WO1999066384A2 - Method and apparatus for authenticated secure access to computer networks - Google Patents
- Publication number
- WO1999066384A2 (PCT/US1999/013701)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- computer
- external
- intranet
- references
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Definitions
- This invention relates to the field of computer software, and, more specifically, to secure and authenticated computer system access.
- Computing devices can be connected via a communications network to transmit information between them and/or share peripheral devices (e.g., printers and storage devices) that are connected to the communications network.
- a communications protocol specifies a convention for communication over the network.
- a communications protocol can identify the format for messages sent over the network.
- the Internet is an example of a world wide communications network comprised of various physical networks that interconnect computing devices.
- the Internet is comprised of many physical networks that interconnect computing devices.
- a personal computer in a user's home can be connected via one or more networks that comprise the Internet to a computer system regardless of either's location to gain access to information that is resident on that computer system.
- a user's request can be transported via the Internet's networks to the computer system.
- a response from the computer system can be transmitted to the user via the Internet.
- the Transport Control Protocol/Internet Protocol (TCP/IP) is the basic communications protocol for transmitting information over the Internet.
- a communications protocol typically defines the format for a packet, or bundle, of data that is to be transmitted.
- a packet usually includes control information (e.g., destination, origin, packet length, etc.), the data to be transmitted and error detection and correction.
- Other communications protocols such as Hypertext Transmission Protocol (HTTP) and File Transfer Protocol (FTP), are built on top of TCP/IP.
- Resources include, for example, servers, services, program code, and files.
- a URL is a mechanism by which a resource can be identified in a request.
- HTTP and FTP are mechanisms by which the request is communicated.
- a communications network can be characterized as either an external network (i.e., extranet) or an internal network (intranet).
- An extranet is a communications network that is considered to be external with reference to a given organization or entity.
- a network may be considered to be external simply because it is under another's administration and control.
- the Internet is comprised of networks that are examples of extranets.
- a communications network to which access is controlled or restricted is an internal network (or intranet).
- An intranet operates over a physical network that is under a given entity's administrative control.
- An intranet can be connected to an extranet via a physical connection such as a modem and telephone line. Routing hardware and/or software is used to route packets between the intranet and an extranet via a physical connection.
- a gateway which is comprised of hardware and/or software is typically used to act as an entrance and exit into a communications network. For example, an intranet can use a gateway through which packets directed to and from the intranet must pass. A gateway can further perform conversions between otherwise incompatible communications networks.
- An entity may wish to limit the packets that are allowed access to its intranet. For example, an entity may wish to limit entry to information that is resident on its intranet such that it is not accessible to extranet users (e.g., an Internet user unaffiliated with the entity). However, current techniques for controlling external entry to an intranet are intended to prohibit external access to an intranet, or introduce a potential for breach of the intranet's security.
- a firewall prohibits an intranet user from accessing the extranet via the intranet.
- a proxy server can be installed on the intranet which has access to both the intranet and the Internet.
- a proxy server acts as a proxy to forward requests on another's (e.g., an application's or user's) behalf.
- a proxy server forwards a message without modifying its content.
- a proxy server typically performs application-level filtering of messages. That is, a proxy server examines application-level messages to determine whether and to whom the message should be forwarded.
- a proxy server can be used, for example, to forward information between two applications (or users) that reside on different intranets or between an intranet application (or user) and an extranet (e.g., the Internet).
- an intranet user sends a request directed to the Internet to the proxy server which forwards the request unchanged to the Internet.
- Neither a firewall nor a proxy server allows access by an authorized user attempting to gain access to the corporation's intranet from outside the intranet.
- the purpose of the firewall is to prohibit external access.
- a proxy server's purpose is to facilitate access within the intranet.
- One way of allowing access by an authorized external user is to eliminate the firewall. However, this would open the corporation's intranet to unauthorized users as well.
- a virtual private network approach has been used in cooperation with the firewall to allow an external user to access the intranet.
- An IP packet is enclosed within another IP packet by the virtual private network software that is running on a computer system on the extranet.
- the outer packet is addressed to an intermediate destination within the intranet.
- the firewall is configured to allow IP packets that are destined for the intermediate destination in the intranet. When the packet is received by the intermediate destination, it extracts the inner IP packet that contains the true intranet destination. The IP packet is then forwarded by the intermediate destination.
- an IP packet that originates on the intranet and destined for the extranet is enclosed within an outer IP packet that identifies a permissible origin (i.e., an origin from which the firewall is configured to allow an IP packet to be transmitted to the extranet).
- the firewall examines the outer IP packet's origin address and determines that it is permissible to forward the IP packet to the extranet from that origin.
- the virtual private network includes software that is running on the extranet client and the intranet (e.g., the destination server).
- the virtual private network running on the extranet client encloses the original IP packet in another IP packet that is addressed to a permissible destination within the intranet.
- the inner IP packet can identify any destination address on the intranet.
- an unauthorized user that gains access to a virtual private network client has uninhibited access to the intranet.
- a disadvantage of this approach is that the intranet is only as secure as the user's workstation. Therefore, a virtual private network is optimally used with a secure workstation that communicates with the intranet via a leased, or dedicated, telephone line.
- the virtual private network is clearly not optimal where the workstation is a laptop that could be left at an unsecured location or other computer system that is susceptible to public access, for example.
- FIG. 8 provides a block diagram of the web tunnel approach.
- Figure 8 depicts web tunnel 800 that includes authenticator 804A, redirector 804B and proxy 804C.
- the user must configure client 802 to send its requests for intranet 820 directly to redirector 804B.
- Redirector 804B redirects a request to either authenticator 804A or proxy 804C components of web tunnel 800.
- Authenticator 804A produces material that is used to authenticate client 802 to proxy 804C.
- Proxy 804C performs the function of receiving requests for web servers 806 and 808 and forwarding requests to them.
- When redirector 804B receives a URL from client 802, redirector 804B packages the URL inside another URL that identifies either authenticator 804A or proxy 804C. For example, if the user sends a URL for a document that resides on a server inside intranet 820, redirector 804B appends the user's URL to proxy 804C's URL.
- For example, client 802 sends an HTTP URL, "http://hr.acme.com", to redirector 804B.
- Redirector 804B generates a redirected URL, "https://tunnel.acme.com/hr.acme.com", to specify proxy 804C of web tunnel 800.
- redirector 804B sends the redirected URL back to client 802.
- Client 802 must then forward the new, redirected URL to web tunnel 800 (i.e., proxy 804C).
- Proxy 804C receives and processes the redirected URL.
- In the web tunnel approach, the user must repeat a request where the request identifies an intranet resource by its intranet URL. That is, before an internal URL can be forwarded to the intranet via web tunnel 800, it must first be packaged (by redirector 804B) inside another request that is directed to proxy 804C and then resent by the user. Further, the web tunnel approach requires that the user be aware of the URLs used to identify resources inside the intranet. This is disadvantageous since the user may not be aware of the actual URL of intranet resources. This also exposes the intranet structure to an external user.
- the web tunnel approach requires a configuration that restricts the type of user that can use the approach. That is, the web tunnel approach requires that there be no proxies between client 802 and web tunnel 800. This is unrealistic since, as described above, most access schemes use a proxy server as a conduit for transmissions between the client and the Internet.
- the web tunnel approach cannot be used by a corporate intranet user who is required to use a proxy server to access the Internet, for example.
- the web tunnel approach requires that the client browser be configured directly to web tunnel 800.
- the structure of the intranet is such that a client request could be forwarded to an ultimate destination via multiple computer networks. Each of these computer networks may require that a proxy server be used to direct the request to the next Internet destination.
- the web tunnel approach is incapable of functioning in this type of environment. It is limited to direct connection between the client and the web tunnel that services the request's final destination. That is, the client must be directly connected to the final destination's web tunnel mechanism. There is no ability for one or more proxies to be positioned between the client and the web tunnel.
- Embodiments of the invention comprise a method and apparatus for secure authenticated access to computer networks.
- Embodiments of the invention control and manage access to an intranet from an extranet. Access to the intranet is allowed such that specified packets are permitted to penetrate the intranet's gateway.
- Embodiments of the invention can be used to limit access to the intranet to specific types of messages (e.g., messages received from browser software running on a client workstation) transmitted via the Internet, for example.
- Embodiments of the invention offer multi-tiered access control.
- a user is authenticated before being allowed access to an intranet. Further, access privileges associated with an authenticated user are identified and used to determine the resources that an authenticated user is permitted to access.
- a user's authentication information is retained and provided to intranet applications based on an application's requirements. Thus, the user's credentials can be used to sign the user onto multiple intranet applications.
- a logging facility is offered in embodiments of the invention for logging information associated with intranet accesses.
- Embodiments of the invention can log internal errors, configuration errors, login attempts, login failures, session time-outs, session terminations, and performance metrics.
- Embodiments of the invention provide a transparent application pass-through.
- An external reference is used for an intranet resource.
- the external reference need not be the same as the actual reference of the intranet resource (as used in the intranet).
- a mapping is used to associate the external, or virtual, reference with the actual, intranet reference. Mapping between external and internal references is performed transparently to the user and/or applications executing on the intranet.
- Embodiments of the invention map intranet references to external references before the reference is sent to the user. Conversely, an external reference that is received from the user can be translated to the intranet reference. There is no need for an external user to be aware of a resource's actual, intranet reference. This is advantageous for both facilitating an authenticated user's access and shielding the intranet's structure.
- Embodiments of the invention include configuration information that identifies the hosts (e.g., servers) that are allowed to be mapped between internal and external references.
- An internal reference to an intranet resource is re-written as an external reference when a reference to the resource is sent out to an external computer.
- embodiments of the invention map external resource references to internal resource references.
- Each mapping consists of an internal mapping entry and an associated external mapping entry.
- a mapping entry can be specified using literal expressions or pattern expressions.
- Internal mapping entries can be specified using, e.g., literal and/or pattern expressions.
- a similar approach is taken to map an external reference to an internal reference.
- the mappings that are associated with a user are identified in embodiments of the invention based on a user's credentials. A user's credentials identify the access privileges for the user.
- mappings can be associated with the employee privilege. If the user has multiple privileges each of which has a set of mappings, the multiple sets of mappings can be combined to generate a complete set of mappings for the user. Later processed mappings can supplement or modify previously-processed mappings, for example.
- mappings associated with the user can be searched to find the reference submitted by the user. If the reference is not found in the user's mappings, access is denied. If a response (or other message) is returned to the user, internal references are re-written to external references according to the user's set of mappings. It is possible, however, that the set of mappings may specify that the internal reference is to be forwarded without any modification.
- Figure 1 is a block diagram of one embodiment of a computer system capable of providing a suitable environment for an embodiment of the invention.
- Figure 2A provides a model used in one or more embodiments of the invention.
- Figure 2B illustrates a model implementation of a reverse proxy as a component of an intranet gateway according to one embodiment of the invention.
- FIG. 2C illustrates configuration alternatives according to one or more embodiments of the invention.
- Figure 3 illustrates a request processing model according to an embodiment of the invention.
- Figure 4 illustrates a login and authentication model according to an embodiment of the invention.
- Figure 5 provides a request processing process flow according to an embodiment of the invention.
- Figures 6A-6B provide an authentication process flow according to an embodiment of the invention.
- Figure 7 provides a request processing process flow according to an embodiment of the invention.
- Figure 8 provides a block diagram of the web tunnel approach.
DETAILED DESCRIPTION OF THE INVENTION
- Embodiments of the invention comprise a method and apparatus for authenticated secure access to computer networks.
- Embodiments of the invention control and manage access to a computer intranet from an extranet. Access to the intranet is allowed (through any number of firewalls or proxies) such that specified packets are permitted to penetrate the intranet's gateway.
- Embodiments of the invention can be used to limit access to the intranet to specific types of packets (e.g., packets received from browser software running on a client workstation) transmitted via an extranet.
- Embodiments of the invention offer multi-tiered access control.
- a user is authenticated before being allowed access to an intranet. Further, access privileges associated with an authenticated user are identified and used to determine the resources that the user is permitted to access.
- a user's authentication information is retained and provided to applications that exist on the intranet based on an application's requirements. Thus, the user's single sign-on information can be used to sign the user onto multiple intranet applications.
- a logging facility is offered in embodiments of the invention for logging information associated with intranet accesses.
- Embodiments of the invention provide a transparent application pass-through.
- a reference is used for external accesses of an intranet resource.
- the external reference need not be the same as the actual reference of the intranet resource (as used in the intranet).
- a mapping is used to associate the external, or virtual, reference with the actual, intranet reference. There is no need for an external user to be aware of a resource's actual, intranet reference. This is advantageous for both facilitating an external user's access and shielding the intranet's structure.
- Embodiments of the invention use the mapping of external references to internal references to transform an intranet reference to an external reference before the reference is sent to the user. Conversely, an external reference that is received from the user can be translated to the intranet reference. Mapping between external and internal references can be performed on those resources that exist on the intranet to which the user has authorization to access, for example. Mapping between external and internal references is performed transparently to the user and/or applications executing on the intranet.
- Embodiments of the invention include mapping information that identifies the internal and external references used for intranet resources (such as hosts or servers) for each user accessing the intranet from an extranet.
- An internal reference to an intranet resource is re-written as an external reference as the reference is sent out to an extranet.
- the external reference can be translated to the intranet resource's internal reference.
- the mapping information can identify resources using literal or pattern expressions. A pattern expression can be used to identify a group of resources, for example.
- An embodiment of the invention can be implemented as computer software in the form of computer readable program code executed on a general purpose computer such as computer 100 illustrated in Figure 1.
- a keyboard 110 and mouse 111 are coupled to a bi-directional system bus 118.
- the keyboard and mouse are for introducing user input to the computer system and communicating that user input to processor 113.
- Other suitable input devices may be used in addition to, or in place of, the mouse 111 and keyboard 110.
- I/O (input/ output) unit 119 coupled to bi-directional system bus 118 represents such I/O elements as a printer, A/V (audio/video) I/O, etc.
- Computer 100 includes a video memory 114, main memory 115 and mass storage 112, all coupled to bi-directional system bus 118 along with keyboard 110, mouse 111 and processor 113.
- the mass storage 112 may include both fixed and removable media, such as magnetic, optical or magnetic optical storage systems or any other available mass storage technology.
- Bus 118 may contain, for example, thirty-two address lines for addressing video memory 114 or main memory 115.
- the system bus 118 also includes, for example, a 32-bit data bus for transferring data between and among the components, such as processor 113, main memory 115, video memory 114 and mass storage 112. Alternatively, multiplexed data/address lines may be used instead of separate data and address lines.
- the processor 113 is a microprocessor manufactured by Motorola, such as the 680X0 processor or a microprocessor manufactured by Intel, such as the 80X86, or Pentium processor, or a SPARC microprocessor from Sun Microsystems, Inc.
- Main memory 115 may be comprised of dynamic random access memory (DRAM).
- Video memory 114 is a dual-ported video random access memory. One port of the video memory 114 is coupled to video amplifier 116.
- the video amplifier 116 is used to drive the cathode ray tube (CRT) raster monitor 117.
- Video amplifier 116 is well known in the art and may be implemented by any suitable apparatus. This circuitry converts pixel data stored in video memory 114 to a raster signal suitable for use by monitor 117.
- Monitor 117 is a type of monitor suitable for displaying graphic images.
- Computer 100 may also include a communication interface 120 coupled to bus 118.
- Communication interface 120 provides a two-way data communication coupling via a network link 121 to a local network 122.
- If communication interface 120 is an integrated services digital network (ISDN) card, for example, communication interface 120 provides a data communication connection to the corresponding type of telephone line, which comprises part of network link 121.
- If communication interface 120 is a local area network (LAN) card, communication interface 120 provides a data communication connection via network link 121 to a compatible LAN.
- Communication interface 120 could also be a cable modem or a wireless interface. In any such implementation, communication interface 120 sends and receives electrical, electromagnetic or optical signals which carry digital data streams representing various types of information.
- Network link 121 typically provides data communication through one or more networks to other data devices.
- network link 121 may provide a connection through local network 122 to host computer 123 or to data equipment operated by an Internet Service Provider (ISP) 124.
- ISP 124 in turn provides data communication services through the world wide packet data communication network now commonly referred to as the "Internet" 125.
- Internet 125 uses electrical, electromagnetic or optical signals which carry digital data streams.
- the signals through the various networks and the signals on network link 121 and through communication interface 120, which carry the digital data to and from computer 100, are exemplary forms of carrier waves transporting the information.
- Computer 100 can send messages and receive data, including program code, through the network(s), network link 121, and communication interface 120.
- server 126 might transmit a requested code for an application program through Internet 125, ISP 124, local network 122 and communication interface 120.
- one such downloaded application is the method and apparatus for authenticated secure access to computer networks described herein.
- the received code may be executed by processor 113 as it is received, and/or stored in mass storage 112, or other non-volatile storage for later execution. In this manner, computer 100 may obtain application code by way of a carrier wave.
- Application code may be embodied in any form of computer program product.
- a computer program product comprises a medium configured to store or transport computer readable code, or in which computer readable code may be embedded.
- Some examples of computer program products are CD-ROM disks, ROM cards, floppy disks, magnetic tapes, computer hard drives, servers on a network, and carrier waves.
- the computer system described above is for purposes of example only.
- An embodiment of the invention may be implemented in any type of computer system or programming or processing environment including, but not limited to, embedded systems and/or "thin" access devices such as a web phone.
- Embodiments of the invention comprise software configured to allow authenticated, secure access to a computer network such as an intranet.
- Figure 2A provides a model used in one or more embodiments of the invention.
- Client 202 comprises a computer system connected to an extranet (e.g., extranet 244).
- Client 202 can be, for example, running browser software and capable of connecting to the Internet in some manner.
- client 202 can be an individual user that directly connects to the Internet via an Internet Service Provider.
- client 202 can be a corporate user that accesses the Internet via a corporate intranet and a proxy server running on the intranet, for example.
- a request generated by client 202 is transmitted via line 220 (i.e., the user's connection to the Internet).
- line 220 can represent a secure socket connection such as that provided by Netscape's Secure Socket Layer (SSL) mechanism.
- Line 220 can represent an immediate connection between client 202 and reverse proxy 204.
- line 220 can represent an indirect connection between client 202 and reverse proxy 204. That is, a communication between client 202 and reverse proxy 204 can be made via intermediate networks and any number of proxy (or other) servers at each intermediate point.
- reverse proxy 204 comprises program code configured to control access to an intranet from an external source (an extranet such as the Internet).
- reverse proxy 204 is configured to authenticate user(s), facilitate single sign-on for users, perform logging functions, control access to resources (e.g., intranet resources), and/or facilitate references to authorized resources (e.g., intranet resources).
- Application servers 212A-212C are examples of resources of an intranet.
- a request that is initiated by client 202 may be processed by one of application servers 212A-212C, for example.
- a request may be for a Web page that resides on application server 212A, for example.
- the request can be for program code (e.g., an applet) to be downloaded to client 202 or for invocation of program code on one of application servers 212A-212C, for example.
- Reverse proxy 204 comprises program code that is configured to, among others, authenticate the user of client 202.
- Reverse proxy 204 interacts with authentication server 208 to authenticate the user.
- Information entered by the user during the authentication is retained and can be forwarded by reverse proxy 204 to authenticate the user to an application running on one of application servers 212A-212C.
- Reverse proxy 204 can retain user information using state server 206, for example.
- Lines 232 and 222 represent communications between reverse proxy 204 and authentication server 208 and reverse proxy 204 and state server 206 (respectively) which can be achieved using a remote procedure call (RPC) mechanism, for example.
- Reverse proxy 204 further ensures that an authenticated user is only permitted to access authorized resources on the intranet.
- Authentication server 208 forwards an authenticated user's access privileges to reverse proxy 204.
- Reverse proxy 204 determines what a user is permitted to access using the access privileges received from authentication server 208.
- Access privileges can be comprised of a list of intranet resources to which a user is allowed access.
- Access can be expressed using a generic identification or pattern that is compared to a resource's reference to determine whether the reference and pattern match. For example, a group of resources whose references start with the letter "a" and include the letter "g" might be expressed as "a*g*", where "*" is a wild card matching zero or more characters. All resource references that begin with an "a" and include a "g" match this pattern.
- Reverse proxy 204 can perform a matching operation with the pattern and the resource identifier supplied by the user to determine whether the user is permitted to access the resource.
- the generic identification or pattern can be used to determine whether an external reference is translated to its internal reference and vice versa.
- When reverse proxy 204 determines that a user's request is directed to a permitted resource, reverse proxy 204 forwards the request via the intranet to a destination to access the resource. For example, a request from a user who is authorized to access application server 212A is forwarded by reverse proxy 204 to proxy server 210 (via line 234) as plain text. Proxy server 210 directs the request to application server 212A, via line 224. Application servers 212A-212C receive a request from proxy server 210 via lines 224, 226 and 228 which represent a plain text transaction, for example.
- Reverse proxy 204 retains a user's credentials (e.g., via state server 206) that can be forwarded to an application that executes on the intranet.
- the application need not request initial sign-on information from the user. Further, the user does not have to perform multiple sign-ons for each intranet application. Instead, the information received from the user by reverse proxy 204 can be forwarded to an intranet application. Thus, there is a single sign-on and authentication for a user.
- Reverse proxy 204 can facilitate logging.
- reverse proxy 204 can log internal errors, configuration errors, login attempts, login failures, session time-outs, session terminations, and performance metrics.
- In the Internet, or World Wide Web (WWW), a user typically identifies a resource (e.g., a file, application or application server) using a universal resource locator (URL) specification.
- a URL identifies the name of the resource, its location and the protocol used to obtain it.
- a URL identifies the server that can produce the resource (e.g., a file) and the protocol used to access the server. For example:
- Reverse proxy 204 maps an external reference for an intranet resource to its internal reference (i.e., the name used on the intranet to identify the resource).
- an extranet user can identify an internal resource even if the user does not know the intranet resource's internal reference. Further, it may be desirable to mask the actual intranet resource reference from the extranet user.
- a different mapping between external and internal references provides the ability to associate an external reference with different internal references.
- the external reference can map to a first internal resource.
- the same external reference can map to a second internal resource when a different mapping is used.
- the mapping mechanism of reverse proxy 204 can be used to specify a user's access privileges. For example, the absence of a mapping to an internal resource in a set of mappings for a user signifies that the user is not authorized to access the internal resource.
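The mapping mechanism described in the bullets above (mapping sets combined per privilege, literal and "*" pattern entries, access denied when no mapping matches, and internal references rewritten to external ones in responses unless a mapping is pass-through), as an added Python example that is not the patent's own code. hr.acme.com is the page's example host; gateway.example.com, hr-admin.acme.com, finance.acme.com, the privilege names and the sample response are assumed.

```python
import re
from dataclasses import dataclass
from functools import lru_cache
from typing import Dict, List, Optional

# The "*" wild card: zero or more characters. Inside a response body the match
# stops at whitespace, angle brackets or quotes so it cannot swallow markup.
WILDCARD_RE = r"([^\s<>\x22\x27]*)"


@dataclass(frozen=True)
class Mapping:
    external: str               # virtual reference shown to extranet users (literal or pattern)
    internal: str               # actual intranet reference (literal or pattern)
    passthrough: bool = False   # True: internal reference is forwarded to the user unmodified


@lru_cache(maxsize=None)
def _to_regex(pattern: str) -> "re.Pattern[str]":
    # Escape the literal text, then turn each escaped "\*" into a capturing wild card.
    return re.compile(re.escape(pattern).replace(r"\*", WILDCARD_RE))


def _fill(template: str, groups) -> str:
    # Put the text captured by each "*" on one side into the "*" slots of the other side.
    parts = template.split("*")
    out = [parts[0]]
    for i, part in enumerate(parts[1:]):
        out.append(groups[i] if i < len(groups) else "")
        out.append(part)
    return "".join(out)


def matches(pattern: str, reference: str) -> bool:
    """The matching operation: e.g. "a*g*" matches "accounting" but not "admin"."""
    return _to_regex(pattern).fullmatch(reference) is not None


def user_mappings(privileges: List[str], catalog: Dict[str, List[Mapping]]) -> List[Mapping]:
    """Combine the mapping sets of a user's privileges, processed in order.

    A later privilege's mapping with the same external reference modifies the
    earlier one; mappings with new external references supplement the set.
    """
    merged: Dict[str, Mapping] = {}
    for privilege in privileges:
        for mapping in catalog.get(privilege, []):
            merged[mapping.external] = mapping      # dict keeps first-insertion position
    return list(merged.values())


def resolve_request(external_ref: str, mappings: List[Mapping]) -> Optional[str]:
    """External -> internal reference for a request; None means no mapping
    matched, which the reverse proxy treats as access denied. The first matching
    entry wins, so literal entries should precede patterns that also cover them."""
    for mapping in mappings:
        hit = _to_regex(mapping.external).fullmatch(external_ref)
        if hit:
            return _fill(mapping.internal, hit.groups())
    return None


def rewrite_response(body: str, mappings: List[Mapping]) -> str:
    """Internal -> external references in a response, unless the mapping is pass-through."""
    for mapping in mappings:
        if mapping.passthrough:
            continue
        body = _to_regex(mapping.internal).sub(
            lambda hit, m=mapping: _fill(m.external, hit.groups()), body)
    return body


# Constructed catalog (hostnames other than hr.acme.com and the privilege names are assumed).
CATALOG: Dict[str, List[Mapping]] = {
    "employee": [
        # literal entry: the external name reveals nothing about the internal CGI path
        Mapping("https://gateway.example.com/directory",
                "http://hr.acme.com/cgi-bin/directory.cgi"),
        Mapping("https://gateway.example.com/hr/*", "http://hr.acme.com/*"),
        # public site: the reference is forwarded to the user without modification
        Mapping("http://www.acme.com/*", "http://www.acme.com/*", passthrough=True),
    ],
    "manager": [
        Mapping("https://gateway.example.com/finance/*", "http://finance.acme.com/*"),
        # modifies the employee entry: managers' HR requests go to the admin server
        Mapping("https://gateway.example.com/hr/*", "http://hr-admin.acme.com/*"),
    ],
}

# Constructed response body as an intranet application might return it.
SAMPLE_RESPONSE = (
    '<a href="http://hr.acme.com/cgi-bin/directory.cgi">Directory</a> '
    '<a href="http://hr.acme.com/reviews/2024">Reviews</a> '
    '<a href="http://www.acme.com/press">Press</a>'
)

if __name__ == "__main__":
    employee = user_mappings(["employee"], CATALOG)
    print(resolve_request("https://gateway.example.com/hr/reviews/2024", employee))
    print(resolve_request("https://gateway.example.com/finance/q1", employee))  # None: denied
    print(rewrite_response(SAMPLE_RESPONSE, employee))
```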
- A web server can be used to forward requests for web documents to a content server and to forward responses received from the content server to a client browser, for example.
- Reverse proxy 204 can be implemented as a common gateway interface (CGI) script that runs on an intranet's web server.
- Alternatively, reverse proxy 204 can be implemented as a plug-in of the web server. If reverse proxy 204 is implemented as a CGI script or as a plug-in, the web server forwards all requests directed to the intranet to reverse proxy 204 for processing. Reverse proxy 204 returns a response to the web server for forwarding to the extranet (e.g., a client browser).
- Reverse proxy 204 can also be implemented as a stand-alone component of the architecture. In this case, reverse proxy 204 can also act as a web server.
- Whatever the implementation (e.g., CGI script, plug-in, or stand-alone), reverse proxy 204 is included as a part of the gateway between the intranet and external networks such as the Internet.
- Figure 2B illustrates a model implementation of a reverse proxy as a component of an intranet gateway according to one embodiment of the invention.
- Intranet 248 consists of proxy server 210, authentication server 208 and application servers 212A-212C, as described in conjunction with Figure 2A.
- Intranet 248 is a computing device and/or network, access to which is to be restricted or controlled.
- Client 202 is resident on extranet 244.
- Extranet 244 is a computing device and/or network whose access to intranet 248 is to be controlled or restricted.
- Extranet 244 can be, for example, the various communications networks that comprise the Internet.
- Reverse proxy 204 is configured to control access to intranet 248 from extranet 244.
- Gateway 246 comprises firewalls 240 and 242 and reverse proxy 204.
- Firewalls 240 and 242 examine received packets to determine whether the packet should be allowed access to intranet 248.
- A firewall is typically a software application that examines a packet's header to determine the packet's type, the sender and the intended recipient. The access criteria made known to the firewall (e.g., via configuration information) are used by the firewall to determine whether the information contained in the packet satisfies the criteria.
- Firewall 240 is configured to allow packets (e.g., IP packets) that are addressed to reverse proxy 204. The packet is forwarded to reverse proxy 204, which ensures that the packet complies with the HTTP protocol.
- Firewall 242 can be configured to allow messages (e.g., RPC messages) originating from reverse proxy 204 and bound for either proxy server 210 or authentication server 208.
- Firewalls merely provide additional checkpoints for filtering packets directed to the intranet.
- Reverse proxy 204 provides a checkpoint that screens received packets and can be configured to accept certain packets and deny access to the rest.
- Thus, intranet gateway 246 can be comprised of reverse proxy 204 alone, or of reverse proxy 204 and one or more firewalls.
- FIG. 2C illustrates configuration alternatives according to one or more embodiments of the invention.
- An extranet (e.g., extranet 244 of Figure 2B) includes client 202.
- Box 276 represents the intermediate connections (e.g., proxy servers such as proxy servers 230 and/or 240, or other intermediate servers, computing devices and/or networks) between client 202 and an instance of reverse proxy 204. Box 276 can contain zero or more intermediate connections.
- Thus, client 202 can be directly connected to an instance of reverse proxy 204 (e.g., reverse proxy 224), or connected to an instance of reverse proxy 204 via one or more intermediate servers.
- For example, a request from client 202 can be routed via intermediate servers to reverse proxy 224.
- Reverse proxies 224 and 234 can each control access to an intranet.
- Reverse proxies 224 and 234 can authenticate the user of client 202 via an authentication server (e.g., authentication servers 228 and 218, respectively).
- In Figure 2C, reverse proxies 224 and 234 use different authentication servers (authentication servers 228 and 218, respectively); however, they can use the same authentication server.
- Box 286 indicates that there can be one or more instances of reverse proxy 204 to control access to an intranet.
- Each instance of reverse proxy 204 can be configured to authenticate a user, support single sign-on, perform logging and access control and map external references to internal references of intranet resources, for example.
- For example, a first authentication can be performed by reverse proxy 224. If the authentication is successful, the request is processed by reverse proxy 224.
- Reverse proxy 224 can forward the request to application server 212B via proxy server 250 where the request is directed to application server 212B, for example.
- Alternatively, reverse proxy 224 can forward the request to reverse proxy 234 if, for example, the request is directed to application server 212A.
- Reverse proxy 234 can perform a second authentication, if desired.
- An instance of reverse proxy 204 can be directly connected to an intranet resource, as illustrated by reverse proxy 234, which is directly connected to application server 212A.
- Alternatively, an instance of reverse proxy 204 can be indirectly connected to an intranet resource via, for example, one or more proxy servers; reverse proxy 224 is connected to application server 212B via proxy server 250.
- Reverse proxy 204 interacts with client 202 to receive and process a user request.
- Reverse proxy 204 enforces access privileges associated with a user.
- Reverse proxy 204 can also perform a logging function.
- Figure 3 illustrates a request processing model according to an embodiment of the invention. (Embodiments of the invention comprising user authentication are described below. ) The request processing described in Figure 3 assumes that the user of client 202 has been authenticated and reverse proxy 204 is aware of the access privileges associated with the user of client 202.
- Client 202 transmits a request to reverse proxy 204.
- An authenticated user's authorized access request is forwarded to the intranet resource. For example, a request from an authenticated user to access application server 212A (e.g., an application that is running on application server 212A) is forwarded to application server 212A via proxy server 210 by reverse proxy 204.
- Reverse proxy 204 ensures that the user has sufficient access privileges to access the intranet resource referenced in the user's request. That is, reverse proxy 204 examines a list of authorized resources associated with the user to determine whether the user has been authorized to access the referenced resource. If the request originates from an authenticated user who has sufficient access privileges to access the referenced resource, reverse proxy 204 changes the resource reference to its internal reference and forwards the request to the intranet resource using its internal reference.
- Reverse proxy 204 maps external resource references contained in the request to actual intranet resource references. Conversely, reverse proxy 204 maps internal resource references contained in a message transmitted from the intranet (e.g., a response to a request) to their corresponding external resource references. The mappings that are performed by reverse proxy 204 are performed on each transmission as it is transmitted between the intranet and an extranet.
- A transmission such as a URL request can be sent to the intranet from an extranet.
- The transmission can be, for example, a user's request in the form of a URL that comprises an external reference to an HTML page that resides on a server on the intranet.
- Reverse proxy 204 translates the external reference to an internal reference, if a mapping exists for the user between the external reference and its internal reference.
- Conversely, a reference to an internal resource may be bound for an extranet.
- For example, a response to a request generated on the intranet, such as a response generated by an application running on application server 212A, can contain an internal reference to an intranet resource.
- The response is forwarded by application server 212A to proxy server 210, which forwards it to reverse proxy 204.
- Reverse proxy 204 translates internal references contained in the response to external references, using the set of mappings associated with the user, before forwarding the response to client 202.
- If the response is an HTML page that contains hyperlinks to other HTML pages that reside on the intranet, reverse proxy 204 translates the hyperlink references to external references using the user's set of mappings.
- The external reference identifies reverse proxy 204.
- When a user requests an intranet resource by its external reference (e.g., selects a hyperlink that has been re-written by reverse proxy 204), the request is forwarded to reverse proxy 204.
- Reverse proxy 204 can then attempt to re-write the external reference using the set of mappings associated with the requesting user.
- Reverse proxy 204 refers to a table that identifies a mapping between an intranet resource's external reference and its internal reference.
- The following provides an example of a table of mappings according to an embodiment of the invention:
- The internal reference identifies an intranet resource (e.g., a server named "internal.helpServer").
- The intranet resource's internal reference is mapped to an external reference for the intranet resource.
- An intranet resource's internal reference is re-written (as an external reference) to appear as though it is on reverse proxy 204.
- That is, the external reference includes a reference to reverse proxy 204.
- Reverse proxy 204 substitutes the external reference in place of the intranet resource's intranet reference in a transmission (e.g., a response) that is sent to client 202.
- For example, a link in an HTML document that is expressed as an intranet reference to the index.html file in the help directory of the internal.helpServer server can be translated to a "help" external reference by reverse proxy 204.
- An intranet reference of "internal.helpServer:8015/help/index.html" can be translated to a "help/index.html" reference, for example, to present to the user.
- When the user requests "help/index.html", reverse proxy 204 translates it to its intranet reference before it forwards the request.
- That is, "help/index.html" is translated to "internal.helpServer:8015/help/index.html" by reverse proxy 204, for example.
- Reverse proxy 204 forwards the request to the
- Reverse proxy 204 forwards a request including its intranet references to the intranet (e.g., initially to proxy server 210).
- In the example, the first five entries in the mappings table contain literal expressions for both the internal and external references.
- A mapping can also be expressed in terms of pattern expressions. If a pattern expression is given, it is used to translate references that match the pattern expression. For example, if a pattern expression is used in the external reference mapping entry (e.g., the left-hand column in the above mapping table), an external reference is compared to the external reference pattern expression. If the external reference matches the pattern, the external reference can be translated to the internal reference mapping entry (e.g., the right-hand column in the above mapping table). Where the internal reference mapping entry is expressed in terms of a pattern expression, the pattern expression is used to generate the internal reference.
- The last table entry includes a pattern expression for both the external and internal references.
- The mappings table example uses regular expressions to describe a pattern.
- The external reference pattern expression in the example matches an external reference that contains a first set of alphabetic characters followed by a period (".") followed by a second set of alphabetic characters, optionally followed by ":80".
- External references such as "xyz.cde" or "xyz.cde:80" match the external reference pattern expression.
- An external reference such as "xyz.cde.abc" does not match the external reference pattern expression. If the external reference matches the external reference pattern expression, the external reference is translated into the internal reference.
- In the example, the internal reference is also expressed as a pattern.
- The internal reference pattern expression is used to translate the external reference into the internal reference.
- The first set of alphabetic characters from the external reference becomes the first part of the internal reference, followed by a "." followed by the second set of alphabetic characters from the external reference. If the external reference contained a ":80" character string, it is replaced by a ":8080" character string. If, for example, the external reference was "xyz.cde:80", it is translated to an "xyz.cde:8080" internal reference.
- If an external reference does not match the external reference pattern expression, it is not translated into an internal reference. If the external reference also cannot be translated into an internal reference using another external reference entry in the mappings table, the external reference cannot be used to access an internal resource. Thus, access to the internal resource should be denied.
- The external reference "xyz.cde.abc" does not match any of the external reference entries in the mappings table, is not translatable to an internal resource using this mappings table, and access to an internal resource is therefore not possible. The user could be informed, for example, that there is no such resource with the name specified by the external reference.
- Reverse proxy 204's mapping mechanism can therefore be used to enforce an access policy for external users. Further, using the mapping mechanism, a user of client 202 need not have knowledge of the actual internal reference for an intranet resource. This simplifies a user's access. Further, this level of indirection allows resources to be moved to different sites on the intranet without requiring the user to be aware of the move. In addition to simplifying a user's access, there are security benefits to shielding the structure of the intranet from the user. Using external references that map to their corresponding intranet references has the effect of hiding the intranet's actual structure. This can limit a user's ability to successfully attempt an unauthorized access of the intranet, or a component of the intranet.
- The same external reference can map to a different internal resource depending on which set of mappings is used.
- The set of mappings that is used for translating references for a given user can be specified in the user's credentials.
- Thus, the same external reference used by two different users can translate into different internal references where the two users are assigned different sets of mappings.
- Authentication server 208 returns a user's credentials for an authenticated user.
- A user's credentials identify the set of mappings for the user.
- For example, the user's credentials can specify a set of privileges (e.g., a user may have the privileges associated with an employee, a member of a given department, and/or a member of management of a given department).
- A user's privileges are used to identify the set of mappings for the user.
- Multiple sets of mappings can be combined to construct a master set of mappings for the user. For example, where each privilege included in a user's credentials identifies a different set of mappings, the sets of mappings can be combined to create one set of mappings for the user.
- The sets of mappings can be combined such that a mapping can be added based on one set of mappings and deleted or modified based on another (e.g., subsequently processed) set of mappings.
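The mapping-table translation described above (literal entries, the regular-expression entry that rewrites "xyz.cde:80" to "xyz.cde:8080", denial when no entry matches, response-side rewriting of hyperlinks, and the composition of per-privilege mapping sets into one master set) is shown here as an added example. It is not code from the patent. The mapping entries, the privilege names "employee" and "management", the host names internal.mgmtServer and internal.reportServer, the proxy host proxy.example and all function names are assumptions made for illustration; the page's own mapping table is not reproduced. The inverse of the pattern entry, needed to rewrite responses, is also an assumption, since the page only specifies the external-to-internal direction.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple, Union

# Assumed host under which the reverse proxy presents rewritten links to client 202.
PROXY_BASE = "https://proxy.example/"


@dataclass(frozen=True)
class Literal:
    external: str   # reference the extranet user sees
    internal: str   # reference used on the intranet


@dataclass(frozen=True)
class Pattern:
    # The page describes the external->internal pattern; the internal->external
    # pattern is an assumed inverse so that responses can be rewritten as well.
    external_re: str
    to_internal: Callable[..., str]
    internal_re: str
    to_external: Callable[..., str]


Mapping = Union[Literal, Pattern]
MappingSet = List[Tuple[str, object]]   # ("add", Mapping) or ("delete", external ref)


def external_to_internal(ref: str, mappings: Sequence[Mapping]) -> Optional[str]:
    """Translate an external reference; None means no mapping, i.e. access is denied."""
    for m in mappings:
        if isinstance(m, Literal):
            if ref == m.external:
                return m.internal
        elif (match := re.fullmatch(m.external_re, ref)) is not None:
            return m.to_internal(match)
    return None


def internal_to_external(ref: str, mappings: Sequence[Mapping]) -> Optional[str]:
    """Inverse direction, used when filtering a response bound for the extranet."""
    for m in mappings:
        if isinstance(m, Literal):
            if ref == m.internal:
                return m.external
        elif (match := re.fullmatch(m.internal_re, ref)) is not None:
            return m.to_external(match)
    return None


def rewrite_links(html: str, mappings: Sequence[Mapping]) -> str:
    """Rewrite href targets that are internal references so they point at the proxy;
    targets with no mapping are left untouched."""
    def repl(attr: "re.Match[str]") -> str:
        ext = internal_to_external(attr.group(2), mappings)
        return f'{attr.group(1)}{PROXY_BASE}{ext}"' if ext is not None else attr.group(0)
    return re.sub(r'(href=")([^"]*)"', repl, html)


# Constructed per-privilege mapping sets (not the page's table). The last "employee"
# entry is the regular-expression mapping the page describes: two alphabetic labels
# joined by a period, optionally followed by ":80", which becomes ":8080".
PORT_RULE = Pattern(
    r"([A-Za-z]+)\.([A-Za-z]+)(:80)?",
    lambda m: f"{m[1]}.{m[2]}" + (":8080" if m[3] else ""),
    r"([A-Za-z]+)\.([A-Za-z]+)(:8080)?",
    lambda m: f"{m[1]}.{m[2]}" + (":80" if m[3] else ""),
)
SETS_BY_PRIVILEGE: Dict[str, MappingSet] = {
    "employee": [
        ("add", Literal("help/index.html", "internal.helpServer:8015/help/index.html")),
        ("add", Literal("help/faq.html", "internal.helpServer:8015/help/faq.html")),
        ("add", PORT_RULE),
    ],
    "management": [   # processed after "employee": replaces one entry, adds another
        ("delete", "help/index.html"),
        ("add", Literal("help/index.html", "internal.mgmtServer:8015/help/index.html")),
        ("add", Literal("reports", "internal.reportServer:9000/reports/")),
    ],
}


def master_mappings(privileges: Sequence[str]) -> List[Mapping]:
    """Combine the sets named by a user's privileges, in order, into one master set."""
    result: List[Mapping] = []
    for priv in privileges:
        for op, arg in SETS_BY_PRIVILEGE[priv]:
            if op == "add":
                result.append(arg)
            else:   # delete every literal entry with this external reference
                result = [m for m in result
                          if not (isinstance(m, Literal) and m.external == arg)]
    return result


def handle_request(external_ref: str, privileges: Sequence[str]) -> str:
    """Return the internal reference to forward to, or a refusal when no mapping exists."""
    internal = external_to_internal(external_ref, master_mappings(privileges))
    return internal if internal is not None else f"404: no such resource '{external_ref}'"
```

Mapping sets are applied in the order the privileges appear in the credentials, so a later set can delete and replace an entry added by an earlier one; that is what lets "help/index.html" resolve to different servers for a user with only the "employee" privilege and a user who also has "management". Nothing reaches the intranet side without passing through the table, so an external reference with no entry is reported as a missing resource rather than forwarded, and "xyz.cde.abc" is refused exactly as the text describes.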
- A user's credentials can also be used to authenticate the user to a given intranet resource (e.g., an application).
- In one embodiment, reverse proxy 204 forwards the user's credentials (e.g., using one or more credential forwarding mechanisms available in the HTTP protocol).
- Reverse proxy 204 can send the user's credentials in addition to forwarding the user's information (e.g., userid) to the intranet.
- For example, an application that executes on application server 212A may require a userid to authenticate a user before the user's request can be processed by the application.
- Reverse proxy 204 forwards the request and credentials (which include a userid) to application server 212A via proxy server 210.
- Reverse proxy 204 interacts with authentication server 208 to authenticate a user and retrieve a user's access privileges. A user's access privileges are used by reverse proxy 204 to determine whether a request to access an intranet resource is authorized. An authenticated user's authorized access request is forwarded to the intranet resource.
- Figure 4 illustrates a login and authentication model according to an embodiment of the invention.
- To access the intranet initially, the user sends a request to reverse proxy 204. Since it is the user's initial request to the intranet, reverse proxy 204 requests user login information and authenticates the user. The authentication process, therefore, occurs upon a user's initial access to the intranet in one or more embodiments of the invention. User authentication can also take place at given times during a user's session.
- Client 202 sends a request to reverse proxy 204. If client 202 has already logged on and has been authenticated, client 202 has a cookie (or piece of information) given to the user by reverse proxy 204 that client 202 can send to reverse proxy 204. If client 202 sends a valid cookie with the request, reverse proxy 204 can process the request as described in conjunction with Figure 3, for example.
- Otherwise, reverse proxy 204 assumes that the user is not yet authenticated and initiates an authentication for the user.
- Reverse proxy 204 sends a request for user information to client 202.
- The request from reverse proxy 204 for user information can be in the form of an HTML page that contains a set of prompts and input fields, for example.
- The user can enter the user information and submit the HTML page.
- Client 202 forwards the user information to reverse proxy 204.
- The requested user information is extracted from the HTML page.
- Reverse proxy 204 forwards the userid to authentication server 208 and generates an information item or value (referred to as a cookie), such as a random number, for the user.
- The cookie comprises a unique value for the user. Since the cookie alone identifies the authenticated session on subsequent requests, it should be generated from a cryptographically secure random source so that it cannot be guessed.
- A cookie can remain valid until the user logs off, or can become invalid prior to the user logging off, for example.
- A user's cookie can expire, for example, after the user has been logged on for a certain period of time, or if no transmissions are received from the user over a certain period of time.
- Authentication server 208 generates a challenge (e.g., a randomly generated value) and forwards the challenge to reverse proxy 204.
- Reverse proxy 204 stores the challenge, cookie and userid.
- In one embodiment, reverse proxy 204 sends the challenge, cookie and userid to state server 206 for retention.
- Reverse proxy 204 forwards the challenge to client 202 along with the cookie and instructions to forward the cookie with each subsequent transmission to reverse proxy 204.
- The user responds with a result that is generated from the challenge. For example, the user enters the challenge into computing device 404 (e.g., via a key pad of the computing device).
- Computing device 404 is used to generate a unique value using input, a portion of which is sent to client 202 by reverse proxy 204.
- An enigma card or smart card is an example of a computing device that executes an algorithm to compute a result based on input. Such computing devices are available from various manufacturers.
- The user inputs the challenge and another identifier (e.g., a personal identification number or PIN) into computing device 404.
- Computing device 404 generates a result, which is referred to herein as the user's password, or result.
- Because the challenge differs for each authentication, the result computed from the input will necessarily be different for each authentication. This creates a more secure environment, since the user's password (i.e., the result generated by the computing device) changes for each login and, provided each challenge is used only once, a result captured in transit cannot be reused.
- In another embodiment, X.509 digital certificates are used to authenticate the user.
- Some browsers have built-in capability to provide certificates such as those based on the X.509 standard (ITU-T Recommendation X.509, also published as ISO/IEC 9594-8).
- In this embodiment, reverse proxy 204 requests a certificate.
- The web browser prompts the user for a value referred to as a certificate identifier or pass phrase.
- The browser then sends an X.509 certificate.
- Reverse proxy 204 can forward the certificate to authentication server 208 to authenticate the certificate ID or pass phrase submitted by the user.
- In another embodiment, computing device 404 is not used to generate a result. Instead, the user simply enters a result (e.g., a password or PIN) that has been issued to the user. In this case, a challenge is not sent to client 202.
- The user is then authenticated on the basis of the userid and password values.
- Returning to the challenge-response embodiment, the user enters the result displayed by computing device 404 in a field of the browser software running on client 202, and client 202 forwards the result and cookie to reverse proxy 204.
- Reverse proxy 204 sends the cookie to state server 206 to retrieve the user's userid and challenge from storage.
- State server 206 retrieves the userid and challenge associated with the user's cookie and forwards them to reverse proxy 204.
- Reverse proxy 204 sends the userid, challenge and result to authentication server 208.
- Authentication server 208 computes the expected result for the challenge and verifies that the result received from the user matches it. If not, authentication server 208 forwards a rejection to reverse proxy 204.
- Reverse proxy 204 can forward the rejection to client 202.
- If the result is verified, authentication server 208 forwards the credentials associated with the userid to reverse proxy 204.
- The credentials can be, for example, a list of intranet resources that the user is given authority to access.
- The authorized resources can be itemized individually, or a pattern can be used to identify a set of resources whose identifiers (e.g., URLs) match the pattern.
- Reverse proxy 204 uses the user's credentials to determine whether the user is authorized to access the intranet resource(s) identified in the user's request. If the user does not have the authority to access the intranet resource(s), a rejection message can be sent to client 202. If the user's credentials indicate that the user has authority to access the intranet resource(s), reverse proxy 204 forwards the request to intranet 248 (e.g., proxy server 210).
- Reverse proxy 204 processes requests received from both authenticated and unauthenticated users.
- Figure 5 provides a request processing process flow according to an embodiment of the invention.
- Client 202 sends a request to reverse proxy 204.
- Reverse proxy 204 then determines whether the user is an authenticated or an unauthenticated user. If, for example, the request includes a valid cookie generated by reverse proxy 204, processing continues at step 518 to process the request.
- Figure 7 provides an example of a process flow for processing an authenticated user's request. Processing then continues at step 502 to await another request.
- If the request does not include a valid cookie, the user is authenticated; Figures 6A-6B illustrate an authentication process flow according to an embodiment of the invention.
- At step 510, reverse proxy 204 determines whether the user is an authorized user. For example, reverse proxy 204 examines the transmission from authentication server 208 to determine whether the transmission contains a rejection of the user or contains the user's credentials. If the transmission contains a rejection, processing continues at step 512 to send a rejection message to client 202, and processing continues at step 502 to await another request. If authentication server 208 forwards the user's credentials, processing continues at step 514 to determine the user's access privileges based on the credentials sent by authentication server 208. At step 516, reverse proxy 204 translates any external addresses in the request to intranet addresses. At step 518, the request is processed.
- Thus, a new user is authenticated to ensure that the user is an authorized user, while an existing user (i.e., a user who was previously authenticated with reverse proxy 204) is identified by the cookie.
- Figures 6A-6B provide an authentication process flow according to an embodiment of the invention.
- Step 602 is initiated after a request is received from client 202 and reverse proxy 204 determines that the user needs to be authenticated.
- At step 602, reverse proxy 204 sends a request to client 202 for the user's information.
- The user's userid is sent to authentication server 208 once it is received from client 202 by reverse proxy 204.
- Reverse proxy 204 then receives the challenge generated by authentication server 208.
- Reverse proxy 204 obtains a cookie that uniquely identifies the session that the user is establishing between client 202 and reverse proxy 204.
- Reverse proxy 204 retains the cookie, challenge and userid for the user.
- For example, reverse proxy 204 can send the cookie, challenge and userid values to state server 206 in a storage request.
- Reverse proxy 204 sends the challenge to client 202 along with the cookie.
- Reverse proxy 204 receives a result and the cookie from the client.
- Reverse proxy 204 obtains the challenge and userid associated with the cookie sent by client 202.
- Reverse proxy 204 sends the challenge, result and userid to authentication server 208.
- Reverse proxy 204 receives either a rejection or the user's credentials in response to the challenge, result and userid.
- Processing then continues at step 510 of Figure 5 to determine whether authentication succeeded or failed.
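The login exchange of Figure 4 and the steps of Figures 6A-6B are simulated below as an added example; this is not code from the patent. The reverse proxy and authentication server are in-process Python classes standing in for components 204 and 208, and a dictionary inside the proxy stands in for state server 206. The user record for "alice", the PIN, the device seed, the idle and absolute session limits, and the HMAC construction that stands in for computing device 404's algorithm are all assumptions, since the page does not specify how the device or the authentication server computes the result. The credentials returned on success are a list of authorized references and patterns, as the page describes; shell-style wildcards are an assumed pattern syntax.

```python
import fnmatch
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed user record shared by the token device and the authentication server.
# The page does not say how the server derives the expected result; an HMAC over the
# challenge and PIN keyed with a per-device seed is the assumption used here.
USERS = {
    "alice": {"seed": b"alice-device-seed", "pin": "1234",
              "credentials": ["help/*", "reports"]},   # authorized references/patterns
}


def token_result(seed: bytes, pin: str, challenge: str) -> str:
    """Value computing device 404 would display for a challenge and PIN (8 hex digits)."""
    return hmac.new(seed, (challenge + pin).encode(), hashlib.sha256).hexdigest()[:8]


class AuthenticationServer:
    def challenge(self, userid: str) -> str:
        # A challenge is issued even for unknown userids so the login form does not
        # reveal which userids exist; verification fails later for those.
        return secrets.token_hex(8)

    def verify(self, userid: str, challenge: str, result: str) -> Optional[List[str]]:
        """Return the user's credentials, or None for a rejection."""
        user = USERS.get(userid)
        if user is None:
            return None
        expected = token_result(user["seed"], user["pin"], challenge)
        return list(user["credentials"]) if hmac.compare_digest(expected, result) else None


@dataclass
class Session:
    userid: str
    challenge: Optional[str]          # cleared after one use so a result cannot be replayed
    credentials: Optional[List[str]]  # None until authentication succeeds
    created: float
    last_seen: float


class ReverseProxy:
    MAX_LIFETIME = 8 * 3600   # absolute session lifetime in seconds (assumed value)
    IDLE_TIMEOUT = 15 * 60    # drop the session when nothing arrives for this long

    def __init__(self, auth: AuthenticationServer) -> None:
        self.auth = auth
        self.state: Dict[str, Session] = {}   # stands in for state server 206

    def handle(self, ref: str, cookie: Optional[str] = None, userid: Optional[str] = None,
               result: Optional[str] = None, now: Optional[float] = None) -> dict:
        """One request from client 202; returns the proxy's decision as a dict."""
        now = time.time() if now is None else now
        sess = self.state.get(cookie) if cookie else None
        if sess is not None and sess.credentials is not None:       # valid cookie
            if now - sess.created > self.MAX_LIFETIME or now - sess.last_seen > self.IDLE_TIMEOUT:
                self.state.pop(cookie, None)                         # expired: log in again
            else:
                sess.last_seen = now
                return self.authorize(ref, sess.credentials)
        elif sess is not None and result is not None and sess.challenge is not None:
            challenge, sess.challenge = sess.challenge, None         # single use
            creds = self.auth.verify(sess.userid, challenge, result)
            if creds is None:
                self.state.pop(cookie, None)
                return {"action": "reject"}
            sess.credentials, sess.last_seen = creds, now
            return self.authorize(ref, creds)
        if userid is not None:                                       # login form submitted
            cookie, challenge = secrets.token_urlsafe(32), self.auth.challenge(userid)
            self.state[cookie] = Session(userid, challenge, None, now, now)
            return {"action": "challenge", "cookie": cookie, "challenge": challenge}
        return {"action": "login_form"}

    def authorize(self, ref: str, creds: List[str]) -> dict:
        """Figure 7 check: forward only references matched by the user's credentials."""
        if any(fnmatch.fnmatchcase(ref, pattern) for pattern in creds):
            return {"action": "forward", "to": ref}
        return {"action": "deny", "ref": ref}


def run_exchange(now: float = 1_000_000.0) -> List[str]:
    """Scripted client side of the exchange; returns the proxy's action at each step."""
    proxy = ReverseProxy(AuthenticationServer())
    steps = [proxy.handle("help/index.html", now=now)["action"]]               # no cookie yet
    r = proxy.handle("help/index.html", userid="alice", now=now)               # userid submitted
    steps.append(r["action"])
    result = token_result(USERS["alice"]["seed"], "1234", r["challenge"])      # device output
    steps.append(proxy.handle("help/index.html", cookie=r["cookie"], result=result, now=now)["action"])
    steps.append(proxy.handle("payroll", cookie=r["cookie"], now=now + 60)["action"])    # not authorized
    steps.append(proxy.handle("reports", cookie=r["cookie"], now=now + 3600)["action"])  # idle timeout
    r = proxy.handle("reports", userid="alice", now=now)
    wrong = token_result(USERS["alice"]["seed"], "0000", r["challenge"])       # wrong PIN
    steps.append(proxy.handle("reports", cookie=r["cookie"], result=wrong, now=now)["action"])
    return steps
```

`run_exchange()` returns the proxy's decision at each step: a login form for the first request, a challenge once a userid arrives, forward after a correct result, deny for a resource outside the credentials, the login form again after the idle timeout, and reject for a wrong PIN. Two details the page leaves implicit are made explicit here: each challenge is consumed on first use so a captured result cannot be replayed against the same session, and the expected and submitted results are compared in constant time.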
- A user's request received by reverse proxy 204 is forwarded to the intranet if the user is an authenticated user and is authorized to access the referenced intranet resources.
- Figures 5 and 6A-6B include steps for ensuring that a user is an authenticated user. If a request is from an authenticated user, reverse proxy 204 translates external references to intranet references (see step 516 of Figure 5).
- Figure 7 provides a process flow for processing an authenticated user's request according to an embodiment of the invention.
- Reverse proxy 204 determines whether the user is authorized to access a referenced intranet resource (e.g., by comparing the user's credentials with the reference). If the user does not have authorization to access the referenced intranet resource, processing continues at step 716 to generate an error. If the user has authorization to access the referenced intranet resource, processing continues at step 704 to include user authentication information in the request and forward the request to the intranet (e.g., proxy server 210). The request is forwarded within the intranet to the referenced resource.
- The response is forwarded back to the user.
- A response to the request is received by reverse proxy 204.
- Reverse proxy 204 translates intranet references contained in the response to external references.
- The filtered content (i.e., the content containing the external references) is then sent to client 202.
- Request processing finishes for the current request at step 712.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU48244/99A AU4824499A (en) | 1998-06-17 | 1999-06-16 | Method and apparatus for authenticated secure access to computer networks |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US9889298A | 1998-06-17 | 1998-06-17 | |
US09/098,892 | 1998-06-17 |
Publications (3)
Publication Number | Publication Date |
---|---|
WO1999066384A2 true WO1999066384A2 (en) | 1999-12-23 |
WO1999066384A3 WO1999066384A3 (en) | 2000-07-06 |
WO1999066384A9 WO1999066384A9 (en) | 2000-08-10 |
Family
ID=22271433
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US1999/013701 WO1999066384A2 (en) | 1998-06-17 | 1999-06-16 | Method and apparatus for authenticated secure access to computer networks |
Country Status (2)
Country | Link |
---|---|
AU (1) | AU4824499A (en) |
WO (1) | WO1999066384A2 (en) |
Cited By (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2803461A1 (en) * | 1999-12-31 | 2001-07-06 | Ge Medical Tech Serv | Mechanical image equipment/industrial remote diagnostic remote access license control having application demand network/central structure sent and central structure identifying/authorizing password application accessing information. |
FR2803462A1 (en) * | 1999-12-31 | 2001-07-06 | Ge Medical Tech Serv | Accessing by user distant medical diagnosis system containing protected software application via network by providing authorization certificate to user so that he/she may use protected software application |
WO2001065806A3 (en) * | 2000-03-01 | 2002-03-28 | Sun Microsystems Inc | System and method for avoiding re-routing in a computer network during secure remote access |
DE10107883A1 (en) * | 2001-02-19 | 2002-08-29 | Post Ebusiness Gmbh Deutsche | Method for transmitting data, proxy server and data transmission system |
EP1277099A2 (en) * | 2000-04-24 | 2003-01-22 | Microsoft Corporation | Security link management in dynamic networks |
GB2393365A (en) * | 2002-07-11 | 2004-03-24 | Sun Microsystems Inc | Authenticating a client to a legacy server using a web server connected to an authentication service when the client wishes to access data on the web server |
WO2005062989A2 (en) | 2003-12-23 | 2005-07-14 | Wachovia Corporation | Authentication system for networked computer applications |
EP1777912A1 (en) * | 2001-11-02 | 2007-04-25 | Juniper Networks, Inc. | Method and system for providing secure access to resources on private networks |
EP1316892A4 (en) * | 2000-08-11 | 2007-06-27 | Nifty Corp | Member information transmitting method, individual information acquiring method, and system |
DE102006012167A1 (en) * | 2006-03-13 | 2007-09-20 | Mainpean Gmbh | Service e.g. downloading digital music file, providing method, involves generating session, and providing service in frame of session through supplier, where communication between customer and supplier takes place via backup module |
EP1254432A4 (en) * | 1999-12-14 | 2009-04-22 | Verizon Corporate Serv Group | Secure gateway having user identification and password authentication |
WO2009151730A2 (en) | 2008-05-27 | 2009-12-17 | Microsoft Corporation | Authentication for distributed secure content management system |
US7877440B2 (en) | 2001-11-02 | 2011-01-25 | Juniper Networks, Inc. | Web resource request processing |
US7933923B2 (en) | 2005-11-04 | 2011-04-26 | International Business Machines Corporation | Tracking and reconciling database commands |
US7970788B2 (en) | 2005-08-02 | 2011-06-28 | International Business Machines Corporation | Selective local database access restriction |
US8141100B2 (en) | 2006-12-20 | 2012-03-20 | International Business Machines Corporation | Identifying attribute propagation for multi-tier processing |
WO2011119482A3 (en) * | 2010-03-22 | 2012-08-23 | Siemens Product Lifecycle Management Software Inc. | System and method for secure multi-client communication service |
US8261326B2 (en) | 2008-04-25 | 2012-09-04 | International Business Machines Corporation | Network intrusion blocking security overlay |
US8495367B2 (en) | 2007-02-22 | 2013-07-23 | International Business Machines Corporation | Nondestructive interception of secure data in transit |
GB2498566A (en) * | 2012-01-20 | 2013-07-24 | Dolphin Speed Networks Ltd | Authenticating a user at a proxy using cookies |
CN106209815A (en) * | 2016-07-04 | 2016-12-07 | 安徽天达网络科技有限公司 | A kind of Multi net voting connects authentication method |
US10498734B2 (en) | 2012-05-31 | 2019-12-03 | Netsweeper (Barbados) Inc. | Policy service authorization and authentication |
JP2021140821A (en) * | 2016-04-19 | 2021-09-16 | 株式会社三菱Ufj銀行 | Screen control device and screen control method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5805820A (en) * | 1996-07-15 | 1998-09-08 | At&T Corp. | Method and apparatus for restricting access to private information in domain name systems by redirecting query requests |
WO1998031124A1 (en) * | 1997-01-10 | 1998-07-16 | Hanson Gordon L | Reverse proxy server |
- 1999
  - 1999-06-16 WO PCT/US1999/013701 patent/WO1999066384A2/en active Application Filing
  - 1999-06-16 AU AU48244/99A patent/AU4824499A/en not_active Abandoned
Cited By (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1254432A4 (en) * | 1999-12-14 | 2009-04-22 | Verizon Corporate Serv Group | Secure gateway having user identification and password authentication |
FR2803462A1 (en) * | 1999-12-31 | 2001-07-06 | Ge Medical Tech Serv | Accessing by user distant medical diagnosis system containing protected software application via network by providing authorization certificate to user so that he/she may use protected software application |
FR2806233A1 (en) * | 1999-12-31 | 2001-09-14 | Ge Medical Tech Serv | SYSTEM PROVIDING SELECTIVE ACCESS TO A SOFTWARE APPLICATION |
FR2803461A1 (en) * | 1999-12-31 | 2001-07-06 | Ge Medical Tech Serv | Mechanical image equipment/industrial remote diagnostic remote access license control having application demand network/central structure sent and central structure identifying/authorizing password application accessing information. |
WO2001065806A3 (en) * | 2000-03-01 | 2002-03-28 | Sun Microsystems Inc | System and method for avoiding re-routing in a computer network during secure remote access |
EP1277099A2 (en) * | 2000-04-24 | 2003-01-22 | Microsoft Corporation | Security link management in dynamic networks |
EP1498800B1 (en) * | 2000-04-24 | 2008-07-02 | Microsoft Corporation | Security link management in dynamic networks |
US7257836B1 (en) | 2000-04-24 | 2007-08-14 | Microsoft Corporation | Security link management in dynamic networks |
EP1316892A4 (en) * | 2000-08-11 | 2007-06-27 | Nifty Corp | Member information transmitting method, individual information acquiring method, and system |
DE10107883A1 (en) * | 2001-02-19 | 2002-08-29 | Post Ebusiness Gmbh Deutsche | Method for transmitting data, proxy server and data transmission system |
DE10107883B4 (en) * | 2001-02-19 | 2006-02-09 | Deutsche Post Ag | Method for transmitting data, proxy server and data transmission system |
EP1777912A1 (en) * | 2001-11-02 | 2007-04-25 | Juniper Networks, Inc. | Method and system for providing secure access to resources on private networks |
US7877440B2 (en) | 2001-11-02 | 2011-01-25 | Juniper Networks, Inc. | Web resource request processing |
GB2393365B (en) * | 2002-07-11 | 2005-03-16 | Sun Microsystems Inc | A method and system for authenticating users of computer services |
GB2393365A (en) * | 2002-07-11 | 2004-03-24 | Sun Microsystems Inc | Authenticating a client to a legacy server using a web server connected to an authentication service when the client wishes to access data on the web server |
WO2005062989A2 (en) | 2003-12-23 | 2005-07-14 | Wachovia Corporation | Authentication system for networked computer applications |
EP1697818A4 (en) * | 2003-12-23 | 2014-06-11 | Wachovia Corp | Authentication system for networked computer applications |
US7970788B2 (en) | 2005-08-02 | 2011-06-28 | International Business Machines Corporation | Selective local database access restriction |
US7933923B2 (en) | 2005-11-04 | 2011-04-26 | International Business Machines Corporation | Tracking and reconciling database commands |
DE102006012167B4 (en) * | 2006-03-13 | 2008-02-21 | Mainpean Gmbh | Method and computer system for providing a service offered via a digital information network |
DE102006012167A1 (en) * | 2006-03-13 | 2007-09-20 | Mainpean Gmbh | Service e.g. downloading digital music file, providing method, involves generating session, and providing service in frame of session through supplier, where communication between customer and supplier takes place via backup module |
US8141100B2 (en) | 2006-12-20 | 2012-03-20 | International Business Machines Corporation | Identifying attribute propagation for multi-tier processing |
US8495367B2 (en) | 2007-02-22 | 2013-07-23 | International Business Machines Corporation | Nondestructive interception of secure data in transit |
US8261326B2 (en) | 2008-04-25 | 2012-09-04 | International Business Machines Corporation | Network intrusion blocking security overlay |
WO2009151730A2 (en) | 2008-05-27 | 2009-12-17 | Microsoft Corporation | Authentication for distributed secure content management system |
EP2304639A4 (en) * | 2008-05-27 | 2014-12-10 | Microsoft Corp | Authentication for distributed secure content management system |
WO2011119482A3 (en) * | 2010-03-22 | 2012-08-23 | Siemens Product Lifecycle Management Software Inc. | System and method for secure multi-client communication service |
GB2498566A (en) * | 2012-01-20 | 2013-07-24 | Dolphin Speed Networks Ltd | Authenticating a user at a proxy using cookies |
US10498734B2 (en) | 2012-05-31 | 2019-12-03 | Netsweeper (Barbados) Inc. | Policy service authorization and authentication |
JP2021140821A (en) * | 2016-04-19 | 2021-09-16 | 株式会社三菱Ufj銀行 | Screen control device and screen control method |
CN106209815A (en) * | 2016-07-04 | 2016-12-07 | 安徽天达网络科技有限公司 | A kind of Multi net voting connects authentication method |
Also Published As
Publication number | Publication date |
---|---|
AU4824499A (en) | 2000-01-05 |
WO1999066384A3 (en) | 2000-07-06 |
WO1999066384A9 (en) | 2000-08-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US6212640B1 (en) | | Resources sharing on the internet via the HTTP |
WO1999066384A2 (en) | | Method and apparatus for authenticated secure access to computer networks |
US7877440B2 (en) | | Web resource request processing |
US8326981B2 (en) | | Method and system for providing secure access to private networks |
US6640302B1 (en) | | Secure intranet access |
EP1442580B1 (en) | | Method and system for providing secure access to resources on private networks |
KR100946110B1 (en) | | Method and system for stepping up with certificate-based authentication without breaking an existing SSL session |
US8209541B2 (en) | | Method and system for single sign-on for multiple remote sites of a computer network |
US5805803A (en) | | Secure web tunnel |
US7360244B2 (en) | | Method for authenticating a user access request |
US6981143B2 (en) | | System and method for providing connection orientation based access authentication |
US6763468B2 (en) | | Method and apparatus for authenticating users |
JP4639297B2 (en) | | Single sign-on for network systems with multiple separately controlled limited access resources |
US7356833B2 (en) | | Systems and methods for authenticating a user to a web server |
US8640202B2 (en) | | Synchronizing user sessions in a session environment having multiple web services |
US20020184507A1 (en) | | Centralized single sign-on method and system for a client-server environment |
US20020069366A1 (en) | | Tunnel mechanis for providing selective external access to firewall protected devices |
JP2005538434A (en) | | Method and system for user-based authentication in a federated environment |
US7334126B1 (en) | | Method and apparatus for secure remote access to an internal web server |
JP2002523973A (en) | | System and method for enabling secure access to services in a computer network |
US6782418B1 (en) | | Method and apparatus for secure data file uploading |
Boncella | | Web security for e-commerce |
JP2001056795A (en) | | Access authentication processing device, network including the same, storage medium therefor, and access authentication processing method |
EP1777912B1 (en) | | Method and system for providing secure access to resources on private networks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| | AK | Designated states | Kind code of ref document: A2; Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A2; Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| | AK | Designated states | Kind code of ref document: A3; Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A3; Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | AK | Designated states | Kind code of ref document: C2; Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: C2; Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
| | COP | Corrected version of pamphlet | Free format text: PAGES 1/11-11/11, DRAWINGS, REPLACED BY NEW PAGES 1/11-11/11; DUE TO LATE TRANSMITTAL BY THE RECEIVING OFFICE |
| | REG | Reference to national code | Ref country code: DE; Ref legal event code: 8642 |
| | 122 | Ep: pct application non-entry in european phase | |