Plaid Technologies Inc.
`Exhibit 1007
`
`Ex. 1007 Page 1
`
`

`
`Editorial Stall
`
`_
`
`Edna;
`-
`.
`G. 1:. Hgfinagie
`A
`_
`i an
`1\:s[£c'aB:m[_urS
`AIG: Davig
`1- R- Friedman
`siati Editor
`C. R. Seddon
`_
`_
`_
`Editorial Associate
`R_ M_ Johnson
`
`Publications Stan‘
`
`Art Director and
`.
`.
`BIISIIIBSS Adiiisor
`J. F. Musgrave
`Production Assistant
`L. A. Fasone
`Circulation/Fulfillment
`0 C‘ C°PP°‘a
`Administrator Analyst
`M. A. Cargiulo
`systems and Internet
`5_ E_ A113,,
`
`
`
`Advisory Board
`P. M. Horn (Chairman)
`M. J. Attardo
`J. P_ Briam
`E. Catania
`_
`13- 5- Dies
`Eilflfrio
`Kfisiiiai crmgm
`Q‘-g £I‘?I‘1‘“5‘a“""“
`M1 E
`P'R‘
`15’ "3
`OW 9}’
`-
`R- M- Stephenson
`D. M. Thomas
`J. M. Thompson
`J. T. Vanderslice
`D. M. Welsh
`
`Si-stems Journal
`
`The presence ofmiddleware in
`software systems and their ar-
`chitectures makes itpossible to
`distinguish, compattmentalize,
`and separate concerns at
`higlterarid lower levels. This in
`turn promotes a clearer and
`simpler architecture for sys-
`tems as a whole and a better
`
`opportunity for such positive
`features as interoperability,
`portability, standardization, reusability and reuse, ease
`oftesting, and management ofchange. The cover sug-
`gests such an architectural layer between two other sys-
`tems layers. Two papers and both Technical Notes in
`this issue touch on aspects and capabilities ofmiddle-
`ware.
`
`Q1
`
`
`
`.._._u,_.._.-..
`
`The IBM Sysremsloumal is a refereed techniealjournal, published
`quarterly by International Business Machines Corporation, Ar-
`monk, New York 10504 U.S.A. Oflieers: Louis V. Gerstrier. Jr.,
`Chairman and Chief Executive Oflicerg Jeifrey D. Serkes, Trea-
`surer; Dan E. O'Donnell, Secretary.
`
`the
`The Journal welcomes submissions from members of
`worldwide professional and academic community who are inter-
`ested in advances in software and systems. See_last page of this
`issue for “Information for Authors.” Manuscript submissions
`and other written correspondence should he sent to the Ed-
`itor, IBM 5'}-‘stems Joamal, P.O. Box 218, Yorktown Heights.
`New York 10598-0218 USA. Electronic correspondence
`may be sent to the Editor at the following Internet address:
`journaIs@watson.ibm.com.
`
`Subscription rate: $55.00 per calendar year (single copies $22.00;
`reprints of articles $5.00 each). Overseas and handling charges
`may apply. Discounted rates are available for IBM employees and
`qualifying customers. See inside back cover for subscription and
`ordering information, electronic sources, and abstracting and re-
`production services.
`
`Tlieioumafs World Wide Web home page may be found at URL:
`htlp:i',lwww.almaden.ibm.cumi‘journal,F.
`
`The ACM offers theloumal to its members. See inside back cover
`for more information.
`
`The IBM S}‘Sf€f?1S'.l0ii!?‘ifl'l (ISSN 0018-8{)'I'0) is published four times
`a year by International Business Machines Corporation, Old
`Orchard Road, Armonk, NY 10504. Periodicals class postage paid
`at Armonk, NY, and additional mailing offices. Postmaster: Send
`address changes to IBM Systems Journal, IBM Corporation, P.0.
`Box 218, Rte. 134, Yorktown Heights. NY 10598-0218.
