System and method of proxy authentication in a secured network
    1.
    发明授权
    System and method of proxy authentication in a secured network 有权
    安全网络中代理认证的系统和方法

    公开(公告)号:US07716722B2

    公开(公告)日:2010-05-11

    申请号:US11424517

    申请日:2006-06-15

    IPC分类号: G06F15/16

    CPC分类号: G06F21/33 Y10S707/99939

    摘要: A method of controlling access to network services enables an authorized proxy client to access a service on behalf of a user. To permit the client to function as a proxy, the user registers proxy authorization information with a trusted security server. The proxy authorization information identifies the proxy client and specifies the extent of proxy authority granted to the proxy client. When the proxy client wants to access a target service on behalf of the user, it sends a proxy request to the trusted security server. The trusted security server checks the proxy authorization information of the user to verify whether the request is within the proxy authority granted to the proxy client. If so, the trusted security server returns to the proxy client a data structure containing information recognizable by the target service to authenticate the proxy client for accessing the target service on behalf of the user.

    摘要翻译: 控制对网络服务的访问的方法使得授权代理客户端能够代表用户访问服务。 为了允许客户端作为代理,用户使用可信赖的安全服务器注册代理授权信息。 代理授权信息标识代理客户端,并指定授予代理客户端的代理授权的范围。 当代理客户端想要代表用户访问目标服务时,它向可信安全服务器发送代理请求。 受信任的安全服务器检查用户的代理授权信息,以验证请求是否在授予代理客户端的代理授权内。 如果是这样,则可信赖安全服务器向代理客户端返回包含目标服务可识别的信息的数据结构,以便代表用户验证代理客户端来访问目标服务。

    System and method of proxy authentication in a secured network
    2.
    发明授权
    System and method of proxy authentication in a secured network 有权
    安全网络中代理认证的系统和方法

    公开(公告)号:US07113994B1

    公开(公告)日:2006-09-26

    申请号:US09490199

    申请日:2000-01-24

    IPC分类号: G06F15/16

    CPC分类号: G06F21/33 Y10S707/99939

    摘要: A method of controlling access to network services enables an authorized proxy client to access a service on behalf of a user. To permit the client to function as a proxy, the user registers proxy authorization information with a trusted security server. The proxy authorization information identifies the proxy client and specifies the extent of proxy authority granted to the proxy client. When the proxy client wants to access a target service on behalf of the user, it sends a proxy request to the trusted security server. The trusted security server checks the proxy authorization information of the user to verify whether the request is within the proxy authority granted to the proxy client. If so, the trusted security server returns to the proxy client a data structure containing information recognizable by the target service to authenticate the proxy client for accessing the target service on behalf of the user.

    摘要翻译: 控制对网络服务的访问的方法使得授权代理客户端能够代表用户访问服务。 为了允许客户端作为代理,用户使用可信赖的安全服务器注册代理授权信息。 代理授权信息标识代理客户端,并指定授予代理客户端的代理授权的范围。 当代理客户端想要代表用户访问目标服务时,它向可信安全服务器发送代理请求。 受信任的安全服务器检查用户的代理授权信息,以验证请求是否在授予代理客户端的代理授权内。 如果是这样,则可信赖安全服务器向代理客户端返回包含目标服务可识别的信息的数据结构,以便代表用户验证代理客户端来访问目标服务。

    Method and system for secure running of untrusted content
    3.
    发明授权
    Method and system for secure running of untrusted content 失效
    安全运行不受信任内容的方法和系统

    公开(公告)号:US06505300B2

    公开(公告)日:2003-01-07

    申请号:US09097218

    申请日:1998-06-12

    IPC分类号: G06F0124

    摘要: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempt to access a resource, a token associated with that process is compared against security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process is information indicative of how trusted or untrusted the content is likely to be.

    摘要翻译: 为不受信任的内容提供限制的执行上下文,例如计算机代码或从网站下载的其他数据,电子邮件消息及其任何附件,以及在服务器上运行的脚本或客户端进程。 为不受信任的内容设置了限制的过程,并且内容尝试的任何操作都受到过程的限制,这可能基于各种标准。 每当进程尝试访问资源时,将与该进程关联的令牌与该资源的安全信息进行比较,以确定是否允许访问类型。 因此,每个资源的安全信息决定了受限制的过程以及不可信内容的访问程度。 一般来说,用于为每个不受信任的内容过程设置限制的标准是指示内容可能受信任或不受信任的信息。

    Extensible security system and method for controlling access to objects in a computing environment
    4.
    发明授权
    Extensible security system and method for controlling access to objects in a computing environment 有权
    用于控制计算环境中对象访问的可扩展安全系统和方法

    公开(公告)号:US06412070B1

    公开(公告)日:2002-06-25

    申请号:US09157882

    申请日:1998-09-21

    IPC分类号: G06F1214

    摘要: A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.

