US20130191882A1 - Access control of remote communication interfaces based on system-specific keys - Google Patents

Access control of remote communication interfaces based on system-specific keys Download PDF

Info

Publication number
US20130191882A1
US20130191882A1 US13/353,558 US201213353558A US2013191882A1 US 20130191882 A1 US20130191882 A1 US 20130191882A1 US 201213353558 A US201213353558 A US 201213353558A US 2013191882 A1 US2013191882 A1 US 2013191882A1
Authority
US
United States
Prior art keywords
application
signed
computer
signed ticket
client context
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US13/353,558
Inventor
Masoud Aghadavoodi Jolfaei
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
SAP SE
Original Assignee
SAP SE
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SAP SE filed Critical SAP SE
Priority to US13/353,558 priority Critical patent/US20130191882A1/en
Assigned to SAP AG reassignment SAP AG ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: JOLFAEI, MASOUD AGHADAVOODI
Publication of US20130191882A1 publication Critical patent/US20130191882A1/en
Priority to US14/157,757 priority patent/US9191389B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • G06F21/33User authentication using certificates
    • G06F21/335User authentication using certificates for accessing specific resources, e.g. using Kerberos tickets
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Definitions

  • This description is directed generally to access control, and in particular, to a computer-implemented method, apparatus, and computer program product for access control of remote communication interfaces based on system-specific keys.
  • HTTP Hyper-Text Transfer Protocol
  • FTP File Transfer Protocol
  • RMI Remote Method Invocation
  • CORBA Common Object Request Broker Architecture
  • RCF Remote Function Call
  • One of the security issues which arises in some situations with remote services is that due to the remote accessibility, those services could be called from anywhere whenever network connectivity to the remote service can be established. This may present security risks where accessibility to some services should be restricted to certain programs or users.
  • a computer program product is provided.
  • the computer program product is tangibly embodied on a computer-readable storage medium and includes executable code that, when executed, is configured to cause at least one data processing apparatus to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an
  • a computer implemented method includes receiving, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validating, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determining, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining
  • an apparatus in another general aspect, includes receiving logic configured to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validation logic configured to validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determining logic configured to determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and sending logic configured to send a service reply from the second application to the first application to provide the requested
  • the subject matter described in this specification can be implemented as a method or as a system or using computer program products, tangibly embodied in information carriers, such as a CD-ROM, a DVD-ROM, a semiconductor memory, and a hard disk.
  • Such computer program products may cause a data processing apparatus to conduct one or more operations described herein.
  • the subject matter described herein may also be implemented as a system including a processor and a memory coupled to the processor.
  • the memory may encode one or more programs that cause the processor to perform one or more of the method acts described in this specification.
  • FIG. 1 is a block diagram illustrating a system 108 according to an example implementation.
  • FIG. 2 is a block diagram illustrating a system according to an example implementation.
  • FIG. 3 is a flow chart illustrating operation of an application or application server according to an example implementation.
  • FIG. 1 is a block diagram illustrating a system 108 according to an example implementation.
  • system 108 may include a system computer 110 , which may include a system processor 116 for processing information and a system database 112 for securely storing information, such as one or more keys, e.g., one or more private/public key pairs associated with or assigned to system 108 .
  • System database 112 may be a central system database, where the system 108 (and one or system, for example) may include only one central system database 112 to store, e.g., keys associated with the system.
  • System 108 may also include one or more application servers, such as, for example, application servers 118 , 120 , 122 , etc.
  • each application server may run on a different computing device, such as a different computer, server, etc., where each computing device may include a processor for processing instructions, a disk drive or other storage, memory, and may include input/output devices, for example.
  • Application servers 118 , 120 and 122 and system computer 110 of system 108 may be coupled to each other via an Intranet or Local Area Network (not shown), and may share one or more keys or key pairs stored securely in system database 112 . While only three application servers are shown in FIG. 1 , any number of application servers may be provided within system 108 . Any applications may be run at the same time on the same or on different application servers.
  • a client application 124 which may be a Web browser or other application, may send a request (e.g., a HTTP Get request, a HTTP Post request, or other request) via network 125 (e.g., the Internet) to an application, such as to server application 1 running on application server 118 .
  • server application 1 may obtain service(s) from one or more other applications within system 108 (and possibly from applications located in other systems).
  • server application 2 may provide an administrative service or other service (e.g., credit card authorization service) that should be accessible only to approved or authorized applications.
  • a requesting application may be granted access to obtain a requested service based on 1) a signed ticket validation, and 2) comparison of one or more client context attributes to an access control list associated with a requested application or service.
  • the signed ticket may be, e.g., a document or context information that has been signed or encrypted by system computer 110 using a system key or key associated with the system 108 .
  • Each application server may include one or more server applications running thereon, with each server application providing one or more services.
  • server application 1 (which may be, e.g., a shopping cart application) may reside or run on application server 118 .
  • Server application 2 (which may be, e.g., a credit card authorization application or other administrative application) may reside or run on application server 120 .
  • server application 3 may reside or run on application server 122 .
  • Each application may provide one or more services, e.g., as shopping cart service, a credit card authorization service, etc. These are merely some examples, and many other services may be provided.
  • one or more of the server applications may include (or may expose) a remote interface through which other applications may obtain application services (e.g., credit card authorization).
  • a remote interface may be an interface provided to allow non-local (e.g., located on a different server, or located in a different system) applications or clients (e.g., non-local application instances) to obtain services or invoke the methods of an application via the application's remote interface.
  • the remote interface may include the definition one or more methods or services which may be remotely accessed by other applications.
  • server application 2 may include remote interface 121 , which may include one or more methods (or services) and associated parameters.
  • a result may also be defined for each method or service, to allow a service result for the method to be returned to the requesting application/client.
  • Server application 2 may also include an access control list 123 associated with server application 2 , which may be used to determine which requesting clients or applications should be provided access to the methods or services of server application 2 via the remote interface 121 .
  • the access control list 123 may be specific to or associated with server application 2 , and may identify one or more client applications that may access each of one or more services or methods provided by server application 2 .
  • Access control list 123 may include, for example, a white list or approved list that may identify one or more entities (e.g., clients or applications) that are authorized to access the methods or services of server application 2 .
  • Access control list 123 may alternatively include a black list or denied list which may identify one or more applications, clients or other entities that are not allowed to access (or have access denied to) the methods or services of server application 2 .
  • the white list or black list of access control list 123 may identify applications, clients or other entities based on, for example one or more attributes of a client context which may include a system identifier (ID) that identifies a system of a requesting application (application that has requested access to the methods or services of application 2 ), a user ID that identifies a user of the requesting application, a client ID or application ID that identifies the requesting application (or identifies an instance of the requesting application), an application server ID that identifies the server on which the requesting application is running, a transaction ID associated with a transaction for the requesting application, a software package ID that identifies the software package of the requesting application.
  • ID system identifier
  • a requesting application may obtain requested services from a requested application (e.g., server application 2 ) via a remote interface 121 if the requesting application: 1) provides a signed ticket that is validated (e.g., to confirm integrity of a client context and/or to establish that the requesting application is a trusted party); and 2) it is determined that the first application has authorization to obtain the requested service based on a comparison of one or more attributes of a client context (presented by the requesting application) to an access control list 123 .
  • Each application server may include a remote access engine to perform tasks related to remote access of one or more applications on the application server.
  • application server 120 may include a remote access engine 125 to perform remote access tasks for one or more applications running on application server 120 .
  • Each application on application server 120 may include a remote access and an access control list.
  • Remote access engine 125 may control remote access to applications running on application server 120 or services offered from application server 120 , such as by: 1) validating signed tickets received from requesting applications, and 2) comparing one or more client context attributes or fields received from a requesting application to an access control list 125 in order to determine that a requesting application may obtain the requested services from the requested application.
  • a client application 124 may communicate with one or more application servers 118 , 120 and 122 , and/or one or more applications running on each of the one or more application servers 118 , 120 , 122 , etc.
  • only some of the services provided by the applications may be accessible in general, e.g., to all programs or users, such as a shopping cart service or program.
  • Some of the services and/or server applications may be accessible only to a select set of programs or users. For example, in a first example implementation, some applications or services may be accessible only to other applications or application servers within the same system. Or, in a second example implementation, some applications or services may be accessible only to applications or application servers within a subset of approved systems.
  • access to some of the applications or services may be restricted.
  • access to a remote interface or a remote application or service may be permitted for at least one or more applications within a same system as the requested application (e.g., requesting application and requested application reside on different application servers within the same system) or may be permitted for at least some applications of one or more approved outside systems (e.g., where requesting application and requested application are provided on application servers in different systems).
  • administrative services may be accessible only to a select group of one or more applications or users.
  • some applications may provide their services only to other server applications within the same system. While in other example implementations, some applications may provide services only to applications within a select group of systems. According to an example implementation, access to such restricted services may be provided through the use of a signed ticket that may be provided by the system computer 110 , as described in greater detail below.
  • an access control list may be used to control access to an application.
  • an access control list may identify one or more approved programs or users that may access the service or program.
  • an access control list or white (or approved) list may identify a set of users or programs, e.g., based on Internet Protocol (IP) address, that have been approved or authorized to access an application or service.
  • IP Internet Protocol
  • Other types of access control lists may be used, such as a black list or a list of applications that are denied access to the application or services.
  • access to services or programs or applications may be controlled or restricted through the use and validation of a signed ticket based on a system-specific key (or a key associated with or assigned to a system, such as system 110 ).
  • a key e.g., a system private key or other key associated with system 108
  • one or more private/public key pairs may be associated with (or assigned to) the system 108 and stored in database 112 . Due to the secure storage of keys (e.g., which may be stored in database 112 in an encrypted form) only processor 116 may access and have the ability to decrypt and use the one or more system private keys stored in database 112 .
  • system database 112 may securely store a key pair associated with or assigned to each application server 118 , 120 , and 122 , for example, within a system.
  • system computer 110 may sign a ticket with a requesting application's private key (or with the private key associated with an application server where the requesting application resides), or with the private key associated with an application server where a target or requested service resides or is located (where the requesting service may indicate the target or requested service and requested application server to the system computer 110 as part of a request for signed ticket, for example).
  • a requesting application (e.g., server application 1 ) running (or installed and executed) on a first application server 118 within a system 108 may obtain a signed ticket from a system computer 110 of system 108 .
  • the requesting application (e.g., server application 1 ) may then present or provide such signed ticket to application server 120 to obtain or access a requested service, such as to access a credit card authorization service provided by server application 2 running on application server 120 .
  • Remote access engine 125 may receive the signed ticket and perform ticket validation, as described in greater detail herein.
  • a signed ticket that has been signed by a system computer may indicate that the requesting application that presents such signed ticket is authorized to use any services or applications within the system.
  • the signed ticket may be used to access only some services or applications within a system 108 , for example.
  • the system computer may generate and return the signed ticket using a key associated with the requested application or associated with the application server on which the requested application resides, if the requesting application has permission to access such requested service or application.
  • a signed ticket may provide general authorization for all services or applications within a system or group of systems, or alternatively may only authorize permission for the requesting service to only access specific services or to access services or applications only on specific application servers, for example.
  • remote access engine 125 on the application server 120 may validate the received signed ticket, e.g., via communication with system computer 110 and/or with assistance of system computer 110 . According to an example implementation, if the received signed ticket is validated, this may indicate that the requesting service is authorized or permitted to access the requested service. Alternatively, validation of a signed ticket may be used to confirm the integrity of the provided client context, while use of an access control list may provide a final operation that is performed before allowing the requesting application to obtain requested services from a requested application.
  • the requested service is denied and the requested service and/or the application server on which the requested service resides may send a rejection message to the requesting application (e.g., server application 1 ) indicating that the request for service was denied or rejected.
  • the requesting application e.g., server application 1
  • the requesting application (e.g., server application 1 ) may be referred to as a “client,” and the requested application (e.g., server application 2 ) that may receive the request for service and may fulfill the request for service (if the signed ticket is validated and access to the requested service is authorized based on the access control list 123 ) may be referred to as a “server,” e.g., as applications having a client-server relationship, even though both may be applications residing on servers.
  • a requesting application may determine and/or may generate a client context that may be provided to system computer 110 in order to obtain a signed ticket from system computer 110 .
  • a client context may provide information related to a client (or requesting) application (e.g., server application 1 ), for example.
  • the client context may include one or more fields, which may be provided to system computer 110 in one or more packet headers (e.g., HTTP header(s) or other header(s) of a service request).
  • the client context may include, for example: a system identifier (or system ID) that identifies the system, a transaction ID, a software package from which the requesting application or from which the request is initiated, an application server ID that identifies the server on which the requesting application is running, a user ID that identifies the first application, and/or an address associated with the first application server or the first application.
