The present invention relates to managing access to resources accessible over a network.
Computer networks have become ubiquitous in business, industry, and education. Networks have one or more resources, such as application programs that provide various computing functions, which are available to all users. Development of the globally accessible, packet-switched network known as the Internet has enabled network resources to become available worldwide. Development of the hypertext protocol (xe2x80x9cHTTPxe2x80x9d) that implements the World Wide Web (the xe2x80x9cwebxe2x80x9d) enables networks to serve as a platform for global electronic commerce. In particular, through the web a business easily exchanges information with its customers, suppliers and partners worldwide. Because some exchanged information is valuable and sensitive, access to it should be limited to selected users. Thus, there is a need to provide selective access information available over the web.
One approach to solving the foregoing problem is to protect a set of resources accessible over the network with an access control mechanism. An access control mechanism is a combination of software and hardware configured to manage access to a set of resources connected to a network. Often, the access control mechanism is commercial software, which is purchased as off-the-shelf software from vendors of access control mechanisms. A resource is a source of information, identified by an identifier, such as a uniform resource locator (xe2x80x9cURLxe2x80x9d) or an internet protocol (xe2x80x9cIPxe2x80x9d) address. A resource protected by an access control system may be a static file (xe2x80x9cpagexe2x80x9d) containing code conforming to the Hypertext Markup Language (xe2x80x9cHTMLxe2x80x9d) or a dynamically generated page created by programs based on the Common Gateway Interface (xe2x80x9cCGIxe2x80x9d). Examples of resources include a web page, a complete web site, a web-enabled database, and an applet.
FIG. 1 is a block diagram that depicts an exemplary network architecture 100 that includes a system protected by an access control mechanism 101. Exemplary network architecture 100 includes a browser 110 coupled by a communication link to a network 102. The block shown for browser 110 represents a terminal, workstation computer, or an equivalent that executes a standard browser program or an equivalent, such as Netscape Navigator, Internet Explorer, or NCSA Mosaic. Network 102 is a compatible information communication network, preferably the Internet. In alternate embodiments, the browser 100 is a client process or client workstation of any convenient type, and the network 102 is a data communication network that can transfer information between the client and a server that is also coupled to the network.
The term server is used here to refer to one or more computer software or hardware elements which are dedicated to providing requested functions (xe2x80x9cservicesxe2x80x9d) on behalf of clients that transmit requests. A server may be a software module which may be invoked by and executed by a client process, a separate process that receives requests from other client processes running the same computer system, or a set of processes running on a set of computers, where the processes respond to requests by clients running on other computers.
Access control system 190 is coupled to network 102 and supplies services used to manage access to protected servers 150, including user authentication and verification services, in a manner which shall be later described in greater detail. Protected servers 150 are also coupled to network 102 and supply one or more resources.
Before a user may access a resource from protected servers 150, the user must first log in to access control system 190, supplying information to access control system 190 used to authenticate the user. Users may log in either with a digital certificate transmitted to access control system 190 or by opening a login page supplied by access control system 190 with browser 110 and entering a name and password. Once the user is authenticated, an authenticated session is associated with the user, and the user may then access one or more resources on protected servers during the life of the authenticated session.
For this purpose, access control system 190 transmits one ore more identification data, e.g., cookies, to browser 110 that are used, at least in part, by a protected server to verify that the user has been authenticated. Cookies are pieces of information which a server may create and transmit to a browser, to cause the browser to store the cookie and retransmit it in subsequent requests to servers. A cookie may be associated with a domain name used to identify the IP address of a server. A domain name is an identifier that identifies a set or one or more IP addresses. Examples of domain names are xe2x80x98enCommerce.comxe2x80x99 or xe2x80x98uspto.govxe2x80x99. A browser transmits a cookie in conjunction with a request to the server to access a resource, transmitting the cookies as part of the request. The cookies transmitted are associated with the domain name of the server.
A domain name may be used in an address that identifies a resource, such as a URL. For example, a domain may be used to identify resources xe2x80x9csample1File.htmxe2x80x9d and xe2x80x9csample2File.htmxe2x80x9d, by using the URL xe2x80x9cwww.demoDomain/sample2File.htmxe2x80x9d, where xe2x80x98demoDomainxe2x80x99 is the domain name. The domain name corresponds to the IP address of a server that may supply a resource.
A domain is a set of resources which may identified by the domain""s name. Thus, xe2x80x98sample1File.htmxe2x80x99 sample2File.htmxe2x80x99 are resources that belong to the same domain. The process of accessing a resource via a request that identifies the resource using a domain name is referred as accessing the domain.
When a protected server receives a request for access from a client who has been authenticated, the protected server receives xe2x80x9caccess control cookiesxe2x80x9d for the domain of the server. The access control cookies may contain information used to verify that a user has been authenticated, and may contain data that specifies the user""s privileges. A privilege is a right to access a particular resource. Access control cookies are typically encrypted for security purposes.
A major drawback to a conventional access control system is that it only controls access to a set of servers and resources that belong to one domain. The underlying reason for this limitation is as follows. When a conventional access control system supplies access control cookies to a user that has just been authenticated, the cookies transmitted are associated with the domain of the access control system. When the browser requests access to another resource in another domain, the access control cookies are not transmitted because they are associated with the other domain. Thus, each domain name used to deploy a set of servers or resources requires its own implementation and maintenance of an access control system, adding to the expense of securing resources accessible over a network. In addition, for each domain name a user must login. Thus, the user may be encumbered by repetitious login procedures, or the number of domain names that may be used are limited by efforts to avoid encumbering the user.
Based on the foregoing, it is clearly desirable to provide an access control system that may be used to manage access to a set of resources deployed under multiple domain names, particular, requires a user to login just once to access the set of resources.
A mechanism that uses a single access control system to manage access by users to resources that belong to multiple domains is disclosed. According to one aspect, a server is associated with each domain in a set of domains. Access to resources in the domains is governed by an access control system. A first server for a first domain transmits a data token to a client seeking access to a resource in a second domain. The client transmits the data token to a second server in the other domain. The second server uses the data token to verify that the user is, authorized to access resources protected by the access control system. Once determining that the user is authorized to access resources, access control xe2x80x9ccookiesxe2x80x9d are transmitted to client.
According to another aspect of the present invention, when the client requests access to a resource in the second domain, and the request did not include access control cookies for the second domain, data is transmitted to the browser causing it to generate another request to the first server. The first server ensures that the user has been authenticated before transmitting the data token to the browser. In addition, the first server may cause copies of access control cookies for the user to be stored for later transmission to the second server.