WO1999066384A9 - Method and apparatus for authenticated secure access to computer networks - Google Patents

Info

Publication number
WO1999066384A9
Authority
WO
WIPO (PCT)
Prior art keywords
computer
external
references
user
program code
Prior art date
Legal status
Ceased
Application number
PCT/US1999/013701
Other languages
French (fr)
Other versions
WO1999066384A3 (en)
WO1999066384A2 (en)
Inventor
Stephen Uhler
Current Assignee
Sun Microsystems Inc
Original Assignee
Sun Microsystems Inc
Priority date
1998-06-17
Filing date
1999-06-16
Publication date
2000-08-10

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science
  • Computer Security & Cryptography
  • General Engineering & Computer Science
  • Computer Hardware Design
  • Theoretical Computer Science
  • General Physics & Mathematics
  • Physics & Mathematics
  • Software Systems
  • Computing Systems
  • Computer Networks & Wireless Communication
  • Signal Processing
  • Computer And Data Communications
  • Data Exchanges In Wide-Area Networks

Abstract

Embodiments of the invention comprise a method and apparatus for authenticating secure access to computer networks. Embodiments of the invention control and manage access to a computer intranet from an extranet. Access to the intranet is allowed such that only specified packets are permitted to penetrate the intranet's gateway, and those packets are transmitted to a reverse proxy. The reverse proxy configurations authenticate a user, provide logging (e.g., of intranet access), forward user credentials to intranet applications, and provide a mapping between external references to intranet resources and their internal references. Mappings can be expressed literally or as a pattern expression.

Claims

CLAIMS
1. In a computer system, a method of accessing an internal computer network from an external source comprising:
receiving a message from an external source at said internal computer network, said message comprising a plurality of external references to a first plurality of resources of said computer network; translating said plurality of external references to a plurality of internal references for said first plurality of resources; translating a plurality of responses to said received message to be sent to said external source, said plurality of responses comprising a plurality of internal references to a second plurality of resources of said computer network into a plurality of external references to said second plurality of resources.
2. The method of claim 1 further comprising:
performing an authentication when said received message is received from a user.
3. The method of claim 2 wherein said performing an authentication further comprises:
forwarding a challenge to said user; validating a result generated by said user from said challenge; authenticating said user when said result is valid.
4. The method of claim 1 wherein said translating said plurality of external references further comprises:
determining access privileges for a user, said access privileges identifying a set of mappings comprising a plurality of external references mapping entries and a corresponding plurality of internal references mapping entries; translating those of said plurality of external references for which said user is authorized based on said access privileges.
5. The method of claim 4 wherein said translating said plurality of external references further comprises:
matching said one of said plurality of external references to said plurality of external reference mapping entries; translating said one of said plurality of external references when said one of said plurality of external references matches at least one of said plurality of external reference mapping entries, said one of said plurality of external references being translated using one of said internal reference mapping entries that corresponds to said at least one of said plurality of external reference mapping entries.
6. The method of claim 1 wherein said computer network comprises a plurality of applications, said method further comprising:
obtaining authentication information when a user attempts to access said computer network from an external source; forwarding said authentication information to each of said plurality of applications as needed as said user attempts to access said each of said plurality of applications.
7. The method of claim 1 further comprising:
determining whether a cookie is transmitted with an attempt by a user to access said computer network; determining whether said cookie is valid, if said cookie is transmitted; authenticating said user, if at least one of said cookie not being transmitted and said cookie is not valid conditions occurs.
8. A system comprising:
an external communication network comprising a plurality of computing devices; a reverse proxy coupled to said external communication network; an internal communications network coupled to said reverse proxy; a set of mappings coupled to said reverse proxy, said set of mappings configured to map between an external reference and an internal reference to a resource of said internal communications network.
9. The system of claim 8 wherein said reverse proxy is configured to translate from said external reference to said internal reference when said external reference is received from said external communications network.
10. The system of claim 8 wherein said reverse proxy is configured to translate from said internal reference to said external reference when said internal reference is sent from said internal communications network to said external communications network.
11. The system of claim 8 further comprising an authentication server, said authentication server coupled to said reverse proxy and configured to authenticate a user on said external communications network attempting to access said internal communications network.
12. The system of claim 8 wherein said reverse proxy is coupled to said external communications network via a plurality of intermediate servers.
13. The system of claim 8 wherein said internal communications network further comprises a plurality of application servers, said plurality of application servers are coupled to reverse proxy via a plurality of proxy servers.
14. A computer program product comprising:
a computer usable medium having computer readable program code embodied therein for accessing an internal computer network from an external source comprising:
computer readable program code configured to cause a computer to receive a message from an external source at said internal computer network, said message comprising a plurality of external references to a first plurality of resources of said computer network; computer readable program code configured to cause a computer to translate said plurality of external references to a plurality of internal references for said first plurality of resources; computer readable program code configured to cause a computer to translate a plurality of responses to said received message to be sent to said external source, said plurality of responses comprising a plurality of internal references to a second plurality of resources of said computer network into a plurality of external references to said second plurality of resources.
15. The computer program product of claim 14 further comprising:
computer readable program code configured to cause a computer to perform an authentication when said received message is received from a user.
16. The computer program product of claim 15 wherein said computer readable program code configured to cause a computer to perform an authentication further comprises:
computer readable program code configured to cause a computer to forward a challenge to said user; computer readable program code configured to cause a computer to validate a result generated by said user from said challenge; computer readable program code configured to cause a computer to authenticate said user when said result is valid.
17. The computer program product of claim 14 wherein said computer readable program code configured to cause a computer to translate said plurality of external references further comprises:
computer readable program code configured to cause a computer to determine access privileges for a user, said access privileges identifying a set of mappings comprising a plurality of external references mapping entries and a corresponding plurality of internal references mapping entries; computer readable program code configured to cause a computer to translate those of said plurality of external references for which said user is authorized based on said access privileges.
18. The computer program product of claim 17 wherein said computer readable program code configured to cause a computer to translate said plurality of external references further comprises:
computer readable program code configured to cause a computer to match said one of said plurality of external references to said plurality of external reference mapping entries; computer readable program code configured to cause a computer to translate said one of said plurality of external references when said one of said plurality of external references matches at least one of said plurality of external reference mapping entries, said one of said plurality of external references being translated using one of said internal reference mapping entries that corresponds to said at least one of said plurality of external reference mapping entries.
19. The computer program product of claim 14 wherein said computer network comprises a plurality of applications, said computer program product further comprising:
computer readable program code configured to cause a computer to obtain authentication information when a user attempts to access said computer network from an external source; computer readable program code configured to cause a computer to forward said authentication information to each of said plurality of applications as needed as said user attempts to access said each of said plurality of applications.
20. The computer program product of claim 14 further comprising:
computer readable program code configured to cause a computer to determine whether a cookie is transmitted with an attempt by a user to access said computer network; computer readable program code configured to cause a computer to determine whether said cookie is valid, if said cookie is transmitted; computer readable program code configured to cause a computer to authenticate said user, if at least one of said cookie not being transmitted and said cookie is not valid conditions occurs.
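The reverse-proxy behaviour recited in claims 1 to 7 (external-to-internal translation of request references, internal-to-external rewriting of responses, per-user authorization of mappings, credential forwarding, and the cookie check) as an added Python example; this is not code from the patent or from Sun. It generalizes the claims slightly by supporting both the literal and the pattern-expression mappings the abstract mentions; every host name, role name and cookie value is a constructed sample.

```python
"""Reverse-proxy reference mapping and session check modelled on claims 1-7.
Added example, not the patent's code; all hosts, roles and tokens are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Mapping:
    ext_pattern: str    # regex for an external reference (full match on requests)
    int_template: str   # expansion producing the internal reference
    int_pattern: str    # regex locating internal references inside responses
    ext_template: str   # expansion producing the external reference
    roles: frozenset = frozenset({"*"})  # roles allowed to use this mapping; "*" = anyone


def literal(ext_prefix, int_prefix, roles=frozenset({"*"})):
    """Literal mapping: an external URL prefix swapped for an internal one (no backslashes in URLs)."""
    return Mapping(re.escape(ext_prefix) + r"(.*)", int_prefix + r"\1",
                   re.escape(int_prefix) + r'([^\s"<>]*)', ext_prefix + r"\1",
                   frozenset(roles))


def authorized(mapping, roles):
    return "*" in mapping.roles or bool(mapping.roles & roles)


def translate_inbound(external_ref, roles, mappings):
    """Claims 1, 4, 5: external -> internal through the first mapping that matches
    AND that the user's roles permit. None means the proxy must refuse the request."""
    for m in mappings:
        match = re.fullmatch(m.ext_pattern, external_ref)
        if match and authorized(m, roles):
            return match.expand(m.int_template)
    return None


def translate_outbound(body, mappings):
    """Claim 1: rewrite every internal reference in a response to its external form,
    so internal host names never leave the intranet."""
    for m in mappings:
        body = re.sub(m.int_pattern, m.ext_template, body)
    return body


def handle_request(external_ref, cookies, sessions, mappings):
    """Claims 2, 6, 7: challenge when the session cookie is missing or unknown,
    refuse when no authorized mapping matches, else forward with the user's identity."""
    session = sessions.get(cookies.get("proxy_session"))
    if session is None:
        return ("challenge", None)
    internal = translate_inbound(external_ref, session["roles"], mappings)
    if internal is None:
        return ("forbidden", None)
    return ("forward", {"url": internal, "X-Authenticated-User": session["user"]})


# Constructed sample configuration: one literal mapping restricted to the "hr" role
# and one pattern mapping open to every authenticated user.
MAPPINGS = [
    literal("https://gw.example.com/hr/", "http://hr-server.corp/", roles={"hr"}),
    Mapping(r"https://gw\.example\.com/app/(\w+)/(.*)", r"http://\1.intranet.example/\2",
            r'http://(\w+)\.intranet\.example/([^\s"<>]*)', r"https://gw.example.com/app/\1/\2"),
]
SESSIONS = {  # constructed: cookie value -> authenticated identity and roles
    "tok-alice": {"user": "alice", "roles": frozenset({"staff"})},
    "tok-bob": {"user": "bob", "roles": frozenset({"hr", "staff"})},
}

if __name__ == "__main__":
    print(handle_request("https://gw.example.com/hr/payroll", {"proxy_session": "tok-bob"}, SESSIONS, MAPPINGS))
```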

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU48244/99A AU4824499A (en) 1998-06-17 1999-06-16 Method and apparatus for authenticated secure access to computer networks

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US9889298A 1998-06-17 1998-06-17
US09/098,892 1998-06-17

Publications (3)

Publication Number Publication Date
WO1999066384A2 (en) 1999-12-23
WO1999066384A3 (en) 2000-07-06
WO1999066384A9 (en) 2000-08-10

Family

ID=22271433

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US1999/013701 Ceased WO1999066384A2 (en) 1998-06-17 1999-06-16 Method and apparatus for authenticated secure access to computer networks

Country Status (2)

Country Link
AU (1) AU4824499A (en)
WO (1) WO1999066384A2 (en)

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6324648B1 (en) * 1999-12-14 2001-11-27 Gte Service Corporation Secure gateway having user identification and password authentication
US6584454B1 (en) * 1999-12-31 2003-06-24 Ge Medical Technology Services, Inc. Method and apparatus for community management in remote system servicing
JP2001229130A (en) * 1999-12-31 2001-08-24 Ge Medical Technology Services Inc Method and device for secure remote access to software of center service facility
AU2001243364A1 (en) * 2000-03-01 2001-09-12 Sun Microsystems, Inc. System and method for avoiding re-routing in a computer network during secure remote access
US7257836B1 (en) * 2000-04-24 2007-08-14 Microsoft Corporation Security link management in dynamic networks
JP2002055948A (en) * 2000-08-11 2002-02-20 Nifty Corp Computer system, member information transmitting method, and personal information acquiring method
DE10107883B4 (en) * 2001-02-19 2006-02-09 Deutsche Post Ag Method for transmitting data, proxy server and data transmission system
US7146403B2 (en) 2001-11-02 2006-12-05 Juniper Networks, Inc. Dual authentication of a requestor using a mail server and an authentication server
EP1777912B1 (en) * 2001-11-02 2018-08-15 Juniper Networks, Inc. Method and system for providing secure access to resources on private networks
US7281139B2 (en) * 2002-07-11 2007-10-09 Sun Microsystems, Inc. Authenticating legacy service via web technology
WO2005062989A2 (en) 2003-12-23 2005-07-14 Wachovia Corporation Authentication system for networked computer applications
US7970788B2 (en) 2005-08-02 2011-06-28 International Business Machines Corporation Selective local database access restriction
US7933923B2 (en) 2005-11-04 2011-04-26 International Business Machines Corporation Tracking and reconciling database commands
DE102006012167B4 (en) * 2006-03-13 2008-02-21 Mainpean Gmbh Method and computer system for providing a service offered via a digital information network
US8141100B2 (en) 2006-12-20 2012-03-20 International Business Machines Corporation Identifying attribute propagation for multi-tier processing
US8495367B2 (en) 2007-02-22 2013-07-23 International Business Machines Corporation Nondestructive interception of secure data in transit
US8261326B2 (en) 2008-04-25 2012-09-04 International Business Machines Corporation Network intrusion blocking security overlay
US8910255B2 (en) 2008-05-27 2014-12-09 Microsoft Corporation Authentication for distributed secure content management system
US20110231479A1 (en) * 2010-03-22 2011-09-22 Siemens Product Lifecycle Management Software Inc. System and Method for Secure Multi-Client Communication Service
GB2498566A (en) * 2012-01-20 2013-07-24 Dolphin Speed Networks Ltd Authenticating a user at a proxy using cookies
US10498734B2 (en) 2012-05-31 2019-12-03 Netsweeper (Barbados) Inc. Policy service authorization and authentication
JP7018255B2 (en) * 2016-04-19 2022-02-10 株式会社三菱Ufj銀行 Authentication management device and program
CN106209815A (en) * 2016-07-04 2016-12-07 安徽天达网络科技有限公司 A kind of Multi net voting connects authentication method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5805820A (en) * 1996-07-15 1998-09-08 At&T Corp. Method and apparatus for restricting access to private information in domain name systems by redirecting query requests
WO1998031124A1 (en) * 1997-01-10 1998-07-16 Hanson Gordon L Reverse proxy server

Also Published As

Publication number Publication date
WO1999066384A3 (en) 2000-07-06
AU4824499A (en) 2000-01-05
WO1999066384A2 (en) 1999-12-23

Similar Documents

Publication Publication Date Title
WO1999066384A9 (en) Method and apparatus for authenticated secure access to computer networks
US7954144B1 (en) Brokering state information and identity among user agents, origin servers, and proxies
US7581244B2 (en) IMX session control and authentication
Gutzmann Access control and session management in the HTTP environment
US7895319B2 (en) Variable DNS responses based on client identity
US6691232B1 (en) Security architecture with environment sensitive credential sufficiency evaluation
US8984620B2 (en) Identity and policy-based network security and management system and method
RU2439692C2 (en) Policy-controlled delegation of account data for single registration in network and secured access to network resources
US8332919B2 (en) Distributed authentication system and distributed authentication method
US6732105B1 (en) Secure authentication proxy architecture for a web-based wireless intranet application
US7185360B1 (en) System for distributed network authentication and access control
US7464402B2 (en) Authentication of network users
US20100269149A1 (en) Method of web service and its apparatus
US9548982B1 (en) Secure controlled access to authentication servers
Harrison Lightweight directory access protocol (LDAP): Authentication methods and security mechanisms
US20060206616A1 (en) Decentralized secure network login
US10404684B1 (en) Mobile device management registration
US6611916B1 (en) Method of authenticating membership for providing access to a secure environment by authenticating membership to an associated secure environment
US20090055917A1 (en) Authentication method and authentication system using the same
EP1530343A1 (en) Method and system for creating authentication stacks in communication networks
CN116055176A (en) Dynamic authorization login method based on SSO client security
US9485654B2 (en) Method and apparatus for supporting single sign-on in a mobile communication system
Mittal et al. Enabling trust in single sign-on using DNS based authentication of named entities
KR20180099992A (en) Consolidated Authentication Method based on Certificate
JP2003032281A (en) Access guidance apparatus and method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
AK Designated states

Kind code of ref document: A3

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

AK Designated states

Kind code of ref document: C2

Designated state(s): AE AL AM AT AU AZ BA BB BG BR BY CA CH CN CU CZ DE DK EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MD MG MK MN MW MX NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT UA UG UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: C2

Designated state(s): GH GM KE LS MW SD SL SZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

COP Corrected version of pamphlet

Free format text: PAGES 1/11-11/11, DRAWINGS, REPLACED BY NEW PAGES 1/11-11/11; DUE TO LATE TRANSMITTAL BY THE RECEIVING OFFICE

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct app. not ent. europ. phase