  • System ID may include an alpha-numeric value that may identify the system 108 , e.g., HRD (e.g., identifying the system for the Human Resources Department of a company), or PRD (e.g., identifying the system for Product Research and Development department of a company). These are merely some examples, and any system IDs may be used.
  • a request from client application 124 may be received via network 125 by server application 1 .
  • client application e.g., Web browser
  • may submit an HTTP request e.g., HTTP Post to provide information (product identification and credit card information) as part of an order submitted to server application 1 (which may be a shopping cart application).
  • the server application 1 e.g., which may be a shopping cart application
  • Server application 1 may obtain a signed ticket from system computer 110 , e.g., for each service that is to be requested by the requesting application (server application 1 ). For example, server application 1 may determine or generate a client context for this service request. Server application 1 may then send a request to encrypt (or a request for a signed ticket) along with a client context via line 132 to system computer 110 . Server application 1 may use a security related API to access security services provided by system computer 110 , e.g., to request signing or encryption of a value (e.g., client context) provided. Server application 1 may provide a request including a user ID or application ID that is known by system computer 110 as identifying a valid application or user within system 108 . Other information may be provided as well to computer 110 , such as identification of the target (or requested) service/application or identification of the application service on which the target/requested service resides.
  • system computer 110 may generate and return a signed ticket to the server application 1 via line 134 .
  • the signed ticket may include (or may be) the signed or encrypted client context, where the client context may be signed or encrypted using a key that is assigned to or associated with the system 108 , for example.
  • the requesting application may then send a service request via line 136 to the application server 120 on which the requested application (server application 2 ) provides the requested service, such as a credit card authorization service.
  • the service request may include the client context and the signed ticket (e.g., signed client context).
  • the service request, including the client context and the signed client context is received by the remote access engine 125 .
  • a remote access engine (not shown) provided on application server 118 may generate a client context on behalf of server application 1 , and then communicate with system computer 110 on behalf of server application 1 to obtain a signed ticket from system computer 110 , and then submit the request for service from server application 2 with the client context and signed ticket to remote access engine 125 .
  • the remote access engine on application server 118 may generate a client context (e.g., based on the request for service being made by server application 1 ) and then send this client context via line 132 and may receive a signed ticket or signed client context via line 134 .
  • the remote access engine on the application server 118 may then provide this signed ticket, along with the client context and a service request to the remote access engine 125 , in order to request, on behalf of service application 1 , service from server application 2 .
  • server application 1 may include a remote access engine on application server 118 that may generate a client context and then obtain a signed client context or signed ticket from system computer 110 , and then submit a request to the remote access engine 125 requesting service from server application 2 , where the request may include the client context and this signed ticket.
  • a remote access engine on application server 118 may generate a client context and then obtain a signed client context or signed ticket from system computer 110 , and then submit a request to the remote access engine 125 requesting service from server application 2 , where the request may include the client context and this signed ticket.
  • Remote access engine 125 may send a request to system computer 110 via line 138 .
  • the request sent via line 138 may include the received signed ticket and/or the received client context.
  • remote access engine 125 may send a request to decrypt to system computer 110 via line 138 that includes the signed ticket, and computer 110 may decrypt the signed ticket using a system key (such as a public key of a key pair, or other key), and return the decrypted signed ticket (which may typically be the recreated client context) to server application 2 via line 140 .
  • a system key such as a public key of a key pair, or other key
  • remote access engine 125 may send to computer 110 via line 138 a request to encrypt the received client context, and the system computer 110 may encrypt such received client context using a system key associated with system 108 (e.g., system computer 110 may typically use a private key here that is the same private key used by computer 110 to generate the signed ticket provided to server application 1 via line 134 ).
  • a second signed ticket may be generated by system computer and provided back to remote access engine 125 , where the second signed ticket may match a first signed ticket that was provided via line 140 to server application 1 (or a requesting application). The first signed ticket will match the second signed ticket, in the event the same key is used to encrypt the same received client context.
  • system computer 110 may decrypt and return via line 140 to server application 2 a received signed client ticket.
  • Remote access engine 125 may then compare the signed ticket (or signed client context) received from server application 1 via line 136 to the signed ticket (or signed client context) received via line 140 from system computer 110 . A match between these two signed tickets indicates that the received signed ticket received from the requesting application (e.g., server application 1 ) is validated, which means, e.g., that the requesting application (e.g., server application 1 ) is authorized or permitted by the system computer 110 to access the services of the requested service (e.g., server application 2 ). Remote access engine 125 then permits the requesting application to obtain the requested service from server application 2 (the requested application). Also, in one example implementation, a validated signed ticket may operate to ensure integrity of the client context, e.g., that the client context was sent from a trusted party and was not tampered with, for example.
  • remote access engine 125 may complete validation by comparing the received client context received from server application 1 to the decrypted signed client context received from system computer 110 , and where a match indicates validation.
  • remote access engine 125 may perform access control for the requesting application (server application 1 ) to determine if the requesting application may obtain requested service(s) from the requested application. For example, remote access engine 125 may determine whether the requesting application has authorization to obtain services or access the methods of the requested application (server application 2 ) via the remote interface 121 based on a comparison of one or more attributes of the received client context to the access control list 123 associated with the requested application.
  • a client context attribute which may indicate information related to the requesting application, may be compared by remote access engine 125 to an access control list 123 to determine whether the requested services should be provided (e.g., via the remote interface 121 ).
  • remote access engine 125 After the signed ticket has been validated, remote access engine 125 has performed access control and determined that the requesting application is authorized to obtain services or access methods of the requested service based on, then the requested service may be provided by the requested application (e.g., server application 2 ).
  • server application 2 may perform the credit card authorization, and assuming the credit card charge is approved or authorized, a reply is sent via line 142 to server application 1 indicating credit card approval.
  • Server application 1 may then return an order confirmation to the client application via HTTP reply via line 131 to client application 124 .
  • server applications 2 and 3 are transparent to client application 124 , since client application 124 only communicated with or accessed services of server application 1 in this example. Also, any attempt by client application 124 to access services of server application 2 or server application 3 would have been rejected, since client application 124 would not have provided nor obtained the required signed ticket from system computer (and thus validation would have failed).
  • the requested service may be provided if either 1) signed ticket is validated, or the access control based on the client context attribute indicates that the requesting application is authorized to access the requested services.
  • FIG. 2 is a block diagram of a system according to an example implementation.
  • System 108 may include receiving logic 210 configured to receive, by a second application that includes a remote interface and is running on a second application server, a service request received from a first application running on a first application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system.
  • System 108 may also include validation logic 212 configured to validate, by the second application, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application.
  • System 108 further includes determining logic 213 configured to determine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application.
  • System 108 may also include sending logic 214 configured to send a service reply from the second application to the first application to provide the requested service to the first application in response to the determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • FIG. 3 is a flow chart illustrating operation of a server application or server application according to an example implementation.
  • the client implemented method may include several operations, including operations 310 , 320 , 330 and 340 .
  • Operation 310 may include receiving, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system.
  • Operation 320 may include validating, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application. application.
  • Operation 330 may include determining, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application.
  • Operation 340 may include sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • a computer program product is provided that is tangibly embodied on a computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to: to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access
  • a system includes the system computer, the first application server and the first application, and the second application server and the second application.
  • the executable code further causes the first application to obtain the signed ticket the from the system computer based on the following: send the client context from the first application to the system computer; and receive, by the first application, a signed ticket from the system computer that is based on the client context and the key associated with the system.
  • the signed ticket received by the remote access engine from the first application may include a first signed ticket
  • the executable code causing the data processing apparatus to validate may include executable code causing the data processing apparatus to: send, from the remote access engine, the client context to the system computer; receive, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context; and validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
  • the executable code causing the data processing apparatus to send comprises executable code causing the data processing apparatus to send, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context.
  • the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system.
  • the system may include a processor, and a database to store the key associated with the system.
  • the signed ticket includes a signed client context that was signed by the system computer using the key associated with the system.
  • the client context may include at least a system identifier (ID) that identifies the system, a user ID that identifies the system, and an address associated with the first application server or the first application.
  • ID system identifier
  • the service request received by the remote access engine from the first application is sent by the first application to the second application to fulfill a client request received by the first application from a client application, and, the service(s) of the second application are accessible through the first application after validation and not directly accessible to the client application.
  • the system computer may include a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer.
  • the executable code causing the data processing apparatus to receive may include executable code causing the data processing apparatus to receive, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key.
  • the signed ticket received from the first application may include a first signed ticket
  • the executable code causing the data processing apparatus to validate may include executable code causing the data processing apparatus to: send, from the remote access engine, the received client context to the second system computer, receive, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context, and validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
  • some services may be provided only to other applications that belong to a selected group (or sub-set) of systems.
  • Each system may include a system computer, and one or more application servers, with a remote access engine and one or more applications provided on each application server.
  • System computers for each system may store their own system key(s) used to request and authorize services to be performed for other services within the same system, as described above for FIG. 1 .
  • system computer associated with system A may receive a copy of one or more system keys associated with system B
  • a system computer associated with system B may receive and store system keys associated with system A.
  • system keys may be exchanged between system computers of systems A and B, to allow services to be authorized between system A and system B services. That is, this key exchanged between systems A and B may allow a service from a system A application to be performed for a system B application, and to allow a service from a system B application to be performed for a system A application.
  • System C in this example does not share its system keys with other systems nor receive any keys from other systems, and therefore, system C does not (and applications of system C do not) support or authorize cross-system service requests.
  • a requesting application of system A may submit a client context and request to encrypt to the system computer of system A, and may indicate that the request is for a signed ticket to access a system B service.
  • the system computer of system A (which, based on keys exchanged between systems A and B) has a copy of one or more system keys associated with system B) may generate a system B signed ticket by encrypting or signing the received client context using the key associated with system B, and provide the signed ticket back to the requesting system A application.
  • the requesting system A application may then provide the client context and the system B signed ticket to a requested service (or to the remote access engine of system B) within system B.
  • the remote access engine of system B may then, for example, submit the received client context to the system computer of system B, and may receive back a signed client context or signed ticket that was signed with the system B key.
  • the requested service within system B may then compare the system B signed ticket received from the requesting system A application to the signed ticket from the system computer of system B. If these match (meaning the same client context was signed/encrypted with the same system B private key), this indicates that the signed system B ticket is validated and the requested service within system B provides the requested service to the requesting application within system A.
  • the remote engine may perform access control by comparing a client context attribute(s) from the requesting application to an access control list associated with the requested application or server, for example.
  • Implementations of the various techniques described herein may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Implementations may implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers.
  • data processing apparatus e.g., a programmable processor, a computer, or multiple computers.
  • a computer program such as the computer program(s) described above, can be written in any form of programming language, including compiled or interpreted languages, and can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment.
  • a computer program that might implement the techniques mentioned above might be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
  • Method steps may be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method steps also may be performed by, and an apparatus may be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
  • FPGA field programmable gate array
  • ASIC application-specific integrated circuit
  • processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer.
  • a processor will receive instructions and data from a read-only memory or a random access memory or both.
  • Elements of a computer may include at least one processor for executing instructions and one or more memory devices for storing instructions and data.
  • a computer also may include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks.
  • Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks.
  • semiconductor memory devices e.g., EPROM, EEPROM, and flash memory devices
  • magnetic disks e.g., internal hard disks or removable disks
  • magneto-optical disks e.g., CD-ROM and DVD-ROM disks.
  • the processor and the memory may be supplemented by, or incorporated in special purpose logic circuitry.
  • implementations may be implemented on a computer having a display device, e.g., a cathode ray tube (CRT) or liquid crystal display (LCD) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer.
  • a display device e.g., a cathode ray tube (CRT) or liquid crystal display (LCD) monitor
  • keyboard and a pointing device e.g., a mouse or a trackball
  • Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • Implementations may be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation, or any combination of such back-end, middleware, or front-end components.
  • Components may be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (LAN) and a wide area network (WAN), e.g., the Internet.
  • LAN local area network
  • WAN wide area network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Financial Or Insurance-Related Operations Such As Payment And Settlement (AREA)
  • Computer And Data Communications (AREA)

