US20060095779A9 - Uniform resource locator access management and control system and method - Google Patents

Uniform resource locator access management and control system and method Download PDF

Info

Publication number
US20060095779A9
US20060095779A9 US10/127,898 US12789802A US2006095779A9 US 20060095779 A9 US20060095779 A9 US 20060095779A9 US 12789802 A US12789802 A US 12789802A US 2006095779 A9 US2006095779 A9 US 2006095779A9
Authority
US
United States
Prior art keywords
access
user
url
server
list
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US10/127,898
Other versions
US7243369B2 (en
US20030200442A1 (en
Inventor
Shivaram Bhat
James Nelson
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Oracle America Inc
Original Assignee
Sun Microsystems Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Sun Microsystems Inc filed Critical Sun Microsystems Inc
Priority to US10/127,898 priority Critical patent/US7243369B2/en
Assigned to SUN MICROSYSTEMS, INC. reassignment SUN MICROSYSTEMS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: NELSON, JAMES F., BHAT, SHIVARAM
Publication of US20030200442A1 publication Critical patent/US20030200442A1/en
Assigned to SUN MICROSYSTEMS, INC. reassignment SUN MICROSYSTEMS, INC. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: NELSON, JAMES F.
Publication of US20060095779A9 publication Critical patent/US20060095779A9/en
Application granted granted Critical
Publication of US7243369B2 publication Critical patent/US7243369B2/en
Assigned to Oracle America, Inc. reassignment Oracle America, Inc. MERGER AND CHANGE OF NAME (SEE DOCUMENT FOR DETAILS). Assignors: Oracle America, Inc., ORACLE USA, INC., SUN MICROSYSTEMS, INC.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102Entity profiles
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Definitions

  • the present claimed invention relates generally to the field of Internet and enterprise server systems. More particularly, the present claimed invention relates to access requests in an enterprise server environment
  • the Internet has become the dominant vehicle for data communications with a vast collection of computing resources, interconnected as a network from sites around the world. And with the growth of Internet usage has come a corresponding growth in the usage of Internet devices, wireless devices and services in ways different from the traditional uses of such devices.
  • Directory-enabled applications now power many important processes of an enterprise, including resource planning, value chain-management, security and firewalls, and resource provision. Directory services also play a key role in the deployment of e-business and extranet applications.
  • LDAP Lightweight Directory Access Protocol
  • On-line directories that support the LDAP have become critical components of e-business infrastructure, supporting identity and risk management in several important roles. They provide a dynamic and flexible means of storing information and retrieving it over the Internet LDAP directories can also be configured to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols for authenticated communications. As protected repositories of personal information, LDAP directories are also a key component for the personalized delivery of services to users of the directory and personalized treatment of information contained in the directory.
  • SSL Secure Sockets Layer
  • TLS Transport Layer Security
  • an LDAP directory is a specialized database that is read or searched far more often than it is written to, with a flexible mechanism for ongoing changes in the types of information that can be stored.
  • directories exist in a multitude of applications ranging from operating system management systems, PBX's badge security systems, and HR systems to email and database applications.
  • the cost of implementing and administrating these disparate proprietary directories is great because each one must be managed independently which results in enormous administrative burdens and costs to already strained IT budgets.
  • LDAP complaint systems leverage a single, master directory that owns all user access control information.
  • This directory server becomes the central repository for group and single access control information to all applications on the network.
  • the business value of a unified directory is compelling. Unified directories eliminate redundancy which lowers management costs. In addition, unified directories ensure that applications can run within and outside of an organization so that partners, customers and vendors may participate in network applications where appropriate.
  • Policy and user management leverages the directory as central policy repositories that allows a variety of servers and applications to share a consistent set of policies and user databases.
  • Each application that a user may be trying to access may check whether the user is authenticated and, if authenticated, whether the user can access the requested resource. From a security perspective, the fact that a user can access an application even if the user is not authenticated or authorized may not be acceptable.
  • FIG. 1 is a block diagram illustration of a enterprise server environment
  • the enterprise server environment depicted in FIG. 1 comprises a directory server 110 , or the like, and applications 120 - 150 .
  • a user can directly access each of applications 120 - 150 .
  • Access to each of applications 120 - 150 is subject to the user being authenticated by each individual application.
  • the user In the environment depicted in FIG. 1 , for the user to access protected resources or services, the user must authenticate. If the user authenticates successfully and if the user is authorized to access the resources, the user is given access to the resource.
  • Each application the user is trying to access may check whether the user is authenticated and if authenticated, whether the user can access the requested resource. From a security point of view, the fact that the user can access an application even if the user is not authenticated or authorized may not be acceptable.
  • the user should not access an application or a resource if the user is not authenticated or authorized to use that resource or application.
  • prior art systems of authentication do not provide a convenient way of authenticating and authorizing user access to protected network resources and applications. Also, the prior art does not also provide a convenient way of tracking user authentication and authorization without having to consistently interrupt the user for authenticated credentials for each application accessed.
  • an Internet infrastructure system that has extensibility capabilities to allow access authentication and authorization to web-based resources and services in a business enterprise environment.
  • a need further exists for an improved and less costly device independent system, which improves efficiency and provides access to web-based content to various users of different configurations without losing the embedded features designed for these devices.
  • the URL access control system includes an authentication service system that authenticates user access requests.
  • the user access request is typically directed to protected web-based software applications and services which may be specific to an organization or an entity.
  • the authentication service system includes a user agent policy system that sets user access policies for the protected applications in the directory server.
  • the agent policy requisition and order management module helps organizations streamline the requisitions process in the organization.
  • the present invention further includes a session service that monitors a user's session after the user has been authenticated to access particular files or directories in the enterprise server.
  • the session service enables the present invention to bypass user re-authentication after the user has been initially authenticated and validated.
  • Embodiments of the present invention are directed to a system and a method for accepting user access requests to pre-defined files and applications specific to the particular user and authenticating the user's request to these applications.
  • embodiments of the present invention vary the degree of authenticating a user and granting a user access to URL files and directories over the Internet to an organization's web-based applications and resources.
  • Embodiments of the present invention include a Uniform Resource Locator access module that is implemented as part of a server module in an enterprise server environment
  • the URL access module contains a list of URLs that a user can access upon authentication and authorization by the server.
  • the lists may include an allow access list which includes a list of URLs that a user may access.
  • the list may further include a deny access list that contains a list of URLs that a user may not access in the server.
  • the URL list includes a list of not enforced URLs that define the URLs that are not subject to an access policy enforcement of the server.
  • Embodiments of the present invention also include an authentication service module.
  • the authentication service module provides processes for the user to authenticate to the server.
  • the user may authenticate to the server by several methods that may include user authentication credentials such as user name, user password, user organization, etc.
  • Embodiments of the present invention further include a profile service module that is used to retrieve and track the user profile of a user access to URLs in the server.
  • Embodiments of the present invention also include a URL access service that uses an extensible markup language (XML) over a hypertext transport protocol (HTTP) interface of the authentication service and profile services, respectively, to validate a user's request.
  • the URL access service validates a user's credentials to enforce the user's URL access policy to protected resources and applications in the web-based applications and resources.
  • embodiments also provide a software implemented process based on URL access service using the server's XML interface to validate user requests to a particular URL.
  • each user request to a server is intercepted by the URL access service to determine whether to grant access to a required URL or not
  • Embodiments of the present invention may include cookie technology as part of the request URLs.
  • the URL request is presented to a session service in the server to validate the user's credentials. If the user's credentials are valid, the request proceeds further to the URL access enforcement logic to be processed.
  • Embodiments of the present invention further include URL enforcement logic.
  • the URL enforcement logic provides the server with the ability to process valid URL user requests. If a user's request has valid user credentials, the request proceeds further for URL access enforcement after the user has been authenticated. If the credentials are not valid, the user is requested to authenticate to the server.
  • Embodiments of the present invention further include logic to authenticate and authorize users access to a URL. This is achieved by sending a URL request to the profile service to retrieve a user's URL access policy that is subsequently used to determine which URL list the user may access.
  • Embodiments of the present invention include caching logic of the URL access service for caching the user's credentials and the user's URL access policy.
  • the present invention updates the cache when credentials change or become invalid or when the access policy changes.
  • Embodiments of the present invention also include fail-over logic.
  • the fail-over logic enables the URL policy enforcement service to configure a secondary server independent of the primary server when the primary server fails in order to ensure the continuity of a user's access to the particular URL list
  • embodiments of the present invention may comprise a list of fail-over servers the URL policy service will use upon failure of one or more of the servers.
  • Embodiments of the invention also include a token identification system and method that uniquely identifies an authenticated user to specific applications within the applications environment
  • the token identification mechanism sets a unique identifier for each URL user request after the user's request to particular applications in the directory server is authenticated and validated.
  • the unique identifier allows the present invention to track the user's session activities within specific applications.
  • These applications have pre-defined rights and privileges that may be set to determine which users, entities, and sub-applications may have access to a particular application.
  • FIG. 1 is a block diagram of the Internet infrastructure environment of the prior art
  • FIG. 2 is a block diagram of one embodiment of the Internet infrastructure of the present invention.
  • FIG. 3 is a block diagram of one embodiment of the enterprise server system of the present invention.
  • FIG. 4 is a block diagram of an embodiment of the architecture of the applications and resource access authentication system of the present invention.
  • FIG. 5 is a block diagram of one embodiment of the URL access service module of FIG. 3 ;
  • FIG. 6 is a block diagram of an exemplary process flow implementation of a uniform resource locator access control processes of an embodiment of the present invention.
  • Embodiments of the present invention are directed to a system, an architecture, subsystem and method to manage and control access to a uniform resource locator (URL) resources and applications in a network environment in a way superior to the prior art.
  • a URL enforcement system in an enterprise server system provides user access to resources and applications stored in a server connected to the Internet.
  • an enterprise server system may include a directory server, an Internet web server, or the like.
  • an aspect of the invention encompasses providing a uniform resource locator access enforcement system which provides access to a wide range of applications and other services to online users who may connect to an enterprise server system.
  • FIG. 2 is a block diagram illustration of an enterprise server system environment
  • the enterprise server system environment depicted in FIG. 2 comprises a server 210 and applications 220 - 250 .
  • a user can directly access each of applications 220 - 250 .
  • Access to URLs in each of applications 220 - 250 is subject to the user being authenticated by each individual application.
  • a user's URL request to applications 220 - 250 is centrally handled by a URL access service of the present invention in server 210 .
  • FIG. 3 is a block diagram depiction of one embodiment of the server system of the present invention.
  • the server system shown in FIG. 3 may be a directory server, an Internet webserver, or the like.
  • server 210 comprises login module 300 , URL access service module 310 , authentication module 320 , session module 330 and profile module 340 .
