US2013191882A1PendingUtilityA1

Access control of remote communication interfaces based on system-specific keys

47
Assignee: JOLFAEI MASOUD AGHADAVOODIPriority: Jan 19, 2012Filed: Jan 19, 2012Published: Jul 25, 2013
Est. expiryJan 19, 2032(~5.5 yrs left)· nominal 20-yr term from priority
H04L 63/10H04L 63/0807G06F 21/335
47
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A computer implemented method, computer program product, and computer system is provided for receiving a service request to obtain service from a second application, the service request including a client context and a signed ticket obtained by the first application from a system computer, validating the received signed ticket based on the key associated with the system, determining that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of one or more attributes of the received client context to an access control list associated with the second application, and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
         1 . A computer program product, the computer program product being tangibly embodied on a computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
 receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;   validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;   determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and   send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.   
     
     
         2 . The computer program product of  claim 1  wherein a system includes the system computer including a central system database, the first application server and the first application, and the second application server and the second application. 
     
     
         3 . The computer program product of  claim 1  wherein a system includes the system computer that stores the key associated with the system, the system also including the first application server and the first application and the second application server and the second application, and wherein the executable code further causes a remote access engine running on the first application server to obtain the signed ticket from the system computer based on the following:
 send the client context to the system computer; and 
 receive, by the remote access engine running on the first application server, a signed ticket from the system computer that is based on the client context and the key associated with the system. 
 
     
     
         4 . The computer program product of  claim 1  wherein the signed ticket received by the remote access engine from the first application comprises a first signed ticket, and wherein the executable code causing the data processing apparatus to validate comprises executable code causing the data processing apparatus to:
 send, from the remote access engine, the client context to the system computer; 
 receive, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context; 
 validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated. 
 
     
     
         5 . The computer program product of  claim 4  wherein:
 the executable code causing the data processing apparatus to send comprises executable code causing the data processing apparatus to send, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context; and 
 the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system. 
 
     
     
         6 . The computer program product of  claim 1  wherein the system computer comprises:
 a processor; and 
 a central database for the system to securely store the key associated with the system; 
 wherein the signed ticket includes a signed client context that was signed by the system computer using the key associated with the system. 
 
     
     
         7 . The computer program product of  claim 1  wherein the client context comprises at least a system identifier (ID) that identifies the system. 
     
     
         8 . The computer program product of  claim 1  wherein the client context comprises at least a system identifier (ID) that identifies the system, an application ID that identifies the first application, and an address associated with the first application server or the first application. 
     
     
         9 . The computer program product of  claim 1  wherein the client context comprises at least one of: a system identifier (ID) that identifies the system of the first application, a user ID that identifies a user of the first application, a client ID or application ID that identifies the first application (or identifies an instance of the first application), an application server ID that identifies the server on which the first application is running, a transaction ID associated with a transaction for the requesting application, a software package ID that identifies the software package of the first application. 
     
     
         10 . The computer program product of  claim 1  wherein the service request received by the remote access engine from the first application is sent by the first application to the second application to fulfill a client request received by the first application from a client application, the service(s) of the second application being accessible through the first application after validation and are not directly accessible to the client application. 
     
     
         11 . The computer program product of  claim 1  wherein, the system computer comprises a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer; and
 wherein the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key. 
 
     
     
         12 . The computer program product of  claim 11 , wherein the signed ticket received from the first application comprises a first signed ticket, wherein the executable code causing the data processing apparatus to validate comprises executable code causing the data processing apparatus to:
 send, from the remote access engine, the received client context to the second system computer;   receive, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context;   validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.   
     
     
         13 . The computer program product of  claim 1  wherein the access control list associated with second application comprises at least one of:
 a white list or accept list that identifies one or more entities that are authorized to access the remote interface of the second application; and/or 
 a black list or deny list that identifies one or more entities that are not authorized to access the remote interface of the second application. 
 
     
     
         14 . A computer implemented method comprising:
 receiving, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;   validating, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;   determining, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and   sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.   
     
     
         15 . The computer implemented method of  claim 14  wherein the receiving comprises receiving, by a remote access engine running on the second application server from a remote access engine on the first application server that is part of or operating on behalf of the first application, the service request. 
     
     
         16 . The computer implemented method of  claim 14  wherein a system includes the system computer, the first application server and the first application, and the second application server and the second application, wherein the signed ticket received from the first application, if validated, indicates that the first application has indirect access to the key associated with the system via the system computer and, thus, indicates that the first application is authorized to obtain or access services from the second application. 
     
     
         17 . The computer implemented method of  claim 14  wherein the signed ticket received by the remote access engine from the first application comprises a first signed ticket, and wherein the validating comprises:
 sending, from the remote access engine, the client context to the system computer; 
 receiving, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context; and 
 validating, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated. 
 
     
     
         18 . The computer implemented method of  claim 17  wherein the sending comprises sending, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context; and
 the receiving comprises receiving, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system. 
 
     
     
         19 . The computer implemented method of  claim 14  wherein the system computer comprises a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer; and
 wherein the receiving comprises receiving, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key. 
 
     
     
         20 . The computer implemented method of  claim 19 , wherein the signed ticket received from the first application comprises a first signed ticket, wherein the validating comprises:
 sending, from the remote access engine, the received client context to the second system computer;   receiving, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context; and   validating, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.   
     
     
         21 . An apparatus comprising:
 receiving logic configured to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;   validation logic configured to validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;   determining logic configured to determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and   sending logic configured to send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.   
     
     
         22 . The apparatus of  claim 21  wherein the system computer comprises:
 a processor; and 
 a database to store the key associated with the system; 
 wherein the signed ticket includes a signed client context that was signed by the system computer using the key associated with the system. 
 
     
     
         23 . The apparatus of  claim 21  wherein the client context comprises at least a system identifier (ID) that identifies the system.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.