`
`Q i
`car
`Cle
`fo r
`
`Ex. 1007 Page 2
`
`
`
`Ex. 1007 Page 2
`
`

`
`
`
`II
`
`ill
`
`II”ill
`Systems Journal
`
`Vol. 3?‘. No. 4.1998
`
`570
`
`capitalizing on
`intellectual assets
`
`K.—T. Huang
`
`584
`
`Technical note-
`WebEntree:
`A Web service
`aggregator
`Y. Zhao
`
`596
`
`Technical note—
`IMS celebrates thirty
`years as an
`IBM product
`K. Fl. Blackrnan
`
`604
`
`Books
`
`606
`
`Contents of
`Volume 37, 1998
`
`Preface
`
`An approach to
`484 improving existing
`measurement
`frameworks
`
`M. G. Mendonga, V. Fl. Basili,
`I. S. Bhandari, and J. Dawson
`
`Support for Enterprise
`Javafleans in
`Component Broker
`
`C. F. Codella,
`D. N. Dillenberger,
`D. F. Ferguson, R. D. Jackson,
`T. A. Mikalsen. and l. Silva—Lepe
`
`On the linkage
`of dynamic tables
`in relational DBMSs
`
`G. Y. Fuh, J.-H. Chow,
`N. M. Mattos, B. T. Tran,
`and T. C. Truong
`
`Software development:
`Processes and
`performance
`
`8. Sawyer and P. J. Guinan
`
`© Copyright 1998 by International Business Machines Corporation. See individual articles for copying information. Post-1994 articles that
`Carry :1 code at the bottom of the first page may be copied, provided the per—copy fee indicated in the code is paid through the Copyright
`Clearance Center, 222 Rosewood Drive, Danvers, MA 01923 LF.S.A. Table of Contents page may be freely copied and distributed in any
`form. ISSN {}0I8—86?(J. Printed in USA.
`
`l
`_:
`Ii
`
`
`
`Ex. 1007 Page 3
`
`Ex. 1007 Page 3
`
`

`
`Technical note
`
`Wel:iEntree: A Web service
`
`aggregator
`
`by Y. Zhao
`
`This technical note introduces lBM's WebEntree,
`a single-log-in Web service aggregator.
`-
`WebEntree provides an aggregated Web service
`on top of distributed Web service systems (as
`components) with a centralized access control
`and content customization facility. Each service
`system can have its own access control facility
`and provide its own independent service.
`WebEntree implements a flexible and dynamic
`component-bundling mechanism, and can
`provide personalized service with user-selected
`component sets. WebEntree otfers a convenient
`way for new components to be “plugged in” and
`"played." The owner of the aggregated Web
`service can keep each component's original
`branding, add more information, filter out certain
`content, or customize the presentations.
`WebEntree also provides a single user
`registration and authentication interface for all of
`its user-selectable service components.
`WebEntree currently accommodates Web service
`components invoked via HyperText Transfer
`Protocol (HTTP, i.e., under a Web server) and
`service components in volred directly from local
`or remote application programming interfaces.
`Other component interfaces are planned.
`
`Web service commercialization and personaliza-
`
`tion usually involve user access control. This
`means that users must register to obtain a service,
`and they must be authenticated each time to access
`the services, e.g., by providing user identification and
`password. With a growing number of Web services,
`each with its own authentication facilities, Web users
`have been inconvenienced. For example, a user’s
`identification (ID) in one system may not be accept-
`able for another system because of ID conliicts. Also
`the password validation policy (e.g., time period,
`character restrictions, etc.) in one system may differ
`
`from another. Consequently, a user must have mul-
`tiple user IDs and passwords, and must be authen-
`ticated several times to access different services. Mul-
`tiple user IDs and passwords are inconvenient to use
`and diflieult to manage. WebEntree solves this prob-
`lem by providing one common entrance for a user
`to access all Web service systems, identified as Web
`service components in this note. A user can register
`and be authenticated only once at entrance; WebEn-
`tree then handles user registration and authentica-
`tion to Web service components. WebEntree also
`provides the convenience of eonsolidating the user’s
`Web services in one place, saving exploration time.
`
`In addition, WebEntree assists a Web aggregation
`service provider by not only providing a single log-in
`entrance for users, but also the ability to change the
`Web service components’ original branding, custom-
`ize the presentation, filter out certain content, and
`add the service providcr’s own advertisements. Con-
`tents from the different Web service components are
`made accessible by WebEntree prior to sending them
`to end users, which allows the aggregation service
`provider to customize the content.
