 150 described above. As shown, after a server receives 152 a user request for access to a resource provided by a different server, the server retrieves 154 authorization information for the user (e.g., by retrieving data from data 146) and identifies 156 the type of authorization scheme used by the server providing the resource (e.g., by retrieving data from data 144). After successfully negotiating 158 authorization with the server, theprocess 150 transmits 160 instructions to the client that cause the client to negotiate authorization. - The above described a sample implementation. However, there are a wide variety of variations of the above. For example, while depicted as separate entities, the
authorization instructions 112 may be integrated into theweb server 116. Additionally, while the above describes a division between the access module instructions and the database of authorization schemes, other implementations may include different configurations. For example, the access modules may be hard-coded for the authorization scheme provided by a server 102. - The techniques described herein may find applicability in many computing or processing environments. The techniques may be implemented in hardware or software, or a combination of the two. Preferably, the techniques are implemented in computer programs executing on programmable computers that each include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and one or more output devices.
- Each program is preferably implemented in high level procedural or object oriented programming language to communicate with a computer system. However, the programs can be implemented in assembly or machine language, if desired. In any case the language may be compiled or interpreted language.
- The computer program(s) are preferably stored on a storage medium or device (e.g., CD-ROM, hard disk, or magnetic disk) that is readable by a general or special purpose programmable computer for configuring and operating the computer when the storage medium or device is read by the computer to perform the procedures described herein. The system may also be considered to be implemented as a computer-readable storage medium, configured with a computer program, where the storage medium so configured causes a computer to operate in a specific and predefined manner.
- Other embodiments are within the scope of the following claims.
Claims (31)
1. A method for use in providing access to network resources, the method comprising:
receiving, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group, the resource being protected by an authorization scheme provided by a second server;
determining authorization information associated with the user or the group; and
sending the authorization information, in accordance with the authorization scheme, to the second server.
2. The method of claim 1 , further comprising transmitting instructions for processing by the client, the instructions for causing the client to transmit the authorization information to the second server.
3. The method of claim 2 , further comprising determining that the authorization information sent to the second server by the first server results in authorization.
4. The method of claim 2 , wherein the instructions comprise JavaScript.
5. The method of claim 1 , wherein the authorization information associated with the user comprises a username and a password for the authorization scheme provided by the second server.
6. The method of claim 1 , further comprising storing authorization information for different users.
7. The method of claim 1 , further comprising determining the authorization scheme provided by the second computer.
8. The method of claim 7 , further comprising storing information identifying the different authorization schemes used by different respective servers.
9. The method of claim 8 , wherein the sending the information to the second server comprises sending the information within an HTTP (HyperText Transfer Protocol) GET or POST message.
10. The method of claim 1 , wherein the network comprises at least one of the following: an intranet and the Internet.
11. The method of claim 1 , wherein the network resource comprises a document.
12. The method of claim 1 , further comprising sending an abstract of the network resource to the client.
13. The method of claim 12 , wherein the message identifying a network resource comprises a message generated in response to user selection of the abstract.
14. A computer program product, disposed on a computer readable medium, for use in providing access to network resources, the program including instructions for causing a processor to:
receive, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group, the resource being protected by an authorization scheme provided by a second server;
determine authorization information associated with the user or the group of users; and
send the authorization information, in accordance with the authorization scheme, to the second server.
15. The program of claim 14 , further comprising instructions for causing the processor to transmit instructions for processing by the client, the transmitted instructions for causing the client to transmit the authorization information to the second server.
16. The program of claim 15 , further comprising instructions for causing the processor to determine that the authorization information sent to the second server by the first server results in authorization.
17. The program of claim 15 , wherein the transmitted instructions comprise JavaScript.
18. The program of claim 14 , wherein the authorization information associated with the user comprises a username and a password for the authorization scheme provided by the second server.
19. The program of claim 14 , further comprising instructions for causing the processor to store authorization information for different users.
20. The program of claim 14 , further comprising instructions for causing the processor to determine the authorization scheme provided by the second computer.
21. The program of claim 14 , further comprising instructions for causing the processor to store information identifying the different authorization schemes used by different respective servers.
22. The program of claim 14 , wherein the instructions for causing the processor to send the information to the second server comprise instructions that cause the processor to send the information within an HTTP (HyperText Transfer Protocol) GET or HTTP POST message.
