摘要:
A method of enabling a Web server to impersonate a Web client to thereby obtain access to files stored in a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. In response to receipt of a transaction request from the Web client, a determination is made whether the transaction request has originated from a user authenticated to access the distributed file system. If so, the Web server is controlled to reuse the credential of the user across multiple file accesses in the distributed file system on behalf of the Web client.
摘要:
An account manager plug-in for a Web server having an application programming interface (API). The plug-in is preferably a computer program product comprising a set of instructions (program code) encoded on a computer-readable substrate. This plug-in includes program code for establishing a set of one or more monitored resources (e.g., UrlCounter, ByteCounter, PageCounter and FailedLoginCounter) and for defining a threshold rule for at least one of the set of monitored resources. As Web transactions occur at the Web server, the account manager is responsive to a monitored resource exceeding a condition of a threshold rule for triggering one of a set of threshold actions. The set of threshold actions, for example, include clearing a record counter, running a given program, sending an e-mail note and disabling or enabling a user account.
摘要:
A method of authenticating a Web client to a Web server connectable to a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. In response to receipt by the Web server of a user id and password from the Web client, a login protocol is executed with the security service. If the user can be authenticated, a credential is stored in a database of credentials associated with authenticated users. The Web server then returns to the Web client a persistent client state object having a unique identifier therein. This object, sometimes referred to as a cookie, is then used to enable the Web client to browse Web documents in the distributed file system. In particular, when the Web client desires to make a subsequest request to the distributed file system, the persistent client state object including the identifier is used in lieu of the user's id and password, which makes the session much more secure. In this operation, the cookie identifier is used as a pointer into the credential storage table, and the credential is then retrieved and used to facilitate multiple file accessess from the distributed file system. At the same time, the Web client may obtain access to Web server (as opposed to distributed file system) documents via conventional user id and password in an HTTP request.
摘要:
A method of enabling an HTTP server plug-in to pass an unmangled environment variable into a CGI process begins by configuring the HTTP server to initially override a CGI service method. When the server processes an HTTP request, the server plug-in, which is called prior to the CGI service method and is running in a process of the HTTP server, inserts a “name value” pair prepended with a marker in a request header parameter block of the HTTP server. Then, the CGI service override method executes the server's original (i.e. native) CGI service method, causing it to run an encapsulation program in the CGI process. This program scans the environment of the CGI process for any string prepended with a given HTTP code (e.g., the string “HTTP_”) and the marker. If it finds any such string, the program strips the given HTTP code and the marker from a remainder of the string and resets the environment variable into the CGI process in an “unmangled” form. The target CGI program is then executed in the CGI process.
摘要:
A method of enabling persistent access by a Web server to files stored in a distributed file system of a distributed computing environment that includes a security service. A session manager is used to perform a proxy login to the security service on behalf of the Web server. Persistent operation of the session manager is ensured by periodically spawning new instances of the session manager process. Each new instance preferably initializes itself against a binding file. A prior instance of the session manager is maintained in an active state for at least a period of time during which the new instance of the session manager initializes itself. Upon receipt of a given transaction request from a Web client to the Web server, a determination is made regarding whether a new instance of the session manager process has been spawned while the Web server was otherwise idle. If so, the Web server is re-bound to the new instance of the session manager process so that the new instance of the session manager process can respond to the transaction request.
摘要:
A test page including a statement invoking an executable periodically reloading the test page is placed on a Web server having a security plug-in to be tested. The test page may include multiple frames, each containing a reference requesting access to the same test page or each performing a different testing function. The test page may be placed in a protected directory, may include an attempt to access the contents of a file within a different protected directory, and may include attempts to access protected CGI executables or other programs or modules which may be run on the Web server. A remote browser is employed to attempt to access the test page using the userid and password employed to login to the browser. Successful or unsuccessful access to the test page verifies proper operation of the security plug-in. The test page is automatically reloaded by the browser at a selected interval, and multiple frames or multiple browser instances each accessing the test page results in stress testing of the security plug-in.
摘要:
A method of authenticating a Web client to a Web server connectable to a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. The method preferably operates within the context of a native operating system environment such as “Windows NT”. Upon initialization of the Web server, a session manager creates a pool of temporary Windows NT user identities. In response to a Web client browser request, a temporary NT user identity is associated with proper DCE credentials. A server process then impersonates the returned NT user identity on a thread which is attempting to access the requested resource.
摘要:
A method of executing Common Gateway Interface (CGI) programs in a computer network having a Web client and a Web server, the server connectable to a secure distributed file system of a distributed computing environment. If a Web client user request requires CGI processing, the requested CGI program is run in a new process spawned from the Web server thread and executing within the context of the temporary user identity set up with the proper DCE credentials. This function is effected by saving the name and path of the user-requested CGI program and then substituting the name and path of an encapsulation CGI program. The encapsulation CGI program starts the user-requested CGI program in a new process (i.e. a desktop) within the context of the temporary user identity (having proper DCE credentials). The encapsulation program thus ensures that the CGI program being executed cannot harm the default Web server desktop.
摘要:
A system and method facilitating an operating system user's ability to reference objects in a distributed file system having an incompatible namespace. Compatibility is thereby provided between DFS namespaces and operating system pathname syntax not supported in the DFS. A DFS pathname prefix is associated with each drive letter that is attached to a DFS IFS driver. Before an IFS driver is used, an application program issues a command to associate a drive letter with a particular IFS driver. The command issued also carries a DFS pathname prefix within a data buffer. The IFS services the command by validating existence of the DFS pathname prefix, and thereafter stores such prefix into an internal table of the buffer where it is associated with the attached drive letter. File system requests later received by the DFS client IFS driver carrying a pathname containing that drive letter will have their file specifications edited by the DFS code prior to processing. The drive letter in the pathname is replaced by the DFS pathname prefix from the IFS driver's internal table, and operating system slashes in operating system pathname are converted to DFS slashes. The operating system user may thereby reference DFS objects relative to a point in the DFS namespace using the operating system's pathname syntax which the user is more comfortable with.
摘要:
A framework for processing signed applets that are distributed over the Internet. Using the framework, an applet that is packaged as a Netscape- or JDK-signed jar file, or as an Internet Explorer-signed cab file, is processed within the same Java runtime environment irrespective of the browser type (i.e. Netscape Communicator, Internet Explorer or JDK) used to execute the applet. When the applet is executed, the framework verifies one or more applet signatures using the same algorithm that was used to sign the applet, verifies the signer(s) of the applet, and stores information about the signers so that they can be honored by a security policy when permissions for the applet are determined.
摘要翻译:用于处理通过互联网分发的签名小程序的框架。 使用框架,打包为Netscape或JDK签名的jar文件或作为Internet Explorer签名的cab文件的小程序在同一个Java运行时环境中处理,无论浏览器类型如Netscape Communicator,Internet Explorer 或JDK)用于执行小程序。 当小程序被执行时,框架使用用于签署小程序的相同算法验证一个或多个小程序签名,验证小应用程序的签名者,并存储关于签名者的信息,以便它们可被 确定小程序的权限时的安全策略。