Abstract

A computer implemented method, computer program product, and computer system is provided for receiving a service request to obtain service from a second application, the service request including a client context and a signed ticket obtained by the first application from a system computer, validating the received signed ticket based on the key associated with the system, determining that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of one or more attributes of the received client context to an access control list associated with the second application, and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.

Description

    TECHNICAL FIELD
  • This description is directed generally to access control, and in particular, to a computer-implemented method, apparatus, and computer program product for access control of remote communication interfaces based on system-specific keys.
    • BACKGROUND
  • Many services, such as some services accessible via Hyper-Text Transfer Protocol (HTTP), File Transfer Protocol (FTP) and other protocols, may be remotely accessed. In order to be remotely accessible, such services may be tagged as remote callable services. There exist different technologies, e.g. Remote Method Invocation (RMI), Common Object Request Broker Architecture (CORBA), Remote Function Call (RFC), to enable services, implemented in different languages, e.g. JAVA, C, C++, ABAP, etc., to be called remotely. One of the security issues which arises in some situations with remote services is that due to the remote accessibility, those services could be called from anywhere whenever network connectivity to the remote service can be established. This may present security risks where accessibility to some services should be restricted to certain programs or users.
  • In a system containing several services, e.g. payment, salary, order entry, shopping cart, product availability check, credit card authorization, etc., only some of the services may be accessible to any client (such as a shopping cart service), while other services (e.g., credit card authorization service, product or inventory check for a requested item, or other administrative services) should be accessible only to a subset of other programs or users.
    • SUMMARY
  • In one general aspect, a computer program product is provided. The computer program product is tangibly embodied on a computer-readable storage medium and includes executable code that, when executed, is configured to cause at least one data processing apparatus to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • In another general aspect, a computer implemented method is provided that includes receiving, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validating, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determining, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • In another general aspect, an apparatus includes receiving logic configured to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validation logic configured to validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determining logic configured to determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and sending logic configured to send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • The subject matter described in this specification can be implemented as a method or as a system or using computer program products, tangibly embodied in information carriers, such as a CD-ROM, a DVD-ROM, a semiconductor memory, and a hard disk. Such computer program products may cause a data processing apparatus to conduct one or more operations described herein.
  • In addition, the subject matter described herein may also be implemented as a system including a processor and a memory coupled to the processor. The memory may encode one or more programs that cause the processor to perform one or more of the method acts described in this specification.
  • The details of one or more implementations are set forth in the accompanying drawings and the description below. Other features will be apparent from the description and drawings, and from the claims.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram illustrating a system 108 according to an example implementation.
  • FIG. 2 is a block diagram illustrating a system according to an example implementation.
  • FIG. 3 is a flow chart illustrating operation of an application or application server according to an example implementation.
    •  DETAILED DESCRIPTION
  • In the following, a detailed description of examples will be given with reference to the drawings. It should be understood that various modifications to the examples may be made. In particular, elements of one example may be combined and used in other examples to form new examples.
  • FIG. 1 is a block diagram illustrating a system 108 according to an example implementation. In the example implementation shown in FIG. 1, system 108 may include a system computer 110, which may include a system processor 116 for processing information and a system database 112 for securely storing information, such as one or more keys, e.g., one or more private/public key pairs associated with or assigned to system 108. System database 112 may be a central system database, where the system 108 (and one or system, for example) may include only one central system database 112 to store, e.g., keys associated with the system. System 108 may also include one or more application servers, such as, for example, application servers 118, 120, 122, etc. In an example implementation, each application server may run on a different computing device, such as a different computer, server, etc., where each computing device may include a processor for processing instructions, a disk drive or other storage, memory, and may include input/output devices, for example. Application servers 118, 120 and 122 and system computer 110 of system 108 may be coupled to each other via an Intranet or Local Area Network (not shown), and may share one or more keys or key pairs stored securely in system database 112. While only three application servers are shown in FIG. 1, any number of application servers may be provided within system 108. Any applications may be run at the same time on the same or on different application servers.
  • A client application 124, which may be a Web browser or other application, may send a request (e.g., a HTTP Get request, a HTTP Post request, or other request) via network 125 (e.g., the Internet) to an application, such as to server application 1 running on application server 118. In order to process or fulfill the request from client application 124, server application 1 may obtain service(s) from one or more other applications within system 108 (and possibly from applications located in other systems). For example, server application 2 may provide an administrative service or other service (e.g., credit card authorization service) that should be accessible only to approved or authorized applications. According to an example embodiment, a requesting application may be granted access to obtain a requested service based on 1) a signed ticket validation, and 2) comparison of one or more client context attributes to an access control list associated with a requested application or service. For example, the signed ticket may be, e.g., a document or context information that has been signed or encrypted by system computer 110 using a system key or key associated with the system 108.
  • Each application server may include one or more server applications running thereon, with each server application providing one or more services. For example, server application 1 (which may be, e.g., a shopping cart application) may reside or run on application server 118. Server application 2 (which may be, e.g., a credit card authorization application or other administrative application) may reside or run on application server 120. And, server application 3 may reside or run on application server 122. These are merely some example servers and server applications, and the disclosure is not limited thereto. Many other applications may be provided. Each application may provide one or more services, e.g., as shopping cart service, a credit card authorization service, etc. These are merely some examples, and many other services may be provided.
  • According to an example embodiment, one or more of the server applications may include (or may expose) a remote interface through which other applications may obtain application services (e.g., credit card authorization). According to an example implementation, a remote interface may be an interface provided to allow non-local (e.g., located on a different server, or located in a different system) applications or clients (e.g., non-local application instances) to obtain services or invoke the methods of an application via the application's remote interface. The remote interface may include the definition one or more methods or services which may be remotely accessed by other applications. For example, server application 2 may include remote interface 121, which may include one or more methods (or services) and associated parameters. A result may also be defined for each method or service, to allow a service result for the method to be returned to the requesting application/client.
  • Server application 2 may also include an access control list 123 associated with server application 2, which may be used to determine which requesting clients or applications should be provided access to the methods or services of server application 2 via the remote interface 121. Thus, the access control list 123 may be specific to or associated with server application 2, and may identify one or more client applications that may access each of one or more services or methods provided by server application 2.
  • Access control list 123 may include, for example, a white list or approved list that may identify one or more entities (e.g., clients or applications) that are authorized to access the methods or services of server application 2. Access control list 123 may alternatively include a black list or denied list which may identify one or more applications, clients or other entities that are not allowed to access (or have access denied to) the methods or services of server application 2. The white list or black list of access control list 123 may identify applications, clients or other entities based on, for example one or more attributes of a client context which may include a system identifier (ID) that identifies a system of a requesting application (application that has requested access to the methods or services of application 2), a user ID that identifies a user of the requesting application, a client ID or application ID that identifies the requesting application (or identifies an instance of the requesting application), an application server ID that identifies the server on which the requesting application is running, a transaction ID associated with a transaction for the requesting application, a software package ID that identifies the software package of the requesting application.
  • According to an example implementation, as described in greater detail below, a requesting application (e.g., server application 1) may obtain requested services from a requested application (e.g., server application 2) via a remote interface 121 if the requesting application: 1) provides a signed ticket that is validated (e.g., to confirm integrity of a client context and/or to establish that the requesting application is a trusted party); and 2) it is determined that the first application has authorization to obtain the requested service based on a comparison of one or more attributes of a client context (presented by the requesting application) to an access control list 123.
  • Each application server may include a remote access engine to perform tasks related to remote access of one or more applications on the application server. For example, application server 120 may include a remote access engine 125 to perform remote access tasks for one or more applications running on application server 120. Each application on application server 120 may include a remote access and an access control list. Remote access engine 125 may control remote access to applications running on application server 120 or services offered from application server 120, such as by: 1) validating signed tickets received from requesting applications, and 2) comparing one or more client context attributes or fields received from a requesting application to an access control list 125 in order to determine that a requesting application may obtain the requested services from the requested application.
  • A client application 124 may communicate with one or more application servers 118, 120 and 122, and/or one or more applications running on each of the one or more application servers 118, 120, 122, etc. According to an example implementation, only some of the services provided by the applications may be accessible in general, e.g., to all programs or users, such as a shopping cart service or program. Some of the services and/or server applications may be accessible only to a select set of programs or users. For example, in a first example implementation, some applications or services may be accessible only to other applications or application servers within the same system. Or, in a second example implementation, some applications or services may be accessible only to applications or application servers within a subset of approved systems. Thus, access to some of the applications or services may be restricted. Thus, according to example embodiments, access to a remote interface or a remote application or service may be permitted for at least one or more applications within a same system as the requested application (e.g., requesting application and requested application reside on different application servers within the same system) or may be permitted for at least some applications of one or more approved outside systems (e.g., where requesting application and requested application are provided on application servers in different systems).
