-
公开(公告)号:US06453353B1
公开(公告)日:2002-09-17
申请号:US09248764
申请日:1999-02-12
申请人: Teresa Win , Emilio Belmonte
发明人: Teresa Win , Emilio Belmonte
IPC分类号: G06F1516
CPC分类号: H04L63/067 , G06F21/604 , G06F21/6218 , H04L63/105
摘要: A single secure sign-on gives a user access to authorized Web resources, based on the user's role in the organization that controls the Web resources. The information resources are stored on a protected Web server. A user of a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other request by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorized the user to use the resource. The user is presented with a customized Web page showing only those resources that the user may access. Thereafter, the access server can resolve requests to use other resources without contacting the registry server. The registry server controls a flexible, extensible, additive data model stored in a database that describes the user, the resources, roles of the user, and functional groups in the enterprise that are associated with the user.
摘要翻译: 基于用户在控制Web资源的组织中的角色,单个安全登录使用户可以访问授权的Web资源。 信息资源存储在受保护的Web服务器上。 客户端或浏览器的用户登录到系统。 受保护服务器上的运行时模块接收登录请求,并拦截客户端使用资源的所有其他请求。 运行时模块连接到可以确定特定用户是否可信的访问服务器,以及用户被授权访问哪些资源。 用户信息与用户所属的组织的角色和功能组相关联; 角色与访问权限相关联。 访问服务器连接到注册表服务器,用于存储有关用户,角色,功能组,资源和关联的信息。 访问服务器和注册表服务器交换授权用户使用资源的加密信息。 用户被呈现给定制的网页,仅显示用户可以访问的那些资源。 此后,访问服务器可以解决使用其他资源的请求,而无需联系注册服务器。 注册表服务器控制存储在数据库中的灵活的,可扩展的附加数据模型,该模型描述与用户相关联的企业中的用户,资源,角色和企业中的功能组。
-
2.发明授权公开(公告)号:US07155737B1
公开(公告)日:2006-12-26
申请号:US09309360
申请日:1999-05-11
申请人: Mario Lim , Teresa Win , Emilio Belmonte
发明人: Mario Lim , Teresa Win , Emilio Belmonte
IPC分类号: G06F12/02 , G06F13/28 , H04L9/00 , G06F15/173
CPC分类号: G06F21/33 , G06F21/41 , G06F21/51 , H04L9/3247 , H04L63/083 , H04L63/10 , H04L63/123
摘要: A method and apparatus is provided for securely executing access control functions that may be customized by or on behalf of administrators of information access systems. Examples of such functions include changing a password of a user, determining whether or not data specifying a user and a password identifies an authentic user, and displaying a message indicating whether a login attempt was successful. An access control function is mapped to a digital signature. The digital signature is used to verify that an executable element retrieved for executing the access control function is the proper executable element. The access control functions may be invoked upon the occurrence of access control events, such as a user successfully logging onto an information access system or the modification of a user's password. A mapping contains data used to determine what events are tied to what access control functions, and whether the access control function should be executed. Upon the occurrence of an extension event that is tied to an extension, an executable element for the extension is retrieved. After executing an extension, data is returned to the caller of the extension. The returned data may be a hash table that includes other objects, such as strings or even other hash tables. The access control functions are developed in manner that exploits the power and simplicity of the inheritance feature of object oriented programming.