`
`Through WebEntree, the aggregation service pro-
`vider can also provide personalized services. Custom-
`ers can seiect the prebundled Web service compo-
`nent groups they want via initial registration, and they
`can change their selections at any time. With the use
`
`'‘‘Copyright 1998 by International Business Machines Corpora-
`tinn. Copying in printed form for private use is permitted with-
`out payment of royalty provided that ( 1) each reproduction is done
`without alteration and (2) the Journal reference and IBM copy-
`right noticc are included on the first page. The title and abstract,
`but no other portions, of this paper may be copied or distributed
`royalty free without further permission by t:ompLIter—bused and
`other information—service systems. Permission to i-eptrblish any
`other portion of this paper must be obtained from the Editor.
`
`534 2HAo
`
`£I}tB~B6?l1l‘EJ8l'SF.UD $1‘ I993 IBM
`
`IBM SYSTEMS JOURNAL, voL 3?. NO 4. 1993
`Ex. 1007 Page 4
`
`Ex. 1007 Page 4
`
`

`
`of WebEr1trce’s graphical user interface (GUI)-based
`administration subsystem, an aggregation service
`provider can add or remove a Web service compo-
`nent easily. Also, the service provider can dynam-
`ically bundle the service components into-different
`groups, and manage user information and access to
`the diiferent groups. The administration activity will
`not interrupt customer service.
`
`Some WebEntree application scenarios follow:
`
`- Web service center as a virtual Web site: WebEn-
`tree enables the separation of Web service from
`Web contents, greatly reducing complexity for the
`Web service provider. Thus, a Web service pro-
`vider can create a service Web site without host-
`ing the actual contents, oifering a variety of pop-
`ular Web applications and services from many
`locations.
`
`- Existing Web publication service provider enhance-
`ments: A publisher with an existing Web site can
`add other interesting Web sites. This broadens the
`contents and colors of the site and adds to its ap-
`peal. WebEntree also enables the integration of
`multiple Web service systems that the service pro-
`vider may have.
`- Service site in a company’s intranet." In a company’s
`intranet, there may be a need to construct a Web
`service site that aggregates a variety of Web ser-
`vices from outside as well as inside the company.
`By using WebEntree, employees do not need to
`individually pay registration or service fees for the
`services provided because these items are handled
`in one place. The single registration and log-in in-
`terface and personalized home page also provide
`employees with access convenience. In addition,
`the company can customize and filter the Web con-
`tents.
`
`‘ Service sitefor an extrnnee An extranet is a network
`among partners. There may be access control in-
`volved with each partner’s Web site. WebEntree
`makes it easier for a user to access the participat-
`ing Web sites.
`
`The Web content mentioned earlier is information
`that is representable by a Web browser. It can be
`compound documents or business data. It can be
`dynamically generated from database query and
`computation or from static files. The Web service is
`to provide Web content from a Web server to Web
`browse rs. Web service aggregation provides collective
`Web services from involved Web services systems
`(or components). It is different from integration,
`
`IBM SYSTEMS JOURNAL, VOL 3?, NO 4. 1998
`
`which tends to provide 5 more tightly coupled sys-
`tem.
`
`Single registration and authentication eiforts (or sin-
`gle sign—on) for non—Web environments have been
`around for a long time. A survey can be found in
`Hursti.‘ IBM’s Global Sign-On product is one exam-
`ple."' More can be found in the documents from The
`Open Group.“ These solutions usually are based
`on DCE (Distributed Computing Environment) or
`LAN (local area network) architecture, and for mul-
`tiple hosts in an affiliated environment. In a Web
`environment, the most popular service systems are
`based on HyperText Transfer Protocol (H'I'I‘P),5 or
`so-called Web servers, although Common Object
`Request Broker Architecture (CORBA**)-based 110?
`(Internet Inter-Orb Protocol) servers are beginning
`to be considered now as well. These Web service sys-
`tems usuaily are operated in a nonatiiliated environ-
`ment. The problem of single registration and authen-
`tication must be solved for Web service systems
`operated across all different protocols.
`
`In HTTP, the response to a request must come from
`the server to which the request was sent. This makes
`it difficult for requests to diiferent H'I'rP servers to
`go through a single aggregator gateway. Proxy serv-
`ers“ can be a solution. H'I'I'P-based proxy servers have
`been implemented by Netscapef IBM, and other
`companies. Services available via proxy servers in-
`clude firewall, cache,7 and content filtering and se-
`lection.“ The problem with this solution is that the
`proxy server must be specified on the Web browser.