  • the URL access service module 310 provides the Uniform Resource Locator access control and management of the present invention.
  • the URL access service module 310 provides the server 210 ( FIG. 2 ) with the logic and option to protect Internet software applications and services from unauthorized authenticated users of these applications.
  • the URL access service module 310 of FIG. 3 further provides the server 210 with the access implementation logic to selectively allow access to specified applications (URL) and services within enterprise organizations. By selectively allowing only authorized and authenticated users access to particular files within an organization's file database, the URL access service module 310 ensures that corporate enterprise resources are efficiently and effectively utilized.
  • URL specified applications
  • the authentication module 320 along with URL access service module 310 and session module 330 provide authenticated users of the server 210 with continuous and uninterrupted use of resources and applications available on the server without having to authenticate into each application the user attempts to access.
  • the login module 300 provides login services to the server 210 .
  • Login module 300 includes logic to provide a single-sign-on (SSO) login services to users attempting to access software applications and services on directory server 210 .
  • SSO single-sign-on
  • the function of the single-sign-on services of the authentication module 320 is described in further detail in the co-pending U.S. patent application entitled “WEB-BASED APPLICATIONS SINGLE SIGN ON ACCESS SYSTEM AND METHOD”, filed, Ser. No.______, Attorney Docket No.: SUNP6855/ACM/DKA, which is hereby incorporated by reference herein.
  • URL access service module 310 controls user access to URLs in the server 210 .
  • the URL access service module 310 includes logic that determines which URLs a user may or may not access.
  • the URL access service 310 further includes a list of URLs that specifies which URLs may be retrieved in response to a user's URL access request.
  • Each user request to the server 210 is intercepted by the URL access service 310 using the mechanism provided by the server 210 serving the URL resource. If there is no user credentials in the user's request, URL access service 310 automatically forces the user to authenticate with authentication module 320 at that time. If the user request has user's credentials, for example, in the form of a cookie or as part of the URL request, the request is presented to the session module 330 to validate the user's credentials. If the user's credentials are valid, the request proceeds further for URL access enforcement. If the credentials are invalid, the user is requested to re-authenticate.
  • the session module 330 provides session tracking mechanism to enable the authentication logic of the present invention to track a user's login session to the server 210 .
  • the URL access service module 310 uses the session module 330 to automatically authenticate the user's access to subsequent applications, after the initial login without having to manually re-login.
  • the profile module 340 provides user profile information to the authentication module 320 .
  • the profile module 340 provides an XML over http(s) interface for obtaining user, service and policy information.
  • a user's profile information typically includes the user-name, the user's password, the user's entity within a particular organization.
  • the profile information further defines the user's application access rights which determines or sets forth user's rights to files and directory within applications and resources in the server 210 .
  • the profile module 340 is ideally suitable for policy enforcement agents.
  • FIG. 4 is a block diagram illustration of an internal architecture of one embodiment of the authentication module 320 of the present invention.
  • the authentication module 320 comprise client interface module 400 , authentication interface module 410 , authentication service module 420 and authentication framework module 430 .
  • the client interface module 400 provides a plurality of client interfaces.
  • the first of these is an interface to the authentication service 320 to provide an HTML interface, and the other is in the form of a Java interface that provides Java interfaces.
  • the client interfaces both use the same underlying authentication framework and authentication modules.
  • the authentication services module 420 is provided as a service within a servlet container using Java Servlet in one embodiment.
  • the authentication service module 420 can be deployed in a web server and an applications server that support a servlet container.
  • the client interface module 400 provided by the authentication service module 420 is HTML over HTTP(s), which makes it convenient to use with a web browser. Since most Internet service providers provide Internet solutions via a web browser, using the client interface 400 provides a user with one means of utilizing the teachings of the present invention.
  • the authentication service module 420 (which is implemented as a URL) is a login page for an organization or a service, or users are re-directed to the authentication service URL when users access a resource that is protected.
  • the authentication service module 420 guides the user through a series of one or more screens for credentials gathering (like user name, password, employee number, etc.), based on the requirements of the authentication modules that are configured.
  • the required credentials may be user name and password and may be obtained in one screen.
  • more login screens would be required.
  • the authentication service module 420 relies on the authentication framework module 430 to determine if the user has been successfully authenticated. If the authentication is successful, the user is re-directed to an organizations or a service home page (URL) if the user is authorized access to that particular URL. If the authentication process fails, the user is re-directed to an error page (URL). Both of the re-direction of URLs are configurable by the system administrator.
  • the user is issued an encrypted login token identity using the cookie or URL-rewriting mechanism provided by HTTP in one embodiment.
  • the login token is used to access different applications without having to re-authenticate.
  • the authentication framework module 430 couples the client interface module 400 to the authentication service module 420 .
  • the authentication framework module 430 provides the configuration of authentication modules in the authentication service module 420 based on an organization or a user.
  • the authentication framework module 430 further provides a mechanism to chain a variety of pluggable authentication modules in authentication service module 420 .
  • FIG. 5 is block diagram depiction of one embodiment of the URL access service 310 of the present invention.
  • the URL access service 310 comprise policy agent 500 , Token identification (Token-id) 510 , Cache 520 , URL access list 530 , configuration module 535 , URL access authorization 540 and URL policy enforcement 550 .
  • Token-id Token identification
  • the policy agent 500 provides the URL access service 310 with a way to prevent unauthenticated and unauthorized access to web resources.
  • the policy agent 500 further provides a way to verify user credentials before user requests are presented to a requested resource or service.
  • the policy agent 500 includes custom functions that are executed to verify user credential via URLs.
  • the policy agent 500 intercepts each user request received by the server 210 . Primarily, the policy agent 500 performs two functions: validate a user's sign-on and enforce a user's URL policy.
  • the policy agent 500 includes controls which can intercept every request the server 210 receives before the requested is serviced by the server 210 .
  • policy agent 500 includes one or more pluggable policy agent modules.
  • Token-id 510 of FIG. 5 is coupled to provide a set of user specific unique identifiers that are contained in each user request to the server 210 .
  • Token-id 510 is unique for a user on a given server and it enables the policy agent 500 to use the unique identifiers to set the authentication parameters of each user request.
  • the Token-id 510 also includes information that indicates whether a user's request is subject to URL policy enforcement or not
  • each user's request to the server 210 contains a user identification token. This token is set by the server 210 once the user successfully authenticates. The token is unique for a user on any given server.
  • the policy agent 500 intercepts a request, it looks for the token. The policy agent 500 then uses the server 210 service to verify if the token represents an authenticated user. If the user is authenticated, the request is subjected to the user's URL policy enforcement. If there is no user identification token in the user's request, the user is redirected to the authentication page.
  • Cache module 520 is utilized by the URL access service 310 to store both a user's credentials and a user's URL access policy.
  • the Cache 520 is updated when the user's credentials change or become invalid or when the access policy changes.
  • the URL access service 310 registers with Session module 330 for update notifications from the server 210 .
  • the session service 330 sends a notification to the URL access service 310 to update the Cache 520 .
  • the URL access service 310 registers with the profile module 340 to receive URL policy change notifications.
  • the URL access service 310 receives a notification to update the Cache 520 for that particular user.
  • the configuration module 535 allows the URL access service logic 310 to be configured to log all URL accesses, only URL allow accesses, only URL deny accesses and only URL not enforced accesses respectively or a combination of these.
  • the log files can be used to gather statistics about page visits per user, total number of page visits by all users, all page visits, etc.
  • the URL logging can also be configured to find each user's total authenticated time during that session.
  • the configuration module can also be configured to allow a set of URLs that are allowed for all users of the server 210 irrespective of the organization, role of the user and irrespective of the user's URL policy.
  • the URL access authorization module 540 provides the URL access service 310 the logic to authorize access to a particular URL after a user's credentials are validated.
  • the URL access authorization module 540 receives a user request, the URL access service 310 sends the request to the profile module 340 to retrieve the user's URL access policy.
  • the response from the profile module 340 is compared with the user's request contents to determine the set of access rights the user may have via the URL policy enforcement logic 550 .
  • policy enforcement module 550 is coupled to implement URL access policies in the authentication service module of the present invention. Once a user's identification is verified, the policy agent 500 checks if the user is allowed to access the resource that is in the form of a URL.
  • Each user is given certain URL access policy.
  • the user's URL policy contains three attribute value pairs which are stored in URL access list 530 . These attributes are inherited by the policy agents 500 . These attributes can be application specific, organization specific and modifiable for an entity in an organization's hierarchy.
  • the attributes that may be specified by the policy agent 500 may include an “access allow” list, an “access deny” list and an “access not enforced” list
  • the access allow list is a list of all the URLs that an authenticated user is allowed to access.
  • the access deny list is the list of all URLs that an authenticated user is not allowed to access.
  • the access not enforced list is the list of all URLs that are not subjected to URL policy enforcement. However, the user still requires authentication in order to access this list.
  • the policy enforcement module 550 may implement a wildcard entry mechanism which allows access to all the application resources and services residing on server 210 .
  • the AccessAllowList may contain the following value: http://www.companyname.com/*,/directroyserverServices/*/AccessAll
  • the deny list may also contain a similar wild card value such as: http://www.companyname.com/internal/*,/HiddenServices/*/DenyAll
  • the not enforced list may contain the wild card value of: http://www.companyname/logn,/logouy,/images/*
  • the URL policy enforcement 550 also provides fail over capabilities to the URL access service logic 310 .
  • the server can be configured to go over to a fail-over second server that may be independent of the first server to complete the URL access.
  • the data between the two servers is the same in order to give similar results to the URL access service 310 . Having the fail-over capabilities ensures that the URL access service is always available.
  • FIG. 6 represents a flow diagram depiction of an exemplary process flow in accordance with one embodiment of the URL access processing of the present invention. The steps performed by the diagram of FIG. 6 is performed by a computer system processor executing memory stored instructions which make up a program or an application.
  • the processing of a user's URL access request is initiated at step 600 when a user's URL request is presented to the URL access service 310 .
  • the user is authenticated via the authentication service 330 .
  • the user's request is intercepted by the URL access service 310 at step 620 to check the credentials of the user.
  • the URL access service 310 forces the user to authenticate at step 610 . Further, if the user's credentials are invalid, the URL access service 310 forces the user to again authenticate at step 610 . Also, if the user's request has credentials in the form of a cookie or is part of the request URL, a request is sent to the session service 330 to validate the user's credentials.
  • step 640 the URL request proceeds further for URL access enforcement.
  • the URL access service 310 determines whether the user is authorized to access the URL request.
  • the URL access service 310 sends the URL request to the profile service 340 when it determines that the user's credentials are valid and the user is authorized to access the URL list
  • the profile service retrieves a corresponding URL access policy to match the user's request.
  • the user's URL request is compared with the contents of the URL list to determine which list the user can access.
  • the URL access service 310 determines whether the user's request matches the “not enforced access list” or the “access allow list” respectively. If the user's URL request matches either of the two lists, the user's request is processed at step 680 .
  • the user's URL request does not match either the access allow list or the access not enforced list, the user's URL request is denied and processing terminates at step 695 .