  • For example, administrative services, or other internal services such as a credit card authorization service, product inventory check service, etc., may be accessible only to a select group of one or more applications or users. In some cases, some applications may provide their services only to other server applications within the same system. While in other example implementations, some applications may provide services only to applications within a select group of systems. According to an example implementation, access to such restricted services may be provided through the use of a signed ticket that may be provided by the system computer 110, as described in greater detail below.
  • According to an example embodiment, an access control list may be used to control access to an application. For example, an access control list may identify one or more approved programs or users that may access the service or program. For example, an access control list or white (or approved) list may identify a set of users or programs, e.g., based on Internet Protocol (IP) address, that have been approved or authorized to access an application or service. Other types of access control lists may be used, such as a black list or a list of applications that are denied access to the application or services.
  • However, according to an example implementation, access to services or programs or applications may be controlled or restricted through the use and validation of a signed ticket based on a system-specific key (or a key associated with or assigned to a system, such as system 110). A key, e.g., a system private key or other key associated with system 108, may be securely stored in system database 112. For example, one or more private/public key pairs may be associated with (or assigned to) the system 108 and stored in database 112. Due to the secure storage of keys (e.g., which may be stored in database 112 in an encrypted form) only processor 116 may access and have the ability to decrypt and use the one or more system private keys stored in database 112. For example, there may be one private/public key pair, or many key pairs assigned to or associated with a system 108. In one example implementation, system database 112 may securely store a key pair associated with or assigned to each application server 118, 120, and 122, for example, within a system. For example, system computer 110 may sign a ticket with a requesting application's private key (or with the private key associated with an application server where the requesting application resides), or with the private key associated with an application server where a target or requested service resides or is located (where the requesting service may indicate the target or requested service and requested application server to the system computer 110 as part of a request for signed ticket, for example).
  • According to an example embodiment, a requesting application (e.g., server application 1) running (or installed and executed) on a first application server 118 within a system 108 may obtain a signed ticket from a system computer 110 of system 108. The requesting application (e.g., server application 1) may then present or provide such signed ticket to application server 120 to obtain or access a requested service, such as to access a credit card authorization service provided by server application 2 running on application server 120. Remote access engine 125 may receive the signed ticket and perform ticket validation, as described in greater detail herein.
  • In one example implementation, a signed ticket that has been signed by a system computer may indicate that the requesting application that presents such signed ticket is authorized to use any services or applications within the system. Or alternatively, the signed ticket may be used to access only some services or applications within a system 108, for example. For example, if a requesting application requests a signed ticket to access a specific service or a service on a specific application server, then the system computer may generate and return the signed ticket using a key associated with the requested application or associated with the application server on which the requested application resides, if the requesting application has permission to access such requested service or application. Thus, a signed ticket may provide general authorization for all services or applications within a system or group of systems, or alternatively may only authorize permission for the requesting service to only access specific services or to access services or applications only on specific application servers, for example.
  • For example, remote access engine 125 on the application server 120 (same server on which the server application 2 that provides the requested service is running) Remote access engine 125 may validate the received signed ticket, e.g., via communication with system computer 110 and/or with assistance of system computer 110. According to an example implementation, if the received signed ticket is validated, this may indicate that the requesting service is authorized or permitted to access the requested service. Alternatively, validation of a signed ticket may be used to confirm the integrity of the provided client context, while use of an access control list may provide a final operation that is performed before allowing the requesting application to obtain requested services from a requested application. On the other hand, if the received signed ticket does not validate (or is not validated by the requested service based on communication with the system computer 110), then the requested service is denied and the requested service and/or the application server on which the requested service resides may send a rejection message to the requesting application (e.g., server application 1) indicating that the request for service was denied or rejected.
  • In some cases, the requesting application (e.g., server application 1) may be referred to as a “client,” and the requested application (e.g., server application 2) that may receive the request for service and may fulfill the request for service (if the signed ticket is validated and access to the requested service is authorized based on the access control list 123) may be referred to as a “server,” e.g., as applications having a client-server relationship, even though both may be applications residing on servers.
  • Thus, a requesting application may determine and/or may generate a client context that may be provided to system computer 110 in order to obtain a signed ticket from system computer 110. A client context may provide information related to a client (or requesting) application (e.g., server application 1), for example. In an example implementation, the client context may include one or more fields, which may be provided to system computer 110 in one or more packet headers (e.g., HTTP header(s) or other header(s) of a service request). The client context may include, for example: a system identifier (or system ID) that identifies the system, a transaction ID, a software package from which the requesting application or from which the request is initiated, an application server ID that identifies the server on which the requesting application is running, a user ID that identifies the first application, and/or an address associated with the first application server or the first application. System ID may include an alpha-numeric value that may identify the system 108, e.g., HRD (e.g., identifying the system for the Human Resources Department of a company), or PRD (e.g., identifying the system for Product Research and Development department of a company). These are merely some examples, and any system IDs may be used.
  • Some examples will now be described with reference to FIG. 1. A request from client application 124 may be received via network 125 by server application 1. For example, client application (e.g., Web browser) may submit an HTTP request, e.g., HTTP Post to provide information (product identification and credit card information) as part of an order submitted to server application 1 (which may be a shopping cart application). The server application 1 (e.g., which may be a shopping cart application) may need to check product inventory to confirm the requested items are in stock (e.g., performed by server application 3) and to run a credit card authorization (e.g., performed by server application 2).
  • Server application 1 may obtain a signed ticket from system computer 110, e.g., for each service that is to be requested by the requesting application (server application 1). For example, server application 1 may determine or generate a client context for this service request. Server application 1 may then send a request to encrypt (or a request for a signed ticket) along with a client context via line 132 to system computer 110. Server application 1 may use a security related API to access security services provided by system computer 110, e.g., to request signing or encryption of a value (e.g., client context) provided. Server application 1 may provide a request including a user ID or application ID that is known by system computer 110 as identifying a valid application or user within system 108. Other information may be provided as well to computer 110, such as identification of the target (or requested) service/application or identification of the application service on which the target/requested service resides.
  • According to one example implementation, system computer 110 (including processor 116) may generate and return a signed ticket to the server application 1 via line 134. According to one example implementation, the signed ticket may include (or may be) the signed or encrypted client context, where the client context may be signed or encrypted using a key that is assigned to or associated with the system 108, for example.
  • The requesting application (e.g., server application 1) may then send a service request via line 136 to the application server 120 on which the requested application (server application 2) provides the requested service, such as a credit card authorization service. The service request may include the client context and the signed ticket (e.g., signed client context). The service request, including the client context and the signed client context is received by the remote access engine 125.
  • Rather than server application or the requesting application generating a client context and then communicating with system computer 110 to obtain a signed ticket, a remote access engine (not shown) provided on application server 118 may generate a client context on behalf of server application 1, and then communicate with system computer 110 on behalf of server application 1 to obtain a signed ticket from system computer 110, and then submit the request for service from server application 2 with the client context and signed ticket to remote access engine 125. Thus, for example, the remote access engine on application server 118 may generate a client context (e.g., based on the request for service being made by server application 1) and then send this client context via line 132 and may receive a signed ticket or signed client context via line 134. The remote access engine on the application server 118 may then provide this signed ticket, along with the client context and a service request to the remote access engine 125, in order to request, on behalf of service application 1, service from server application 2.
  • Alternatively, server application 1 may include a remote access engine on application server 118 that may generate a client context and then obtain a signed client context or signed ticket from system computer 110, and then submit a request to the remote access engine 125 requesting service from server application 2, where the request may include the client context and this signed ticket.
  • Remote access engine 125 may send a request to system computer 110 via line 138. The request sent via line 138 may include the received signed ticket and/or the received client context. In one example implementation, remote access engine 125 may send a request to decrypt to system computer 110 via line 138 that includes the signed ticket, and computer 110 may decrypt the signed ticket using a system key (such as a public key of a key pair, or other key), and return the decrypted signed ticket (which may typically be the recreated client context) to server application 2 via line 140. Or in another example implementation, remote access engine 125 may send to computer 110 via line 138 a request to encrypt the received client context, and the system computer 110 may encrypt such received client context using a system key associated with system 108 (e.g., system computer 110 may typically use a private key here that is the same private key used by computer 110 to generate the signed ticket provided to server application 1 via line 134). In this manner, a second signed ticket may be generated by system computer and provided back to remote access engine 125, where the second signed ticket may match a first signed ticket that was provided via line 140 to server application 1 (or a requesting application). The first signed ticket will match the second signed ticket, in the event the same key is used to encrypt the same received client context. Alternatively, system computer 110 may decrypt and return via line 140 to server application 2 a received signed client ticket.
  • Remote access engine 125 may then compare the signed ticket (or signed client context) received from server application 1 via line 136 to the signed ticket (or signed client context) received via line 140 from system computer 110. A match between these two signed tickets indicates that the received signed ticket received from the requesting application (e.g., server application 1) is validated, which means, e.g., that the requesting application (e.g., server application 1) is authorized or permitted by the system computer 110 to access the services of the requested service (e.g., server application 2). Remote access engine 125 then permits the requesting application to obtain the requested service from server application 2 (the requested application). Also, in one example implementation, a validated signed ticket may operate to ensure integrity of the client context, e.g., that the client context was sent from a trusted party and was not tampered with, for example.
