1. Field of the Invention
The present invention relates to the field of data processing. More specifically, embodiments of the present invention relate to providing a method for a wireless electronic device (e.g., a portable computer system, a palmtop computer system, cell phone, pager or any other hand held electronic device) to connect with authenticated access to Intranet web applications.
2. Related Art
Computer systems have evolved into extremely sophisticated devices that may be found in many different settings. Computer systems typically include a combination of hardware (e.g., semiconductors, circuit boards, etc.) and software (e.g., computer programs). As advances in semiconductor processing and computer architecture push the performance of computer hardware higher, more sophisticated computer software has evolved to take advantage of the higher performance of the hardware, resulting in computer systems today that are much more powerful than just a few years ago.
Other changes in technology have also profoundly affected how people use computers. For example, the widespread proliferation of computers prompted the development of computer networks that allow computers to communicate with each other. With the introduction of the personal computer (PC), computing became accessible to large numbers of people. Networks for personal computers were developed to allow individual users to communicate with each other. In this manner, a large number of people within a company could communicate at the same time with a central software application running on one computer system.
As corporations utilize increasingly distributed and open computing environments, the security requirements of an enterprise typically grow accordingly. The complexity of employee, customer and partner access to critical information, while assuring proper security, has proven to be a major hurdle. For example, many organizations implement applications that allow their external business partners, as well as their own internal employees, to access sensitive information resources within the enterprise. In the absence of adequate security measures, an enterprise may be subject to the risk of decreased security and confidentiality.
As a result, authentication mechanisms are usually implemented to protect information resources from unauthorized users. Examples of network security products include firewalls, digital certificates, virtual private networks, and single sign-on systems. Some of these products provide limited support for resource-level authorization. For example, a firewall can screen access requests to an application or a database, but does not provide object-level authorization within an application or database.
Single Sign-On (SSO) products, for example, maintain a list of resources an authenticated user can access by managing the login process to many different applications. However, firewalls, SSO and other related products are very limited in their ability to implement a sophisticated security policy characteristic of many of today's enterprises. They are limited to attempting to manage access at a login, or "launch level," which is an all or nothing approach that can't implement an acceptable level of security that is demanded by businesses supporting Intranets.
FIG. 1A illustrates a prior art system 100 of a palmtop or "palm sized" computer system 104 connected to other computing systems and an Intranet via a cradle. Specifically, system 100 comprises a palmtop device 104 connected to PC 103 by a link which can be a serial communication bus, but could be any of a number of well known communication standards and protocols, e.g., a parallel bus, Ethernet, Local Area Network (LAN), and the like. PC 103 is connected to server 101 and database 102 by an authenticated network connection. In the prior art system 100, two authentication parameters are achieved to provide a secure connection. First, PC 103 is physically connected to the server 101 to establish a network connection. The physical location of PC 103 is usually sufficient for the network connection to be approved. Secondly, when applications on server 101 are used, the user of PC 103 must provide a user name and password to authorize use. In this configuration, security and authentication are achieved first on the network level by authenticating the user's login name and password or device identification over the network and secondly on the application level by again authenticating the user's login name and password.
Similarly, FIG. 1B is a prior art system 105 illustrating a palmtop computer connected to other computer systems and the Internet via a modem or dial up device. Specifically, palm device 104 is connected to modem 106 by a link which can be a serial communication bus, but could be any of a number of well known communication standards and protocols, e.g., a parallel bus, Ethernet, Local Area Network (LAN), and the like. Modem 106 is connected to server 101 and database 102 by an authenticated dial-up network connection. In the prior art system 105, two authentication parameters are achieved to provide a secure connection. First, modem 106 must provide a correct user name and password to the server 101 to establish a network connection. Secondly, when applications on server 101 are used, the user of palm device 104 must provide a user name and password to authenticate use. In this configuration, security and authentication are achieved first on the network level by authenticating the user's login name and password or device identification when the modem makes a connection to the network and secondly on the application level by again authenticating the user's login name and password.
In these two configurations, the secure authentication process has two layers. First a network authentication is processed and secondly, an application authentication occurs. At least one of the authentication processes relies on the user supplying a user name and a password, and both configurations require network level authentication.
Unfortunately, most wireless communications do not support double authentication. Due to the differences between ECC encryption associated with wireless protocol and SSL encryption associated with traditional IP protocol, security and authentication mechanisms associated with mobile and wireless need to be modified to provide the same level of security as traditional land-based communications. For example, mobile and wireless devices often access web servers through Internet gateways that provide no assurance of the identity of a device or user. In other words, they provide no network level of security. Intranet security guidelines for most companies usually require both authentication of a device to the network and of a user to each application before access to internal resources can be permitted.
Therefore, there exists a need for a mechanism which allows wireless devices to establish secure and authenticated connections to applications that reside on Intranet networks.
In accordance with the present invention, a system and method are disclosed to permit portable wireless devices secure and authenticated access to applications that are on an Intranet server. Embodiments of the present invention provide a flexible, inexpensive way for wireless network users to access Intranet applications while protecting Intranet resources (e.g., enterprise resources) against unauthorized access. In addition, the invention does not impose the authentication burden upon individual applications or require the use of application specific middleware or specific mobile application framework.
Embodiments of the present invention include a method and server system for exchanging data between a hand-held wireless electronic device and another computer system. This system allows a wireless electronic device to securely communicate with an Intranet by verifying two authentication parameters to provide network level authentication. The first authentication parameter is the device serial number and a password which authenticates the network connection. The second authentication parameter is a user name and password that authenticates the user's access to applications on the Intranet. In one embodiment of the present invention, the system uniquely integrates the authentication parameters into every query the wireless device makes to the Intranet by adding the parameters to each link that is communicated to the device from the Intranet service. In this configuration, the authentication parameters maintain the session between the wireless device and the Intranet. Beneficially, the authentication parameters are not stored on any particular network device and do not burden either the server or the wireless device with maintaining the session. In another embodiment of the present invention, the server system uses a link rewriter service for examining web pages generated by applications of the Intranet to identify links that point to any application that is resident on the Intranet. Once an Intranet link is identified, the link rewriter uses a lookup table in a database to rewrite the link to include a keyword that designates both the targeted application and its Intranet server. If a link does not point to the Intranet, it is not rewritten, so that it is executed/routed over the Internet.
More specifically, the present invention includes a server system comprising a network translator for communicating with wireless electronic devices and translating between wireless communication protocol and IP communication protocol. The server system also contains an Intranet comprising a plurality of Intranet servers, each comprising applications. In addition, a proxy server is coupled to the network translator and the Intranet. The proxy server is for routing queries received from the wireless electronic device to an appropriate server destination and for routing responses to wireless electronic devices. The proxy server comprises a link rewriter service for examining web pages generated by applications of the Intranet to identify links that point to any application that resides in the Intranet, translating each identified link to include a keyword that designates both the targeted application and its Intranet server. The proxy server also comprises a routing service for examining queries sent from the wireless electronic device and for routing queries with recognized keywords to the Intranet and for routing others to the Internet.
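The two proxy services described in the preceding paragraphs, the link rewriter and the keyword-based routing service, can be sketched as follows. This is an added illustration written for this page, not code from the patent or any product; the Intranet hostnames, the keyword lookup table, the credential stores, the four query-parameter names (dev, dpw, user, upw) and the choice to express a rewritten link as a proxy-relative path beginning with the keyword are all assumptions made for the example. The routing service verifies the device serial number and password (network level) before the user name and password (application level), and strips all four parameters before forwarding the query to the Intranet server, so the application itself carries no authentication burden.

```python
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Lookup table (constructed): Intranet host -> keyword designating app and server.
INTRANET_TABLE = {
    "hr.corp.example": "hrapp",
    "wiki.corp.example": "wiki",
}
KEYWORD_TO_HOST = {kw: host for host, kw in INTRANET_TABLE.items()}

# Assumed names of the four authentication parameters carried in every link:
# device serial + device password (network level), user name + password (application level).
AUTH_KEYS = ("dev", "dpw", "user", "upw")

# Constructed credential stores standing in for the proxy's database.
DEVICE_STORE = {"PALM-0001": "d3v1c3-s3cret"}
USER_STORE = {"alice": "hunter2"}

HREF_RE = re.compile(r'href="([^"]*)"')


def rewrite_link(url, auth):
    """Link rewriter: an absolute link to an Intranet host becomes a proxy-relative
    keyword link carrying the authentication parameters; any other link is untouched
    and will therefore be routed over the Internet."""
    parts = urlsplit(url)
    keyword = INTRANET_TABLE.get(parts.hostname)
    if keyword is None:
        return url
    # Drop any stale auth parameters already in the link, then append the current ones,
    # so every link the device receives carries the session state itself.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k not in AUTH_KEYS]
    query += [(k, auth[k]) for k in AUTH_KEYS]
    return urlunsplit(("", "", f"/{keyword}{parts.path or '/'}", urlencode(query), parts.fragment))


def rewrite_page(html, auth):
    """Apply the link rewriter to every href in a page generated by an Intranet application."""
    return HREF_RE.sub(lambda m: f'href="{rewrite_link(m.group(1), auth)}"', html)


def _check(store, name, secret):
    # Constant-time comparison of the presented secret against the stored one.
    return name in store and hmac.compare_digest(store[name].encode(), secret.encode())


def route_query(url):
    """Routing service: queries whose first path segment is a recognized keyword are
    authenticated and routed to the Intranet; all other queries go to the Internet."""
    parts = urlsplit(url)
    first, _, rest = parts.path.lstrip("/").partition("/")
    host = KEYWORD_TO_HOST.get(first)
    if host is None:
        return {"route": "internet", "target": url}
    q = dict(parse_qsl(parts.query, keep_blank_values=True))
    # Network-level authentication: device serial number and device password.
    if not _check(DEVICE_STORE, q.get("dev", ""), q.get("dpw", "")):
        return {"route": "reject", "reason": "network authentication failed"}
    # Application-level authentication: user name and password.
    if not _check(USER_STORE, q.get("user", ""), q.get("upw", "")):
        return {"route": "reject", "reason": "application authentication failed"}
    # Forward only the application's own parameters to the Intranet server.
    forwarded = [(k, v) for k, v in q.items() if k not in AUTH_KEYS]
    target = urlunsplit(("http", host, "/" + rest, urlencode(forwarded), ""))
    return {"route": "intranet", "target": target}


if __name__ == "__main__":
    session = {"dev": "PALM-0001", "dpw": "d3v1c3-s3cret", "user": "alice", "upw": "hunter2"}
    page = '<a href="http://hr.corp.example/payslip?month=3">Pay</a> <a href="https://www.example.com/news">News</a>'
    rewritten = rewrite_page(page, session)
    print(rewritten)
    for href in HREF_RE.findall(rewritten):
        print(route_query(href))
```

Because the four parameters travel in the query string of every link, they appear wherever URLs are recorded (proxy and server access logs, browser history, Referer headers), so a deployment following this design would normally substitute an opaque, expiring session token for the raw passwords while keeping the same rewrite-and-route structure; the example carries the passwords literally only to match the description above.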