Abstract

In an enterprise server environment having a uniform resource locator (URL) access management and control system. The server includes a user authentication logic to authenticate users attempting to connect to the server to access URL file and directories residing in the server. In one embodiment of the present invention, the user is provided with an identification token and a user URL access policy which allows the user's credentials to be validated and permitted access to a list of URLs in the directory server. In one embodiment of the present invention, a URL access enforcement logic uses the user's URL access policy to determine which URLs in the directory server a user may or may not access. The user's URL access policy may include an access deny or an access allow value which respectively denies or allows the user access to particular URL.

Description

    CROSS REFERENCE TO RELATED APPLICATION
  • This is related to Shivaram Bhat et al., co-filed U.S. patent application Ser. No., filed on ______, titled “WEB-BASED APPLICATIONS SINGLE SIGN ON SYSTEM AND METHOD”, attorney docket No.: SUN/P6855/ACM/DKA. To the extent not repeated herein, the contents of this patent application are incorporated herein by reference.
  • FIELD OF THE INVENTION
  • The present claimed invention relates generally to the field of Internet and enterprise server systems. More particularly, the present claimed invention relates to access requests in an enterprise server environment
  • BACKGROUND ART
  • The Internet has become the dominant vehicle for data communications with a vast collection of computing resources, interconnected as a network from sites around the world. And with the growth of Internet usage has come a corresponding growth in the usage of Internet devices, wireless devices and services in ways different from the traditional uses of such devices.
  • The growing base of Internet users has become accustomed to readily accessing Internet-based services, which traditionally were restricted or limited to the “client/server” environment, at any time from any location. Accessibility of traditional business services and products over the Internet means enterprises need to adjust to new paradigms of transacting business.
  • Consequently, some organizations are, for example, implementing a variety of web-based business resources and services. As businesses migrate to implementing numerous business applications on the Internet, and web-based applications become pervasive in the enterprise business environment, businesses must find ways to protect their valuable resources and services over the Internet
  • To achieve this, some businesses implement several access authentication schemes in order to ascertain valid user access to protected resources in a corporate computer server. To access protected resources or services, users within a typical business enterprise environment must authenticate themselves to access web-based resources.
  • In this way, business organizations are making a transition from unsophisticated network infrastructure to an ”intelligent” network infrastructure. Additionally, directory services are becoming an essential part of today's network-centric computing infrastructure. In making such a transition, efficient management of services and resources offered by such intelligent networks becomes critical. Today, managing organizations' mission critical applications for users and policies is a time-consuming individual configuration process that is unsuitable for enterprises and service providers seeking to create intelligent networks.
  • User management and policy based tools for managing services are becoming an important requisite for intelligent networks which must be capable of dynamically providing services. Furthermore, as businesses extend their intranet services to extranets to include suppliers, business partners, and customers providing access control increases in size and complexity. Organizations responding to the rapidly changing conditions of today's business environments, need to simplify and automate the configuration and control of access to their services.
  • Directory-enabled applications now power many important processes of an enterprise, including resource planning, value chain-management, security and firewalls, and resource provision. Directory services also play a key role in the deployment of e-business and extranet applications.
  • One of the drivers behind the widespread market adoption of directory services is the momentum of the open Lightweight Directory Access Protocol (LDAP) standard, which provides a common language for applications and servers regardless of the underlying operating environment As organizations learn to move with more financial, organizational and competitive agility in the market place, decisions about directory services infrastructure have a direct effect on business processes and the bottom line.
  • On-line directories that support the LDAP have become critical components of e-business infrastructure, supporting identity and risk management in several important roles. They provide a dynamic and flexible means of storing information and retrieving it over the Internet LDAP directories can also be configured to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols for authenticated communications. As protected repositories of personal information, LDAP directories are also a key component for the personalized delivery of services to users of the directory and personalized treatment of information contained in the directory.
  • In general, an LDAP directory is a specialized database that is read or searched far more often than it is written to, with a flexible mechanism for ongoing changes in the types of information that can be stored.
  • Today, directories exist in a multitude of applications ranging from operating system management systems, PBX's badge security systems, and HR systems to email and database applications. The cost of implementing and administrating these disparate proprietary directories is great because each one must be managed independently which results in enormous administrative burdens and costs to already strained IT budgets. However, LDAP complaint systems leverage a single, master directory that owns all user access control information.
  • This directory server becomes the central repository for group and single access control information to all applications on the network. The business value of a unified directory is compelling. Unified directories eliminate redundancy which lowers management costs. In addition, unified directories ensure that applications can run within and outside of an organization so that partners, customers and vendors may participate in network applications where appropriate.
  • Furthermore, policy and management is a step in that direction. Policy and user management leverages the directory as central policy repositories that allows a variety of servers and applications to share a consistent set of policies and user databases.
  • Additionally, organizations need to implement user access authentication and authorization schemes to enable user access to protected corporate resources and services. There are several ways to which users' authentication and access policies can be entered.
  • Each application that a user may be trying to access may check whether the user is authenticated and, if authenticated, whether the user can access the requested resource. From a security perspective, the fact that a user can access an application even if the user is not authenticated or authorized may not be acceptable.
  • FIG. 1 is a block diagram illustration of a enterprise server environment The enterprise server environment depicted in FIG. 1 comprises a directory server 110, or the like, and applications 120-150. In the environment depicted in FIG. 1, a user can directly access each of applications 120-150. Access to each of applications 120-150 is subject to the user being authenticated by each individual application.
  • In the environment depicted in FIG. 1, for the user to access protected resources or services, the user must authenticate. If the user authenticates successfully and if the user is authorized to access the resources, the user is given access to the resource.
  • There are several ways in which the user's authentication and access policies can be enforced. Each application the user is trying to access may check whether the user is authenticated and if authenticated, whether the user can access the requested resource. From a security point of view, the fact that the user can access an application even if the user is not authenticated or authorized may not be acceptable.
  • Ideally, the user should not access an application or a resource if the user is not authenticated or authorized to use that resource or application. In order to prevent an authenticated or unauthorized access to web resources, there should be a way to verify user's credentials before the user's request is sent to the requested resource or is serviced by the web or directory server.
  • However, prior art systems of authentication do not provide a convenient way of authenticating and authorizing user access to protected network resources and applications. Also, the prior art does not also provide a convenient way of tracking user authentication and authorization without having to consistently interrupt the user for authenticated credentials for each application accessed.
  • As the number of business applications on the Internet increases, having an efficient and robust way of controlling user's access to directories and files over the Internet is a requirement to ensure an efficient use of Internet resources and applications within an organization.
  • SUMMARY OF INVENTION
  • Accordingly, to take advantage of the myriad of Internet based applications resources and services being developed, an Internet infrastructure system is needed that has extensibility capabilities to allow access authentication and authorization to web-based resources and services in a business enterprise environment. Further, a need exists for a system and method of tracking user access to network resources and application services in order to provide authentication and authorization to user access requests for users within the business environment. A need further exists for “out-of-the-box” solutions to allow technically unsophisticated end-users to connect to the Internet and access sophisticated web-based applications and resource requests without having to manually authenticate with each application or resource on each access. A need further exists for an improved and less costly device independent system, which improves efficiency and provides access to web-based content to various users of different configurations without losing the embedded features designed for these devices.
  • What is described in one embodiment is a uniform resource locator (URL) access configuration and control system having a Internet server supporting a robust authentication and authorization system. This system provides access to a list of URLs to Internet applications resources and services in a corporate directory server system. In one embodiment of the present invention, the URL access control system includes an authentication service system that authenticates user access requests. The user access request is typically directed to protected web-based software applications and services which may be specific to an organization or an entity.
  • In one embodiment of the present invention, the authentication service system includes a user agent policy system that sets user access policies for the protected applications in the directory server. The agent policy requisition and order management module helps organizations streamline the requisitions process in the organization.
  • The present invention further includes a session service that monitors a user's session after the user has been authenticated to access particular files or directories in the enterprise server. The session service enables the present invention to bypass user re-authentication after the user has been initially authenticated and validated.
  • Embodiments of the present invention are directed to a system and a method for accepting user access requests to pre-defined files and applications specific to the particular user and authenticating the user's request to these applications. In general, embodiments of the present invention vary the degree of authenticating a user and granting a user access to URL files and directories over the Internet to an organization's web-based applications and resources.
  • Embodiments of the present invention include a Uniform Resource Locator access module that is implemented as part of a server module in an enterprise server environment The URL access module contains a list of URLs that a user can access upon authentication and authorization by the server. The lists may include an allow access list which includes a list of URLs that a user may access. The list may further include a deny access list that contains a list of URLs that a user may not access in the server. Additionally, the URL list includes a list of not enforced URLs that define the URLs that are not subject to an access policy enforcement of the server.
  • Embodiments of the present invention also include an authentication service module. The authentication service module provides processes for the user to authenticate to the server. In the present invention, the user may authenticate to the server by several methods that may include user authentication credentials such as user name, user password, user organization, etc.
  • Embodiments of the present invention further include a profile service module that is used to retrieve and track the user profile of a user access to URLs in the server. Embodiments of the present invention also include a URL access service that uses an extensible markup language (XML) over a hypertext transport protocol (HTTP) interface of the authentication service and profile services, respectively, to validate a user's request. The URL access service validates a user's credentials to enforce the user's URL access policy to protected resources and applications in the web-based applications and resources.
  • To achieve the URL access control of the present invention, embodiments also provide a software implemented process based on URL access service using the server's XML interface to validate user requests to a particular URL. In one embodiment of the present invention, each user request to a server is intercepted by the URL access service to determine whether to grant access to a required URL or not Embodiments of the present invention may include cookie technology as part of the request URLs. The URL request is presented to a session service in the server to validate the user's credentials. If the user's credentials are valid, the request proceeds further to the URL access enforcement logic to be processed.
  • Embodiments of the present invention further include URL enforcement logic. The URL enforcement logic provides the server with the ability to process valid URL user requests. If a user's request has valid user credentials, the request proceeds further for URL access enforcement after the user has been authenticated. If the credentials are not valid, the user is requested to authenticate to the server.
  • Embodiments of the present invention further include logic to authenticate and authorize users access to a URL. This is achieved by sending a URL request to the profile service to retrieve a user's URL access policy that is subsequently used to determine which URL list the user may access.
  • Embodiments of the present invention include caching logic of the URL access service for caching the user's credentials and the user's URL access policy. The present invention updates the cache when credentials change or become invalid or when the access policy changes. Embodiments of the present invention also include fail-over logic. The fail-over logic enables the URL policy enforcement service to configure a secondary server independent of the primary server when the primary server fails in order to ensure the continuity of a user's access to the particular URL list Additionally, embodiments of the present invention, may comprise a list of fail-over servers the URL policy service will use upon failure of one or more of the servers.
  • Embodiments of the invention also include a token identification system and method that uniquely identifies an authenticated user to specific applications within the applications environment The token identification mechanism sets a unique identifier for each URL user request after the user's request to particular applications in the directory server is authenticated and validated. The unique identifier allows the present invention to track the user's session activities within specific applications. These applications have pre-defined rights and privileges that may be set to determine which users, entities, and sub-applications may have access to a particular application.
  • These and other objects and advantages of the present invention will no doubt become obvious to those of ordinary skill in the art after having read the following detailed description of the preferred embodiments which are illustrated in the various drawing figures.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The accompanying drawings, which are incorporated in and form a part of this specification, illustrates embodiments of the invention and, together with the description, serve to explain the principles of the invention:
  • FIG. 1 is a block diagram of the Internet infrastructure environment of the prior art;
  • FIG. 2 is a block diagram of one embodiment of the Internet infrastructure of the present invention;
  • FIG. 3 is a block diagram of one embodiment of the enterprise server system of the present invention;
  • FIG. 4 is a block diagram of an embodiment of the architecture of the applications and resource access authentication system of the present invention;
  • FIG. 5 is a block diagram of one embodiment of the URL access service module of FIG. 3; and
  • FIG. 6 is a block diagram of an exemplary process flow implementation of a uniform resource locator access control processes of an embodiment of the present invention.
  • DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • Reference will now be made in detail to the preferred embodiments of the invention, examples of which are illustrated in the accompanying drawings. While the invention will be described in conjunction with the preferred embodiments, it will be understood that they are not intended to limit the invention to these embodiments.
  • On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the invention as defined by the appended Claims. Furthermore, in the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be obvious to one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail as not to unnecessarily obscure aspects of the present invention.