`Most corporate Web clients use a proxy server to go
`through their firewalls and to get Internet access. Ob-
`viously, different proxy servers are used by different
`corporate firewalls. Since only one proxy server en-
`try is allowed for each Web browser (although proxy
`server relay is allowed from the entry proxy server),
`it is difficult for a common service proxy to reach all
`users inside different firewalls (each firewall proxy
`has to be configured separately to use the common
`service proxy). It will be more complicated when mul-
`tiple common service proxies are involved through
`different Web service providers. WebEntree has been
`designed to solve this problem in an alternative way.
`
`WebEntree adopts object-oriented architecture and
`design. It is based on the object—oriented J ava* * Web
`servers (Web servers that support Sun Microsystems‘
`servlct application programming interfaces) and is
`implemented purely in the Java language; therefore,
`it is platform—indcpendent.
`
`Ex. 1007 Page 5ZH»°~0 585
`
`Ex. 1007 Page 5
`
`

`
`
`
`L,;sT2E
`
`.
`-'
`
`'g\"neaa~""—mE;"1<——n
`_!
`
`_
`
`fl
`
`"
`
`, _i_-n11=_sEnvsa
`wassenven 1
`
`'
`
`-1-<lTTP swan
`_' wasSERVER2
`
`.
`
`,
`
`'
`
`-
`
`"I
`I
`' H'l'|'P saav
`[wiressenvsnn
`
`!
`
`FlEMOTE
`APPUCATIDN
`I
`
`
`Architecture
`
`The conceptual architecture of Webl-Entree is shown
`in Figure 1. WebEntree can provide services from
`either inside a firewall (to serve intranet customers)
`or outside a firewall (to serve certain internal infor-
`mation to the world), as illustrated in Figure 2. To
`enhance security, digital certification can be used to
`establish trust between Web clients and WebEntree.
`This can be implemented by using secure HTTP based
`on SSI. (Secure Socket Layer). Some Web service
`components may also choose to use SSL with certif-
`icates for security enhancement. Most current Web
`servers support secure HTTP protocol. The challenges
`in using SSL are (1) the involvement of a third party
`who issues the certificates and (2) certificate man-
`agement in both Web client and server.‘ The third
`party must be trusted by both the other two parties.
`Depending on the needs of a Web service provider,
`Wcbfintree can be configured to use or not to use
`351..
`
`As shown in the system architecture depicted in Fig-
`ure 3, Webfintrce has three main subsystems: user
`registration, service engine, and administration. The
`user registration subsystem coordinates user regis-
`
`53fi ZHAO
`
`tration information with the corresponding service
`components. The service engine accepts requests
`from Web browsers, passes them to the correspond-
`ing serviee components, obtains responses from the
`components, and sends them back to the Web brows-
`ers. Also, the service engine conveys user authen-
`tication information to the corresponding compo-
`nents, and provides various service options. The
`administration subsystem is implemented with a
`graphical user interface, which provides a convenient
`mechanism for managing users and Web service
`components, as well as for service and Web content
`customization.
`
`A data manager maintains a repository for user, ser-
`vice component, user access group, and component
`bundling information. It also manages a set of per-
`sistent objects to accommodate repository accesses
`from diiferent threads and processes. This data man-
`ager and relevant persistent objects are implemented
`on top ofJDBC (Java Database Connectivity), allow-
`ing access to different database products.
`
`A user must be registered to obtain services from
`WebEntrec. User registration information is prop-
`
`IBM svsnzms J5dnrl9L97vg@9a?.6No 4. 1993
`
`Figure 1
`
`The conceptual architecture of Webfinlree
`
`,
`
`.
`
`I_-of-s.
`
`—
`_ _____L
`
`.-
`
`._.____
`
`~
`
`ll
`
`,
`
`'
`I
`
`5
`
`E
`
`Ex. 1007 Page 6
`
`

`
`
`
`
`
`
`
`
`Figure 2 Webfintree for both intranet and extranet Web users
`
`._j..#..-—..-----v.—.—.—-—.-.———"—.f."."'""'-""A
`
`
`
`
`__..___—D-——-—---/A.P"'|-‘.1.-—-¢-,..._.._..,.....
