(51) Int Cl.: H04L 29/06 ( ) H04L 12/22 ( )

Transcription

1 (19) (11) EP B1 (12) EUROPEAN PATENT SPECIFICATION (4) Date of publication and mention of the grant of the patent: Bulletin 07/0 (1) Int Cl.: H04L 29/06 (06.01) H04L 12/22 (06.01) (21) Application number: (22) Date of filing: (4) System and method for web server user authentication System und Verfahren zur Web-Server Benutzerauthentifizierung Système et méthode pour l authentification d utilisateur par un web serveur (84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE () Priority: US (43) Date of publication of application: Bulletin 00/18 (73) Proprietor: Computer Associates Think, Inc. Islandia, New York (US) (72) Inventors: Creighton Broadhurst, Christopher John Farley Hill Reading RG 1 1UU (GB) Byrne, Barry Anthony Wokingham RG41 4LJ (GB) White, Clive John Berks RG41 3AL (GB) Press, James Bedfordshire, SG 18 OHP (GB) McMahon, Piers Westlea, SN 7EH (GB) (74) Representative: Dunlop, Hugh Christopher R G C Jenkins & Co. 26 Caxton Street London SW1H 0RJ (GB) (6) References cited: WO-A-98/02828 US-A US-A EP B1 Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention). Printed by Jouve, 7001 PARIS (FR)

2 1 EP B1 2 Description [0001] The present invention relates generally to networked computer systems. More particularly, the present invention relates to user authentication and access to back-end or external applications via a web server. In particular, the present invention relates to a method for accessing resources on a network and to a system for providing user access to web server resources. [0002] In a typical web-based server application, user access to information is achieved via a web server, with the application requiring the user to be authenticated by, e.g., a user id and/or a password. When a user desires access to a new application (such as a database management system (DBMS) engine; new applications will often have a different configuration and/or manufacturer than the initial application), such a new server has a login/ authentication procedure which is independent of previous login/authentication procedures encountered by the user. To access the web pages, appropriate identification credentials must be presented to the new application. This is conventionally accomplished by requiring the user to input additional login/authentication information specific to the new application, or by hard-coding a generic login and password in the scripts used by the user s web server to access the new application and dynamically generate a new web page using the output from the application. [0003] Both of these solutions are unsatisfactory. Requiring the user to input additional information places a burden on the user to remember multiple logins and passwords, further places a burden on each server and system administrator to maintain multiple user accounts for each and every access by a user, and is a potential security risk because passwords are transmitted unencrypted over the network. Using a generic or static login and password in a script is a potential security hole and does not readily provide different levels of access based on the identity of the user. [0004] These issues have been addressed by the socalled new technology LAN manager (NTLM) automated authentication system. In the NTLM system, once the user is initially authenticated to a Microsoft network or to a Microsoft Windows NT domain (using a password), similar components (the web browser and server) can assure one another of the user s identity. This assurance occurs transparently to the user. However, this system does not perform authentication to a new application (beyond the server). Thus, the NTLM authentication system is of limited utility for many users. [000] U.S. Patent,689,638 discloses a method and system for accessing independent network resources without prompting the user for authentication data. When the system receives a user request to access an independent network resource, system logon and server authentication data is autonomously supplied to the independent network resource without further user interaction. U.S. Patent,689,638, however, is not concerned with a world-wide web hypertext transfer protocol environment, and is not concerned with authentication information based on the user s role. In the system according to U.S. Patent,689,638, a password cache is maintained in the main memory of a local computer system. The password cache contains a server name, user name and password for each server to be accessed by a particular user. When presented with an access request, network software searches the password cache structure for the server authentication information before passing it on to the server to be accessed. [0006] U.S. Patent,678,041 discloses a system and method that restricts a user s access of Internet information based on a rating category and/or ID associated with a particular terminal through the implementation of a firewall internal to a user s computer network. The firewall prevents the user from accessing certain types of Internet information (e.g., prevents children from accessing obscene material, prevents workers from accessing nonwork related material, etc.). Thus, U.S. Patent,678,041 is concerned with an internal authorization to access remote resources (which are presumed to be public resources), and is not concerned with a system in which authentication information is required by the remote resources. [0007] U.S. Patent,764,890 relates to method and system for adding a secured network server to a network for access by a client. The client is authenticated by an authenticating agent, which returns success or failure information to the network server in dependence upon whether the client provided a valid password to the authenticating agent. The success or failure information is evaluated by the network server to determine whether the client is to be allowed access to its services. [0008] WO 98/02828 describes a method and system for providing an end-user with Internet access and for allocating a cost associated with that access. Upon a valid log in to a local access provider s point of presence, valid user account and ID numbers are transmitted by a credit server to an Internet browser for storage in a cookie. The credit server checks that the cookie contains the valid user account and ID numbers when subsequent communications are received at the point of presence from the end-user. [0009] It would be desirable to allow a user to easily, automatically, and transparently authorized to access, via a web server, a plurality of applications which require authentication, whether in an intranet or internet environment. It would further be desirable for such a scheme to be implemented in a hypertext transfer protocol (HTTP) environment, and to maintain the security of the network. It would further be desirable to allow access regardless of whether the applications are operating in the same or different environments. [00] It is an object of the present invention to provide an improved method for accessing resources on a network and an improved system for providing user access to web server resources, preferably achieving the advan- 2

3 3 EP B1 4 tages mentioned above. [0011] The above object is achieved by a method for accessing resources on a network according to claim 1, an apparatus for accessing resources on a network according to claim 8, and a computer readable storage medium according to claim. Preferred embodiments are subject of the subclaims. [0012] In particular, the present invention overcomes the above-described problems, and achieves additional advantages, by providing for a system and method for authenticating a user in a web server environment, by providing for an authentication scheme in which users are logged in and authenticated a single time, yet can access multiple applications via a web server. According to exemplary embodiments, an initial authentication is performed to access a first application via a first server, and the user s identity is mapped into a network credential which includes a user role. Additional applications are accessed by providing the network credential to a script, retrieving script access values for the additional applications based on the network credential and presenting the script access values (as, for example, user name and password) to the additional applications. [0013] The authentication scheme according to the present invention allows a user to access numerous protected resources with a single authentication procedure, greatly improving the user s ease of system use. Further, the use of role-based authentication simplifies system administration burdens. The present invention is particularly advantageous in an intranet environment. [0014] The present invention will be more completely understood upon reading the following detailed description of exemplary embodiments in conjunction with the accompanying drawings, in which like reference indicia designate like elements. It shows: FIG. 1 FIG. 2 a block diagram of an intranet network in which the present invention can be implemented; and a flow chart describing a method of automatically authenticating a user to back end applications in a network according to the present invention [001] Referring now to FIG. 1, a computer network suitable for the method and system of the present invention is shown. The network includes a plurality of computer workstations and a plurality of servers 12 residing on host machine 13. Each workstation includes a web browser 14 which serves as a user interface to allow the user to access resources in the network. Each server 12 acts as a gateway to provide the user access to various resources, including static HTML (web) pages 18, backend applications (e.g., a database management system running on the same machine as the web server) and external applications 22 (which run on a different machine than the web server). Access to the back end or external applications is provided through a script or application 17. Each server 12 is configured to allow access by a user to the server resources only upon user authentication to the server. The network also includes an X.00 or other suitable directory 16, which is a network wide data storage resource. More details about X.00 directories are contained in document ITU-T Rec.X.00 (1993) "Information Technology-Open Systems Interconnection - The Directory: Overview of Concepts, Models and Services." [0016] To login to the network, an initial user authentication is performed, such as by a user inputting authentication