  • Embodiments of the present invention are directed to a system, an architecture, subsystem and method to manage and control access to a uniform resource locator (URL) resources and applications in a network environment in a way superior to the prior art. In accordance with an aspect of the invention, a URL enforcement system in an enterprise server system provides user access to resources and applications stored in a server connected to the Internet. In the present invention, an enterprise server system may include a directory server, an Internet web server, or the like.
  • In the following detailed description of the present invention, a system and method for Internet protocol based resource and applications access control system are described. Numerous specific details are not set forth in order to provide a thorough understanding of the present invention. However, it will be recognized by one skilled in the art that the present invention may be practiced without these specific details or with equivalents thereof.
  • Generally, an aspect of the invention encompasses providing a uniform resource locator access enforcement system which provides access to a wide range of applications and other services to online users who may connect to an enterprise server system.
  • FIG. 2 is a block diagram illustration of an enterprise server system environment The enterprise server system environment depicted in FIG. 2 comprises a server 210 and applications 220-250. In the environment depicted in FIG. 2, a user can directly access each of applications 220-250. Access to URLs in each of applications 220-250 is subject to the user being authenticated by each individual application.
  • In the environment depicted in FIG. 2, for the user to access protected resources or services, the user must authenticate. If the user authenticates successfully and if the user is authorized to access the resources, the user is given access to the resource. In the environment shown in FIG. 2, a user's URL request to applications 220-250 is centrally handled by a URL access service of the present invention in server 210.
  • FIG. 3 is a block diagram depiction of one embodiment of the server system of the present invention. The server system shown in FIG. 3 may be a directory server, an Internet webserver, or the like. In the exemplary directory shown in FIG. 3, server 210 comprises login module 300, URL access service module 310, authentication module 320, session module 330 and profile module 340.
  • The URL access service module 310 provides the Uniform Resource Locator access control and management of the present invention. The URL access service module 310 provides the server 210 (FIG. 2) with the logic and option to protect Internet software applications and services from unauthorized authenticated users of these applications.
  • The URL access service module 310 of FIG. 3 further provides the server 210 with the access implementation logic to selectively allow access to specified applications (URL) and services within enterprise organizations. By selectively allowing only authorized and authenticated users access to particular files within an organization's file database, the URL access service module 310 ensures that corporate enterprise resources are efficiently and effectively utilized.
  • Further, the authentication module 320 along with URL access service module 310 and session module 330 provide authenticated users of the server 210 with continuous and uninterrupted use of resources and applications available on the server without having to authenticate into each application the user attempts to access.
  • The login module 300 provides login services to the server 210. Login module 300 includes logic to provide a single-sign-on (SSO) login services to users attempting to access software applications and services on directory server 210. The function of the single-sign-on services of the authentication module 320 is described in further detail in the co-pending U.S. patent application entitled “WEB-BASED APPLICATIONS SINGLE SIGN ON ACCESS SYSTEM AND METHOD”, filed, Ser. No.______, Attorney Docket No.: SUNP6855/ACM/DKA, which is hereby incorporated by reference herein.
  • Still referring to FIG. 3, URL access service module 310 controls user access to URLs in the server 210. The URL access service module 310 includes logic that determines which URLs a user may or may not access. The URL access service 310 further includes a list of URLs that specifies which URLs may be retrieved in response to a user's URL access request.
  • Each user request to the server 210 is intercepted by the URL access service 310 using the mechanism provided by the server 210 serving the URL resource. If there is no user credentials in the user's request, URL access service 310 automatically forces the user to authenticate with authentication module 320 at that time. If the user request has user's credentials, for example, in the form of a cookie or as part of the URL request, the request is presented to the session module 330 to validate the user's credentials. If the user's credentials are valid, the request proceeds further for URL access enforcement. If the credentials are invalid, the user is requested to re-authenticate.
  • The session module 330 provides session tracking mechanism to enable the authentication logic of the present invention to track a user's login session to the server 210. The URL access service module 310 uses the session module 330 to automatically authenticate the user's access to subsequent applications, after the initial login without having to manually re-login.
  • The profile module 340 provides user profile information to the authentication module 320. The profile module 340 provides an XML over http(s) interface for obtaining user, service and policy information. A user's profile information typically includes the user-name, the user's password, the user's entity within a particular organization.
  • The profile information further defines the user's application access rights which determines or sets forth user's rights to files and directory within applications and resources in the server 210. The profile module 340 is ideally suitable for policy enforcement agents.
  • FIG. 4 is a block diagram illustration of an internal architecture of one embodiment of the authentication module 320 of the present invention. As shown in FIG. 4, the authentication module 320 comprise client interface module 400, authentication interface module 410, authentication service module 420 and authentication framework module 430.
  • The client interface module 400 provides a plurality of client interfaces. The first of these is an interface to the authentication service 320 to provide an HTML interface, and the other is in the form of a Java interface that provides Java interfaces. Although there are two client interfaces, both use the same underlying authentication framework and authentication modules.
  • The authentication services module 420 is provided as a service within a servlet container using Java Servlet in one embodiment. Thus, the authentication service module 420 can be deployed in a web server and an applications server that support a servlet container. The client interface module 400 provided by the authentication service module 420 is HTML over HTTP(s), which makes it convenient to use with a web browser. Since most Internet service providers provide Internet solutions via a web browser, using the client interface 400 provides a user with one means of utilizing the teachings of the present invention.
  • In a typical implementation of the present invention, the authentication service module 420 (which is implemented as a URL) is a login page for an organization or a service, or users are re-directed to the authentication service URL when users access a resource that is protected. The authentication service module 420 guides the user through a series of one or more screens for credentials gathering (like user name, password, employee number, etc.), based on the requirements of the authentication modules that are configured.
  • For simple authentication modules like LDAP and Unix, the required credentials may be user name and password and may be obtained in one screen. However, for complicated challenged-response type authentication algorithms, more login screens would be required.
  • Once the user has provided the required credentials, the authentication service module 420 relies on the authentication framework module 430 to determine if the user has been successfully authenticated. If the authentication is successful, the user is re-directed to an organizations or a service home page (URL) if the user is authorized access to that particular URL. If the authentication process fails, the user is re-directed to an error page (URL). Both of the re-direction of URLs are configurable by the system administrator.
  • Once a user has been authenticated successfully, the user is issued an encrypted login token identity using the cookie or URL-rewriting mechanism provided by HTTP in one embodiment. The login token is used to access different applications without having to re-authenticate.
  • The authentication framework module 430 couples the client interface module 400 to the authentication service module 420. The authentication framework module 430 provides the configuration of authentication modules in the authentication service module 420 based on an organization or a user. The authentication framework module 430 further provides a mechanism to chain a variety of pluggable authentication modules in authentication service module 420.
  • FIG. 5 is block diagram depiction of one embodiment of the URL access service 310 of the present invention. As shown in FIG. 5, the URL access service 310 comprise policy agent 500, Token identification (Token-id) 510, Cache 520, URL access list 530, configuration module 535, URL access authorization 540 and URL policy enforcement 550.
  • The policy agent 500 provides the URL access service 310 with a way to prevent unauthenticated and unauthorized access to web resources. The policy agent 500 further provides a way to verify user credentials before user requests are presented to a requested resource or service. The policy agent 500 includes custom functions that are executed to verify user credential via URLs. The policy agent 500 intercepts each user request received by the server 210. Primarily, the policy agent 500 performs two functions: validate a user's sign-on and enforce a user's URL policy.
  • User access to web resources and services are only granted after the policy agent 500 has completed verification of the user credentials. The policy agent 500 includes controls which can intercept every request the server 210 receives before the requested is serviced by the server 210. In one embodiment of the present invention, policy agent 500 includes one or more pluggable policy agent modules.
  • Token-id 510 of FIG. 5 is coupled to provide a set of user specific unique identifiers that are contained in each user request to the server 210. Token-id 510 is unique for a user on a given server and it enables the policy agent 500 to use the unique identifiers to set the authentication parameters of each user request.
  • The Token-id 510 also includes information that indicates whether a user's request is subject to URL policy enforcement or not In the present invention, once the user is authenticated to the server 210, each user's request to the server 210 contains a user identification token. This token is set by the server 210 once the user successfully authenticates. The token is unique for a user on any given server.
  • Once the policy agent 500 intercepts a request, it looks for the token. The policy agent 500 then uses the server 210 service to verify if the token represents an authenticated user. If the user is authenticated, the request is subjected to the user's URL policy enforcement. If there is no user identification token in the user's request, the user is redirected to the authentication page.
  • Cache module 520 is utilized by the URL access service 310 to store both a user's credentials and a user's URL access policy. The Cache 520 is updated when the user's credentials change or become invalid or when the access policy changes. To update the Cache 520, the URL access service 310 registers with Session module 330 for update notifications from the server 210. When a user's credentials become invalid, the session service 330 sends a notification to the URL access service 310 to update the Cache 520.
  • Similarly, the URL access service 310 registers with the profile module 340 to receive URL policy change notifications. When the user's URL policy changes, the URL access service 310 receives a notification to update the Cache 520 for that particular user.
  • The configuration module 535 allows the URL access service logic 310 to be configured to log all URL accesses, only URL allow accesses, only URL deny accesses and only URL not enforced accesses respectively or a combination of these. The log files can be used to gather statistics about page visits per user, total number of page visits by all users, all page visits, etc. The URL logging can also be configured to find each user's total authenticated time during that session. The configuration module can also be configured to allow a set of URLs that are allowed for all users of the server 210 irrespective of the organization, role of the user and irrespective of the user's URL policy.
  • The URL access authorization module 540 provides the URL access service 310 the logic to authorize access to a particular URL after a user's credentials are validated. When the URL access authorization module 540 receives a user request, the URL access service 310 sends the request to the profile module 340 to retrieve the user's URL access policy. The response from the profile module 340 is compared with the user's request contents to determine the set of access rights the user may have via the URL policy enforcement logic 550.
  • Still referring to FIG. 5, policy enforcement module 550 is coupled to implement URL access policies in the authentication service module of the present invention. Once a user's identification is verified, the policy agent 500 checks if the user is allowed to access the resource that is in the form of a URL.
  • Each user is given certain URL access policy. The user's URL policy contains three attribute value pairs which are stored in URL access list 530. These attributes are inherited by the policy agents 500. These attributes can be application specific, organization specific and modifiable for an entity in an organization's hierarchy.
  • The attributes that may be specified by the policy agent 500 may include an “access allow” list, an “access deny” list and an “access not enforced” list The access allow list is a list of all the URLs that an authenticated user is allowed to access. The access deny list is the list of all URLs that an authenticated user is not allowed to access. And the access not enforced list is the list of all URLs that are not subjected to URL policy enforcement. However, the user still requires authentication in order to access this list.
  • While enforcing the URL access policy, deny privileges takes precedence over allow privileges. An empty deny list will allow only those resources that are allowed by the allow list. An empty allow list will not allow access to any resources except those in the not enforced list. By default, the policy enforcement module 550 may implement a wildcard entry mechanism which allows access to all the application resources and services residing on server 210.
  • For example, the AccessAllowList may contain the following value: http://www.companyname.com/*,/directroyserverServices/*/AccessAll, the deny list may also contain a similar wild card value such as: http://www.companyname.com/internal/*,/HiddenServices/*/DenyAll, and the not enforced list may contain the wild card value of: http://www.companyname/logn,/logouy,/images/*
  • However, since the deny list takes precedence over the allow list, anything in the deny list will not be allowed to be accessed even if the allow list contains the wild card entry. If the URL policy cannot be resolved between the deny list and allow list, the access will not be allowed to that resource.
  • The URL policy enforcement 550 also provides fail over capabilities to the URL access service logic 310. For example, if the URL access service logic 310 is accessing a particular first server for enforcing user authentication and URL access policy and that particular server happens to become inoperative, the server can be configured to go over to a fail-over second server that may be independent of the first server to complete the URL access. The data between the two servers is the same in order to give similar results to the URL access service 310. Having the fail-over capabilities ensures that the URL access service is always available.
  • FIG. 6 represents a flow diagram depiction of an exemplary process flow in accordance with one embodiment of the URL access processing of the present invention. The steps performed by the diagram of FIG. 6 is performed by a computer system processor executing memory stored instructions which make up a program or an application.
  • As shown in FIG. 6, the processing of a user's URL access request is initiated at step 600 when a user's URL request is presented to the URL access service 310. At step 610, the user is authenticated via the authentication service 330. Upon authenticating, the user's request is intercepted by the URL access service 310 at step 620 to check the credentials of the user.
  • At step 630, if the user's request does not include any credentials, the URL access service 310 forces the user to authenticate at step 610. Further, if the user's credentials are invalid, the URL access service 310 forces the user to again authenticate at step 610. Also, if the user's request has credentials in the form of a cookie or is part of the request URL, a request is sent to the session service 330 to validate the user's credentials.
  • If the user's credentials are valid, processing proceeds to step 640 where the URL request proceeds further for URL access enforcement. And the URL access service 310 determines whether the user is authorized to access the URL request.
  • At step 650, the URL access service 310 sends the URL request to the profile service 340 when it determines that the user's credentials are valid and the user is authorized to access the URL list The profile service retrieves a corresponding URL access policy to match the user's request.
  • At step 660, the user's URL request is compared with the contents of the URL list to determine which list the user can access. At step 670, after comparing the contents of the URL list with the user's URL request, the URL access service 310 determines whether the user's request matches the “not enforced access list” or the “access allow list” respectively. If the user's URL request matches either of the two lists, the user's request is processed at step 680.
  • If, on the other hand, the user's URL request does not match either the access allow list or the access not enforced list, the user's URL request is denied and processing terminates at step 695.
  • The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the Claims appended hereto and their equivalents.