`
`
`
`WEBENTREE
`DATABASE ‘I
`
`-
`
`EXTEFINAL
`
` INTERNAL
`
`INTERNAL WEBENTFIEE
`
`WEB SEHVJCE
`ENGINE
`
`
`
` ‘ weeSERVICE
`
`| ENGINE
`
`P SERVER
`
`PREUATE SERVICE
`
`l
`
`agated to the user-selected Web service components
`or applications by the registration subsystem. Initial
`groups of service components can be selected dur-
`ing registration. After registration, a user is granted
`a user ID, a password, and a certificate if SS1. authen-
`tication is involved in a selected Web service com-
`ponent. Then, the user can log in to the member ser-
`vice provided by Webfintree. After user log-in, the
`service engine authenticates the user and provides
`a personalized home page that includes hyperlinks
`to all service components the user has selected. When
`the user clicks on a component’s hyperlink, the re-
`quest is sent to the service engine. The service en-
`gine first compares the user‘s access to the acces-
`
`the requested service
`sibility requirements for
`component. If the user has proper access, the ser-
`vice engine will retrieve the Web content from the
`selected URL (uniform resource locator) and send
`it to the user. Also, users can post content to a Web
`service component. Optionally, the service engine
`can also support usage logs and reporting, and an
`interface to a billing or payment subsystem.
`
`The Weblfilntree administration subsystem is imple-
`mented in two versions: :1 server-based Java appli-
`cation version and a Java applets version, viewable
`with a Web browser. The user interface is basically
`the same in both versions.
`
`IBM SYSTEMS JOURNAL. VOL 3?, NO 4, 1998
`
`Ex. 10%§gg§§7
`
`kn--'
`
`_““_,“‘_.‘,,_.,__.yIp—-——1v
`
`
`
`
`’__‘_,,_‘,.....4..-o-1*“‘*“r"\-
`
`.a-q—-
`
`Ex. 1007 Page 7
`
`

`
`
`Figure 3 WebEntree’s system architecture
`
`if?“
`f,~~.f
`'.-_' -——'-
`|
`‘H--.
`
`-—'
`
`‘jl
`
`, wsassavics
`;._ coupon:-:m'1
`' HTTPSEHVER
`
`
`
`
`,,l T
`' Ar-iwucnnouii
`| APPLICATKJN1
`
`I
`i
`l
`
`SU BSYSTEM
`
`.l;IEG|STFiA'I'l.ON
`
`
`
`ADMFNISTRAHON
`I, suasvsren
`
`
`
`User registration subsystem
`
`The user registration subsystem allows users to reg-
`ister themselves. It also provides a user with an ini-
`tial list of selectable service groups. Each group
`contains a list of service components, and each com-
`ponent can reside in multiple groups. Also, a user
`can access multiple groups. The user registration in-
`formation is stored in a persistent repository (i.e.,
`a database) via the data manager. This registration
`information is propagated to the access control sys-
`tems of user-selected service components. Therefore,
`only one registration is necessary to access all ser-
`vice components that are routed to WebEr1tree. It
`also enables a single user—authentication interface,
`i.e., a user needs only to log in once to access all of
`the services provided by selected service components.
`A sample user registration form is shown in Figure
`4. The architecture and control flow for this sub-
`system are shown in Figure 5.
`
`Registration mechanisms. WebEntree provides two
`types of user registration mechanisms: automatic and
`
`538 ZHAO
`
`administrator assisted via electronic mail. In the au-
`tomatic registration mechanism, a user fills in a reg-
`istration form like the one shown in Figure 4. Then,
`the registration form is sent to the rcgixtrrrriort man-
`rtgervia URL after submission. The registration man-
`ager parses the user‘s information and calls the data
`manager to store the user data into the aggregatofs
`database. Then, the registration manager invokes the
`registration dispatcher to register the user to the se-
`lected Web service components. The user becomes
`a member and gets access to the aggregated Web
`service immediately.
`
`If a proofing procedure needs to be performed be-
`fore a user can be registered, the administrator-as
`sisted registration mechanism can be applied. With
`this mechanism, the user’s registration forms are
`routed to a system administrator via electronic mail.
