1. Field of the Invention
The present invention relates to a computer system, and deals more particularly with a method, system, and computer program product for dynamically refreshing client credentials in a distributed, client/server environment.
2. Description of the Related Art
The client/server networking environment provides for distribution of computer-performed work across multiple computers and allows sharing of resources (such as databases, processors, and applications) among multiple users. The benefits of the client/server environment are substantial, including cost savings and reliability, among others. These benefits, however, come at the expense of a number of problems which are associated with client/server or distributed processing. One such problem is the need to provide security to keep unauthorized users from accessing valuable assets such as company databases where trade secrets, financial information and employee information are stored. Even more problematic is the need to ensure that a server application, acting on behalf of an authorized client, has access to only those resources that the client is authorized to use.
Within the client/server environment, a user begins processing by using an application located on a client machine. The client-side application is typically focused on the task of communicating with the user via displays (for example, enabling the user to make requests and then see the results), while the server-side application is typically focused on the tasks of collecting the information needed for the user's request, processing the information, and sending the results of the processing back to the client machine. In the early days of client/server computing, a client application communicated with a server application which completed the processing, or series of tasks, on a single machine, and then returned the results of the processing to the requesting client. As technology in networks and computers evolved, however, so did the complexity of client/server environments. Today, a client/server application may ultimately interoperate with several servers before completing the request and returning the results of the processing to the client. The required processing, or series of tasks, may be distributed among several servers, with each server providing the processing of a particular task. For example, a simple client request may require extracting data from a database, processing the extracted data, and then returning the results to the requesting client. The server machine receiving the request may delegate the data extraction task to a database server, receive the data from the database server, delegate the task of processing the data to a processing server, and return the results to the client when the processing server has completed.
The complexity of the client/server environment has affected the way servers complete tasks initiated by a client. Since multiple servers may be involved in completing the client-initiated tasks, the server applications need to process tasks atomically (i.e. all parts of a task either complete successfully, or all modifications which may have been performed for the incomplete task must be "rolled back" or "backed out"). If a task on one server fails for any reason, then the other server's tasks may need to be terminated (in the case of those still running), canceled (for those tasks that have not been initiated), or backed out (for those tasks that did complete prior to the failure). This leads to very complex distributed application programming code.
With the increasing complexity in the client/server environment, several measures for providing secure communications and protecting resources have been developed. Two measures that address security issues in overall computer use, including the client/server environment, are authentication and authorization.
One aspect of protecting resources is the ability to ensure the person attempting to access the system is, in fact, the person they are purporting to be. This is known as "authentication" and typically involves a user providing a user name (or other identifier) to indicate to the system who the user is and a password (or a secret) used to indicate that it is, in fact, the legitimate user for that user name and not someone trying to impersonate him. Authentication may also include some determination of system-wide privileges or limitations placed on a user. For example, a user may have the ability to make administrative changes to a particular system or cluster of systems, but not to all systems in a computer complex. Authentication is typically done once at the beginning of each user session.
Another aspect of protecting resources is the ability to ensure that an authenticated user is authorized to access a protected resource. An employee, for example, may be authorized to access information related to the work calendar showing the company's designated holidays. This same employee, however, may not be authorized to access the salary database for all employees in the company. In this case, the user may be provided with credentials which indicate the privileges or limitations for this user to access specific information. This aspect is called "authorization".
In a multi-server application environment, authenticating users against password databases may impede performance since the server may have to communicate to distant security servers over a busy network to get to the appropriate password database. When multiple servers are involved in the application, the impact of having multiple accesses to the password database can affect overall performance of the application. To alleviate the need for each server to check a client's password, a client can create a signed credential that includes a specification of the resources a user is authorized to access, as stated above. This credential is only provided after a client is authenticated and provides a valid password. The credential can then be passed along to the server application which can, in turn, validate the credential locally and thereby avoid performance problems associated with validating a user's password. This is common practice today and is well known to those familiar with the art.
To ensure that a user cannot gain indefinite access to protected resources once a credential is obtained, credentials typically expire after some period of time, after which they are no longer accepted as valid. If a credential expires before all associated tasks are completed, the server application typically causes completed tasks to be backed out and the client receives an error code indicating that the credential needs to be refreshed for the operation to be performed. Since the client's password is required to obtain a new credential, the server application cannot act on behalf of the client to request the refreshed credentials. Therefore, the client is required to repeat the process of revalidating the user with a password, obtaining another credential for the protected resources needed by the server application, and retrying the operation. The impact to the client is wasted time caused by the failed processing of the initial request and the need for the request to be re-started after the credentials are refreshed. The impact on the client/server environment can be significant in that the processing time up to the point of the credential expiration is wasted time. In addition, the servers which did complete tasks associated with the request have the additional burden of backing out those tasks which had completed. The need to deal with these problems as part of the normal path of request processing can also lead to increased program complexity.
Accordingly, what is needed is a technique for enabling a server to dynamically refresh a client's credentials in a client/server environment, without disruption to an ongoing secure process being performed for an otherwise authorized client. This technique must preserve a system administrator's ability to invalidate credentials which have been compromised.
An object of the present invention is to provide a technique whereby a client credential is dynamically refreshed in a client/server environment.
Another object of the present invention is to provide this technique in a complex, multi-server environment, without requiring a restart of in-process secure operations.
A further object of the present invention is to provide this technique in a manner that preserves a system administrator's ability to invalidate compromised credentials and user accounts.
Other objects and advantages of the present invention will be set forth in part in the description and in the drawings which follow and, in part, will be obvious from the description or may be learned by practice of the invention.
To achieve the foregoing objects, and in accordance with the purpose of the invention as broadly described herein, the present invention provides a method, system, and computer program product for use in a client/server computing environment for dynamically refreshing user credentials without disruption of an on-going secure process. In a first aspect, this technique comprises: generating a user credential for a user of a client machine, wherein this user credential comprises authorization data for the user, an authenticated identity of the user, an expiration time of the credential, and a last authentication time of the user; requesting, by the user, an execution of a secure process on a server connected to the client machine through a network; providing the user credential to the server for use with the requested execution; performing the requested execution; and refreshing the credential if the credential is determined to be expired during the execution, wherein the expiration is determined by checking the expiration time, and wherein the execution continues by using the refreshed credential.
Preferably, the credential refreshing further comprises: comparing the last authentication time to a system-wide invalidation time and to a user-specific invalidation time for the user to determine whether the user credential is refreshable; generating the refreshed credential from the user credential, wherein the expiration time is set to a new expiration time, when the user credential is refreshable; and generating an error condition and halting further execution when the user credential is not refreshable. The credential refreshing may further comprise ensuring that an account of said user is still valid.
Alternatively, the credential refreshing may further comprise: comparing the last authentication time to a system-wide invalidation time; and halting execution when the comparison determines that the last authentication time is earlier than the system-wide invalidation time.
In another aspect, this technique comprises: generating a user credential for a user of a client machine, wherein the user credential comprises authorization data for this user, an authenticated identity of the user, and a time value for the credential; requesting, by the user, an execution of a secure process on a server connected to the client machine through a network; providing the credential to the server for use with the requested execution; performing the requested execution; and refreshing the credential if the credential is determined to be expired during execution, wherein the expiration is determined by checking the time value, and wherein execution continues by using the refreshed credential.
In this aspect, the credential refreshing preferably further comprises: comparing the time value to a system-wide invalidation time and to a user-specific invalidation time for this user to determine whether the user credential is refreshable; generating the refreshed credential from the user credential, wherein the time value is set to a new time value, when the user credential is refreshable; and generating an error condition and halting further execution when the user credential is not refreshable.
This aspect may also further comprise: comparing the time value to a system-wide invalidation time; and halting execution when the comparison determines that the time value is less than the system-wide invalidation time. The comparison may further comprise ensuring that an account of said user is still valid.
In this aspect, the time value may comprise either: (i) an expiration time computed by adding a predetermined credential validity period to a last authentication time of the user, or (ii) a credential creation time set to a last authentication time of the user, and wherein the expiration of the time value is computed by adding a predetermined credential validity period to the time value.
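The following is an added illustration, not code from the patent, of the refresh logic described in the two aspects above: a credential carrying authorization data, an authenticated identity, a last authentication time and an expiration time (variant (i)), a server that refreshes an expired credential in the middle of a multi-step secure process instead of backing the work out, and the refreshability check that compares the last authentication time against a system-wide and a user-specific invalidation time and confirms the account is still valid. Variant (ii), where the credential carries only a creation time and the expiration is derived from it, is shown as a one-line helper. The class and function names, the validity period, the password table and the time values are all constructed for this example; the security-relevant design point it demonstrates is that a refresh never updates the last authentication time, so an administrator's invalidation issued after the user's real login still kills the credential at its next refresh.

```python
# Added example (not the patent's own code): toy model of dynamic credential refresh.
from dataclasses import dataclass, replace

CREDENTIAL_VALIDITY_PERIOD = 3600  # seconds a credential stays valid (assumed value)

# Constructed stand-ins for the security server's password and authorization databases.
PASSWORD_DB = {"alice": "correct horse battery staple"}
AUTHORIZATION_DB = {"alice": frozenset({"calendar", "holiday-list"})}


class AuthenticationError(Exception):
    """Raised when the user name/password pair is not accepted."""


class CredentialRefreshError(Exception):
    """Raised when an expired credential cannot be refreshed; the secure process halts."""


@dataclass(frozen=True)
class Credential:
    user_id: str                   # authenticated identity of the user
    authorization_data: frozenset  # resources the user is authorized to use
    last_auth_time: int            # when the user last proved possession of the password
    expiration_time: int           # variant (i): absolute time after which it is expired


class SecurityServer:
    """Holds the invalidation state an administrator controls (assumed structure)."""

    def __init__(self):
        self.system_invalidation_time = 0  # credentials authenticated before this are dead
        self.user_invalidation_time = {}   # user_id -> per-user invalidation time
        self.disabled_accounts = set()

    def invalidate_all(self, at):
        self.system_invalidation_time = at

    def invalidate_user(self, user_id, at):
        self.user_invalidation_time[user_id] = at

    def authenticate(self, user_id, password, now):
        """Password check: the only path that sets last_auth_time."""
        if user_id in self.disabled_accounts or PASSWORD_DB.get(user_id) != password:
            raise AuthenticationError(user_id)
        return Credential(user_id, AUTHORIZATION_DB[user_id], now,
                          now + CREDENTIAL_VALIDITY_PERIOD)

    def is_refreshable(self, cred):
        """Refreshable only if the account is still valid and no system-wide or
        user-specific invalidation happened after the user last authenticated."""
        if cred.user_id in self.disabled_accounts:
            return False
        if cred.last_auth_time < self.system_invalidation_time:
            return False
        if cred.last_auth_time < self.user_invalidation_time.get(cred.user_id, 0):
            return False
        return True

    def refresh(self, cred, now):
        """Issue a refreshed credential with a new expiration time. last_auth_time is
        deliberately kept, so a later administrative invalidation still applies."""
        if not self.is_refreshable(cred):
            raise CredentialRefreshError(cred.user_id)
        return replace(cred, expiration_time=now + CREDENTIAL_VALIDITY_PERIOD)


def is_expired(cred, now):
    return now >= cred.expiration_time


def expiration_from_creation_time(creation_time):
    """Variant (ii): the credential stores only a creation time (set to the last
    authentication time) and the expiration is derived whenever it is checked."""
    return creation_time + CREDENTIAL_VALIDITY_PERIOD


def run_secure_process(server, cred, steps, start_time, step_duration):
    """Run `steps` sequential tasks. Before each task the server checks the credential
    and, if it has expired, refreshes it and carries on rather than backing out the
    completed tasks. Returns (credential in force, tasks completed, finished?)."""
    now = start_time
    completed = 0
    for _ in range(steps):
        if is_expired(cred, now):
            try:
                cred = server.refresh(cred, now)
            except CredentialRefreshError:
                return cred, completed, False  # error condition: halt further execution
        completed += 1
        now += step_duration
    return cred, completed, True
```

Running a five-task process that starts at time 1000 with tasks 1000 seconds apart, the credential issued at 1000 expires at 4600, is refreshed at the fifth task (new expiration 8600) and the process finishes with nothing backed out; after `invalidate_user("alice", 6000)` a later refresh of that same credential is refused because its last authentication time (1000) predates the invalidation, while a credential from a fresh login at 7000 still refreshes.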
The present invention will now be described with reference to the following drawings, in which like reference numbers denote the same element throughout.