Claims (30)

1. A Uniform Resource Locator (URL) access enforcement system comprising:
a server having a centrally controlled URL access enforcement system; and
a plurality of web-based applications that are accessed via said centrally controlled URL access enforcement system.
2. The URL access enforcement system of claim 1, wherein said server comprises an authentication service logic for authenticating user access credentials of a user access request to said server.
3. The URL access enforcement system of claim 1, further comprising: a uniform resource locator (URL) access control logic for controlling user access requests to URLs in the server; and a login logic for providing a login interface for providing user connection to the server.
4. The URL access enforcement system of claim 3, wherein said URL access control logic comprises a policy agent logic for executing a set of authentication functions in the server to verify authentication credentials of a user attempting to connect to the server.
5. The URL access enforcement system of claim 1, further comprising a URL policy enforcement logic for enforcing URL access policies of each authenticated user connecting to the server to access a list of URL files and directories.
6. The URL access enforcement system of claim 5, wherein said URL access policy is unique to each authenticated user connecting to said server.
7. The URL access enforcement system of claim 3, wherein said URL access control logic further comprises an identification token for uniquely identifying each authenticated user that successfully connects to the server.
8. The URL access enforcement system of claim 7, wherein said URL access control logic further comprises a URL access list, comprising a list of URLs that an authenticated user connected to the server can access.
9. The URL access enforcement system of claim 8, wherein said URL access list comprises an access allow list that comprises a respective list of URLs that each authenticated user is permitted to access.
10. The URL access enforcement system of claim 8, wherein said URL access list comprises an access deny list that contains a respective list of URLs that each authenticated user is not permitted to access.
11. An enterprise server system, comprising:
authentication service logic for authenticating user access credentials in a user access request targeting the server system;
session service logic for tracking and monitoring a user access session to directories and files in the server system;
profile logic for storing a user profile defining each user's access to said directories and said files in the server system;
uniform resource locator (URL) access control logic for controlling user access requests to URLs in the server system; and
login logic for providing a login interface between each user and the server system.
12. The server system of claim 11, wherein said authentication service logic comprises an authentication framework module for configuring a plurality of authentication modules based on characteristics of an organization.
13. The server system of claim 12, wherein said authentication service logic further comprises authentication interfaces substantially based on the hypertext transport protocol (HTTP).
14. The server system of claim 11, wherein said URL access control logic comprises a policy agent logic for executing a set of authentication functions in the server system to verify authentication credentials of each user attempting to connect to the server system.
15. The server system of claim 11, wherein said URL access control logic further comprises a URL policy enforcement logic for enforcing URL access policies of each authenticated user connecting to the server system to access.
16. The server system of claim 15 wherein said URL access policy is unique to each authenticated user connecting to said server system.
17. The server system of claim 15, wherein said URL access control logic further comprises an identification token for uniquely identifying said authenticated user who successfully connects to the server system.
18. The server system of claim 15, wherein said URL access control logic further comprises a URL access list comprising a list of URLs that an authenticated user connected to the server system can access.
19. The server system of claim 18, wherein said URL access list comprises an access allow list that contains a respective list of URLs that each authenticated user is permitted to access.
20. The server system of claim 19, wherein said URL access list also comprises an access deny list that contains a respective list of URLs that each authenticated user is not permitted to access.
21. The server system of claim 19, wherein said URL access list also comprises an access not enforced list that contains a respective list of URLs not subject to the URL enforcement policy of the URL access control logic, but which each authenticated user is permitted to access.
22. The server system of claim 15, wherein said URL access control logic further comprises a cache for storing updated user credentials and URL access policy information.
23. The server system of claim 18, wherein said the contents of said URL access list is modifiable for each entity using the server system within a business enterprise.
24. The server system of claim 20, wherein an authenticated user's access to said access deny list precedes access to said access allow list in said URL list.
25. The server system of claim 21, wherein access to said access not enforced list requires said user profile and authentication characteristics.
26. A method for enforcing uniform resource locator (URL) files and directories in a server environment, said method comprising:
authenticating a user URL request transmitted to said server from a user;
establishing a session for said user URL request to identify said user across different requests to the server;
providing an identification token to uniquely identify said user URL request; and
providing a URL enforcement policy for determining which URL files and directories said user URL request can access.
27. The method of claim 26, wherein said providing a URL enforcement policy comprises intercepting user credentials in said user URL request to validate said credentials.
28. The method of claim 27, wherein said intercepting said user credentials comprises checking valid user credentials to determine whether said user request has authorization to access a list of URLs in said server.
29. The method of claim 26, wherein said user URL request can access an access allow list that contains a list of URLs said user has authorization to access.
30. The method of Claim of 26, wherein said user URL request can access an access deny list that contains a list of URLs that said user does not have authorization to access.
US10/127,898 2001-08-06 2002-04-22 Uniform resource locator access management and control system and method Active 2024-07-31 US7243369B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/127,898 US7243369B2 (en) 2001-08-06 2002-04-22 Uniform resource locator access management and control system and method

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US31051901P 2001-08-06 2001-08-06
US10/127,898 US7243369B2 (en) 2001-08-06 2002-04-22 Uniform resource locator access management and control system and method

Publications (3)

Publication Number Publication Date
US20030200442A1 US20030200442A1 (en) 2003-10-23
US20060095779A9 true US20060095779A9 (en) 2006-05-04
US7243369B2 US7243369B2 (en) 2007-07-10

Family

ID=29215356

Family Applications (1)

Application Number Title Priority Date Filing Date
US10/127,898 Active 2024-07-31 US7243369B2 (en) 2001-08-06 2002-04-22 Uniform resource locator access management and control system and method

Country Status (1)

Country Link
US (1) US7243369B2 (en)

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040091114A1 (en) * 2002-08-23 2004-05-13 Carter Ernst B. Encrypting operating system
US20060005234A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Method and apparatus for handling custom token propagation without Java serialization
US20060015727A1 (en) * 2004-06-30 2006-01-19 International Business Machines Corporation Method and apparatus for identifying purpose and behavior of run time security objects using an extensible token framework
US20060021016A1 (en) * 2004-06-30 2006-01-26 International Business Machines Corporation Method and apparatus for tracking security attributes along invocation chain using secure propagation token
US20060059544A1 (en) * 2004-09-14 2006-03-16 Guthrie Paul D Distributed secure repository
US20060095788A1 (en) * 2004-11-03 2006-05-04 Alexandre Bronstein Authenticating a login
US20060195795A1 (en) * 2005-02-25 2006-08-31 Gale Martin J System, a method and a computer program for transmitting an input stream
US20060200566A1 (en) * 2005-03-07 2006-09-07 Ziebarth Wayne W Software proxy for securing web application business logic
US20060259492A1 (en) * 2005-05-12 2006-11-16 Bitpass, Inc. Methods of controlling access to network content referenced within structured documents
US20070027807A1 (en) * 2005-07-29 2007-02-01 Alexandre Bronstein Protecting against fraud by impersonation
US20070107051A1 (en) * 2005-03-04 2007-05-10 Carter Ernst B System for and method of managing access to a system using combinations of user information
US20080010368A1 (en) * 2006-07-10 2008-01-10 Dan Hubbard System and method of analyzing web content
US20080244732A1 (en) * 2007-03-30 2008-10-02 Data Center Technologies Password protection for file backups
US20080263652A1 (en) * 2007-04-20 2008-10-23 Microsoft Corporation Request-specific authentication for accessing web service resources
US20080313703A1 (en) * 2007-06-14 2008-12-18 Microsoft Corporation Integrating Security by Obscurity with Access Control Lists
US20090158299A1 (en) * 2007-10-31 2009-06-18 Carter Ernst B System for and method of uniform synchronization between multiple kernels running on single computer systems with multiple CPUs installed
US7877437B1 (en) 2000-05-08 2011-01-25 H.E.B., Llc Method and apparatus for a distributable globe graphical object
WO2011046567A1 (en) * 2009-10-16 2011-04-21 Hewlett-Packard Development Company, L.P. Resource access control management
US20110173683A1 (en) * 2009-07-07 2011-07-14 Netsweeper, Inc. System and method for providing customized response messages based on requested website
US20110185298A1 (en) * 2001-05-08 2011-07-28 Sondre Skatter Method and apparatus for a distributable globe graphical object
US8051175B2 (en) 2000-05-08 2011-11-01 Envoii Technologies, Llc Architecture for a system of portable information agents
US8181010B1 (en) * 2006-04-17 2012-05-15 Oracle America, Inc. Distributed authentication user interface system
US8566461B1 (en) * 2004-06-09 2013-10-22 Digital River, Inc. Managed access to media services
US8566918B2 (en) * 2011-08-15 2013-10-22 Bank Of America Corporation Method and apparatus for token-based container chaining
US8752123B2 (en) 2011-08-15 2014-06-10 Bank Of America Corporation Apparatus and method for performing data tokenization
US8776166B1 (en) * 2006-07-17 2014-07-08 Juniper Networks, Inc. Plug-in based policy evaluation
US20140310789A1 (en) * 2013-04-15 2014-10-16 International Business Machines Corporation User access control to a secured application
US9069943B2 (en) 2011-08-15 2015-06-30 Bank Of America Corporation Method and apparatus for token-based tamper detection
US9166979B2 (en) 2012-10-01 2015-10-20 International Business Machines Corporation Protecting online meeting access using secure personal universal resource locators
US20160028737A1 (en) * 2013-09-20 2016-01-28 Oracle International Corporation Multiple resource servers interacting with single oauth server
US9350718B2 (en) 2011-09-29 2016-05-24 Oracle International Corporation Using representational state transfer (REST) for consent management
CN108885651A (en) * 2016-04-05 2018-11-23 开利公司 Voucher licensed service
US11303627B2 (en) 2018-05-31 2022-04-12 Oracle International Corporation Single Sign-On enabled OAuth token