`If approved, the administrator sends the user’s reg-
`istration form to the registration manager. Then the
`registration manager stores the user’s registration
`information in the aggreg-ator’s database via the data
`
`IBM SYSTEMSE§Jl.lffib\y.|5f£5.e%, NO 4. 1993
`
`Ex. 1007 Page 8
`
`

`
`
`
`Figure 4 A sample user registration form
`
`‘
`
`"l
`
`'
`
`1
`
`1
`
`=—.n—s-
`
`Please register yourselt:
`Name,
`' __""";
`'
`"'""‘ '_ " '
`L_____m_J
`il,-Qgflbr
`_ _
`___
`!__j___i
`P5t.§9r!!!9!d_3
`__
`_
`I‘
`address
`[
`
`1
`
`-
`
`
`
`
`
`Select your application groups:
`[You will be in the defeat‘! group
`if on selection I3 made}
`___ _ ___ _____
`._
`_
`'
`'
`',i':Eriiuiiem'u]a' ""
`
`I IBM Book Server
`' Digital Um‘?
`'_«"\_r!=_t=.ir9
`.
`i_P._._NewsG'°"E..
`- CNN News
`{Erltorrriation Center
`
`Community
`-—- !
`' Community Life
`
`_
`_
`
`
`_
`
`.
`
`._ —I
`
`
`
`0 Netscape
`' Hot Places on Web
`
`-
`
`‘ Digltil Library
`r_ " Games aTu:i—r-tin"
`I Best Places
`In Game Land
`
`
`
`
`[j§;.;..a'
`
`ii
`
`manager and invokes the registration dispatcher to
`propagate the registration information. The user is
`notified via electronic mail about membership and
`access information.
`
`Registration synchronization. The registration syn-
`chronization between WebEntree and other Web
`
`service components is achieved by propagating user
`registration information in WcbEntree to other user-
`selected service components via the regular regis-
`tration channei provided by these components, e.g.,
`via HTML (HyperText Markup Language) forms, cli-
`ent registration applets, or server registration APIS
`(application programming interfaces). For each Web
`service component, there is a special registration han-
`dler. This handler, implemented in Java code, sends
`registration information in the format that is accept-
`able by the componcnt’s registration interface. The
`registration method in a registration handler is cus-
`tomized code. Since each Web service componcnt’s
`registration interface can be unique, registration
`method automation does not seem possible in a non-
`affiliated environment.
`
`lBM SYSTEMS JOURNAL. VOL 3?, ND 4. 1998
`
`The registration dispatcher is a daemon, started at
`aggregation service initialization time, that detects
`user registration and invokes the registration han-
`dlers to send registration information to the user-
`selected Web service components or applications.
`
`If a uscr—seleeted Web service component provides
`personalized service, the user profile information,
`user ID, and password are sent to this component
`for registration. Notice that the password here is not
`the same password used to access the aggregator.
`The component password is generated by running
`a Java algorithm, and the algorithm produces the
`same password each time. To change the password
`is to change the algorithm, which belongs to the sys-
`tem and is transparent to users. The password pol-
`icies can be provided from the administrator’s in-
`terface, and the Java code will be dynamically
`generated and compiled. The generated passwords
`compty with the password policies specified by the
`Web service components. The password algorithm
`is implemented as a method inside the registration
`handler.
`
`Ex. 1oo?'3?§E;e@-9
`
`Ex. 1007 Page 9
`
`

`
`
`
`REGETRATION
`IDLSPATCHER
`
`|
`
`‘
`
`'
`
`.
`
`wee SERVICE
`COMPONENT
`- REGISTRATION
`' HANDLEFI
`i__
`_
`_____i
`
`
`
`HTTP sssvsa
`.. ___ ___ ___
`' wsesenvnce
`5 COMPONENT1
`
`§
`;
`
`r
`J
`5 HTFP sssves
`_._
`‘.
`wseseavncs
`COMPONENT n
`
`l
`!
`
`E
`,
`I
`
`i t
`
`f H1'f‘P SEEVEF!mm
`REGISTRATION
`MANAGER
`
`.
`
`DATA
`|’_ MANAGER
`
`—‘
`
`
`
`The registration handlers are dynamically loaded at
`run time, an advantage of Java code. Therefore, the
`registration handlers can respond to registration in-
`terface and password changes for a Web service com-
`ponent at any time during service, as necessary. Since
`each‘ password is uniquely generated at run time for
`each Web service component (by running the Java
`code), an intruder to WebEntree will not be able to
`find passwords to the Web service components. Each
`aggregated Web service component can use its own
`password generation methods (e.g., with encryption)
`or the default ones provided by this Web sc
`ice ag-
`gregator.