  • Alternatively, if the decrypted signed client context is provided via line 140, remote access engine 125 may complete validation by comparing the received client context received from server application 1 to the decrypted signed client context received from system computer 110, and where a match indicates validation.
  • If the signed ticket has been validated, then remote access engine 125 may perform access control for the requesting application (server application 1) to determine if the requesting application may obtain requested service(s) from the requested application. For example, remote access engine 125 may determine whether the requesting application has authorization to obtain services or access the methods of the requested application (server application 2) via the remote interface 121 based on a comparison of one or more attributes of the received client context to the access control list 123 associated with the requested application.
  • For example, while there may be many applications within an authorized system that may be able to obtain a signed ticket to access an application, it may be desirable to limit or restrict access to such application or service to only some of such applications. Thus, a client context attribute, which may indicate information related to the requesting application, may be compared by remote access engine 125 to an access control list 123 to determine whether the requested services should be provided (e.g., via the remote interface 121).
  • After the signed ticket has been validated, remote access engine 125 has performed access control and determined that the requesting application is authorized to obtain services or access methods of the requested service based on, then the requested service may be provided by the requested application (e.g., server application 2). In this example, server application 2 may perform the credit card authorization, and assuming the credit card charge is approved or authorized, a reply is sent via line 142 to server application 1 indicating credit card approval. Server application 1 may then return an order confirmation to the client application via HTTP reply via line 131 to client application 124.
  • However, the access or usage of server applications 2 and 3 is transparent to client application 124, since client application 124 only communicated with or accessed services of server application 1 in this example. Also, any attempt by client application 124 to access services of server application 2 or server application 3 would have been rejected, since client application 124 would not have provided nor obtained the required signed ticket from system computer (and thus validation would have failed).
  • Also, in other example embodiments, it may not be necessary for both ticket validation and access control be performed before providing the requested service. For example, the requested service may be provided if either 1) signed ticket is validated, or the access control based on the client context attribute indicates that the requesting application is authorized to access the requested services.
  • FIG. 2 is a block diagram of a system according to an example implementation. System 108 may include receiving logic 210 configured to receive, by a second application that includes a remote interface and is running on a second application server, a service request received from a first application running on a first application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system. System 108 may also include validation logic 212 configured to validate, by the second application, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application. System 108 further includes determining logic 213 configured to determine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application. System 108 may also include sending logic 214 configured to send a service reply from the second application to the first application to provide the requested service to the first application in response to the determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • FIG. 3 is a flow chart illustrating operation of a server application or server application according to an example implementation. The client implemented method may include several operations, including operations 310, 320, 330 and 340.
  • Operation 310 may include receiving, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system.
  • Operation 320 may include validating, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application. application.
  • Operation 330 may include determining, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application.
  • Operation 340 may include sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • According to another example implementation, a computer program product is provided that is tangibly embodied on a computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to: to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system; validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application; determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
  • In an example implementation, a system includes the system computer, the first application server and the first application, and the second application server and the second application. In another example implementation, the executable code further causes the first application to obtain the signed ticket the from the system computer based on the following: send the client context from the first application to the system computer; and receive, by the first application, a signed ticket from the system computer that is based on the client context and the key associated with the system.
  • According to another example implementation, the signed ticket received by the remote access engine from the first application may include a first signed ticket, and wherein the executable code causing the data processing apparatus to validate may include executable code causing the data processing apparatus to: send, from the remote access engine, the client context to the system computer; receive, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context; and validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
  • According to another example implementation, the executable code causing the data processing apparatus to send comprises executable code causing the data processing apparatus to send, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context. And the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system.
  • According to another example implementation, the system may include a processor, and a database to store the key associated with the system. The signed ticket includes a signed client context that was signed by the system computer using the key associated with the system.
  • In an example implementation, the client context may include at least a system identifier (ID) that identifies the system, a user ID that identifies the system, and an address associated with the first application server or the first application.
  • In another example implementation, the service request received by the remote access engine from the first application is sent by the first application to the second application to fulfill a client request received by the first application from a client application, and, the service(s) of the second application are accessible through the first application after validation and not directly accessible to the client application.
  • According to another example implementation, the system computer may include a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer. The executable code causing the data processing apparatus to receive may include executable code causing the data processing apparatus to receive, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key.
  • In an example implementation, the signed ticket received from the first application may include a first signed ticket, wherein the executable code causing the data processing apparatus to validate may include executable code causing the data processing apparatus to: send, from the remote access engine, the received client context to the second system computer, receive, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context, and validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
  • An example implementation that involves multi-system validation will now be briefly described. According to an example implementation, some services may be provided only to other applications that belong to a selected group (or sub-set) of systems. For example, there may be three systems, including system A, system B and system C. Each system may include a system computer, and one or more application servers, with a remote access engine and one or more applications provided on each application server. System computers for each system may store their own system key(s) used to request and authorize services to be performed for other services within the same system, as described above for FIG. 1.
  • In addition, a system computer associated with system A may receive a copy of one or more system keys associated with system B, and a system computer associated with system B may receive and store system keys associated with system A. Thus, in this example, system keys may be exchanged between system computers of systems A and B, to allow services to be authorized between system A and system B services. That is, this key exchanged between systems A and B may allow a service from a system A application to be performed for a system B application, and to allow a service from a system B application to be performed for a system A application.
  • System C in this example does not share its system keys with other systems nor receive any keys from other systems, and therefore, system C does not (and applications of system C do not) support or authorize cross-system service requests.
  • For example, with respect to systems A and B, a requesting application of system A may submit a client context and request to encrypt to the system computer of system A, and may indicate that the request is for a signed ticket to access a system B service. The system computer of system A (which, based on keys exchanged between systems A and B) has a copy of one or more system keys associated with system B) may generate a system B signed ticket by encrypting or signing the received client context using the key associated with system B, and provide the signed ticket back to the requesting system A application.
  • The requesting system A application may then provide the client context and the system B signed ticket to a requested service (or to the remote access engine of system B) within system B. The remote access engine of system B may then, for example, submit the received client context to the system computer of system B, and may receive back a signed client context or signed ticket that was signed with the system B key. The requested service within system B may then compare the system B signed ticket received from the requesting system A application to the signed ticket from the system computer of system B. If these match (meaning the same client context was signed/encrypted with the same system B private key), this indicates that the signed system B ticket is validated and the requested service within system B provides the requested service to the requesting application within system A. After validation of the signed ticket is performed, the remote engine may perform access control by comparing a client context attribute(s) from the requesting application to an access control list associated with the requested application or server, for example.
  • Implementations of the various techniques described herein may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Implementations may implemented as a computer program product, i.e., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable storage device or in a propagated signal, for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers. A computer program, such as the computer program(s) described above, can be written in any form of programming language, including compiled or interpreted languages, and can be deployed in any form, including as a stand-alone program or as a module, component, subroutine, or other unit suitable for use in a computing environment. A computer program that might implement the techniques mentioned above might be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.
  • Method steps may be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method steps also may be performed by, and an apparatus may be implemented as, special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application-specific integrated circuit).
  • Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read-only memory or a random access memory or both. Elements of a computer may include at least one processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer also may include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto-optical disks, or optical disks. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices; magnetic disks, e.g., internal hard disks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROM disks. The processor and the memory may be supplemented by, or incorporated in special purpose logic circuitry.
  • To provide for interaction with a user, implementations may be implemented on a computer having a display device, e.g., a cathode ray tube (CRT) or liquid crystal display (LCD) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.
  • Implementations may be implemented in a computing system that includes a back-end component, e.g., as a data server, or that includes a middleware component, e.g., an application server, or that includes a front-end component, e.g., a client computer having a graphical user interface or a Web browser through which a user can interact with an implementation, or any combination of such back-end, middleware, or front-end components. Components may be interconnected by any form or medium of digital data communication, e.g., a communication network. Examples of communication networks include a local area network (LAN) and a wide area network (WAN), e.g., the Internet.
  • While certain features of the described implementations have been illustrated as described herein, many modifications, substitutions, changes and equivalents will now occur to those skilled in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the scope of the embodiments.