Families Citing this family (126)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6266774B1 (en) 1998-12-08 2001-07-24 Mcafee.Com Corporation Method and system for securing, managing or optimizing a personal computer
US7743404B1 (en) * 2001-10-03 2010-06-22 Trepp, LLC Method and system for single signon for multiple remote sites of a computer network
US9710852B1 (en) 2002-05-30 2017-07-18 Consumerinfo.Com, Inc. Credit report timeline user interface
US9400589B1 (en) 2002-05-30 2016-07-26 Consumerinfo.Com, Inc. Circular rotational interface for display of consumer credit information
US7614078B1 (en) * 2003-04-02 2009-11-03 Cisco Technology, Inc. Threshold access based upon stored credentials
US7496953B2 (en) * 2003-04-29 2009-02-24 International Business Machines Corporation Single sign-on method for web-based applications
US20050120204A1 (en) * 2003-12-01 2005-06-02 Gary Kiwimagi Secure network connection
US20050120223A1 (en) * 2003-12-01 2005-06-02 Gary Kiwimagi Secure authenticated network connections
US20050120240A1 (en) * 2003-12-01 2005-06-02 Gary Kiwimagi Secure authenticated network connections
US7664838B2 (en) * 2004-05-10 2010-02-16 Nortel Networks Limited System and method for translating application program network service requests into actions and performing those actions through the management and/or control plane responsive to previously defined policies and previous requests by the same or another application program
US7647319B2 (en) * 2004-09-06 2010-01-12 Canon Kabushiki Kaisha Information processing apparatus, information processing method, program, and storage medium
US9143502B2 (en) * 2004-12-10 2015-09-22 International Business Machines Corporation Method and system for secure binding register name identifier profile
EP1828920B1 (en) * 2004-12-20 2012-06-13 EMC Corporation Consumer internet authentication service
US20060149730A1 (en) * 2004-12-30 2006-07-06 Curtis James R Client authenticated web browser with access approval mechanism
US7802294B2 (en) * 2005-01-28 2010-09-21 Microsoft Corporation Controlling computer applications' access to data
US7810153B2 (en) 2005-01-28 2010-10-05 Microsoft Corporation Controlling execution of computer applications
US8484718B2 (en) * 2006-08-03 2013-07-09 Citrix System, Inc. Systems and methods for enabling assured records using fine grained auditing of virtual private network traffic
US8743778B2 (en) * 2006-09-06 2014-06-03 Devicescape Software, Inc. Systems and methods for obtaining network credentials
US9326138B2 (en) 2006-09-06 2016-04-26 Devicescape Software, Inc. Systems and methods for determining location over a network
US8032922B2 (en) * 2006-12-18 2011-10-04 Oracle International Corporation Method and apparatus for providing access to an application-resource
US8285656B1 (en) 2007-03-30 2012-10-09 Consumerinfo.Com, Inc. Systems and methods for data verification
US8127986B1 (en) 2007-12-14 2012-03-06 Consumerinfo.Com, Inc. Card registry systems and methods
US9990674B1 (en) 2007-12-14 2018-06-05 Consumerinfo.Com, Inc. Card registry systems and methods
US8418222B2 (en) * 2008-03-05 2013-04-09 Microsoft Corporation Flexible scalable application authorization for cloud computing environments
US8196175B2 (en) * 2008-03-05 2012-06-05 Microsoft Corporation Self-describing authorization policy for accessing cloud-based resources
US8364767B2 (en) * 2008-06-11 2013-01-29 International Business Machines Corporation Message processing in a messaging service client device
US8990896B2 (en) 2008-06-24 2015-03-24 Microsoft Technology Licensing, Llc Extensible mechanism for securing objects using claims
US8312033B1 (en) 2008-06-26 2012-11-13 Experian Marketing Solutions, Inc. Systems and methods for providing an integrated identifier
US8640244B2 (en) * 2008-06-27 2014-01-28 Microsoft Corporation Declared origin policy
US9256904B1 (en) 2008-08-14 2016-02-09 Experian Information Solutions, Inc. Multi-bureau credit file freeze and unfreeze
US8171533B2 (en) * 2008-09-29 2012-05-01 International Business Machines Corporation Managing web single sign-on applications
US8964726B2 (en) * 2008-10-01 2015-02-24 Twilio, Inc. Telephony web event system and method
US20100263022A1 (en) * 2008-10-13 2010-10-14 Devicescape Software, Inc. Systems and Methods for Enhanced Smartclient Support
US8060424B2 (en) 2008-11-05 2011-11-15 Consumerinfo.Com, Inc. On-line method and system for monitoring and reporting unused available credit
EP2296338A1 (en) * 2009-09-11 2011-03-16 Gemalto SA Method of protecting access to data on a network
EP2483791B1 (en) * 2009-09-30 2018-01-17 Amazon Technologies, Inc. Modular device authentication framework
US20110113474A1 (en) * 2009-11-11 2011-05-12 International Business Machines Corporation Network system security managment
US9742811B2 (en) 2010-03-18 2017-08-22 Nominum, Inc. System for providing DNS-based control of individual devices
US10263958B2 (en) 2010-03-18 2019-04-16 Nominum, Inc. Internet mediation
US20110231769A1 (en) * 2010-03-18 2011-09-22 Tovar Tom C Systems and Methods for Scheduling Online Access
US9191393B2 (en) * 2010-03-18 2015-11-17 Nominum, Inc. Internet mediation
US20110231892A1 (en) * 2010-03-18 2011-09-22 Tovar Tom C Systems and Methods for Restricting Online Access
US20110231768A1 (en) * 2010-03-18 2011-09-22 Tovar Tom C Systems and Methods for Suggestive Redirection
US9992234B2 (en) 2010-03-18 2018-06-05 Nominum, Inc. System for providing DNS-based control of individual devices
US20110231896A1 (en) * 2010-03-18 2011-09-22 Tovar Tom C Systems and methods for redirection of online queries to genuine content
US8793650B2 (en) 2010-06-11 2014-07-29 Microsoft Corporation Dynamic web application notifications including task bar overlays
US8863001B2 (en) 2010-06-11 2014-10-14 Microsoft Corporation Web application home button
US9164671B2 (en) 2010-06-11 2015-10-20 Microsoft Technology Licensing, Llc Web application navigation domains
US8671384B2 (en) 2010-06-11 2014-03-11 Microsoft Corporation Web application pinning including task bar pinning
US8434135B2 (en) 2010-06-11 2013-04-30 Microsoft Corporation Creating and launching a web application with credentials
US8429546B2 (en) 2010-06-11 2013-04-23 Microsoft Corporation Creating task sessions
US8595551B2 (en) 2010-06-11 2013-11-26 Microsoft Corporation Web application transitioning and transient web applications
US8607054B2 (en) * 2010-10-15 2013-12-10 Microsoft Corporation Remote access to hosted virtual machines by enterprise users
US8689004B2 (en) 2010-11-05 2014-04-01 Microsoft Corporation Pluggable claim providers
US9147042B1 (en) 2010-11-22 2015-09-29 Experian Information Solutions, Inc. Systems and methods for data verification
EP2676399A4 (en) 2011-02-14 2016-02-17 Devicescape Software Inc Systems and methods for network curation
US9665854B1 (en) 2011-06-16 2017-05-30 Consumerinfo.Com, Inc. Authentication alerts
US9483606B1 (en) 2011-07-08 2016-11-01 Consumerinfo.Com, Inc. Lifescore
US9106691B1 (en) 2011-09-16 2015-08-11 Consumerinfo.Com, Inc. Systems and methods of identity protection and management
US8738516B1 (en) 2011-10-13 2014-05-27 Consumerinfo.Com, Inc. Debt services candidate locator
US9319381B1 (en) 2011-10-17 2016-04-19 Nominum, Inc. Systems and methods for supplementing content policy
JP2013149081A (en) * 2012-01-19 2013-08-01 Nintendo Co Ltd Information processing program, information processing device, information processing system, and information processing method
JP5798503B2 (en) * 2012-01-31 2015-10-21 株式会社日立ソリューションズ File list generation method and system, file list generation device, and program
JP5759915B2 (en) * 2012-02-15 2015-08-05 株式会社日立ソリューションズ File list generation method and system, program, and file list generation device
US9853959B1 (en) 2012-05-07 2017-12-26 Consumerinfo.Com, Inc. Storage and maintenance of personal data
US8904510B2 (en) * 2012-07-17 2014-12-02 Microsoft Corporation Authenticating a user for testing purposes
US9654541B1 (en) 2012-11-12 2017-05-16 Consumerinfo.Com, Inc. Aggregating user web browsing data
US9916621B1 (en) 2012-11-30 2018-03-13 Consumerinfo.Com, Inc. Presentation of credit score factors
US10255598B1 (en) 2012-12-06 2019-04-09 Consumerinfo.Com, Inc. Credit card account data extraction
US9697263B1 (en) 2013-03-04 2017-07-04 Experian Information Solutions, Inc. Consumer data request fulfillment system
US9870589B1 (en) 2013-03-14 2018-01-16 Consumerinfo.Com, Inc. Credit utilization tracking and reporting
US10102570B1 (en) 2013-03-14 2018-10-16 Consumerinfo.Com, Inc. Account vulnerability alerts
US9406085B1 (en) 2013-03-14 2016-08-02 Consumerinfo.Com, Inc. System and methods for credit dispute processing, resolution, and reporting
US10664936B2 (en) 2013-03-15 2020-05-26 Csidentity Corporation Authentication systems and methods for on-demand products
US9633322B1 (en) 2013-03-15 2017-04-25 Consumerinfo.Com, Inc. Adjustment of knowledge-based authentication
US8732853B1 (en) 2013-03-22 2014-05-20 Dropbox, Inc. Web-based system providing sharable content item links with link sharer specified use restrictions
US9509719B2 (en) * 2013-04-02 2016-11-29 Avigilon Analytics Corporation Self-provisioning access control
US10685398B1 (en) 2013-04-23 2020-06-16 Consumerinfo.Com, Inc. Presenting credit score information
US9721147B1 (en) 2013-05-23 2017-08-01 Consumerinfo.Com, Inc. Digital identity
US9426183B2 (en) 2013-07-28 2016-08-23 Acceptto Corporation Authentication policy orchestration for a user device
US9443268B1 (en) 2013-08-16 2016-09-13 Consumerinfo.Com, Inc. Bill payment and reporting
US10102536B1 (en) 2013-11-15 2018-10-16 Experian Information Solutions, Inc. Micro-geographic aggregation system
US10325314B1 (en) 2013-11-15 2019-06-18 Consumerinfo.Com, Inc. Payment reporting systems
US9477737B1 (en) 2013-11-20 2016-10-25 Consumerinfo.Com, Inc. Systems and user interfaces for dynamic access of multiple remote databases and synchronization of data based on user rules
US9529851B1 (en) 2013-12-02 2016-12-27 Experian Information Solutions, Inc. Server architecture for electronic data quality processing
US10262362B1 (en) 2014-02-14 2019-04-16 Experian Information Solutions, Inc. Automatic generation of code for attributes
USD759689S1 (en) 2014-03-25 2016-06-21 Consumerinfo.Com, Inc. Display screen or portion thereof with graphical user interface
USD760256S1 (en) 2014-03-25 2016-06-28 Consumerinfo.Com, Inc. Display screen or portion thereof with graphical user interface
USD759690S1 (en) 2014-03-25 2016-06-21 Consumerinfo.Com, Inc. Display screen or portion thereof with graphical user interface
US10325259B1 (en) 2014-03-29 2019-06-18 Acceptto Corporation Dynamic authorization with adaptive levels of assurance
US9892457B1 (en) 2014-04-16 2018-02-13 Consumerinfo.Com, Inc. Providing credit data in search results
US10373240B1 (en) 2014-04-25 2019-08-06 Csidentity Corporation Systems, methods and computer-program products for eligibility verification
US9497222B2 (en) * 2014-05-20 2016-11-15 International Business Machines Corporation Identification of web form parameters for an authorization engine
US9961059B2 (en) 2014-07-10 2018-05-01 Red Hat Israel, Ltd. Authenticator plugin interface
US10154082B2 (en) 2014-08-12 2018-12-11 Danal Inc. Providing customer information obtained from a carrier system to a client device
US9461983B2 (en) * 2014-08-12 2016-10-04 Danal Inc. Multi-dimensional framework for defining criteria that indicate when authentication should be revoked
CN105528352B (en) * 2014-09-29 2019-04-09 国际商业机器公司 The method for establishing mobile communication subscriber and the corresponding relationship of its network account information
US10387980B1 (en) 2015-06-05 2019-08-20 Acceptto Corporation Method and system for consumer based access control for identity information
US11334852B2 (en) * 2016-12-08 2022-05-17 Airwatch Llc Secured attachment management
US11025635B2 (en) * 2017-01-30 2021-06-01 Ncr Corporation Secure remote support authorization
US11227001B2 (en) 2017-01-31 2022-01-18 Experian Information Solutions, Inc. Massive scale heterogeneous data ingestion and user resolution
US10503545B2 (en) 2017-04-12 2019-12-10 At&T Intellectual Property I, L.P. Universal security agent
US10855793B2 (en) * 2017-09-25 2020-12-01 Splunk Inc. Proxying hypertext transfer protocol (HTTP) requests for microservices
US10558604B2 (en) * 2017-12-20 2020-02-11 Qualcomm Incorporated Communication interface transaction security
US11367323B1 (en) 2018-01-16 2022-06-21 Secureauth Corporation System and method for secure pair and unpair processing using a dynamic level of assurance (LOA) score
US11133929B1 (en) 2018-01-16 2021-09-28 Acceptto Corporation System and method of biobehavioral derived credentials identification
US11455641B1 (en) 2018-03-11 2022-09-27 Secureauth Corporation System and method to identify user and device behavior abnormalities to continuously measure transaction risk
US11005839B1 (en) 2018-03-11 2021-05-11 Acceptto Corporation System and method to identify abnormalities to continuously measure transaction risk
US10911234B2 (en) 2018-06-22 2021-02-02 Experian Information Solutions, Inc. System and method for a token gateway environment
US20200074541A1 (en) 2018-09-05 2020-03-05 Consumerinfo.Com, Inc. Generation of data structures based on categories of matched data items
US10963434B1 (en) 2018-09-07 2021-03-30 Experian Information Solutions, Inc. Data architecture for supporting multiple search models
CN110968848B (en) * 2018-09-29 2023-12-05 北京奇虎科技有限公司 User-based rights management method and device and computing equipment
US11315179B1 (en) 2018-11-16 2022-04-26 Consumerinfo.Com, Inc. Methods and apparatuses for customized card recommendations
US11238656B1 (en) 2019-02-22 2022-02-01 Consumerinfo.Com, Inc. System and method for an augmented reality experience via an artificial intelligence bot
CN109918876A (en) * 2019-03-18 2019-06-21 京东方科技集团股份有限公司 Permission filter method and permission filter device
US10922631B1 (en) 2019-08-04 2021-02-16 Acceptto Corporation System and method for secure touchless authentication of user identity
US11096059B1 (en) 2019-08-04 2021-08-17 Acceptto Corporation System and method for secure touchless authentication of user paired device, behavior and identity
CN112395586A (en) * 2019-08-15 2021-02-23 奇安信安全技术(珠海)有限公司 File access control method, device, system, storage medium and electronic device
US10824702B1 (en) 2019-09-09 2020-11-03 Acceptto Corporation System and method for continuous passwordless authentication across trusted devices
US10951606B1 (en) 2019-12-04 2021-03-16 Acceptto Corporation Continuous authentication through orchestration and risk calculation post-authorization system and method
US11329998B1 (en) 2020-08-31 2022-05-10 Secureauth Corporation Identification (ID) proofing and risk engine integration system and method
CN112491902B (en) * 2020-12-01 2023-05-30 北京中软华泰信息技术有限责任公司 URL-based web application authority access control system and method
US11880377B1 (en) 2021-03-26 2024-01-23 Experian Information Solutions, Inc. Systems and methods for entity resolution
WO2023158718A1 (en) * 2022-02-16 2023-08-24 Glance Networks, Inc. Restricting screenshare of web pages to select list of allowed website urls
US20230376879A1 (en) * 2022-05-18 2023-11-23 Cisco Technology, Inc. Observability profile mapping for teleworker observability
CN116633687A (en) * 2023-07-20 2023-08-22 深圳市永达电子信息股份有限公司 Terminal safety access method, system and controller