`
`If a Web service component does not provide any
`personalized service, it is unnecessary to propagate
`user information to it. The aggregator is registered
`to each Web service component with a separate ID
`and password. The aggregatofis ID can be either
`dynamically generated (as for the password) or
`
`590 ZHAO
`
`stored in the Web service component authentication
`table. The password generation is as described above. '
`
`This two-level registration and authentication mech-
`anism, along with run-time password generation for
`accessing real content in the Web service compo-
`nents, has enhanced WebEntree’s security, because
`the passwords to Web service components are not
`recorded anywhere. The Web service component de-
`termines whether clear password text is allowed to
`be transferred on the network (e.g., basic authen-
`tication) or not (e.g., digest authentication). For af-
`filiated Web service components, one-time password
`or token-based authentication can be considered as
`well for further improvement of security, e.g., the
`Kerberos method. 9 SSL—based authentication can give
`better security, but is more expensive when consid-
`ering certifieate management and the involvement
`of a third party. 1“ The overall security also relies on
`the security implernentation for individual Web ser-
`
`nsm srsrems JOURNAL. voEn7,1fl074Pam 10
`
`Ex. 1007 Page 10
`
`

`
`_.__._._4
`
`
`
`Ir
`1:..
`l5!
`
`
`
`..'.-_-_..;.w—a~-...—--——.'.:—'—-—------—--'*"—"
`
`
`
`
`._.-—-r_rrz-.--—-a.-—'r'I—':'-''"""
`
`
`
`.._,..,.....__.,_..-—_.—v.
`
`vice components, although WebEntree does not re-
`duce their security level.
`
`on their user ID in the request header. For other au-
`thentication mechanisms “cookies” and session-
`
`Since the same password is used by all users from
`WebEntree, if passwords are easily obtained from
`a particular Web service component (e.g., passwords
`are stored as clear text in the server or database),
`the possible damage to this component would be
`greater because of WebEntree’s involvement. To
`provide better security service for each Web service
`component, a diiferent password could be generated
`for each user. The drawback of this choice would be
`
`the additional complexity for password generation
`and maintenance, although the implementation
`would still be practical.
`
`After registration, a user is granted a user ID, a pass-
`word, and a certificate if SSL authentication is used.
`The user can then log in to the member service pro-
`vided by the service engine of the aggregator.
`
`.
`
`A registered user can be removed by the system ad-
`ministrator. In addition, a user can remove himself
`or herself by selecting deregistration. During dereg-
`istration, the registration manager removes the user
`from the aggregator’s database and invokes the reg-
`istration dispatcher to remove the user from previ-
`ously selected Web service components. Users can
`also update their service selections by themselves.
`Each time a user updates his or her service compo-
`nent group selection list, registration information will
`be sent to the newly selected components and de-
`registration information will be sent to the deselected
`components. Some Web service components may re-
`quire rnore specific information than the general reg-
`istration information that WebEntrce provides. If
`so, an additional request form will prompt the user
`after their selection.
`
`WebEntree service engine
`
`The WebEntree service engine performs user an-
`thentication, service access control, gateway access
`to Web service components, and personalized user
`services. The service personalization is based on the
`user ID obtained during user authentication. For ba-
`sic and digest authentication, the user ID, password,
`and authenticated server are stored in the Web
`
`browser (both Netscape Navigator“ and Internet
`Explorer” support this feature). The user ID and
`password are sent to the Web server in the request
`header each time the user makes a URL request via
`the Web browser. Thus, the WebEntree service en-
`
`gine can provide personalized content to users based
`
`IBM SYSTEMS JOURNAL. VOL 3?. NO 4, $993
`
`tracking techniques can be used to carry user infor-
`mation. The servlet APIS are useful
`for
`these
`operations. “
`
`The architecture of WebEntree’s service engine is
`shown in Figure 6. The Web service coordinator
`manages the workflow among the diiferent compo-
`nents inside the service engine. For first-level authen-
`tication (users authenticate to WebEntree), the ac-
`cess authenticator checks the user’s credential (i.e.,
`user ID and password) based on the information in
`the URL request (e.g., for basic or digest authenti-
`cation, user ID and password are in the request head-
`ers) and the information in the user credential ob-
`ject (created from the persistent data in database).