摘要翻译: 提供了一种方法和装置,用于安全执行可由信息访问系统的管理员或代表其定制的访问控制功能。 这种功能的实例包括改变用户的密码,确定用户指定的数据和密码是否识别真实用户,以及显示指示登录尝试是否成功的消息。 访问控制功能映射到数字签名。 数字签名用于验证检索用于执行访问控制功能的可执行元素是否是正确的可执行元素。 访问控制功能可以在诸如用户成功登录到信息访问系统或修改用户密码的访问控制事件时被调用。 映射包含用于确定哪些事件与什么访问控制功能相关联的数据以及是否应执行访问控制功能。 发生与扩展关联的扩展事件时,检索扩展的可执行元素。 执行扩展后,数据将返回给扩展的主叫方。 返回的数据可以是包括其他对象(例如字符串或甚至其他哈希表)的哈希表。 访问控制功能以利用面向对象编程的继承特征的功能和简单性的方式开发。
-
公开(公告)号:US06182142B2
公开(公告)日:2001-01-30
申请号:US09113609
申请日:1998-07-10
申请人: Teresa Win , Emilio Belmonte
发明人: Teresa Win , Emilio Belmonte
IPC分类号: G06F1300
CPC分类号: H04L63/067 , G06F19/00 , G06F21/604 , G06F21/6218 , H04L63/105 , H04L67/306
摘要: Using a method for controlling access to information resources, a single secure sign-on gives the user access to authorized resources, based on the user's role in the organization. The information resources are stored on a protected server. A user of a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other request by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorized the user to use the resource. The access server passes encrypted tokens that define the user's roles and authorization rights to the browser or client, which stores the tokens in memory. The user is presented with a customized display showing only those resources that the user may access. Thereafter, the access server can resolve requests to use other resources based on the tokens without contacting the registry server.
摘要翻译: 使用一种方法来控制对信息资源的访问,单个安全登录使用户可以根据用户在组织中的角色访问授权资源。 信息资源存储在受保护的服务器上。 客户端或浏览器的用户登录到系统。 受保护服务器上的运行时模块接收登录请求,并拦截客户端使用资源的所有其他请求。 运行时模块连接到可以确定特定用户是否可信的访问服务器,以及用户被授权访问哪些资源。 用户信息与用户所属的组织的角色和功能组相关联; 角色与访问权限相关联。 访问服务器连接到注册表服务器,用于存储有关用户,角色,功能组,资源和关联的信息。 访问服务器和注册表服务器交换授权用户使用资源的加密信息。 访问服务器将加密的令牌传递给用户的角色和授权权限,该浏览器或客户端将令牌存储在内存中。 向用户呈现仅显示用户可访问的资源的定制显示。 此后,访问服务器可以解析基于令牌使用其他资源的请求,而不需要联系注册服务器。
-
公开(公告)号:US6161139A
公开(公告)日:2000-12-12
申请号:US248762
申请日:1999-02-12
申请人: Teresa Win , Emilio Belmonte
发明人: Teresa Win , Emilio Belmonte
CPC分类号: H04L63/067 , G06F19/00 , G06F21/604 , G06F21/6218 , H04L63/105 , H04L67/306
摘要: Described is a method that comprises storing information that defines administration roles, that associates a user with one or more of the administrative roles, and that associates each administration role with one or more administrative privileges. An administrative privilege authorizes at least one administrative function. When the user requests the execution of an administrative function, the requests is honored only when one of the user's administrative roles includes an administrative privilege that authorizes the requested administrative function. In addition, information is stored that associates each of a plurality of users with one or more administrative roles. At least two users administer the access control computer system from different locations, or from computers connected to two different local area networks. Information associating a user with one or more administrative roles may be stored in a cookie, which may be encrypted. The information stored in the cookie is used to determine whether an administrative function requested by a user may be executed on behalf of the user.
摘要翻译: 描述了一种方法,其包括存储定义管理角色的信息,其将用户与一个或多个管理角色相关联,并且将每个管理角色与一个或多个管理特权相关联。 管理权限至少授权一个管理职能。 当用户请求执行管理功能时,只有当其中一个用户的管理角色包含授权请求的管理功能的管理权限时才会请求该请求。 此外,存储将多个用户中的每一个与一个或多个管理角色相关联的信息。 至少两个用户从不同的位置或连接到两个不同局域网的计算机管理访问控制计算机系统。 将用户与一个或多个管理角色相关联的信息可以存储在可被加密的cookie中。 存储在cookie中的信息用于确定用户所请求的管理功能是否可以代表用户执行。
-
-
-
搜索结果
4 条记录 (耗时 0.021 秒)