    摘要翻译: 一种用于在计算环境中扩展系统对象的访问控制的方法和计算系统,超越传统权限,如读取,写入,创建和删除。 根据本发明,系统管理员或用户应用程序能够创建对象类型唯一的控制权限。 可以创建与对象的任何特定属性无关的权限,而是定义用户如何控制对象。 被称为控制访问数据结构的一个新对象是为每个唯一的控制权定义的,并将控制权与计算环境的一个或多个对象相关联。 为了授予对信任用户的权利,定义了改进的访问控制条目(ACE),其保存受信任用户的唯一标识符和控制访问数据结构的唯一标识符。

    Object type specific access control
    7.
    发明授权
    Object type specific access control 有权
    对象类型特定访问控制

    公开(公告)号:US06625603B1

    公开(公告)日:2003-09-23

    申请号:US09157768

    申请日:1998-09-21

    IPC分类号: G06F1700

    摘要: Providing object type specific access control to an object is described. In one embodiment, a computer system comprises an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry. The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.

    摘要翻译: 对对象提供对象类型特定的访问控制被描述。 在一个实施例中,计算机系统包括可操作以控制应用和在计算机上运行的服务的操作系统。 服务维护具有到访问控制条目的链接的服务对象。 访问控制条目包含对对象类型执行操作的访问权限。 系统还包括操作系统内的访问控制模块。 访问控制模块包括访问控制接口并且操作以授予或拒绝对对象执行操作的访问权限。

    System and method of user logon in combination with user authentication for network access
    8.
    发明授权
    System and method of user logon in combination with user authentication for network access 有权
    用户登录的系统和方法与网络访问的用户认证相结合

    公开(公告)号:US06427209B1

    公开(公告)日:2002-07-30

    申请号:US09549794

    申请日:2000-04-14

    IPC分类号: H04L900

    摘要: A system and method of combined user logon-authentication provides enhanced logon performance by utilizing communications with a network access control server for user authentication to provide user account data required for user logon. When a user logs on a computer, the computer initiates a network access control process with a network access control server for obtaining access to network services, including the computer that the user is logging on. During the access control process, the network access control server authenticates the user and queries a directory service for the account data for the user. The network access control server includes the user account data in one of the communication packets sent to the computer in the network access control process. The computer retrieves the user account data from the communication packet and uses the data to complete the user logon.

    摘要翻译: 组合用户登录认证的系统和方法通过利用与网络访问控制服务器的通信进行用户认证来提供增强的登录性能,以提供用户登录所需的用户帐户数据。 当用户登录计算机时,计算机利用网络访问控制服务器启动网络访问控制过程,以获得对网络服务的访问,包括用户正在登录的计算机。 在访问控制过程中,网络访问控制服务器对用户进行身份验证,并向目录服务查询用户的帐户数据。 网络访问控制服务器在网络访问控制过程中包括在发送到计算机的通信分组之一中的用户帐户数据。 计算机从通信包中检索用户帐户数据,并使用数据完成用户登录。

    Per property access control mechanism
    9.
    发明授权
    Per property access control mechanism 有权
    每个属性访问控制机制

    公开(公告)号:US06289458B1

    公开(公告)日:2001-09-11

    申请号:US09157771

    申请日:1998-09-21

    IPC分类号: G96F1214

    CPC分类号: G06F21/6281 G06F2221/2141

    摘要: Providing access control to individual properties of an object is described. In one embodiment, a computer system comprises an operating system operative to control applications and services running on the system. The service maintains a service object having at least one property. Also included in the system is an access control module within the operating system. The access control module includes an access control interface operative to control access to a property of the object.

    摘要翻译: 描述对对象的各个属性的访问控制。 在一个实施例中,计算机系统包括可操作以控制在系统上运行的应用和服务的操作系统。 该服务维护具有至少一个属性的服务对象。 系统中还包括操作系统中的访问控制模块。 访问控制模块包括访问控制接口,其操作以控制对对象的属性的访问。