information into one of the computer workstations. According to an aspect of the present invention, the initial authentication information is mapped to a role of the user. Examples of roles can include, but are not limited to, "executive", "clerk", "accounting" etc. Roles can be related to particular departments of an organization, with special designations for department heads. It is assumed that the number of potential user roles will be less than the number of potential users of the network. The user s role determines which applications, and hence which network resources, can be accessed by that user. For purposes of explanation, it is assumed that the network of FIG. 1 is part of an intranet. As will be appreciated by those of ordinary skill in the art, an intranet is a network which uses the same types of software and components as the Internet, but the intranet is reserved for private use only. It is increasingly common for private entities to have web servers which are accessible only to certain persons. While the discussion assumes an intranet environment, it will of course be appreciated that the principles of the present invention can be readily adapted for use in other network environments. [0017] For each user, the directory 14 stores information which allows the user s authentication information to be mapped into a network credential which includes a role of the user. The network credential can then be formed into a cookie. Once logged in and initially authenticated to the network, a user may freely access any of the applications allowed by the role. [0018] To access additional resources not included in the initial list, the user inputs a request to access additional resources, which may be associated with the user s initial server or a new server in the network. Access to the back end or external application is achieved using a script (a series of commands which can be executed without user interaction) or other similar means accessible as a web server resource. The script is written by the system administrator, stored on the same host machine as the web server, and provides the login code for the server/application. The user name and password are not hardcoded into the script, but rather are stored in script access procedure variables (SV) having names chosen by the system administrator. The password values are preferably encrypted to enhance security. The SV s are stored in a database which can be the directory 16 or another suitable database (such as database 19 associated with the server host 13) accessible to the server. According to an aspect of the present invention, in re- 3

4 EP B1 6 sponse to a user request through the browser, the script retrieves the SV value from the directory 16 based on an SV name contained in the script, the user s role and identity (contained in a cookie provided to the script). In this manner, the identity and password used by the user to access the third party application are determined by the user s role and individual identity. [0019] Referring now to FIG. 2, a flow chart describing an exemplary method according to the present invention is shown. The method begins in step 0, where a user logs on to the network (e.g., the network shown in FIG. 1) using any conventional login procedure, and the browser accesses a web server. In step 2, an initial authentication procedure is performed, and is accepted by the server to establish a user identity to the server. The initial authentication can be achieved using basic authentication (which requires user interaction), NTLM (which requires no user interaction), X.09 certificate (which may or may not require user interaction), or other suitable means. More details about X.09 certificates are provided in document ITU-T Rec.X.09 (1993), entitled "Information Technology - Open Systems Interconnection: The Directory: Authentication Framework." In step 4, it is determined whether the user already has a cookie containing a network credential. If there is not yet a user cookie, one is created in step 6 by consulting the directory 16 to map the user s identity to an intermediate identity and a user role, which are used to form a network credential. If no mapping can be found between the user s local identity and a network credential, a "no-map" cookie is created to prevent repeated failed lookups. The user s network credential, including user role, is formed into a cookie by appending the identity of the user s terminal to the credential, and making a cryptographic seal of the result. The cookie is then preferably encoded. As will be appreciated by those of ordinary skill in the art, a cookie is a message given to a web browser by a web server to record aspects of the interaction history between the browser and server, and which is stored by the web browser to facilitate access to additional server resources. The cookie is preferably configured to disappear when the browser program is closed by the user. In step 8, the cookie is returned to the browser. [00] Note that if there is already a cookie for the user, the process skips steps 6 and 8, and proceeds to step 1. [0021] In step 1, the user attempts access to a new application (a back-end application resident on the same host machine as the web server or an external application not resident on