Claims (23)

What is claimed is:
1. A computer program product, the computer program product being tangibly embodied on a computer-readable storage medium and including executable code that, when executed, is configured to cause at least one data processing apparatus to:
receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;
validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;
determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and
send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
2. The computer program product of claim 1 wherein a system includes the system computer including a central system database, the first application server and the first application, and the second application server and the second application.
3. The computer program product of claim 1 wherein a system includes the system computer that stores the key associated with the system, the system also including the first application server and the first application and the second application server and the second application, and wherein the executable code further causes a remote access engine running on the first application server to obtain the signed ticket from the system computer based on the following:
send the client context to the system computer; and
receive, by the remote access engine running on the first application server, a signed ticket from the system computer that is based on the client context and the key associated with the system.
4. The computer program product of claim 1 wherein the signed ticket received by the remote access engine from the first application comprises a first signed ticket, and wherein the executable code causing the data processing apparatus to validate comprises executable code causing the data processing apparatus to:
send, from the remote access engine, the client context to the system computer;
receive, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context;
validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
5. The computer program product of claim 4 wherein:
the executable code causing the data processing apparatus to send comprises executable code causing the data processing apparatus to send, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context; and
the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system.
6. The computer program product of claim 1 wherein the system computer comprises:
a processor; and
a central database for the system to securely store the key associated with the system;
wherein the signed ticket includes a signed client context that was signed by the system computer using the key associated with the system.
7. The computer program product of claim 1 wherein the client context comprises at least a system identifier (ID) that identifies the system.
8. The computer program product of claim 1 wherein the client context comprises at least a system identifier (ID) that identifies the system, an application ID that identifies the first application, and an address associated with the first application server or the first application.
9. The computer program product of claim 1 wherein the client context comprises at least one of: a system identifier (ID) that identifies the system of the first application, a user ID that identifies a user of the first application, a client ID or application ID that identifies the first application (or identifies an instance of the first application), an application server ID that identifies the server on which the first application is running, a transaction ID associated with a transaction for the requesting application, a software package ID that identifies the software package of the first application.
10. The computer program product of claim 1 wherein the service request received by the remote access engine from the first application is sent by the first application to the second application to fulfill a client request received by the first application from a client application, the service(s) of the second application being accessible through the first application after validation and are not directly accessible to the client application.
11. The computer program product of claim 1 wherein, the system computer comprises a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer; and
wherein the executable code causing the data processing apparatus to receive comprises executable code causing the data processing apparatus to receive, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key.
12. The computer program product of claim 11, wherein the signed ticket received from the first application comprises a first signed ticket, wherein the executable code causing the data processing apparatus to validate comprises executable code causing the data processing apparatus to:
send, from the remote access engine, the received client context to the second system computer;
receive, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context;
validate, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
13. The computer program product of claim 1 wherein the access control list associated with second application comprises at least one of:
a white list or accept list that identifies one or more entities that are authorized to access the remote interface of the second application; and/or
a black list or deny list that identifies one or more entities that are not authorized to access the remote interface of the second application.
14. A computer implemented method comprising:
receiving, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;
validating, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;
determining, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and
sending a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
15. The computer implemented method of claim 14 wherein the receiving comprises receiving, by a remote access engine running on the second application server from a remote access engine on the first application server that is part of or operating on behalf of the first application, the service request.
16. The computer implemented method of claim 14 wherein a system includes the system computer, the first application server and the first application, and the second application server and the second application, wherein the signed ticket received from the first application, if validated, indicates that the first application has indirect access to the key associated with the system via the system computer and, thus, indicates that the first application is authorized to obtain or access services from the second application.
17. The computer implemented method of claim 14 wherein the signed ticket received by the remote access engine from the first application comprises a first signed ticket, and wherein the validating comprises:
sending, from the remote access engine, the client context to the system computer;
receiving, by the remote access engine, a second signed ticket from the system computer that is based on the key associated with the system and the client context; and
validating, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
18. The computer implemented method of claim 17 wherein the sending comprises sending, from the remote access engine, the client context to the system computer with a request to sign or encrypt the client context; and
the receiving comprises receiving, by the remote access engine, the second signed ticket from the system computer, the second signed ticket including the client context that has been signed or encrypted by the system computer using the key associated with the system.
19. The computer implemented method of claim 14 wherein the system computer comprises a first system computer, wherein a first system includes the first system computer, the first application server, and the first application, and wherein a second system includes the second application server, the second application, and a second system computer, and wherein the key includes a system private key that is stored by both the first system computer and the second system computer; and
wherein the receiving comprises receiving, by the remote access engine, a service request from the first application, the service request including a client context and a signed ticket obtained by the first application from the first system computer, the signed ticket being based on the client context and the system private key.
20. The computer implemented method of claim 19, wherein the signed ticket received from the first application comprises a first signed ticket, wherein the validating comprises:
sending, from the remote access engine, the received client context to the second system computer;
receiving, by the remote access engine, a second signed ticket from the second system computer that is based on the system key and the client context; and
validating, by the remote access engine, the first signed ticket received from the first application by comparing the first signed ticket received from the first application to the second signed ticket received from the second system computer, wherein a match between the first and second signed tickets indicates that the first signed ticket is validated.
21. An apparatus comprising:
receiving logic configured to receive, by a remote access engine running on the second application server from a first application running on a first application server, a service request to obtain service from a second application that includes a remote interface and is running on the second application server, the service request including a client context and a signed ticket obtained by the first application from a system computer, wherein the signed ticket is based on the client context and a key associated with a system;
validation logic configured to validate, by the remote access engine, the received signed ticket based on the key associated with the system, wherein a validated signed ticket from the first application indicates that the first application is authorized to receive service from the second application;
determining logic configured to determine, by the remote access engine, in response to the signed ticket being validated, that the first application has authorization to obtain the requested service via the remote interface of the second application based on a comparison of an attribute of the received client context to an access control list associated with the second application; and
sending logic configured to send a service reply from the second application to the first application to provide the requested service to the first application in response to determining that the first application has authorization to obtain the requested service via the remote interface of the second application.
22. The apparatus of claim 21 wherein the system computer comprises:
a processor; and
a database to store the key associated with the system;
wherein the signed ticket includes a signed client context that was signed by the system computer using the key associated with the system.
23. The apparatus of claim 21 wherein the client context comprises at least a system identifier (ID) that identifies the system.
US13/353,558 2012-01-19 2012-01-19 Access control of remote communication interfaces based on system-specific keys Abandoned US20130191882A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US13/353,558 US20130191882A1 (en) 2012-01-19 2012-01-19 Access control of remote communication interfaces based on system-specific keys
US14/157,757 US9191389B2 (en) 2012-01-19 2014-01-17 Access control of remote communication interfaces based on system-specific keys