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6092196A (en) * 1997-11-25 2000-07-18 Nortel Networks Limited HTTP distributed remote user authentication system
US6233618B1 (en) * 1998-03-31 2001-05-15 Content Advisor, Inc. Access control of networked data
US20010007133A1 (en) * 1998-10-28 2001-07-05 Mark Moriconi System and method for maintaining security in a distributed computer network
US20010044894A1 (en) * 1997-03-28 2001-11-22 Yoko Saito Security management method for network system
US20020010768A1 (en) * 1998-12-17 2002-01-24 Joshua K. Marks An entity model that enables privilege tracking across multiple treminals
US20020010785A1 (en) * 2000-07-19 2002-01-24 Yasufumi Katsukawa Application hosting apparatus
US20020046268A1 (en) * 1997-07-28 2002-04-18 Leon Y.K. Leong Method of performing a network management transaction using a web-capable agent
US20020138763A1 (en) * 2000-12-22 2002-09-26 Delany Shawn P. Runtime modification of entries in an identity system
US6539430B1 (en) * 1997-03-25 2003-03-25 Symantec Corporation System and method for filtering data received by a computer system
US20030074580A1 (en) * 2001-03-21 2003-04-17 Knouse Charles W. Access system interface
US20030074248A1 (en) * 2001-03-31 2003-04-17 Braud Kristopher P. Method and system for assimilating data from disparate, ancillary systems onto an enterprise system
US20030079147A1 (en) * 2001-10-22 2003-04-24 Ching-Chuan Hsieh Single sign-on system for application program
US20030088648A1 (en) * 2001-11-02 2003-05-08 Gilles Bellaton Supporting access control checks in a directory server using a chaining backend method
US7028181B1 (en) * 2000-06-09 2006-04-11 Northrop Grumman Corporation System and method for efficient and secure revocation of a signature certificate in a public key infrastructure
US7092370B2 (en) * 2000-08-17 2006-08-15 Roamware, Inc. Method and system for wireless voice channel/data channel integration

Family Cites Families (42)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5434974A (en) 1992-03-30 1995-07-18 International Business Machines Corporation Name resolution for a multisystem network
US5544322A (en) 1994-05-09 1996-08-06 International Business Machines Corporation System and method for policy-based inter-realm authentication within a distributed processing system
US5634122A (en) 1994-12-30 1997-05-27 International Business Machines Corporation System and method for multi-level token management for distributed file systems
US5802062A (en) 1996-06-19 1998-09-01 At&T Corp Preventing conflicts in distributed systems
US5850511A (en) 1996-10-28 1998-12-15 Hewlett-Packard Company Computer implemented methods and apparatus for testing a telecommunications management network (TMN) agent
US6026440A (en) 1997-01-27 2000-02-15 International Business Machines Corporation Web server account manager plug-in for monitoring resources
US6587867B1 (en) 1997-05-22 2003-07-01 Mci Communications Corporation Internet-based subscriber profile management of a communications system
US6226666B1 (en) 1997-06-27 2001-05-01 International Business Machines Corporation Agent-based management system having an open layered architecture for synchronous and/or asynchronous messaging handling
US6263432B1 (en) 1997-10-06 2001-07-17 Ncr Corporation Electronic ticketing, authentication and/or authorization security system for internet applications
US6362836B1 (en) 1998-04-06 2002-03-26 The Santa Cruz Operation, Inc. Universal application server for providing applications on a variety of client devices in a client/server network
US6317838B1 (en) 1998-04-29 2001-11-13 Bull S.A. Method and architecture to provide a secured remote access to private resources
US6243816B1 (en) 1998-04-30 2001-06-05 International Business Machines Corporation Single sign-on (SSO) mechanism personal key manager
US6182142B1 (en) 1998-07-10 2001-01-30 Encommerce, Inc. Distributed access management of information resources
US6453353B1 (en) 1998-07-10 2002-09-17 Entrust, Inc. Role-based navigation of information resources
JP4545317B2 (en) 1998-10-28 2010-09-15 ヤフー! インコーポレイテッド Internet browser interface control method and controllable browser interface
US6687229B1 (en) 1998-11-06 2004-02-03 Lucent Technologies Inc Quality of service based path selection for connection-oriented networks
EP1009130A1 (en) 1998-12-11 2000-06-14 International Business Machines Corporation Distributed directory services for locating network resources in a very large packet switching network
US6226752B1 (en) 1999-05-11 2001-05-01 Sun Microsystems, Inc. Method and apparatus for authenticating users
US6668322B1 (en) 1999-08-05 2003-12-23 Sun Microsystems, Inc. Access management system and method employing secure credentials
DE60031755T2 (en) 1999-09-24 2007-09-06 Citicorp Development Center, Inc., Los Angeles A method and apparatus for authenticated access to a plurality of network operators by a single login
US6513158B1 (en) 1999-11-15 2003-01-28 Espial Group Inc. Method and apparatus for running multiple java applications simultaneously
US6799208B1 (en) 2000-05-02 2004-09-28 Microsoft Corporation Resource manager architecture
US7046680B1 (en) 2000-11-28 2006-05-16 Mci, Inc. Network access system including a programmable access device having distributed service control
GB2373418A (en) 2001-03-16 2002-09-18 Kleinwort Benson Ltd Method and system to provide and manage secure access to internal computer systems from an external client
US6785756B2 (en) 2001-05-10 2004-08-31 Oracle International Corporation Methods and systems for multi-policy resource scheduling
US20020184535A1 (en) 2001-05-30 2002-12-05 Farah Moaven Method and system for accessing a resource in a computing system
US20020184507A1 (en) 2001-05-31 2002-12-05 Proact Technologies Corp. Centralized single sign-on method and system for a client-server environment
US7415671B2 (en) 2001-06-08 2008-08-19 Computer Associates Think, Inc. Interactive hierarchical status display
US8036939B2 (en) 2001-06-08 2011-10-11 Servigistics, Inc. Reporting in a supply chain
US7380271B2 (en) 2001-07-12 2008-05-27 International Business Machines Corporation Grouped access control list actions
US6957261B2 (en) 2001-07-17 2005-10-18 Intel Corporation Resource policy management using a centralized policy data structure
US6920494B2 (en) 2001-10-05 2005-07-19 International Business Machines Corporation Storage area network methods and apparatus with virtual SAN recognition
US20030093509A1 (en) 2001-10-05 2003-05-15 Li Raymond M. Storage area network methods and apparatus with coordinated updating of topology representation
US7350226B2 (en) 2001-12-13 2008-03-25 Bea Systems, Inc. System and method for analyzing security policies in a distributed computer network
US7260645B2 (en) 2002-04-26 2007-08-21 Proficient Networks, Inc. Methods, apparatuses and systems facilitating determination of network path metrics
US20040054791A1 (en) 2002-09-17 2004-03-18 Krishnendu Chakraborty System and method for enforcing user policies on a web server
US20040103170A1 (en) 2002-11-21 2004-05-27 Borzilleri James V. Extended domain name method, apparatus, and system
US20040128615A1 (en) 2002-12-27 2004-07-01 International Business Machines Corporation Indexing and querying semi-structured documents
US7076562B2 (en) 2003-03-17 2006-07-11 July Systems, Inc. Application intermediation gateway
US20040213258A1 (en) 2003-04-25 2004-10-28 Sundaresan Ramamoorthy Implementing information technology management policies
US7594256B2 (en) 2003-06-26 2009-09-22 Sun Microsystems, Inc. Remote interface for policy decisions governing access control
US20040267749A1 (en) 2003-06-26 2004-12-30 Shivaram Bhat Resource name interface for managing policy resources

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6539430B1 (en) * 1997-03-25 2003-03-25 Symantec Corporation System and method for filtering data received by a computer system
US20010044894A1 (en) * 1997-03-28 2001-11-22 Yoko Saito Security management method for network system
US20020046268A1 (en) * 1997-07-28 2002-04-18 Leon Y.K. Leong Method of performing a network management transaction using a web-capable agent
US6092196A (en) * 1997-11-25 2000-07-18 Nortel Networks Limited HTTP distributed remote user authentication system
US6233618B1 (en) * 1998-03-31 2001-05-15 Content Advisor, Inc. Access control of networked data
US20010007133A1 (en) * 1998-10-28 2001-07-05 Mark Moriconi System and method for maintaining security in a distributed computer network
US20020010768A1 (en) * 1998-12-17 2002-01-24 Joshua K. Marks An entity model that enables privilege tracking across multiple treminals
US7028181B1 (en) * 2000-06-09 2006-04-11 Northrop Grumman Corporation System and method for efficient and secure revocation of a signature certificate in a public key infrastructure
US20020010785A1 (en) * 2000-07-19 2002-01-24 Yasufumi Katsukawa Application hosting apparatus
US7092370B2 (en) * 2000-08-17 2006-08-15 Roamware, Inc. Method and system for wireless voice channel/data channel integration
US20020138763A1 (en) * 2000-12-22 2002-09-26 Delany Shawn P. Runtime modification of entries in an identity system
US20030074580A1 (en) * 2001-03-21 2003-04-17 Knouse Charles W. Access system interface
US20030074248A1 (en) * 2001-03-31 2003-04-17 Braud Kristopher P. Method and system for assimilating data from disparate, ancillary systems onto an enterprise system
US20030079147A1 (en) * 2001-10-22 2003-04-24 Ching-Chuan Hsieh Single sign-on system for application program
US20030088648A1 (en) * 2001-11-02 2003-05-08 Gilles Bellaton Supporting access control checks in a directory server using a chaining backend method