the same host machine as the web server) by inputting a request to the browser, which then attempts to access the requested resources. These additional resources may or may not be accessible to the user based on the user s assigned role. In step 112, the browser obtains authentication information, in the form of SV values necessary to access the back-end or external application, by accessing a script for single sign on stored with the web server, and transferring the cookie to the script The script retrieves the script access variable for the back-end or external application based on the network credential (including the user role), and presents the SV values to the new application. Step 112 is performed automatically by the browser without any action required on the part of the user beyond presenting the request in step 8. In step 114, the desired application grants access based on the authentication information obtained in step 112. [0022] While the foregoing description includes many details and specificities, these are included only for purposes of illustration, and are not intended to limit the invention. Many modifications to the examples described above will be readily apparent to those of ordinary skill in the art which do not depart from the scope of the invention, as defined by the following claims and their legal equivalents. [0023] The roles can also be understood as a means for classifying the users and can preferably include respective classification parameters. Further, a cookie can also have the form of a small program, a program part, or a set of parameters. Claims 1. Method for accessing resources (18,, 22) on a network, characterised by the steps of: performing (0, 2) an initial authentication of a user via a web server (12); creating (6) a network credential for the authenticated user, the network credential including at least a role of the user; receiving (1) a user request to access a resource (18,, 22) via the web server (12); automatically accessing (112) a script (17) configured to determine script access values based on the network credential, the script access values providing authentication information for the resource (18,, 22); and presenting (112) the script access values to the resource (18,, 22). 2. Method according to claim 1, characterized in that the step of creating a network credential comprises selecting a user role from a plurality of roles, and wherein the number of roles is less than the number of network users. 3. Method according to claim 1 or 2, characterized in that the method further comprises the step of forming (6) a cookie from the network credential. 4. Method according to claim 3, characterized in that the method further comprises a step of transferring the network credential to the script (17), performed 4

5 7 EP B1 8 by transferring(8) the cookie.. Method according to any one of the preceding claims, characterized in that the step of creating (6) is performed by mapping user initial authentication data to the network credential by consulting an X.00 directory (16). 6. Method according to any one of the preceding claims, wherein the step of performing (0, 2) the initial authentication comprises mapping the user to a user role. 7. Method according to any one of the preceding claims, further comprising: 1 network credential by consulting an X.00 directory (16). 13. An apparatus according to any one of claims 8 to 12, wherein the means for performing an initial authentication comprises mapping the user to a user role. 14. An apparatus according to any one claims 8 to 13, further comprising: means for determining a user name and password based on the script access values; and means for presenting the determined user name and password for user access to the resource (18,, 22). determining a user name and password based on the script access values; and presenting the determined user name and password for user access to the resource (18,, 22). 8. An apparatus for accessing resources (18,, 22) on a network, characterised by: means for performing an initial authentication of a user; means for creating a network credential for the authenticated user, the network credential including at least a role of the user; means for receiving a user request to access a resource (18,, 22); means for automatically accessing a script (17) configured to determine a script access value based on the network credential, the script access value providing authentication information for the resource (18,, 22); and means for presenting the script access values to the resource (18,, 22). 9. An apparatus according to claim 8, characterized in that the means for creating a network credential comprises means for selecting a user role from a plurality of roles, and wherein the number of roles is less than the number of network users.. An apparatus according to claim 8 or 9, characterized in that the apparatus further comprises means for forming a cookie from the network credential. 11. An apparatus according to claim, characterized in that the apparatus further comprises means for transferring the network credential to the script by transferring the cookie. 12. An apparatus according to any one of claims 8 to 11, characterized in that the means for creating is arranged to map user initial authentication data to the System for providing user access to web server resources, comprising: an apparatus (12) according to any one of claims 8 to 14, the apparatus (12) configured to grant access only upon user authentication; a browser (14) communicating between the user and the apparatus (12), the browser (14) being capable of accessing initial user authentication information; and a directory (16) for storing data defining mappings between initial user authentication data and network credentials, the network credentials including at least a user role; wherein the browser (14) provides user access to the resource (18,, 22) via the apparatus (12) based on the initial authentication information, and by consulting the directory (16) transparently to the user. 16. System according to claim 1, characterized in that the apparatus (12) is an intranet network server. 17. System according to claim 1 or claim 16, characterized in that the browser (14) communicates with the apparatus (12) according to a hypertext transfer protocol format. 18. System according to any one of claims 1 to 17, characterized in that the apparatus (12) creates a cookie including the user role, and the browser (14) provides access to the resource (18,, 22) by providing the cookie to a script (17) which is stored on the network. 19. System according to claim 12, characterized in that the apparatus (12) accesses script access values stored in a database for the resource (18,, 22) based on the cookie.. A computer readable storage medium including ma-

6 9 EP B1 chine-readable instructions which, when executed by a suitable processor, result in performance of a method according to any one of claims 1 to 7. Patentansprüche 1. Verfahren zum Zugriff auf Ressourcen (18,, 22) in einem Netzwerk, gekennzeichnet durch die folgenden Schritte: Durchführen (0, 2) einer Anfangs-Authentifizierung eines Benutzers über einen Web-Server (12); Erzeugen (6) von einer Netzwerkreferenz für den authentifizierten Benutzer, wobei die Netzwerkreferenz zumindest eine Rolle des Benutzers aufweist; Empfangen (1) einer Benutzeranfrage, um über den Web-Server (12) auf eine Ressource (18,, 22) zuzugreifen; Automatisches Zugreifen (112) auf ein Skript (17), welches dafür konfiguriert ist, basierend auf der Netzwerkreferenz Skriptzugriffswerte zu ermitteln, wobei die Skriptzugriffswerte Authentifizierungsdaten für die Ressource (18,, 22) bereitstellen; und Vorlegen (112) der Skriptzugriffswerte der Ressource (18,, 22). 2. Verfahren nach Anspruch 1, dadurch gekennzeichnet, dass der Schritt des Erzeugens einer Netzwerkreferenz das Auswählen einer Benutzerrolle aus einer Vielzahl von Rollen umfasst, und wobei die Anzahl der Rollen geringer ist als die Anzahl der Netzwerkbenutzer. 3. Verfahren nach Anspruch 1 oder 2, dadurch gekennzeichnet, dass das Verfahren ferner den Schritt des Bildens (6) eines Cookies aus der Netzwerkreferenz umfasst. 4. Verfahren nach Anspruch 3, dadurch gekennzeichnet, dass das Verfahren ferner einen Schritt des Übertragens der Netzwerkreferenz zu dem Skript (17) umfasst, welcher durchgeführt wird, indem das Cookie übertragen (8) wird.. Verfahren nach einem der vorhergehenden Ansprüche, dadurch gekennzeichnet, dass der Schritt des Erzeugens (6) durchgeführt wird, indem die Anfangs-Authentifizierungsdaten des Benutzers durch Abfragen eines X.00-Verzeichnisses (16) in die Netzwerkreferenz aufgenommen werden. 6. Verfahren nach einem der vorhergehenden Ansprüche, wobei der Schritt des Durchführens (0, 2) der Anfangs-Authentifizierung das Aufnehmen des Benutzers in einer Benutzerrolle umfasst. 7. Verfahren nach einem der vorhergehenden Ansprüche, ferner umfassend: Ermitteln eines Benutzernamens und eines Passworts basierend auf den Skriptzugriffswerten; und Vorlegen des ermittelten Benutzernamens und des Passworts für den Benutzerzugriff der Ressource (18,, 22). 8. Vorrichtung zum Zugriff auf Ressourcen (18,, 22) in einem Netzwerk, gekennzeichnet durch: Mittel zur Durchführung einer Anfangs-Authentifizierung eines Benutzers; Mittel zur Erzeugung einer Netzwerkreferenz für den authentifizierten Benutzer, wobei die Netzwerkreferenz zumindest eine Rolle des Benutzers aufweist; Mittel zum Empfangen einer Benutzeranfrage, um auf eine Ressource (18,, 22) zuzugreifen; Mittel zum automatischen Zugreifen auf ein Skript (17), welches dafür konfiguriert ist, basierend auf der Netzwerkreferenz einen Skriptzugriffswert zu ermitteln, wobei der Skriptzugriffswert Authentifizierungsdaten für die Ressource (18,, 22) bereitstellt; und Mittel zum Vorlegen der Skriptzugriffswerte der Ressource (18,, 22). 9. Vorrichtung nach Anspruch 8, dadurch gekennzeichnet, dass das Mittel zum Erzeugen der Netzwerkreferenz ein Mittel zum Auswählen einer Benutzerrolle aus einer Vielzahl von Rollen umfasst, und wobei die Anzahl der Rollen geringer ist als die Anzahl der Netzwerkbenutzer.. Vorrichtung nach Anspruch 8 oder 9, dadurch gekennzeichnet, dass die Vorrichtung ferner ein Mittel zum Bilden eines Cookies aus der Netzwerkreferenz umfasst. 11. Vorrichtung nach Anspruch, dadurch gekennzeichnet, dass die Vorrichtung ferner ein Mittel zum Übertragen der Netzwerkreferenz zu dem Skript durch Übertragen des Cookies umfasst. 12. Vorrichtung nach einem der Ansprüche 8 bis 11, dadurch gekennzeichnet, dass das Mittel zum Erzeugen so eingerichtet ist, dass die Anfangs-Authentifizierungsdaten des Benutzers durch Abfragen eines X.00-Verzeichnisses (16) in die Netzwerkreferenz aufgenommen werden. 13. Vorrichtung nach einem der Ansprüche 8 bis 12, wobei das Mittel zum Durchführen einer Anfangs-Au- 6

