`
Ex. 1017
US Patent No. 6,182,142 (“Win”)

(12) United States Patent
Win et al.

(10) Patent No.: US 6,182,142 B1
(45) Date of Patent: Jan. 30, 2001

(54) DISTRIBUTED ACCESS MANAGEMENT OF INFORMATION RESOURCES

(75) Inventors: Teresa Win, Sunnyvale; Emilio Belmonte, San Francisco, both of CA (US)

(73) Assignee: enCommerce, Inc., Santa Clara, CA (US)

(*) Notice: Under 35 U.S.C. 154(b), the term of this patent shall be extended for 0 days.

(21) Appl. No.: 09/113,609
(22) Filed: Jul. 10, 1998

(51) Int. Cl.7 .......................... G06F 13/00
(52) U.S. Cl. ............................ 709/229; 709/219; 709/227; 713/201
(58) Field of Search ................... 709/202, 203, 217, 219, 223, 225, 229, 313, 227; 713/200, 201, 202

(56) References Cited
U.S. PATENT DOCUMENTS
5,261,102 * 11/1993 Hoffman
5,845,267 * 12/1998 Ronen .................... 705/40
5,918,013 * 6/1999 Mighdoll et al. ........ 709/217
5,944,824 * 8/1999 He ...................... 713/201
6,014,666 * 1/2000 Helland et al. ......... 707/9
* cited by examiner

Primary Examiner—Viet D. Vu
(74) Attorney, Agent, or Firm—Hickman Palermo Truong & Becker, LLP; Christopher J. Palermo; Marcel K. Bingham

(57) ABSTRACT

Using a method for controlling access to information resources, a single secure sign-on gives the user access to authorized resources, based on the user’s role in the organization. The resources are stored on a protected server. A user or a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other requests by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorizes the user to use the resource. The access server passes encrypted tokens that define the user’s roles and authorization rights to the browser or client, which stores the tokens in memory. The user is presented with a customized display showing only those resources that the user may access. Thereafter, the access server can resolve requests to use other resources based on the tokens without contacting the registry server.
`
`
`
`
`
`
`
`100.
`BROWSER
`
`104
`PROTECTED
`SERVER
`
`34 Claims, 18 Drawing Sheets
`
`2
`
`,
`
`106
`ACCESS SERVER
`
`
`
`
`
`108
`REGISTRY
`SERVER
`
`112
`PROTECTED
`SERVER
`
`114
`ADMINISTRATION
`APPLICATION
`
`
`
`
`
`
`
`115
`INTEGRATION
`TOOLS
`
`
`
`
`
`116
`BROWSER
`
`
`
U.S. Patent  Jan. 30, 2001  Sheet 1 of 18  US 6,182,142 B1

[FIG. 1: Browser 100; Protected Server 104; Access Server 106; Registry Server 108 behind firewall 118, with secure link 109; Protected Server 112; Administration Application 114; Integration Tools 115; Browser 116]

[Sheet 2 of 18, FIG. 2: Protected Server 104 comprising HTTP Server 202, Server API 204, Runtime 206, Protected Resource 208 and ACL Lite 210; Browser 100; Intranet HTTP/HTTPS 212; Access Server 106; Registry Server 108]

[Sheet 3 of 18, FIG. 3A: Browser 100 opens Resource URL (302); HTTP Server 202 passes Open Resource URL to Runtime 206 (304); Resource not protected, do nothing (306); Resource Page returned (308)]

[Sheet 4 of 18, FIG. 3B: Open Resource URL (302, 304); Resource protected (310); Authenticate user (312); Redirect to Login URL (314, 316); Resource Page (308); participants Browser 100, HTTP Server 202, Runtime 206]

[Sheet 5 of 18, FIG. 3C: Open Resource URL (302, 304); Resource protected (310); Authenticate user (312); Public resource?; User authorized? (320); Redirect to Access Restricted URL (322); Set environment variables (324); Resource Page (308); participants Browser 100, HTTP Server 202, Runtime 206]

[Sheet 6 of 18, FIG. 4: Access Server 106 comprising HTTP Server 402 / Server API 404, Runtime 406, ACL Lite 410, Authentication Client 414, Access Menu and Protected Resource 208; Browser 100; Intranet HTTP/HTTPS 212; Registry Server]

[Sheet 7 of 18, FIG. 5A: Browser 100 opens Login URL (502) and enters Name and Password (504); User Name, Password sent to Access Server 106 (506); Access Server asks Registry Server 108 to verify Name, Password (508); Return verification result (510); User is not authentic, error message URL (512)]

[Sheet 8 of 18, FIG. 5B: Open Login URL (502); Enter Name and Password (504); User Name, Password (506); Verify Name, Password (508); Return verification result (510); Record Login Attempt (514); Login Recorded (516); User Authentic, Return Login Activity (518); participants Browser 100, Access Server 106, Registry Server 108]

[Sheet 9 of 18, FIG. 5C: Access Server 106 reads user profile from Registry Server 108 (520); User profile returned (522); Return encrypted cookies to Browser 100 (524); Save cookies (526)]

[Sheet 10 of 18, FIG. 5D: Browser 100 opens Logout URL, sending cookies (532); Access Server 106 returns expired cookies (534); Browser discards cookies (536); Registry Server 108]

[Sheet 11 of 18, FIG. 5E: User is authentic, Access Server 106 reads user profile from Registry Server 108 (538); Return user profile (540); Return personalized menu to Browser 100 (542); Select resource URL (544)]

[Sheet 12 of 18, FIG. 6: Registry Server 108 with Authentication Server Module 606; Browser 100; Access Server 106]

[Sheet 13 of 18, FIG. 7: Browser 100; Protected Server 104; firewall 118; Access Server 106; Registry Server 108; Administration Application 114 on an element 700 (label garbled) comprising HTTP Server 702, Server API 704, Runtime 706, Protected Resources 708A and 708B, and ACL 710]

[Sheet 14 of 18, FIG. 8: Browser 100; Protected Server 104; Access Server 106; Registry Server 108; Protected Server 112; Administration Application 114; Integration Tools 115; Browser 116; one further element whose label is garbled in the scan (802)]

[Sheet 15 of 18, FIG. 9: block diagram of a computer system; drawing text not recoverable from the scan]

[Sheet 16 of 18, FIG. 10A: resource administration user interface display; drawing text not recoverable from the scan]

[Sheet 17 of 18, FIG. 10B: role assignment user interface display; drawing text not recoverable from the scan]

[Sheet 18 of 18, FIG. 10C: user interface display for working with groups of users; drawing text not recoverable from the scan]

`1
`DISTRIBUTED ACCESS MANAGEMENT OF
`INFORMATION RESOURCES
`
`FIELD OF THE INVENTION
This invention generally relates to methods of controlling access to protected information resources in a network environment. The invention relates more specifically to methods, apparatus, and products for facilitating secure and selective access to network resources based on a role of a user of the resources.
`
`BACKGROUND OF THE INVENTION
Computer networks have become ubiquitous in business, industry, and education. In one approach, a network is configured with one or more user accounts, each of which is uniquely associated with a human network user or host computer. The network also has one or more resources, such as application programs that provide various computing functions, which are available to all users. In this approach, a user logs into his or her user account and selects a desired application. A disadvantage of this approach is that every user has the same rights to access any of the network resources.
Development of the globally accessible, packet-switched network known as the Internet has enabled network resources, accounts and applications to become available worldwide. Development of hypertext protocols that implement the World Wide Web (“The Web”) is enabling networks to serve as a platform for global electronic commerce. In particular, the Web is enabling the easy exchange of information between businesses and their customers, suppliers and partners.
Businesses are rushing to publish information on the Web and just as quickly stumbling into several roadblocks. For example, some information is valuable and sensitive, and needs to be made available only to selected users. Thus, there is a need to provide selective access to network resources and information over the Web.
This need exists in the context of internal Web networks that are available to employees of an organization, called Intranets, as well as Web networks and resources that are available to external customers, suppliers and partners of the organization, called extranets. Extranet users may require information from a large number of diverse sources, for example, product catalogs, customer databases, or inventory systems. There may be millions of potential users, the number of which grows dramatically as an organization prospers. Thus, there is a need for a large-scale system that can provide selective access to a large number of information sources for a large number of users.
Because some of the information sources are sensitive, there is a need to provide secure access to the information.
Current networks and Web systems, including Intranets and extranets, are expensive and complex to implement. These technologies also change rapidly. There is a need for any information access method or system to integrate with and use existing equipment, software and systems. There is also a need for a method and system that is flexible or adaptable to changing technologies and standards.
One approach to some of the foregoing problems and needs has been to provide each network resource or application program with a separate access control list. The access control list identifies users or hosts that are authorized to access a particular application. As new users or hosts are added to the network, the access control lists grow, making security management more complicated and difficult. Use of a large number of separate lists also makes the user experience tedious and unsatisfactory.
Another disadvantage of the foregoing approaches is duplication of management processes. To add new users to the system, a network administrator must repeat similar access processes for each application or resource to be made available to the new users. The redundancy of these processes, combined with rapid growth in the number of users, can make the cost of deploying, managing and supporting a system unacceptably high.
Thus, there is a need for a mechanism to govern access to one or more information resources in which selective access is given to particular users.
There is also a need for such a mechanism that is equally adaptable to an internal network environment and to an external network environment.
There is a further need for such a mechanism that is easy to configure and re-configure as new users and resources become part of the system.
There is still another need for such a mechanism that is simple to administer.

SUMMARY OF THE INVENTION
The foregoing needs, and other needs and objectives that will become apparent from the description herein, are achieved by the present invention, which comprises, in one aspect, a method of controlling access to one or more information resources stored on a first server, the method comprising the steps of receiving information describing a user at the first server; identifying, at a second server coupled to the first server, a subset of the resources that the user is authorized to access, based on one or more roles that are stored in association with user identifying information; communicating information defining the subset to the first server; storing first information defining the subset, and second information defining the roles, in one or more tokens; communicating the tokens to a client that is associated with the user; and thereafter resolving requests to use the resources at the first server based on the tokens.
One feature of this aspect is the steps of defining a role of the user; and storing an association of the user to the role at the second server. A related feature is the steps of defining one or more roles and functional groups of an organization to which the user belongs; storing information describing the roles and functional groups in association with information describing the user; and determining whether the user may access the resource based on the information describing the roles and functional groups.
According to another feature, the identifying step further comprises the steps of connecting the first server to the second server, in which the second server stores information describing the user, one or more roles, one or more functional groups, the resources, and associations among them; and communicating a request for a profile of the user from the first server to the second server. In another feature, the receiving step further comprises the steps of receiving the information describing the user at a runtime module on the first server that also intercepts requests to access the resource. In yet another feature, the step of identifying further comprises the step of determining whether the user is authentic. A related feature is that the step of identifying further comprises the steps of communicating encrypted information between the first server and the second server describing resources that the user is authorized to use.
In another feature, the steps of communicating further comprise the steps of passing one or more encrypted tokens that define the user’s roles and authorization rights from the second server to the first server. Another feature is that the steps of communicating further comprise the steps of passing one or more encrypted tokens that define the user’s roles and authorization rights from the second server to the client; and storing the tokens in a memory of the client.
Another feature involves the steps of communicating, from the first server to the client, a customized display identifying only those resources that the user may access, whereby a single secure sign-on gives a user access to one or more of the resources. Still another feature involves the steps of communicating, from the first server to the client, information describing a customized display that identifies only those resources that the user may access.
In another aspect, the invention provides a method of controlling access to one or more information resources stored on a protected server, the method comprising the steps of receiving, at the protected server, login information describing a user who desires to access one of the resources; determining that the user is authentic and permitted to access one of the resources; identifying, at a second server coupled to the protected server, a subset of the resources that the user is authorized to access, based on at least one role that is stored in association with user information; communicating information defining the subset to the protected server; storing first information defining the subset, and second information defining the roles, in one or more tokens; communicating the tokens to a client that is associated with the user; and thereafter resolving requests to use the resources at the protected server based on the tokens, whereby a single secure sign-on gives the user access to the one of the resources. One feature of this aspect is the steps of receiving a request from the client to access one of the resources; determining, based on the one or more tokens, whether the client is authorized to use the one of the resources; and granting access to the one of the resources to the client. A related feature is the steps of intercepting the request from the client at a runtime module of the protected server. Yet another related feature involves the steps of granting access to the resource only when the roles associated with the user satisfy an access rule. Another feature involves the steps of defining the access rule, associated with the user, as a Boolean expression that includes one or more roles.
`
`BRIEF DESCRIPTION OF THE DRAWINGS
The present invention is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which:
FIG. 1 is a block diagram of an information access system;
FIG. 2 is a block diagram of a protected server and its connections to the system of FIG. 1;
FIG. 3A is a state diagram showing actions carried out by a protected server;
FIG. 3B is a state diagram showing a process of opening a protected resource;
FIG. 3C is a state diagram showing a process of authorizing access to a restricted resource;
FIG. 4 is a block diagram of an access server used in the system of FIG. 1;
FIG. 5A is a state diagram showing steps carried out in a user verification process;
FIG. 5B is a state diagram showing steps carried out in a login process;
FIG. 5C is a state diagram showing steps carried out in generating user profile information;
FIG. 5D is a state diagram showing steps carried out in a logout process;
FIG. 5E is a state diagram showing steps carried out in a process of generating a personalized menu;
FIG. 6 is a block diagram of a registry server used in the system of FIG. 1;
FIG. 7 is a block diagram of the system of FIG. 1 showing details of an administrative application;
FIG. 8 is a block diagram of the system of FIG. 1 showing security features;
FIG. 9 is a block diagram of a computer system with which aspects of the invention may be implemented;
FIG. 10A is a block diagram of a resource administration user interface display;
FIG. 10B is a block diagram of a role assignment user interface display;
FIG. 10C is a block diagram of a user interface display generated to facilitate working with groups of users.
`
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
A method and apparatus for controlling access to protected information resources is described. In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.
`
`Overview of Preferred Embodiment
FIG. 1 is a block diagram of main elements of an information access system 2 according to a preferred embodiment. Generally, an information access system 2 comprises a plurality of components including an Access Server 106, Registry Server 108, Administration Application 114, and Integration Tools 115. The foregoing components cooperate to control access to resources stored on one or more Protected Servers 104, 112. Generally, each Protected Server is a Web server. Each component comprises one or more modules. Each module provides one or more services to users of the system 2 and administrators. There may be any number of Protected Servers 104. Users are individuals who have a relationship with an organization and play various roles, and are registered in the system 2. Users may be members of an organization, or may be customers, suppliers, or business partners of the organization. Administrators control the system.
In one embodiment, all the components are stored on and executed by one physical server or computer. In alternate embodiments, one or more components are installed on separate computers; this approach may improve security and performance. For example, Registry Server 108 may be part of a secure Intranet that is protected using a firewall 118, and Access Server 106 may be located on an extranet for access by users inside and outside the enterprise. Further, there may be more than one Registry Server 108 in a mirrored or replicated configuration. Each Access Server 106 may be coupled to more than one Registry Server 108, so that a particular Access Server 106 can communicate with a second Registry Server 108 if a first one is busy or unavailable. Each Registry Server 108 may be coupled to or support more than one Access Server 106. Each Registry Server 108 may execute operations using multiple execution threads, in which access of each thread to Registry Repository 110 is managed by the Access Control Library.
A browser 100 is coupled by a communication link to a network 102. The block shown for browser 100 represents a terminal, workstation computer, or an equivalent that executes a standard Web browser program or an equivalent, such as Netscape Navigator, Internet Explorer, or NCSA Mosaic. Network 102 is a compatible information communication network, preferably the Internet. In alternate embodiments, the browser 100 is a client process or client workstation of any convenient type, and the network 102 is a data communication network that can transfer information between the client and a server that is also coupled to the network.
The system 2 enables organizations to register information sources or Resources and register Users of the information in a central repository. A Resource is a source of information, identified by a Uniform Resource Locator (URL) and published by a Web server either in a static file formatted using Hypertext Markup Language (HTML) or in a dynamically generated page created by a CGI-based program. Examples of resources include a Web page, a complete Web site, a Web-enabled database, and an applet.
The system 2 enables administrators to implement access rules by defining Roles that Users play when working for an organization or doing business with an enterprise. A Role may reflect a relationship of a User to the organization (employee, customer, distributor, supplier), their department within an organization (sales, marketing, engineering) or any other affiliation or function (member of quality task force, hotline staff member) that defines their information needs and thus their access rights or privileges. Thus, examples of Roles include Employee, Customer, Distributor, Supplier, Sales, Marketing, Engineering, and Hotline Staff.
Roles are defined by information identifying a name of a role and by a functional group in which the role resides. A functional group is often a department in which similar functions exist. Examples of functional groups are Marketing, Sales, Engineering, Human Resources, and Operations.
In some embodiments, the term User Type or Person Type refers to employees, directors, officers, contractors, customers, distributors, etc., and Role refers to a job function such as sales representative, financial analyst, etc.
Roles determine what resources a User can access. Further, each role may require a unique set of information that is available in resources. For example, a User who is an Employee in the Marketing department could access Price List and New Products Resources. Thus, system 2 enables the creation of resource profiles by assigning roles to resources, and user profiles by assigning roles to users to generate access rights. System 2 automatically links a user profile to the resource profiles that have been assigned the same roles, so that deployment of new resources may occur rapidly.
Roles and resources are owned by Functional Groups within the organization.
The system 2 makes managing access simple because it is based on an additive data model. Assigning a role to a user or deleting a role from a user can add or delete access to all resources with that role. Similarly, adding a role to a resource or removing a role from a resource can give or take away access to that resource from all users with that role. The system 2 allows administrators to make such changes in a simple manner, resulting in significant administration time savings.
The system 2 also enables Users to log-in to the system once, and thereafter access one or more Resources during an authenticated session. Users may log in either with a digital certificate or by opening a login page URL with a web browser and entering a name and password. In the past, users have had to log in individually to each Web application that they are authorized to use. In the preferred embodiment, users always access the same login page regardless of the number of resources to which they need access. Thus, the system provides a mechanism of single secure log-in to Web resources.
If the login attempt is successful, the system 2 presents the User with a Personalized Menu that assists the User in identifying and selecting a Resource. In one embodiment, a Personalized Menu is an HTML page containing a list of authorized Resources. The Personalized Menu displays only Resources to which the User has access. The User can then select and access a Resource.
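The role model described in the preceding paragraphs (Roles owned by Functional Groups, user profiles and resource profiles linked through shared roles, the additive effect of adding or removing a role, and a Personalized Menu that lists only authorized Resources) can be written out as a small registry. The Python below is an added illustration, not code from the patent or from enCommerce; the user names, resource URLs, role names and assignments are constructed sample data, and the Registry class is a hypothetical in-memory stand-in for the Registry Repository.

```python
"""Registry data model behind the role-based access described above.

Constructed example (not the patent's or enCommerce's code): users and resources
are assigned Roles, each Role is owned by a Functional Group, and a user's
authorized resources are those whose resource profile shares at least one role
with the user profile. All names, URLs and assignments below are sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Role:
    name: str
    functional_group: str   # the Functional Group that owns the role


@dataclass
class Registry:
    """In-memory stand-in for the Registry Repository (users, resources, roles, associations)."""
    users: dict = field(default_factory=dict)      # user name -> set of Role (user profile)
    resources: dict = field(default_factory=dict)  # resource URL -> set of Role (resource profile)

    # Additive data model: each call adds or removes access for every matching user/resource pair.
    def assign_user_role(self, user, role):
        self.users.setdefault(user, set()).add(role)

    def revoke_user_role(self, user, role):
        self.users.get(user, set()).discard(role)

    def assign_resource_role(self, url, role):
        self.resources.setdefault(url, set()).add(role)

    def revoke_resource_role(self, url, role):
        self.resources.get(url, set()).discard(role)

    def user_profile(self, user):
        """Roles stored in association with the user (what the Access Server reads at login)."""
        return frozenset(self.users.get(user, set()))

    def authorized_resources(self, user):
        """Resources linked to the user through a shared role, sorted by URL."""
        roles = self.user_profile(user)
        return sorted(url for url, profile in self.resources.items() if roles & profile)

    def roles_owned_by(self, group):
        """Names of all roles a Functional Group owns, across user and resource profiles."""
        seen = set()
        for profile in list(self.users.values()) + list(self.resources.values()):
            seen.update(r for r in profile if r.functional_group == group)
        return sorted(r.name for r in seen)

    def personalized_menu(self, user):
        """HTML list showing only the resources the user may access."""
        items = "".join(f'<li><a href="{u}">{u}</a></li>' for u in self.authorized_resources(user))
        return f"<ul>{items}</ul>"


def build_sample_registry():
    """Constructed sample data; the assignments mirror the Price List / New Products example."""
    employee = Role("Employee", "Human Resources")
    marketing = Role("Marketing", "Marketing")
    sales = Role("Sales", "Sales")
    customer = Role("Customer", "Sales")
    hotline = Role("Hotline Staff", "Operations")
    reg = Registry()
    for role in (marketing, sales):
        reg.assign_resource_role("/pricelist", role)
    reg.assign_resource_role("/newproducts", marketing)
    reg.assign_resource_role("/benefits", employee)
    for role in (customer, hotline):
        reg.assign_resource_role("/support", role)
    reg.assign_user_role("alice", employee)   # an Employee in the Marketing department
    reg.assign_user_role("alice", marketing)
    reg.assign_user_role("bob", customer)
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.authorized_resources("alice"))   # ['/benefits', '/newproducts', '/pricelist']
    reg.revoke_user_role("alice", Role("Marketing", "Marketing"))
    print(reg.authorized_resources("alice"))   # ['/benefits']
```

The two revoke calls are where the additive model shows its value for an administrator: one change to a user profile or one change to a resource profile alters access for every matching pair, which is also why a mistaken role assignment on a widely used role has a wide blast radius and is worth auditing.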
Protected Server 104 is coupled to the network 102 logically separate from browser 100.
The Registry Server 108 is coupled to a Registry Repository 110 that stores information about users, resources and roles of the users. Registry Server 108 is coupled by a secure communication link 109 to Access Server 106, which is coupled to network 102. Registry Server 108 has an Authentication Server Module that manages concurrent access of multiple users or browsers 100 to Registry Repository 110.
A Protected Server 112 is coupled to Registry Server 108. The Protected Server 112 executes or supervises execution of an Administration Application 114, which functions to register and manage users, resources and roles by reading and writing information to or from Registry Repository 110.
Integration Tools 115 are selectively executed on Protected Server 112 and function to customize the particular configuration of the foregoing components. For example, Integration Tools 115 are used to customize the form or content of screen displays presented to browser 100 for user login and logout, or to enforce password selection rules. Integration Tools 115 also function to integrate resources with the foregoing components and to integrate data stores or directories with Registry Repository 110.
Access Server 106 stores a log-in page, Authentication Client Module and Access Menu Module. The Authentication Client Module authenticates a user by verifying the name and password with the Registry Server 108. If the name and password are correct, the Authentication Client Module reads the user’s roles from the Registry Server 108. It then encrypts and sends this information in a “cookie” to the user’s browser. A “cookie” is a packet of data sent by web servers to web browsers. Each cookie is saved by browser 100 until the cookie expires. Cookies received from a web server in a specific domain are returned to web servers in that same domain during open URL requests. A cookie returned by the Authentication Client Module is required for access to resources protected by the system 2.
Once a user has been authenticated, the Access Menu Module of the Access Server returns a Personalized Menu of the type described above.
When the user selects a resource, the browser sends an open URL request and cookie to a Protected Web Server. A Protected Web Server is a web server with resources protected by the Runtime Module. The Runtime Module decrypts information in the cookie and uses it to verify that the user is authorized to access the resource. The cookie is also used by the resource to return information that is customized based on the user’s name and roles.
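The cookie check performed by the Runtime Module, together with the decision flow of FIGS. 3A to 3C (an unprotected resource passes through; no valid cookie redirects to the Login URL; a valid cookie whose roles fail the resource's access rule redirects to the Access Restricted URL; otherwise environment variables are set and the resource is served), as an added example that is not the patent's or enCommerce's code. The patent encrypts the cookie; this example instead signs a base64-encoded JSON payload with an HMAC using only the Python standard library, which preserves the property the flow depends on: the protected server verifies the user's roles locally, without contacting the registry server, and any change to the roles the browser presents is rejected. The shared key, URLs, environment variable names, rule syntax and role names are assumptions; access rules are the Boolean expressions over roles mentioned in the Summary, written here as nested tuples.

```python
"""Runtime Module cookie check and request decision, constructed example (not the patent's code).

The patent's Access Server sends the user's roles to the browser in an encrypted
cookie; here the cookie value is a base64 JSON payload plus an HMAC-SHA256 tag
(standard library only). The key, URLs, rule syntax and role names are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

# Assumed shared secret between the Access Server (issuer) and the Runtime Module (verifier).
TOKEN_KEY = b"example-shared-key-change-me"
LOGIN_URL = "/login"                    # assumed Login URL (FIG. 3B, steps 314/316)
ACCESS_RESTRICTED_URL = "/restricted"   # assumed Access Restricted URL (FIG. 3C, step 322)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(user, roles, ttl_seconds=3600, now=None):
    """Access Server side: build the cookie value after a successful login (FIG. 5C, step 524)."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"user": user, "roles": sorted(roles), "exp": now + ttl_seconds},
        separators=(",", ":"),
    ).encode()
    tag = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def verify_token(token, now=None):
    """Runtime Module side: return the claims dict, or None if the cookie is missing,
    malformed, altered, or expired. No registry lookup is needed."""
    if not token:
        return None
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(TOKEN_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


def with_edited_payload(token, old, new):
    """Helper for the tamper-evidence check below: re-encode the token with a byte
    substring of its payload replaced while keeping the original tag."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    return base64.urlsafe_b64encode(payload.replace(old, new) + tag).decode()


def evaluate_rule(rule, roles):
    """Evaluate an access rule, a Boolean expression over role names, against a role set.
    Rules are nested tuples: ("role", name), ("any",), ("not", r), ("and", r1, ...), ("or", r1, ...)."""
    op = rule[0]
    if op == "role":
        return rule[1] in roles
    if op == "any":     # protected but public: any authenticated user (FIG. 3C "Public resource?")
        return True
    if op == "not":
        return not evaluate_rule(rule[1], roles)
    if op == "and":
        return all(evaluate_rule(sub, roles) for sub in rule[1:])
    if op == "or":
        return any(evaluate_rule(sub, roles) for sub in rule[1:])
    raise ValueError(f"unknown rule operator {op!r}")


# Constructed ACL for the protected server: URL -> access rule. URLs absent from the
# table are not protected, so the Runtime Module does nothing for them (FIG. 3A, step 306).
PROTECTED_RESOURCES = {
    "/intranet/news": ("any",),
    "/sales/pricelist": ("or", ("role", "Sales"), ("and", ("role", "Employee"), ("role", "Marketing"))),
    "/hr/payroll": ("and", ("role", "Employee"), ("role", "Human Resources")),
}


def handle_request(url, cookie, now=None):
    """Decision flow of FIGS. 3A-3C. Returns ("serve", env) or ("redirect", url)."""
    rule = PROTECTED_RESOURCES.get(url)
    if rule is None:
        return ("serve", {})                         # resource not protected, do nothing
    claims = verify_token(cookie, now)
    if claims is None:
        return ("redirect", LOGIN_URL)               # authenticate user first (steps 312-316)
    if not evaluate_rule(rule, set(claims["roles"])):
        return ("redirect", ACCESS_RESTRICTED_URL)   # user not authorized (steps 320-322)
    # Assumed variable names handed to the resource so it can customize its output (step 324).
    env = {"REMOTE_USER": claims["user"], "USER_ROLES": ",".join(claims["roles"])}
    return ("serve", env)
```

The expiry check is what turns a browser-held token into a bounded credential, matching the expired cookies the Access Server returns at logout in FIG. 5D; the constant-time tag comparison and the rejection of any edited payload are the parts a reviewer should look for in a real Runtime Module, since the cookie arrives from the client and must be treated as untrusted input until it has been verified.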
The Registry Server contains an Authentication Server Module and a Registry Repository. The Authentication Server Module is structured as a Java server. The Registry Repository is structured as a database. For example, the Registry Repository may be an SQL Server relational database management system, the Oracle7(R) database, etc. The Registry Server also contains an Access Control Library that is structured as a Java library.
The Administration Application contains Administration Application Modules, a Runtime Module, and an Access Control Library. The Administration Application Modules are structured as one or more HTML pages, CGI-based Java programs, or applets. The Runtime Module is structured as a C/C++ web server plug-in.
The Integration Tools comprise an Access Control Library, and sample program source code. Preferably, the source code is written in the Java(R) language.
The Access Server comprises an Authentication Client Module, Access Menu Module, Runtime Module, and an Access Control Library Lite. The Authentication Client Module and Access Menu Module are structured as one or more HTML pages or CGI-based Java programs. The Access Control Library Lite is one or more software components that interact to control access to the Access Server and its resources. The term “Lite” indicates that the access control components provide more limited functions, and are therefore more secure, than an Access Control Library.
The Protected Web Server comprises a Runtime Module and an Access Control Library.
The Runtime Module and Access Control Library are reused by several components, for example, the Runtime Module is used to protect resources on Protected Web Servers and system resources in the Access Server and Administration Application.

Protected Server
A Protected Server 104 preferably is a World Wide Web server that stores one or more resources 208 that are protected by a Runtime Module 206. In the preferred embodiment, Runtime Module 206 provides one or more functional services. For example, the Runtime Module func