Dynamic web session clean-up
    1.
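    Patent application
    Dynamic web session clean-up (legal status: in force)

    Publication (announcement) No.: US20130246630A1

    Publication (announcement) date: 2013-09-19

    Application No.: US13420138

    Application date: 2012-03-14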

    Abstract: A “sign-off” cookie is generated and stored upon initiation of a web session between a client and a web application executing on a server. The sign-off cookie preferably comprises both an identifier for the session (a “session ID”) together with an identifier (such as a URL) for a sign-off resource (associated with a sign-off mechanism) that can be used to clean-up the web session following its termination. The sign-off cookie may be returned to the client and/or retained within a proxy. Upon termination of the web session, the URL in the sign-off cookie is used to initiate a request to the sign-off mechanism to clean-up the web session. This approach provides for dynamic web session clean-up without requiring any pre-configuration of the sign-off mechanism.


    Application-Aware Quality Of Service In Network Applications
    2.
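    Patent application
    Application-Aware Quality Of Service In Network Applications (legal status: under examination, published)

    Publication (announcement) No.: US20130066943A1

    Publication (announcement) date: 2013-03-14

    Application No.: US13231253

    Application date: 2011-09-13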

    CPC classification number: H04L65/80 G06F9/5027 G06F2209/5021

    Abstract: An approach is provided in which a number of requests are received from a variety of clients over a computer network. The system uses a processor to calculate request priority values pertaining to the received requests. The calculation of the request priority values is based on one or more attributes that correspond to the respective requests. For example, the attributes could include network level attributes, session attributes, and application specific attributes. Each of the requests is assigned a request priority value. A request may receive the same request priority value as other requests. The requests are queued in a memory based on the request priority values that were assigned to the requests. The queued requests are then serviced in order of request priority so that queued requests assigned higher request priority values are processed before queued requests with lower request priority values.


    Transforming HTTP Requests Into Web Services Trust Messages For Security Processing
    3.
    Patent application
    Transforming HTTP Requests Into Web Services Trust Messages For Security Processing (legal status: in force)

    Publication (announcement) No.: US20120246312A1

    Publication (announcement) date: 2012-09-27

    Application No.: US13071582

    Application date: 2011-03-25

    Abstract: An approach is provided where an HTTP request is received and a Request for Security Token (RST) is created. Parameters are selected from the request and mappings are retrieved corresponding to the parameters. Context attributes are created in the RST corresponding to the parameters. A context attribute type value is set based on an HTTP section where the parameter is located within the HTTP request. The RST is sent to a security token service for processing. In another approach, a Request Security Token Response (RSTR) is received and an HTTP response is created. RSTR parameters are selected and parameter mappings are retrieved corresponding to the selected RSTR parameters from a mapping table with a TYPE value being identified based on the retrieved parameter mapping. Context attributes are added to the HTTP response based on the identified TYPE values. The HTTP response is transmitted to a remote computer system.


    Method and system for automatic generation of cache directives for security policy
    5.
    Granted patent
    Method and system for automatic generation of cache directives for security policy (legal status: in force)

    Publication (announcement) No.: US08701163B2

    Publication (announcement) date: 2014-04-15

    Application No.: US13152943

    Application date: 2011-06-03

    CPC classification number: G06F21/6218 G06F2221/2141

    Abstract: An authorization method is implemented in an authorization engine external to an authorization server. The authorization server includes a cache. The external authorization engine comprises an authorization decision engine, and a policy analytics engine. The method begins when the authorization decision engine receives a request for an authorization decision. The request is generated (at the authorization server) following receipt of a client request for which an authorization decision is not then available at the server. The authorization decision engine determines an authorization policy to apply to the client request, applies the policy, and generates an authorization decision. The authorization decision is then provided to the policy analytics engine, which stores previously-generated potential cache directives that may be applied to the authorization decision. Preferably, the cache directives are generated in an off-line manner (e.g., during initialization) by examining each security policy and extracting one or more cache dimensions associated with each such policy. The policy analytics engine determines an applicable cache directive, and the decision is augmented to include that cache directive. The decision (including the cache directive) is then returned to the authorization server, where the decision is applied to process the client request. The cache directive is then cached for re-use at the authorization server.


    Transforming HTTP requests into web services trust messages for security processing
    6.
    Granted patent
    Transforming HTTP requests into web services trust messages for security processing (legal status: in force)

    Publication (announcement) No.: US08447857B2

    Publication (announcement) date: 2013-05-21

    Application No.: US13071582

    Application date: 2011-03-25

    Abstract: An approach is provided where an HTTP request is received and a Request for Security Token (RST) is created. Parameters are selected from the request and mappings are retrieved corresponding to the parameters. Context attributes are created in the RST corresponding to the parameters. A context attribute type value is set based on an HTTP section where the parameter is located within the HTTP request. The RST is sent to a security token service for processing. In another approach, a Request Security Token Response (RSTR) is received and an HTTP response is created. RSTR parameters are selected and parameter mappings are retrieved corresponding to the selected RSTR parameters from a mapping table with a TYPE value being identified based on the retrieved parameter mapping. Context attributes are added to the HTTP response based on the identified TYPE values. The HTTP response is transmitted to a remote computer system.


    Transaction Authorization
    7.
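    Patent application
    Transaction Authorization (legal status: lapsed)

    Publication (announcement) No.: US20100023454A1

    Publication (announcement) date: 2010-01-28

    Application No.: US12180903

    Application date: 2008-07-28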

    Abstract: One embodiment provides a computer-implemented method for transaction authorization within a security service. The computer-implemented method intercepts a request by a security service, wherein a transaction identifier is cached to form a cached transaction identifier, and requests the requester to authenticate to form an authentication request. The computer-implemented method further determines whether the requester was authenticated, and responsive to a determination the requester was authenticated, receives authentication information, including an associated transaction identifier. The request is intercepted and the cached transaction identifier inserted. The computer-implemented method further determines whether the cached transaction identifier is equivalent to the authentication information, including an associated transaction identifier, and responsive to a determination that the cached transaction identifier is equivalent to authentication information, including an associated transaction identifier, passes the request to the application.


    Enabling different client contexts to share session information
    8.
    Granted patent
    Enabling different client contexts to share session information (legal status: in force)

    Publication (announcement) No.: US09578111B2

    Publication (announcement) date: 2017-02-21

    Application No.: US13491706

    Application date: 2012-06-08

    CPC classification number: H04L67/146 H04L67/142

    Abstract: The problem of sharing session information across client contexts is addressed by binding initial session information to a persistent, short-lived and one-time use temporary identifier. This identifier is persisted on a client side (e.g., through a cookie jar) that is shared among the different client contexts that can share the original session. This temporary identifier, in turn, allows one or more other sessions to use the original session information by acting as an index into that session information, which is stored on the server side. Preferably, this temporary identifier contains a unique identifier (ID) that is generated as a sufficiently-complex random number. A mapping back to the real session identifier is maintained on the server side for this short-lived ID.


    Method for detecting and applying different security policies to active client requests running within secure user web sessions
    10.
    Granted patent
    Method for detecting and applying different security policies to active client requests running within secure user web sessions (legal status: in force)

    Publication (announcement) No.: US08560712B2

    Publication (announcement) date: 2013-10-15

    Application No.: US13101458

    Application date: 2011-05-05

    Abstract: A method for detecting and applying security policy to active client requests within a secure user session begins by applying a first heuristic to a plurality of requests for a particular resource to identify a pattern indicative of an active client. In one embodiment, the heuristic evaluates a frequency of requests for the particular resource across one or more secure user sessions. Later, upon receipt of a new request for the particular resource, a determination is then made whether the new request is consistent with the pattern. If so, an action is taken with respect to a secure session policy. In one embodiment, the action bypasses the secure session policy, which policy is associated with an inactivity time-out that might otherwise have been triggered upon receipt of the new request. In addition, a second heuristic may be applied to determine whether a response proposed to be returned (in response to the new request) is expected by the active client. If so, the response is returned unaltered. If, however, applying the second heuristic indicates that the response proposed to be returned is not expected by the active client, the response is modified to create a modified response, which is then returned.