23. A method for authorizing a user attempting to access a document over the Internet, the method comprising:
storing authorization information for different users;
storing information identifying the different authorization schemes used by different respective servers;
sending an abstract of a document to a web browser client;
receiving, at a first server from the web browser client, a message identifying the document, the message being associated with the user, the document being protected by an authorization scheme provided by a second server;
determining authorization information associated with the user, the authorization information including a username and a password;
determining the authorization scheme provided by the second server;
sending the authorization information, in accordance with the authentication scheme, to the second server;
determining that the authorization information sent to the second server successfully authorized access; and
transmitting instructions to the client, the instructions for causing the client to transmit the authorization information to the second server.
24. A system for providing access to network resources served by different network servers, the system comprising:
storage configured to store authorization information for different servers and/or resources for different users and/or groups of users; and
instructions for causing a system processor to
receive, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group of users, the resource being protected by an authorization scheme provided by a second server;
determine authorization information associated with the user or the group of users from the storage of authorization information; and
send the authorization information, in accordance with the authorization scheme, to the second server.
26. A method for use in providing access to network resources, the method comprising:
receiving, at a first server from a remote client, a message identifying a network resource, the message being associated with a user or group of users, the resource being protected by an authorization scheme provided by a second server;
determining authorization information associated with the user or the group of users; and
transmitting instructions for processing by the client, the instructions for causing the client to transmit the authorization information to the second server.
27. The method of claim 26 , further comprising sending the authorization information, in accordance with the authorization scheme, to the second server.
28. The method of claim 26 , wherein the instructions comprise JavaScript.
29. The method of claim 26 , wherein the authorization information associated with the user comprises a username and a password for the authorization scheme provided by the second server.
30. The method of claim 26 , further comprising storing authorization information for different users.
31. The method of claim 26 , further comprising determining the authorization scheme provided by the second computer.
32. The method of claim 31 , further comprising storing information identifying the different authorization schemes used by different respective servers.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/138,208 US20030074583A1 (en) | 2001-05-03 | 2002-05-03 | Network resource access |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US28859401P | 2001-05-03 | 2001-05-03 | |
US10/138,208 US20030074583A1 (en) | 2001-05-03 | 2002-05-03 | Network resource access |
Publications (1)
Publication Number | Publication Date |
---|---|
US20030074583A1 true US20030074583A1 (en) | 2003-04-17 |
Family
ID=23107789
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US10/138,208 Abandoned US20030074583A1 (en) | 2001-05-03 | 2002-05-03 | Network resource access |
Country Status (2)
Country | Link |
---|---|
US (1) | US20030074583A1 (en) |
WO (1) | WO2002091648A2 (en) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050198525A1 (en) * | 2004-03-02 | 2005-09-08 | Nokia Corporation | System and associated terminal, method and computer program product for conveying context information and providing a context-based service based upon the context information |
US20100318783A1 (en) * | 2009-06-10 | 2010-12-16 | Ashwin Raj | Service activation using algorithmically defined key |
US20120054489A1 (en) * | 2010-08-25 | 2012-03-01 | University Bank | Method and system for database encryption |
RU2637485C2 (en) * | 2015-12-29 | 2017-12-04 | Эдуард Юрьевич Прудников | Method of anti-pirate authorization of access to computer network |
US11212292B2 (en) * | 2019-07-01 | 2021-12-28 | Hewlett Packard Enterprise Development Lp | Network access control authorization process chaining |
US11811714B2 (en) * | 2007-07-25 | 2023-11-07 | Verizon Patent And Licensing Inc. | Application programming interfaces for communication systems |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1471442A1 (en) * | 2003-04-25 | 2004-10-27 | AnyDoc Limited | Digital document distribution systems |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5875296A (en) * | 1997-01-28 | 1999-02-23 | International Business Machines Corporation | Distributed file system web server user authentication with cookies |
US6092196A (en) * | 1997-11-25 | 2000-07-18 | Nortel Networks Limited | HTTP distributed remote user authentication system |
US6182229B1 (en) * | 1996-03-13 | 2001-01-30 | Sun Microsystems, Inc. | Password helper using a client-side master password which automatically presents the appropriate server-side password in a particular remote server |