Cited By (83)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7877437B1 (en) 2000-05-08 2011-01-25 H.E.B., Llc Method and apparatus for a distributable globe graphical object
US8051175B2 (en) 2000-05-08 2011-11-01 Envoii Technologies, Llc Architecture for a system of portable information agents
US8291082B2 (en) 2000-05-08 2012-10-16 H.E.B. Llc Architecture for a system of portable information agents
US20110185298A1 (en) * 2001-05-08 2011-07-28 Sondre Skatter Method and apparatus for a distributable globe graphical object
US20040091114A1 (en) * 2002-08-23 2004-05-13 Carter Ernst B. Encrypting operating system
US8407761B2 (en) * 2002-08-23 2013-03-26 Exit-Cube, Inc. Encrypting operating system
US7810133B2 (en) * 2002-08-23 2010-10-05 Exit-Cube, Inc. Encrypting operating system
US9098712B2 (en) * 2002-08-23 2015-08-04 Exit-Cube (Hong Kong) Limited Encrypting operating system
US20130290727A1 (en) * 2002-08-23 2013-10-31 Exit-Cube, Inc. Encrypting operating system
US20100217970A1 (en) * 2002-08-23 2010-08-26 Exit-Cube, Inc. Encrypting operating system
US9043481B1 (en) 2004-06-09 2015-05-26 Digital River, Inc. Managed access to media services
US8566461B1 (en) * 2004-06-09 2013-10-22 Digital River, Inc. Managed access to media services
US20060021016A1 (en) * 2004-06-30 2006-01-26 International Business Machines Corporation Method and apparatus for tracking security attributes along invocation chain using secure propagation token
US7526799B2 (en) * 2004-06-30 2009-04-28 International Business Machines Corporation Method for tracking security attributes along invocation chain using secure propagation token
US7634803B2 (en) 2004-06-30 2009-12-15 International Business Machines Corporation Method and apparatus for identifying purpose and behavior of run time security objects using an extensible token framework
US20060015727A1 (en) * 2004-06-30 2006-01-19 International Business Machines Corporation Method and apparatus for identifying purpose and behavior of run time security objects using an extensible token framework
US20060005234A1 (en) * 2004-06-30 2006-01-05 International Business Machines Corporation Method and apparatus for handling custom token propagation without Java serialization
US20060059544A1 (en) * 2004-09-14 2006-03-16 Guthrie Paul D Distributed secure repository
US20060095788A1 (en) * 2004-11-03 2006-05-04 Alexandre Bronstein Authenticating a login
US8171303B2 (en) 2004-11-03 2012-05-01 Astav, Inc. Authenticating a login
WO2006052601A3 (en) * 2004-11-03 2007-06-21 Astav Inc Authenticating a login
US7512893B2 (en) * 2005-02-25 2009-03-31 International Business Machines Corporation System, a method and a computer program for transmitting an input stream
US20060195795A1 (en) * 2005-02-25 2006-08-31 Gale Martin J System, a method and a computer program for transmitting an input stream
US8219823B2 (en) 2005-03-04 2012-07-10 Carter Ernst B System for and method of managing access to a system using combinations of user information
US9449186B2 (en) 2005-03-04 2016-09-20 Encrypthentica Limited System for and method of managing access to a system using combinations of user information
US20070107051A1 (en) * 2005-03-04 2007-05-10 Carter Ernst B System for and method of managing access to a system using combinations of user information
US20060200566A1 (en) * 2005-03-07 2006-09-07 Ziebarth Wayne W Software proxy for securing web application business logic
US20060259492A1 (en) * 2005-05-12 2006-11-16 Bitpass, Inc. Methods of controlling access to network content referenced within structured documents
US8566462B2 (en) * 2005-05-12 2013-10-22 Digital River, Inc. Methods of controlling access to network content referenced within structured documents
US20070027807A1 (en) * 2005-07-29 2007-02-01 Alexandre Bronstein Protecting against fraud by impersonation
US8181010B1 (en) * 2006-04-17 2012-05-15 Oracle America, Inc. Distributed authentication user interface system
AU2007273085B2 (en) * 2006-07-10 2012-07-12 Websense, Inc. System and method of analyzing web content
US8020206B2 (en) * 2006-07-10 2011-09-13 Websense, Inc. System and method of analyzing web content
US9723018B2 (en) 2006-07-10 2017-08-01 Websense, Llc System and method of analyzing web content
US8978140B2 (en) 2006-07-10 2015-03-10 Websense, Inc. System and method of analyzing web content
US20080010368A1 (en) * 2006-07-10 2008-01-10 Dan Hubbard System and method of analyzing web content
US9485278B2 (en) * 2006-07-17 2016-11-01 Juniper Networks, Inc. Plug-in based policy evaluation
US8776166B1 (en) * 2006-07-17 2014-07-08 Juniper Networks, Inc. Plug-in based policy evaluation
US20140317682A1 (en) * 2006-07-17 2014-10-23 Juniper Networks, Inc. Plug-in based policy evaluation
US20080244732A1 (en) * 2007-03-30 2008-10-02 Data Center Technologies Password protection for file backups
US7941405B2 (en) * 2007-03-30 2011-05-10 Data Center Technologies Password protection for file backups
US9832185B2 (en) 2007-04-20 2017-11-28 Microsoft Technology Licensing, Llc Request-specific authentication for accessing web service resources
US9183366B2 (en) 2007-04-20 2015-11-10 Microsoft Technology Licensing, Llc Request-specific authentication for accessing Web service resources
US10104069B2 (en) 2007-04-20 2018-10-16 Microsoft Technology Licensing, Llc Request-specific authentication for accessing web service resources
US9590994B2 (en) 2007-04-20 2017-03-07 Microsoft Technology Licensing, Llc Request-specific authentication for accessing web service resources
EP2149102A1 (en) * 2007-04-20 2010-02-03 Microsoft Corporation Request-specific authentication for accessing web service resources
US8656472B2 (en) 2007-04-20 2014-02-18 Microsoft Corporation Request-specific authentication for accessing web service resources
EP2149102A4 (en) * 2007-04-20 2014-05-14 Microsoft Corp Request-specific authentication for accessing web service resources
US20080263652A1 (en) * 2007-04-20 2008-10-23 Microsoft Corporation Request-specific authentication for accessing web service resources
WO2008130760A1 (en) * 2007-04-20 2008-10-30 Microsoft Corporation Request-specific authentication for accessing web service resources
US8424105B2 (en) 2007-06-14 2013-04-16 Microsoft Corporation Integrating security by obscurity with access control lists
US7984512B2 (en) * 2007-06-14 2011-07-19 Microsoft Corporation Integrating security by obscurity with access control lists
CN101681492A (en) * 2007-06-14 2010-03-24 微软公司 Come integrated security by ambiguity with Access Control List (ACL)
US20080313703A1 (en) * 2007-06-14 2008-12-18 Microsoft Corporation Integrating Security by Obscurity with Access Control Lists
US20090158299A1 (en) * 2007-10-31 2009-06-18 Carter Ernst B System for and method of uniform synchronization between multiple kernels running on single computer systems with multiple CPUs installed
US20140033270A1 (en) * 2009-07-07 2014-01-30 Netsweeper Inc. System and method for providing customized response messages based on requested website
US8578453B2 (en) * 2009-07-07 2013-11-05 Netsweeper Inc. System and method for providing customized response messages based on requested website
US9246946B2 (en) * 2009-07-07 2016-01-26 Netsweeper (Barbados) Inc. System and method for providing customized response messages based on requested website
US20110173683A1 (en) * 2009-07-07 2011-07-14 Netsweeper, Inc. System and method for providing customized response messages based on requested website
WO2011046567A1 (en) * 2009-10-16 2011-04-21 Hewlett-Packard Development Company, L.P. Resource access control management
US8752123B2 (en) 2011-08-15 2014-06-10 Bank Of America Corporation Apparatus and method for performing data tokenization
US9069943B2 (en) 2011-08-15 2015-06-30 Bank Of America Corporation Method and apparatus for token-based tamper detection
US8566918B2 (en) * 2011-08-15 2013-10-22 Bank Of America Corporation Method and apparatus for token-based container chaining
US9531697B2 (en) 2011-09-29 2016-12-27 Oracle International Corporation Configurable adaptive access manager callouts
US10084823B2 (en) 2011-09-29 2018-09-25 Oracle International Corporation Configurable adaptive access manager callouts
US9374356B2 (en) 2011-09-29 2016-06-21 Oracle International Corporation Mobile oauth service
US9350718B2 (en) 2011-09-29 2016-05-24 Oracle International Corporation Using representational state transfer (REST) for consent management
US9544294B2 (en) 2011-09-29 2017-01-10 Oracle International Corporation Pluggable authorization policies
US9565178B2 (en) 2011-09-29 2017-02-07 Oracle International Corporation Using representational state transfer (REST) for consent management
US9578014B2 (en) 2011-09-29 2017-02-21 Oracle International Corporation Service profile-specific token attributes and resource server token attribute overriding
US9699170B2 (en) 2011-09-29 2017-07-04 Oracle International Corporation Bundled authorization requests
US9166979B2 (en) 2012-10-01 2015-10-20 International Business Machines Corporation Protecting online meeting access using secure personal universal resource locators
US9569604B2 (en) * 2013-04-15 2017-02-14 International Business Machines Corporation User access control to a secured application
US20140310789A1 (en) * 2013-04-15 2014-10-16 International Business Machines Corporation User access control to a secured application
US20160028737A1 (en) * 2013-09-20 2016-01-28 Oracle International Corporation Multiple resource servers interacting with single oauth server
US9860234B2 (en) 2013-09-20 2018-01-02 Oracle International Corporation Bundled authorization requests
US9450963B2 (en) * 2013-09-20 2016-09-20 Oraclle International Corporation Multiple resource servers interacting with single OAuth server
US9407628B2 (en) 2013-09-20 2016-08-02 Oracle International Corporation Single sign-on (SSO) for mobile applications
CN108885651A (en) * 2016-04-05 2018-11-23 开利公司 Voucher licensed service
US20190121946A1 (en) * 2016-04-05 2019-04-25 Carrier Corporation Credential licensing service
US11516664B2 (en) * 2016-04-05 2022-11-29 Carrier Corporation Credential licensing service
US11303627B2 (en) 2018-05-31 2022-04-12 Oracle International Corporation Single Sign-On enabled OAuth token
US11736469B2 (en) 2018-05-31 2023-08-22 Oracle International Corporation Single sign-on enabled OAuth token

Also Published As

Publication number Publication date
US7243369B2 (en) 2007-07-10
US20030200442A1 (en) 2003-10-23

Similar Documents

Publication Publication Date Title
US7243369B2 (en) Uniform resource locator access management and control system and method
US20030200465A1 (en) Web based applications single sign on system and method
US10298594B2 (en) Graduated authentication in an identity management system
US7231661B1 (en) Authorization services with external authentication
US7398311B2 (en) Selective cache flushing in identity and access management systems
US7194764B2 (en) User authentication
US7412720B1 (en) Delegated authentication using a generic application-layer network protocol
US6052785A (en) Multiple remote data access security mechanism for multitiered internet computer networks
US8935418B2 (en) Access system interface
US8204999B2 (en) Query string processing
US7464162B2 (en) Systems and methods for testing whether access to a resource is authorized based on access information
US7080077B2 (en) Localized access
US7134137B2 (en) Providing data to applications from an access system
US7249369B2 (en) Post data processing
US8661539B2 (en) Intrusion threat detection
US20040054791A1 (en) System and method for enforcing user policies on a web server
US20070143829A1 (en) Authentication of a principal in a federation
WO2005069823A2 (en) Centralized transactional security audit for enterprise systems
WO2002005487A1 (en) A system for logging access system events and providing identity management and access management for a network
CA2415868A1 (en) Systems and methods for authenticating a user to a web server

Legal Events

Date Code Title Description
AS Assignment

Owner name: SUN MICROSYSTEMS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BHAT, SHIVARAM;NELSON, JAMES F.;REEL/FRAME:012824/0938;SIGNING DATES FROM 20011108 TO 20020128

Owner name: SUN MICROSYSTEMS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:BHAT, SHIVARAM;NELSON, JAMES F.;SIGNING DATES FROM 20011108 TO 20020128;REEL/FRAME:012824/0938

AS Assignment

Owner name: SUN MICROSYSTEMS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NELSON, JAMES F.;REEL/FRAME:016074/0485

Effective date: 20041203

STCF Information on status: patent grant

Free format text: PATENTED CASE

FPAY Fee payment

Year of fee payment: 4

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: ORACLE AMERICA, INC., CALIFORNIA

Free format text: MERGER AND CHANGE OF NAME;ASSIGNORS:ORACLE USA, INC.;SUN MICROSYSTEMS, INC.;ORACLE AMERICA, INC.;REEL/FRAME:037302/0772

Effective date: 20100212

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12