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/353,558 US20130191882A1 (en) 2012-01-19 2012-01-19 Access control of remote communication interfaces based on system-specific keys

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/157,757 Continuation US9191389B2 (en) 2012-01-19 2014-01-17 Access control of remote communication interfaces based on system-specific keys

Publications (1)

Publication Number Publication Date
US20130191882A1 true US20130191882A1 (en) 2013-07-25

Family

ID=48798348

Family Applications (2)

Application Number Title Priority Date Filing Date
US13/353,558 Abandoned US20130191882A1 (en) 2012-01-19 2012-01-19 Access control of remote communication interfaces based on system-specific keys
US14/157,757 Active US9191389B2 (en) 2012-01-19 2014-01-17 Access control of remote communication interfaces based on system-specific keys

Family Applications After (1)

Application Number Title Priority Date Filing Date
US14/157,757 Active US9191389B2 (en) 2012-01-19 2014-01-17 Access control of remote communication interfaces based on system-specific keys

Country Status (1)

Country Link
US (2) US20130191882A1 (en)

Cited By (28)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130086386A1 (en) * 2010-10-29 2013-04-04 Code Systems Corporation Method and system for restricting execution of virtual applications to a managed process environment
US20130254411A1 (en) * 2012-03-21 2013-09-26 Verizon Patent And Licensing Inc. Direct communication between applications in a cloud computing environment
US20140137213A1 (en) * 2012-01-19 2014-05-15 Masoud Aghadavoodi Jolfaei Access control of remote communication interfaces based on system-specific keys
US20140244818A1 (en) * 2013-02-28 2014-08-28 Microsoft Corporation Restlike api that supports a resilient and scalable distributed application
US20150143485A1 (en) * 2012-05-29 2015-05-21 Mineyuki TAMURA Cloud security management system
US9104517B2 (en) 2010-01-27 2015-08-11 Code Systems Corporation System for downloading and executing a virtual application
US9207934B2 (en) 2008-08-07 2015-12-08 Code Systems Corporation Method and system for virtualization of software applications
US9208169B2 (en) 2010-07-02 2015-12-08 Code Systems Corportation Method and system for building a streaming model
US9208004B2 (en) 2010-04-17 2015-12-08 Code Systems Corporation Method of hosting a first application in a second application
US9229748B2 (en) 2010-01-29 2016-01-05 Code Systems Corporation Method and system for improving startup performance and interoperability of a virtual application
US20160099915A1 (en) * 2014-10-07 2016-04-07 Microsoft Corporation Security context management in multi-tenant environments
US20160112380A1 (en) * 2013-05-28 2016-04-21 Orange Technique for distributing a piece of content in a content distribution network
WO2016082756A1 (en) * 2014-11-25 2016-06-02 Hangzhou H3C Technologies Co., Ltd. Application access authority control
US9749393B2 (en) 2010-01-27 2017-08-29 Code Systems Corporation System for downloading and executing a virtual application
US9773017B2 (en) 2010-01-11 2017-09-26 Code Systems Corporation Method of configuring a virtual application
US9779111B2 (en) 2008-08-07 2017-10-03 Code Systems Corporation Method and system for configuration of virtualized software applications
CN108052803A (en) * 2018-01-02 2018-05-18 联想(北京)有限公司 A kind of access control method, device and electronic equipment
US10102239B2 (en) 2015-07-13 2018-10-16 Sap Se Application event bridge
US10110663B2 (en) 2010-10-18 2018-10-23 Code Systems Corporation Method and system for publishing virtual applications to a web server
US10127375B2 (en) * 2015-03-07 2018-11-13 Protegrity Corporation Enforcing trusted application settings for shared code libraries
US20190089705A1 (en) * 2017-09-19 2019-03-21 Amazon Technologies, Inc. Policy activation for client applications
US10425292B1 (en) * 2018-10-17 2019-09-24 Servicenow, Inc. Functional discovery and mapping of serverless resources
US10432704B2 (en) 2016-03-23 2019-10-01 Sap Se Translation of messages using sensor-specific and unified protocols
US10482231B1 (en) * 2015-09-22 2019-11-19 Amazon Technologies, Inc. Context-based access controls
US10652338B2 (en) 2017-06-19 2020-05-12 Sap Se Event processing in background services
US10992660B2 (en) * 2015-06-24 2021-04-27 Amazon Technologies, Inc. Authentication and authorization of a privilege-constrained application
US11140169B1 (en) * 2018-10-31 2021-10-05 Workday, Inc. Cloud platform access system
CN114006705A (en) * 2021-12-28 2022-02-01 深圳市名竹科技有限公司 Digital signature processing method and device, computer equipment and storage medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11373803B2 (en) 2017-08-11 2022-06-28 Applied Materials, Inc. Method of forming a magnetic core on a substrate
US11720534B2 (en) 2021-03-18 2023-08-08 Sap Se Remote code execution

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7089585B1 (en) * 2000-08-29 2006-08-08 Microsoft Corporation Method and system for authorizing a client computer to access a server computer
US20080148183A1 (en) * 2006-12-18 2008-06-19 Michael Danninger Method and system for providing themes for software applications
US20080301468A1 (en) * 2007-05-29 2008-12-04 Masana Murase Cryptographic Secure Program Overlays
US20090007250A1 (en) * 2007-06-27 2009-01-01 Microsoft Corporation Client authentication distributor
US20100017859A1 (en) * 2003-12-23 2010-01-21 Wells Fargo Bank, N.A. Authentication system for networked computer applications
US20110145590A1 (en) * 1999-06-01 2011-06-16 AOL, Inc. Secure data exchange between data processing systems
US20110154465A1 (en) * 2009-12-18 2011-06-23 Microsoft Corporation Techniques for accessing desktop applications using federated identity
US20110153853A1 (en) * 2009-12-18 2011-06-23 Microsoft Corporation Remote application presentation over a public network connection
US20120050455A1 (en) * 2010-04-07 2012-03-01 Justin Santamaria Supporting hands-free services via a hands-free device for ip video calls
US20120089980A1 (en) * 2010-10-12 2012-04-12 Richard Sharp Allocating virtual machines according to user-specific virtual machine metrics
US20120102549A1 (en) * 2010-10-06 2012-04-26 Citrix Systems, Inc. Mediating resource access based on a physical location of a mobile device
US20120226749A1 (en) * 2011-03-04 2012-09-06 Scott Dale Cross social network data aggregation
US20120330875A1 (en) * 2011-06-24 2012-12-27 Angele Juergen Structure index
US20130006878A1 (en) * 2011-06-30 2013-01-03 International Business Machines Corporation Nanostructure tracking of product data signatures

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7689832B2 (en) * 2000-09-11 2010-03-30 Sentrycom Ltd. Biometric-based system and method for enabling authentication of electronic messages sent over a network
CN102246489B (en) * 2008-10-08 2014-05-28 思杰系统有限公司 Systems and methods for connection management for asynchronous messaging over http
EP2489150B1 (en) * 2009-11-05 2018-12-26 VMware, Inc. Single sign on for a remote user session
US20110202989A1 (en) * 2010-02-18 2011-08-18 Nokia Corporation Method and apparatus for providing authentication session sharing
US9160737B2 (en) * 2010-02-26 2015-10-13 Microsoft Technology Licensing, Llc Statistical security for anonymous mesh-up oriented online services
US8370914B2 (en) * 2010-12-15 2013-02-05 Microsoft Corporation Transition from WS-Federation passive profile to active profile
US8806192B2 (en) * 2011-05-04 2014-08-12 Microsoft Corporation Protected authorization for untrusted clients
US20130191882A1 (en) * 2012-01-19 2013-07-25 Sap Ag Access control of remote communication interfaces based on system-specific keys

Patent Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110145590A1 (en) * 1999-06-01 2011-06-16 AOL, Inc. Secure data exchange between data processing systems
US7089585B1 (en) * 2000-08-29 2006-08-08 Microsoft Corporation Method and system for authorizing a client computer to access a server computer
US20100017859A1 (en) * 2003-12-23 2010-01-21 Wells Fargo Bank, N.A. Authentication system for networked computer applications
US20080148183A1 (en) * 2006-12-18 2008-06-19 Michael Danninger Method and system for providing themes for software applications
US20080301468A1 (en) * 2007-05-29 2008-12-04 Masana Murase Cryptographic Secure Program Overlays
US20090007250A1 (en) * 2007-06-27 2009-01-01 Microsoft Corporation Client authentication distributor
US20110154465A1 (en) * 2009-12-18 2011-06-23 Microsoft Corporation Techniques for accessing desktop applications using federated identity
US20110153853A1 (en) * 2009-12-18 2011-06-23 Microsoft Corporation Remote application presentation over a public network connection
US20120050455A1 (en) * 2010-04-07 2012-03-01 Justin Santamaria Supporting hands-free services via a hands-free device for ip video calls
US20120102549A1 (en) * 2010-10-06 2012-04-26 Citrix Systems, Inc. Mediating resource access based on a physical location of a mobile device
US20120089980A1 (en) * 2010-10-12 2012-04-12 Richard Sharp Allocating virtual machines according to user-specific virtual machine metrics
US20120226749A1 (en) * 2011-03-04 2012-09-06 Scott Dale Cross social network data aggregation
US20120330875A1 (en) * 2011-06-24 2012-12-27 Angele Juergen Structure index
US20130006878A1 (en) * 2011-06-30 2013-01-03 International Business Machines Corporation Nanostructure tracking of product data signatures