US6205480B1 (en) * | 1998-08-19 | 2001-03-20 | Computer Associates Think, Inc. | System and method for web server user authentication |
US6226752B1 (en) * | 1999-05-11 | 2001-05-01 | Sun Microsystems, Inc. | Method and apparatus for authenticating users |
US6421768B1 (en) * | 1999-05-04 | 2002-07-16 | First Data Corporation | Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment |
-
2002
- 2002-05-03 US US10/138,208 patent/US20030074583A1/en not_active Abandoned
- 2002-05-03 WO PCT/US2002/013860 patent/WO2002091648A2/en not_active Application Discontinuation
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6182229B1 (en) * | 1996-03-13 | 2001-01-30 | Sun Microsystems, Inc. | Password helper using a client-side master password which automatically presents the appropriate server-side password in a particular remote server |
US5875296A (en) * | 1997-01-28 | 1999-02-23 | International Business Machines Corporation | Distributed file system web server user authentication with cookies |
US6092196A (en) * | 1997-11-25 | 2000-07-18 | Nortel Networks Limited | HTTP distributed remote user authentication system |
US6205480B1 (en) * | 1998-08-19 | 2001-03-20 | Computer Associates Think, Inc. | System and method for web server user authentication |
US6421768B1 (en) * | 1999-05-04 | 2002-07-16 | First Data Corporation | Method and system for authentication and single sign on using cryptographically assured cookies in a distributed computer environment |
US6226752B1 (en) * | 1999-05-11 | 2001-05-01 | Sun Microsystems, Inc. | Method and apparatus for authenticating users |
US6763468B2 (en) * | 1999-05-11 | 2004-07-13 | Sun Microsystems, Inc. | Method and apparatus for authenticating users |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050198525A1 (en) * | 2004-03-02 | 2005-09-08 | Nokia Corporation | System and associated terminal, method and computer program product for conveying context information and providing a context-based service based upon the context information |
US11811714B2 (en) * | 2007-07-25 | 2023-11-07 | Verizon Patent And Licensing Inc. | Application programming interfaces for communication systems |
US20100318783A1 (en) * | 2009-06-10 | 2010-12-16 | Ashwin Raj | Service activation using algorithmically defined key |
US8782391B2 (en) * | 2009-06-10 | 2014-07-15 | Visa International Service Association | Service activation using algorithmically defined key |
US9160734B2 (en) | 2009-06-10 | 2015-10-13 | Visa International Service Association | Service activation using algorithmically defined key |
US9426659B2 (en) | 2009-06-10 | 2016-08-23 | Visa International Service Association | Service activation using algorithmically defined key |
US20120054489A1 (en) * | 2010-08-25 | 2012-03-01 | University Bank | Method and system for database encryption |
RU2637485C2 (en) * | 2015-12-29 | 2017-12-04 | Эдуард Юрьевич Прудников | Method of anti-pirate authorization of access to computer network |
US11212292B2 (en) * | 2019-07-01 | 2021-12-28 | Hewlett Packard Enterprise Development Lp | Network access control authorization process chaining |
Also Published As
Publication number | Publication date |
---|---|
WO2002091648A2 (en) | 2002-11-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US8819253B2 (en) | Network message generation for automated authentication | |
US8006098B2 (en) | Integrating legacy application/data access with single sign-on in a distributed computing environment | |
US8528066B2 (en) | Methods and apparatus for enabling context sharing | |
US20190173871A1 (en) | Using application level authentication for network login | |
US8572691B2 (en) | Selecting a web service from a service registry based on audit and compliance qualities | |
US7024552B1 (en) | Location authentication of requests to a web server system linked to a physical entity | |
EP1157344B1 (en) | Proxy server augmenting a client request with user profile data | |
JP5357246B2 (en) | System, method and program product for integrated authentication | |
US7533419B2 (en) | Human interactive proof service | |
US7296077B2 (en) | Method and system for web-based switch-user operation | |
US8544067B2 (en) | System and method for authenticating web users | |
US20020156905A1 (en) | System for logging on to servers through a portal computer | |
JPH11282804A (en) | Communication system having user authentication function and user authentication method | |
JP2005512247A (en) | Network user authentication system and method | |
US20040158743A1 (en) | Method and system for logging into and providing access to a computer system via a communication network | |
US20050188008A1 (en) | System for communicating with servers using message definitions | |
CN103428179A (en) | Method, system and device for logging into multi-domain-name website | |
CN106664228A (en) | Sharing between cpe and companion device | |
US20200014751A1 (en) | System, method, and apparatuses for dynamic authorization | |
EP2813051B1 (en) | Dynamic sharing of a webservice | |
US20030074583A1 (en) | Network resource access | |
JP2008226015A (en) | Session authority management method | |
JP4589200B2 (en) | Authentication method, authentication cooperation device, program thereof, and program recording medium in broadcast communication cooperation service | |
JP2011197874A (en) | Server apparatus and program | |
KR20140042049A (en) | Method for managing multi content servers |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: COMERICA BANK, CALIFORNIA Free format text: INTELLECTUAL PROPERTY SECURITY AGREEMENT;ASSIGNOR:BITPIPE, INC.;REEL/FRAME:015596/0867 Effective date: 20041202 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |