1. Field of the Invention
The present invention relates to a security system for validating Web-Based requests, and more specifically, to a security system whereby CGI Variables and Cookie information from a Web-Based client are passed via a security gateway to an enterprise based OLTP security service for validation.
2. Description of the Prior Art
The methods by which companies conduct business with their customers are undergoing fundamental changes, due in large part to World Wide Web technology. In addition, the same technology that makes a company accessible to the world, may be used on internal company networks for conducting operational and administrative tasks.
One of the technologies underlying the World Wide Web is the web browser. Web browsers have become a de facto user interface standard because of their ability to interpret and display information having standard formats (e.g., HyperText Markup Language (HTML), plain text, GIF, etc.). Client software programs, popularly referred to as web browsers (e.g., Mosaic, Netscape Navigator, Microsoft Internet Explorer, etc.), execute on client systems and issue requests to server systems. The server systems typically execute HyperText Transfer Protocol (HTTP) server programs which process requests from the web browsers and deliver data to them. The system that executes an HTTP server program and returns data to the web browser will hereinafter be referred to as a Web Server System. An HTTP server program itself will be referred to as a web server.
A Web Server System has access to on-line documents that contain data written in HyperText Markup Language (HTML). The HTML documents contain display parameters, capable of interpretation by a web browser, and references to other HTML documents and web servers (source: World Wide Web: Beneath the Surf, from UCL Press, by Mark Handley and Jon Crowcroft, on-line at http://www.cs.ucl.ac.uk/staff/jon/book/book.html).
As web browsers are making their mark as a "standard" user interface, many businesses have a wealth of information that is managed by prior art database management systems such as DMS, RDMS, DB2, Oracle, Ingres, Sybase, Informix, and many others. In addition, many of the database management systems are available as resources in a larger transaction processing system. There are also mission critical applications which still reside on enterprise servers, since these types of systems have resiliency and recovery features historically not available on other, smaller types of servers.
One key to the future success of a business may lie in its ability to capitalize on the growing prevalence of web browsers in combination with selectively providing access to the data that is stored in its databases. Common Gateway Interface (CGI) programs are used to provide web browser access to such databases.
The Common Gateway Interface (CGI) is a standard for interfacing external applications with information servers, such as web servers, so that a web browser can obtain information through them. The CGI allows programs (CGI programs) to be referenced by a web browser and executed on the Web Server System. For example, to make a UNIX database accessible via the World Wide Web, a CGI program is executed on the Web Server System to: 1) transmit information to the database engine; 2) receive the results from the database engine; and 3) format the data in an HTML document which is returned to the web browser. CGI variables are supplied to the CGI program by the web server and typically include information such as the IP address of the browser (REMOTE_ADDR) or the port number of the server (SERVER_PORT), as well as any headers the browser sent with the request.
Cookies, which often accompany the CGI variables, are packets of information which a web site may send back to a user system after the user accesses the site. These packets of information indicate how the user utilized various functions associated with the site. This information is stored on the user system along with the Uniform Resource Locator (URL) for the web site, and is passed back to the server if the user accesses the web site again. Because the cookie travels through, and is stored on, the user system, its contents are under the user's control when they return to the server.
Server software uses the user history provided by the cookies to make decisions regarding how the user request is to be handled. For example, assume the web site is devoted to history. The cookie information will inform the server that the current request is from a user interested in the Civil War. This allows the server to provide the user with advertisements for books related to the Civil War.
There is a growing need for greater assurances that information being passed along the Internet is secure and will not be intercepted. Some of the problems involved with Internet hacking include stolen access, stolen resources, e-mail counterfeiting, vandalization, and Internet agents (worms) (source: Matteo Foschetti, Internet Security, California State University, Fullerton, April 1996, available on-line at: http://www.ecs.fullerton.edu/~foschett/security.html). Many consumers have the general perception that transacting business on the Internet is not safe, thus they are reluctant to participate in Internet activities such as on-line shopping, sending messages, submitting to newsgroups, or web surfing. Although some people's perception of Internet security breaches may be somewhat overblown, the figures do bear out the vulnerability of the Internet. It has been estimated that over 80% of all computer crimes take place using the Internet. With over 30,000 interconnected networks and 4.8 million attached computers serving over 30 million users, there is a legitimate Internet security concern.
Businesses are faced with the challenge of adapting their present usage of yesterday's technology to new opportunities that are made available with the World Wide Web. Most business application software and underlying databases are not equipped to handle interaction with web browsers. It would therefore be desirable to have a secure, flexible and efficient means for allowing interoperability between enterprise-based business application software and the World Wide Web.
The present invention overcomes many of the disadvantages associated with the prior art by providing a system and method which allows the interchange of Cookie information and standard Common Gateway Interface (CGI) variables between a user system and an On-Line Transaction Processing (OLTP) enterprise server. Previously, the interchange of Cookies and CGI variable information was confined to the user system and the web server.
In a preferred embodiment of the present invention, when a user accesses a selected web site from a web browser, packets of Cookies are passed from an On-Line Transaction Processing (OLTP) enterprise server to a user system. These packets of Cookies indicate how the user utilized various functions associated with the site. This information is stored on the user system along with the Uniform Resource Locator (URL) for the web site, and is passed back to the OLTP enterprise server if a user accesses the web site again.
CGI Variables are also used to pass information between a user system and an enterprise OLTP server. These CGI variables can include information such as the IP address of the web browser or the port number of the web server.
The present invention passes Cookies and CGI variables between a Personal Computer (PC) based web browser and an enterprise OLTP server via the web server, the WebTx server and the transaction gateway interface components.
The present invention also discloses a specialized form of a transaction gateway, known as a WebTx security gateway. This security gateway runs on a Windows NT or UnixWare web server machine, and is built as a client application to interoperate with an enterprise-based OLTP security service. In an illustrative embodiment, the security gateway receives an OLTP transaction request and the associated Cookie/CGI Variable information from the WebTx server, builds a view file from the Cookie and CGI Variables, calls the enterprise-based OLTP security service, then waits for validation of the OLTP transaction request. The security gateway eventually receives a response from the OLTP security service indicating whether the request was validated on the OLTP server. If the request was validated, the security gateway allows the request to be processed. That is, the security gateway builds a view buffer associated with the requested OLTP service, then passes the buffer to the requested OLTP service. If the request was not validated, it is not passed on.
The present invention also discloses an enterprise-based OLTP security service, which is used in conjunction with the security gateway of the present invention. This security service processes user-id authentication requests, and if successful, calls an end service requested by a user.
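The exchange described above (the CGI variables and cookie of the request collected into a view by the gateway, validated by the enterprise security service, and only then handed to the requested end service) written out as an added example. This is illustration code written for this page, not Unisys WebTx code: the cookie name WTXSESSION, the functions build_view, security_service, gateway and account_summary, the END_SERVICES table and the HMAC-signed session cookie are all assumptions, and a Python dict stands in for the fixed-format view file. The signed cookie is there to make the security-relevant point concrete: the user-id reaches the enterprise inside a client-supplied cookie, so the service must verify it against something only the service itself could have produced.

```python
"""Added illustration of the WebTx-style gateway / security-service exchange.

Example code written for this page; it is not Unisys WebTx code. The names
WTXSESSION, build_view, security_service, gateway, account_summary and
END_SERVICES are assumptions, and a dict stands in for the view file.
"""
import hashlib
import hmac
from http.cookies import SimpleCookie

# CGI variables the gateway forwards. REMOTE_ADDR and SERVER_PORT are set by
# the web server, not by the browser; HTTP_COOKIE is whatever the client sent.
CGI_FIELDS = ("REMOTE_ADDR", "SERVER_PORT", "REQUEST_METHOD", "SCRIPT_NAME")

# Assumption: the enterprise security service holds the secret with which it
# signed the session cookie it issued earlier. Demo value only.
SERVICE_SECRET = b"demo-secret-not-for-production"


def build_view(environ):
    """Gateway side: collect CGI variables and cookies into one view buffer."""
    view = {name: environ.get(name, "") for name in CGI_FIELDS}
    jar = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    view["cookies"] = {name: morsel.value for name, morsel in jar.items()}
    return view


def sign_session(user_id, secret=SERVICE_SECRET):
    """Issue a session cookie value of the form '<user-id>.<hmac-sha256 tag>'."""
    tag = hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()
    return f"{user_id}.{tag}"


def security_service(view, end_services, secret=SERVICE_SECRET):
    """Enterprise side: validate the request, then call the requested end service.

    The user-id arrives inside a client-supplied cookie, so it is trusted only
    after the tag this service computed over it is verified.
    """
    token = view["cookies"].get("WTXSESSION", "")
    if "." not in token:
        return {"status": "denied", "reason": "no session cookie"}
    user_id, tag = token.rsplit(".", 1)
    expected = hmac.new(secret, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return {"status": "denied", "reason": "bad session signature"}
    service = end_services.get(view["SCRIPT_NAME"])
    if service is None:
        return {"status": "denied", "reason": "unknown service"}
    return {"status": "ok", "user": user_id, "result": service(user_id, view)}


def gateway(environ, end_services):
    """Security gateway: build the view, ask the security service, relay its answer."""
    return security_service(build_view(environ), end_services)


def account_summary(user_id, view):
    """Stand-in end service; it only ever sees a request that passed validation."""
    return f"summary for {user_id} requested from {view['REMOTE_ADDR']}:{view['SERVER_PORT']}"


END_SERVICES = {"/cgi-bin/account": account_summary}

# Constructed CGI environment, as a web server would hand it to the gateway.
SAMPLE_ENVIRON = {
    "REMOTE_ADDR": "192.0.2.10",
    "SERVER_PORT": "443",
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/account",
}

if __name__ == "__main__":
    good = dict(SAMPLE_ENVIRON, HTTP_COOKIE=f"WTXSESSION={sign_session('alice')}; theme=dark")
    print(gateway(good, END_SERVICES))
    # A client can rewrite the user-id inside its own cookie, but cannot
    # recompute the tag without the service's secret, so this is refused.
    forged = dict(good, HTTP_COOKIE="WTXSESSION=admin." + sign_session("alice").split(".", 1)[1])
    print(gateway(forged, END_SERVICES))
```

The point the split makes is the one the patent claims as its advantage: the gateway holds no validation data of its own. It only packages what the web server gave it, and every decision, including rejection of a cookie whose user-id was edited on the client, is made on the enterprise side where the secret lives.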
The security service of the present invention offers several significant advantages over prior art security services. The present invention allows all request validation to be performed directly on the enterprise OLTP system. In the past, requests made to a gateway for access to an enterprise OLTP system were validated first on a workstation based gateway server. If the requests were found to be invalid, they were not passed on to the OLTP system. However, maintaining the updated validation information on a workstation as is necessary to validate such requests presents a large administrative burden. In addition, the security and resiliency aspects of an enterprise-based security service are superior to similar functionality available in a workstation based security service.