Cited By (59)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9864600B2 (en) 2008-08-07 2018-01-09 Code Systems Corporation Method and system for virtualization of software applications
US9779111B2 (en) 2008-08-07 2017-10-03 Code Systems Corporation Method and system for configuration of virtualized software applications
US9207934B2 (en) 2008-08-07 2015-12-08 Code Systems Corporation Method and system for virtualization of software applications
US9773017B2 (en) 2010-01-11 2017-09-26 Code Systems Corporation Method of configuring a virtual application
US10409627B2 (en) 2010-01-27 2019-09-10 Code Systems Corporation System for downloading and executing virtualized application files identified by unique file identifiers
US9104517B2 (en) 2010-01-27 2015-08-11 Code Systems Corporation System for downloading and executing a virtual application
US9749393B2 (en) 2010-01-27 2017-08-29 Code Systems Corporation System for downloading and executing a virtual application
US9229748B2 (en) 2010-01-29 2016-01-05 Code Systems Corporation Method and system for improving startup performance and interoperability of a virtual application
US11321148B2 (en) 2010-01-29 2022-05-03 Code Systems Corporation Method and system for improving startup performance and interoperability of a virtual application
US11196805B2 (en) 2010-01-29 2021-12-07 Code Systems Corporation Method and system for permutation encoding of digital data
US9569286B2 (en) 2010-01-29 2017-02-14 Code Systems Corporation Method and system for improving startup performance and interoperability of a virtual application
US10402239B2 (en) 2010-04-17 2019-09-03 Code Systems Corporation Method of hosting a first application in a second application
US9208004B2 (en) 2010-04-17 2015-12-08 Code Systems Corporation Method of hosting a first application in a second application
US9626237B2 (en) 2010-04-17 2017-04-18 Code Systems Corporation Method of hosting a first application in a second application
US9639387B2 (en) 2010-07-02 2017-05-02 Code Systems Corporation Method and system for prediction of software data consumption patterns
US9218359B2 (en) 2010-07-02 2015-12-22 Code Systems Corporation Method and system for profiling virtual application resource utilization patterns by executing virtualized application
US9208169B2 (en) 2010-07-02 2015-12-08 Code Systems Corportation Method and system for building a streaming model
US9251167B2 (en) 2010-07-02 2016-02-02 Code Systems Corporation Method and system for prediction of software data consumption patterns
US10158707B2 (en) 2010-07-02 2018-12-18 Code Systems Corporation Method and system for profiling file access by an executing virtual application
US10114855B2 (en) 2010-07-02 2018-10-30 Code Systems Corporation Method and system for building and distributing application profiles via the internet
US10108660B2 (en) 2010-07-02 2018-10-23 Code Systems Corporation Method and system for building a streaming model
US9483296B2 (en) 2010-07-02 2016-11-01 Code Systems Corporation Method and system for building and distributing application profiles via the internet
US9984113B2 (en) 2010-07-02 2018-05-29 Code Systems Corporation Method and system for building a streaming model
US10110663B2 (en) 2010-10-18 2018-10-23 Code Systems Corporation Method and system for publishing virtual applications to a web server
US9209976B2 (en) 2010-10-29 2015-12-08 Code Systems Corporation Method and system for restricting execution of virtual applications to a managed process environment
US9747425B2 (en) 2010-10-29 2017-08-29 Code Systems Corporation Method and system for restricting execution of virtual application to a managed process environment
US9106425B2 (en) * 2010-10-29 2015-08-11 Code Systems Corporation Method and system for restricting execution of virtual applications to a managed process environment
US20130086386A1 (en) * 2010-10-29 2013-04-04 Code Systems Corporation Method and system for restricting execution of virtual applications to a managed process environment
US9191389B2 (en) * 2012-01-19 2015-11-17 Sap Se Access control of remote communication interfaces based on system-specific keys
US20140137213A1 (en) * 2012-01-19 2014-05-15 Masoud Aghadavoodi Jolfaei Access control of remote communication interfaces based on system-specific keys
US8898314B2 (en) * 2012-03-21 2014-11-25 Verizon Patent And Licensing Inc. Direct communication between applications in a cloud computing environment
US20130254411A1 (en) * 2012-03-21 2013-09-26 Verizon Patent And Licensing Inc. Direct communication between applications in a cloud computing environment
US20150143485A1 (en) * 2012-05-29 2015-05-21 Mineyuki TAMURA Cloud security management system
US20140244818A1 (en) * 2013-02-28 2014-08-28 Microsoft Corporation Restlike api that supports a resilient and scalable distributed application
US9838375B2 (en) * 2013-02-28 2017-12-05 Microsoft Technology Licensing, Llc RESTlike API that supports a resilient and scalable distributed application
US10044682B2 (en) * 2013-05-28 2018-08-07 Orange Technique for distributing a piece of content in a content distribution network
US20160112380A1 (en) * 2013-05-28 2016-04-21 Orange Technique for distributing a piece of content in a content distribution network
US20160099915A1 (en) * 2014-10-07 2016-04-07 Microsoft Corporation Security context management in multi-tenant environments
US9967319B2 (en) * 2014-10-07 2018-05-08 Microsoft Technology Licensing, Llc Security context management in multi-tenant environments
WO2016082756A1 (en) * 2014-11-25 2016-06-02 Hangzhou H3C Technologies Co., Ltd. Application access authority control
CN105704094A (en) * 2014-11-25 2016-06-22 杭州华三通信技术有限公司 Application access authority control method and device
US10127375B2 (en) * 2015-03-07 2018-11-13 Protegrity Corporation Enforcing trusted application settings for shared code libraries
US10853473B2 (en) 2015-03-07 2020-12-01 Protegrity Corporation Enforcing trusted application settings for shared code libraries
US11537704B2 (en) 2015-03-07 2022-12-27 Protegrity Corporation Enforcing trusted application settings for shared code libraries
US11960590B2 (en) 2015-03-07 2024-04-16 Protegrity Corporation Enforcing trusted application settings for shared code libraries
US10992660B2 (en) * 2015-06-24 2021-04-27 Amazon Technologies, Inc. Authentication and authorization of a privilege-constrained application
US10102239B2 (en) 2015-07-13 2018-10-16 Sap Se Application event bridge
US10482231B1 (en) * 2015-09-22 2019-11-19 Amazon Technologies, Inc. Context-based access controls
US10432704B2 (en) 2016-03-23 2019-10-01 Sap Se Translation of messages using sensor-specific and unified protocols
US10652338B2 (en) 2017-06-19 2020-05-12 Sap Se Event processing in background services
US10931673B2 (en) * 2017-09-19 2021-02-23 Amazon Technologies, Inc. Policy activation for client applications
US20190089705A1 (en) * 2017-09-19 2019-03-21 Amazon Technologies, Inc. Policy activation for client applications
CN108052803A (en) * 2018-01-02 2018-05-18 联想(北京)有限公司 A kind of access control method, device and electronic equipment
US10425292B1 (en) * 2018-10-17 2019-09-24 Servicenow, Inc. Functional discovery and mapping of serverless resources
US11611489B2 (en) 2018-10-17 2023-03-21 Servicenow, Inc. Functional discovery and mapping of serverless resources
US11140169B1 (en) * 2018-10-31 2021-10-05 Workday, Inc. Cloud platform access system
US20210409415A1 (en) * 2018-10-31 2021-12-30 Workday, Inc. Cloud platform access system
US11658980B2 (en) * 2018-10-31 2023-05-23 Workday, Inc. Cloud platform access system
CN114006705A (en) * 2021-12-28 2022-02-01 深圳市名竹科技有限公司 Digital signature processing method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
US20140137213A1 (en) 2014-05-15
US9191389B2 (en) 2015-11-17

Similar Documents

Publication Publication Date Title
US9191389B2 (en) Access control of remote communication interfaces based on system-specific keys
US10939295B1 (en) Secure mobile initiated authentications to web-services
US11963006B2 (en) Secure mobile initiated authentication
US11899820B2 (en) Secure identity and profiling system
US11520912B2 (en) Methods, media, apparatuses and computing devices of user data authorization based on blockchain
US20230291571A1 (en) Dynamic management and implementation of consent and permissioning protocols using container-based applications
US11063925B1 (en) Client registration for authorization
US10162982B2 (en) End user control of personal data in the cloud
US20190158482A1 (en) Token based network service among iot applications
US8788819B2 (en) System and method for a cloud-based electronic communication vault
US9306922B2 (en) System and method for common on-behalf authorization protocol infrastructure
US20220360446A1 (en) Dynamic implementation and management of hash-based consent and permissioning protocols
US20220303258A1 (en) Computer-implemented system and method
WO2021127577A1 (en) Secure mobile initiated authentications to web-services
US20190386968A1 (en) Method to securely broker trusted distributed task contracts
JP7223067B2 (en) Methods, apparatus, electronics, computer readable storage media and computer programs for processing user requests
CN112541828B (en) System, method, device, processor and storage medium for realizing open securities management and open securities API access control
Park et al. Secure device control scheme with blockchain in a smart home
Veeresh et al. Data Privacy in Cloud Computing, An Implementation by Django, A Python-Based Free and Open-Source Web Framework
CN117422416A (en) Block chain-based business handling method, device, equipment, medium and product
CN115051801A (en) Access permission state determination system, method, electronic device and storage medium
CN114697114A (en) Data processing method, device, electronic equipment and medium
Al Hamadi Secure Multi-Agent System for Location Based Services

Legal Events

Date Code Title Description
AS Assignment

Owner name: SAP AG, GERMANY

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JOLFAEI, MASOUD AGHADAVOODI;REEL/FRAME:030131/0926

Effective date: 20120110

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION