System and method of proxy authentication in a secured network
    1.
    Granted patent
    Status: In force

    Publication number: US07716722B2

    Publication date: 2010-05-11

    Application number: US11424517

    Filing date: 2006-06-15

    IPC classification: G06F15/16

    CPC classification: G06F21/33 Y10S707/99939

    Abstract: A method of controlling access to network services enables an authorized proxy client to access a service on behalf of a user. To permit the client to function as a proxy, the user registers proxy authorization information with a trusted security server. The proxy authorization information identifies the proxy client and specifies the extent of proxy authority granted to the proxy client. When the proxy client wants to access a target service on behalf of the user, it sends a proxy request to the trusted security server. The trusted security server checks the proxy authorization information of the user to verify whether the request is within the proxy authority granted to the proxy client. If so, the trusted security server returns to the proxy client a data structure containing information recognizable by the target service to authenticate the proxy client for accessing the target service on behalf of the user.

System and method of proxy authentication in a secured network
    2.
    Granted patent
    Status: In force

    Publication number: US07113994B1

    Publication date: 2006-09-26

    Application number: US09490199

    Filing date: 2000-01-24

    IPC classification: G06F15/16

    CPC classification: G06F21/33 Y10S707/99939

    Abstract: A method of controlling access to network services enables an authorized proxy client to access a service on behalf of a user. To permit the client to function as a proxy, the user registers proxy authorization information with a trusted security server. The proxy authorization information identifies the proxy client and specifies the extent of proxy authority granted to the proxy client. When the proxy client wants to access a target service on behalf of the user, it sends a proxy request to the trusted security server. The trusted security server checks the proxy authorization information of the user to verify whether the request is within the proxy authority granted to the proxy client. If so, the trusted security server returns to the proxy client a data structure containing information recognizable by the target service to authenticate the proxy client for accessing the target service on behalf of the user.

Per property access control mechanism
    3.
    Granted patent
    Status: In force

    Publication number: US06289458B1

    Publication date: 2001-09-11

    Application number: US09157771

    Filing date: 1998-09-21

    IPC classification: G96F1214

    CPC classification: G06F21/6281 G06F2221/2141

    Abstract: Providing access control to individual properties of an object is described. In one embodiment, a computer system comprises an operating system operative to control applications and services running on the system. The service maintains a service object having at least one property. Also included in the system is an access control module within the operating system. The access control module includes an access control interface operative to control access to a property of the object.

Method and system for secure running of untrusted content
    4.
    Granted patent
    Status: Expired

    Publication number: US06505300B2

    Publication date: 2003-01-07

    Application number: US09097218

    Filing date: 1998-06-12

    IPC classification: G06F0124

    Abstract: Restricted execution contexts are provided for untrusted content, such as computer code or other data downloaded from websites, electronic mail messages and any attachments thereto, and scripts or client processes run on a server. A restricted process is set up for the untrusted content, and any actions attempted by the content are subject to the restrictions of the process, which may be based on various criteria. Whenever a process attempts to access a resource, a token associated with that process is compared against the security information of that resource to determine if the type of access is allowed. The security information of each resource thus determines the extent to which the restricted process, and thus the untrusted content, has access. In general, the criteria used for setting up restrictions for each untrusted content's process are information indicative of how trusted or untrusted the content is likely to be.

Extensible security system and method for controlling access to objects in a computing environment
    5.
    Granted patent
    Status: In force

    Publication number: US06412070B1

    Publication date: 2002-06-25

    Application number: US09157882

    Filing date: 1998-09-21

    IPC classification: G06F1214

    Abstract: A method and computing system for extending access control of system objects in a computing environment beyond traditional rights such as read, write, create and delete. According to the invention, a system administrator or user application is able to create control rights that are unique to the type of object. Rights can be created that do not relate to any specific property of the object, but rather define how a user may control the object. A novel object, referred to as a control access data structure, is defined for each unique control right and associates the control right with one or more objects of the computing environment. In order to grant the right to a trusted user, an improved access control entry (ACE) is defined which holds a unique identifier of the trusted user and a unique identifier of the control access data structure.

Object type specific access control
    8.
    Granted patent
    Status: In force

    Publication number: US06625603B1

    Publication date: 2003-09-23

    Application number: US09157768

    Filing date: 1998-09-21

    IPC classification: G06F1700

    Abstract: Providing object type specific access control to an object is described. In one embodiment, a computer system comprises an operating system operative to control an application and a service running on a computer. The service maintains a service object having a link to an access control entry. The access control entry contains an access right to perform an operation on an object type. The system further includes an access control module within the operating system. The access control module includes an access control interface and operates to grant or deny the access right to perform the operation on the object.

System and method of user logon in combination with user authentication for network access
    9.
    Granted patent
    Status: In force

    Publication number: US06427209B1

    Publication date: 2002-07-30

    Application number: US09549794

    Filing date: 2000-04-14

    IPC classification: H04L900

    Abstract: A system and method of combined user logon-authentication provides enhanced logon performance by utilizing communications with a network access control server for user authentication to provide the user account data required for user logon. When a user logs on to a computer, the computer initiates a network access control process with a network access control server for obtaining access to network services, including the computer that the user is logging on to. During the access control process, the network access control server authenticates the user and queries a directory service for the account data for the user. The network access control server includes the user account data in one of the communication packets sent to the computer in the network access control process. The computer retrieves the user account data from the communication packet and uses the data to complete the user logon.

Methods and systems for controlling the scope of delegation of authentication credentials
    10.
    Granted patent
    Status: In force

    Publication number: US07698381B2

    Publication date: 2010-04-13

    Application number: US09886146

    Filing date: 2001-06-20

    IPC classification: G06F15/16

    Abstract: Methods and systems are provided for controlling the scope of delegation of authentication credentials within a network environment. A server is configured to provide a trusted third party with a ticket authenticating the server, information about a target service that the server seeks to access on behalf of the client, and a service ticket associated with the client. This service ticket may be provided by the client or may be a previously granted service ticket granted to the server for itself in the name of the client. The trusted third party grants the server a new service ticket to access the target service, in the client's name, if such delegation is permitted according to the delegation constraints associated with the client.