1. Statement of the Technical Field
The present invention relates in general to method and system for controlling access of a client system to an access protected remote resource via a Web Application, especially a Portal application, using a rewriter proxy.
2. Description of the Related Art
A rewriter proxy is defined as a component which routes incoming user client requests to access protected remote resources as well as processes and modifies the returned content so that links point to the rewriter proxy instead of the access protected remote resource. An access protected remote resource means any resource that provides content that is protected against unauthorized access, e.g. by using a firewall. In this regard, FIG. 1 shows the prior art communication flow between client system, portal application using rewriter proxy, and access protected remote resources.
In a typical web application communication scenario, especially a portal application scenario, a user of a client system authenticates itself against the portal application and receives a portal page with a portlet that contains links to access protected remote resources behind a firewall which are not accessible for the client directly. Therefore a resource proxy has to ensure that all incoming client requests as well incoming responses from the access protected remote resources are respectively rerouted to their destination.
To achieve this it is a common technique of the rewriter proxy application to detect such links to access protected remote resources in the incoming content provided by the remote application and to rewrite these links in a way that the rewritten URIs point to the rewriter proxies and contain the original remote location as some kind of parameter. The rewritten URIs are then part of the generated content and replace the original URIs. The user of the client system which displays the content which includes these rewritten links, sends a request to the rewriter proxy asking to handle the link traversal. In order to serve the request the rewriter proxy gets the original location of the access protected remote resource from the rewritten URI and retrieves the resource content to which the links refers.
More specifically, with respect to FIG. 1, there is shown a prior art communication process between client system 1, portal application 2 using rewriter proxy 14, and access protected remote resources 3. For example access protected remote resources 3 are databases, transaction systems, syndicated content provider, remote web sites which are connected with the portal application by network (e.g. Internet).
Access protected remote resources 3 mean that a user client cannot directly access remote resources but all user requests are rerouted via the rewriter proxy 14 to the access protected remote resources 3 (e.g. access protected remote resources are secured by a Firewall). The communication process begins with a client request to a portal application 2. After successful authentication, the portal application 2 provides a first portal page 7 to the client system 1. All links included in that portal page 7 that provide access to access protected remote resources 3 are rewritten by the rewriter proxy 14 insofar that the original URI 9 pointing to the access protected remote resource 3 is replaced by the URI of the rewriter proxy 14.
Preferably, the original URI 9 is added as a parameter in that rewritten URI 10. When the user of the client system 1 activates a link included in the portal page 7, a request including the rewritten URI 10 is sent to rewriter proxy 14 that reads the rewritten URI 10 and extracts the URI 9 of the access protected remote resource 3. Then the rewriter proxy 14 connects to the access protected remote resource 3 and subsequently rewrites all the URIs 9 received from the access protected remote resource 3.
The described and commonly used technique of rewriting resource URIs as handled by a rewriter proxy opens a potential security hole which allows users to access remote applications which are protected by security setups that prohibit the access to the users but grant access to the remote application for the proxy application only. The security holes arises from the fact that most rewriter proxy generate resource URIs in a manner that does not guarantee that a user is not able to create URIs that reference known protected resources and which appear valid and thus are served by the proxy application. Often the location of the access protected remote resource is simply encoded in the generated resource URI in plaintext.
An attacker knowing the location of an access protected remote resource of interest can inspect the content for a valid rewritten resource URI and can change the value of the resource location parameter to the location of the protected resource he wants to retrieve. The modified resource URI can than be used to send a request to the rewriter proxy to retrieve the access protected remote resource. Thus the attacker can use the rewriter proxy to tunnel through the firewall.
To combat potential security threats, one solution includes the rewriter proxy managing some kind of access table that holds URIs to all access protected remote resources. When a user sends a request to an access protected resource the rewriter proxy checks against this table if the user is allowed to access that resource. Yet, this technique requires an access control check on each request and also increases the configuration effort with increasing number of access protected remote resources.
Another known solution is to store each resource URIs that appears in the remote content in a session object. When the rewriter proxy rewrites the resource URIs, a reference to the URI session object is inserted into the rewritten URI instead of the resource location. This ensures that users can only access resources which have passed the rewriter proxy. On the other hand it has several disadvantages namely users can not bookmark the rewritten resource URIs, caching of resources by caching proxies is not possible, and high memory consumption is given.
Therefore, it is object of the present invention to provide a method and system method and system for controlling access of a client system to an access protected remote resource via a Web Application, especially a portal application, using a rewriter proxy avoiding disadvantages of the prior art.