`If they are a match, the access authenticator sends
`“true” to the Web service coordinator; if not, “false”
`is sent. Based on the authentication result, the Web
`service coordinator either generates the user’s per-
`sonal home page or sends back an alert to inforln
`the user of the access violation.
`
`The user’s personal home page is generated based
`on the user ID,
`the user-accessible component
`groups, and the Web service components in these
`groups. An access control object for each Web ser-
`vice component indicates by which groups it can be
`accessed.
`
`After the user selects a hyperlink from his or her
`home page, the second—level authentication pro-
`ceeds, between Weblintree and the Web service
`component indicated by the selected URL. The Web
`service coordinator sends authentication information
`
`to the component’s Web server—a password for ba-
`sic or digest authentication, and a certificate for SSL
`authentication.
`
`After authentication, the Web service coordinator
`sends the user request to the Web request dispatcher.
`The dispatcher constructs the URL based on the pa-
`rametcr string passed by the user and the server map
`information stored in the repository. Then, the dis-
`patcher sends the constructed URL to the corre-
`sponding Web service component, gets response
`content back, and sends it to the Web service co-
`ordinator.
`
`Notice that ifWebEntree and the Web service com-
`
`ponent are not on the same side of a firewall, a proxy
`server or a SOCKS (socket secure) server can be used
`for service request and access.
`
`Ex. 1007 P55391159‘
`
`Ex. 1007 Page 11
`
`

`
`
`Figure 6
`The architecture at the service engine
`
`1
`
`ll
`
`1 s 2 4 l 3
`
`HTTP ssnven
`m —— ——-
`-
`wee seouesr
`I‘?
`_ DISPATCHEFI
`i was ssnvice
`CODFIDENATOFI
`
`ssnvrce
`E”G””‘E
`
`I
`NOT1FlCA‘I1ON
`AGENT
`
`l
`1"
`
`T
`-
`_ "
`
`l V11
`
`
`; conrsm
`I cones
`I —.
`
`' was SERVICE
`' ACCESS
`
`-— AUTHENTFCATOH =-—-
`
`| CACHE
`
`vvsassnviee
`sgl oousousurs
`
`I
`
`_
`.1? LOCAIJHEMOTE
`4; APPLICATIONS
`
`J
`.
`J
`
`DATA MANAGER
`
`
`
`After the Web service coordinator gets the Web con-
`tent from the Web service component, it sends the
`content to the content editor. The content editor
`parses the content and performs the following op-
`erations:
`
`- Converts URLs for protocols (HTTP, FTP [File
`Transfer Protocol], telnet, gopher, etc.) to point
`to WebEntree’s service engine. The URLs for im-
`ages, sounds, and other multimedia data are
`changed to the absolute path to the original serv-
`ers. It should be noticed that the “CODEBASE” at-
`tribute for Java applets should be specified for the
`original server.
`- Adds information to the content according to the
`predefined service request, e.g., the WebEntree
`service owner’s branding
`- Adds specific information to the content accord-
`ing to user information
`
`The local or remote applications related to content
`are hosted in WebEntree’s Web site. The content
`
`592 ZHAO
`
`can be in the local machine of the Web service en-
`gine or can be accessed via DCE, CORBA, etc. The
`Web service coordinator directly serves the content
`in WebEntree’s Web site by invoking local and re-
`mote applications; no content parsing or transfor-
`mation is necessary.
`
`To enhance performance, a cache manager, as shown
`in Figure 6, manages a cache for service data. These '
`service data are in the form of persistent data ob-
`jects, such as the Web service component’s informa-
`tion objeet, access control information object, and
`authentication information object. Each Web ser-
`vice component is given a unique ID when it is added
`to Web!-Entree, and the eachedeomponent informa-
`tion objects are retrieved by component It). Also, the
`user-persistent data, such as the user profile infor-
`mation object and the user credential information
`object, can be cached for the most recent users. These
`user-data objects can be retrieved by user IDs. No-
`tice that Web content is not cached here; it is han~
`dled by Web servers or