7 11 EP B1 12 thentifizierung das Aufnehmen des Benutzers in einer Benutzerrolle umfasst. 14. Vorrichtung nach einem der Ansprüche 8 bis 13, ferner umfassend: Mittel zum Ermitteln eines Benutzernamens und eines Passworts basierend auf den Skriptzugriffswerten; und Mittel zum Vorlegen des ermittelten Benutzernamens und des Passworts für den Benutzerzugriff der Ressource (18,, 22). 1. System zum Bereitstellen des Benutzerzugriffs auf Web-Server-Ressourcen, umfassend: eine Vorrichtung (12) nach einem der Ansprüche 8 bis 14, wobei die Vorrichtung (12) dafür konfiguriert ist, den Zugriff nur nach einer Benutzer-Authentifizierung zu gewähren; einen Browser (14), welcher zwischen dem Benutzer und der Vorrichtung (12) Daten austauscht, wobei der Browser (14) auf die Daten der Anfangs-Authentifizierung des Benutzers zugreifen kann; und ein Verzeichnis (16) zum Speichern von Daten, welche die Aufnahme der Daten der Anfangs- Authentifizierung des Benutzers in der Netzwerkreferenz definieren, wobei die Netzwerkreferenz zumindest eine Benutzerrolle aufweisen; wobei der Browser (14) über die Vorrichtung (12) basierend auf den Daten der Anfangs-Authentifizierung und durch ein für den Benutzer transparentes Abfragen des Verzeichnisses (16) den Benutzerzugriff auf die Ressource (18,, 22) bereitstellt. 16. System nach Anspruch 1, dadurch gekennzeichnet, dass es sich bei der Vorrichtung (12) um einen Intranet-Netzwerk-Server handelt. 17. System nach Anspruch 1 oder 16, dadurch gekennzeichnet, dass der Browser (14) mit der Vorrichtung (12) Daten in einem Hypertext-Transferprotokoll-Format austauscht. 18. System nach einem der Ansprüche 1 bis 17, dadurch gekennzeichnet, dass die Vorrichtung (12) ein Cookie erzeugt, welches die Benutzerrolle aufweist, und dass der Browser (14) den Zugriff auf die Ressource (18,, 22) bereitstellt, indem er das Cookie einem Skript (17) bereitstellt, welches in dem Netzwerk gespeichert ist System nach Anspruch 18, dadurch gekennzeichnet, dass die Vorrichtung (12) auf Skriptzugriffswerte zugreift, welche basierend auf dem Cookie in einer Datenbank für die Ressource (18,, 22) gespeichert sind.. Computerlesbares Speichermedium, welches maschinenlesbare Befehle aufweist, welche, wenn sie von einem geeigneten Prozessor ausgeführt werden, zur Ausführung eines Verfahrens nach einem der Ansprüche 1 bis 7 führen. Revendications 1. Procédé pour accéder à des ressources (18,, 22) sur un réseau, caractérisé par les étapes consistant à : exécuter (0, 2) une authentification initiale d un utilisateur par l intermédiaire d un serveur web (12) ; créer (6) un justificatif d identité réseau pour l utilisateur authentifié, le justificatif d identité réseau comprenant au moins un rôle de l utilisateur ; recevoir (1) de l utilisateur une demande d accès à une ressource (18,, 22) par l intermédiaire du serveur web (12) ; accéder automatiquement (112) à un script (17) configuré pour déterminer des valeurs d accès de script en fonction du justificatif d identité réseau, les valeurs d accès de script fournissant des informations d authentification pour la ressource (18,, 22) ; et présenter (112) les valeurs d accès de script à la ressource (18,, 22). 2. Procédé selon la revendication 1, caractérisé en ce que l étape de création d un justificatif d identité réseau comprend la sélection d un rôle d utilisateur parmi plusieurs rôles, le nombre de rôles étant inférieur au nombre d utilisateurs de réseau. 3. Procédé selon la revendication 1 ou 2, caractérisé en ce que le procédé comprend en outre l étape de formation (6) d un cookie à partir du justificatif d identité réseau. 4. Procédé selon la revendication 3, caractérisé en ce que le procédé comprend en outre une étape de transfert du justificatif d identité réseau vers le script (17), exécutée par un transfert (8) du cookie.. Procédé selon l une quelconque des revendications précédentes, caractérisé en ce que l étape de création (6) est exécutée en faisant correspondre des données d authentification initiale de l utilisateur avec le justificatif d identité réseau en consultant un répertoire X.00 (16). 6. Procédé selon l une quelconque des revendications 7

8 13 EP B1 14 précédentes, dans lequel l étape d exécution (0, 2) de l authentification initiale comprend la mise en correspondance de l utilisateur avec un rôle d utilisateur. 7. Procédé selon l une quelconque des revendications précédentes, comprenant en outre : la détermination d un nom d utilisateur et d un mot de passe en fonction des valeurs d accès de script ; et la présentation du nom d utilisateur et du mot de passe déterminés pour un accès de l utilisateur à la ressource (18,, 22). 8. Appareil pour accéder à des ressources (18,, 22) sur un réseau, caractérisé par : 1 justificatif d identité réseau en consultant un répertoire X.00 (16). 13. Appareil selon l une quelconque des revendications 8 à 12, dans lequel les moyens pour exécuter une authentification initiale comprennent la mise en correspondance de l utilisateur avec un rôle d utilisateur. 14. Appareil selon l une quelconque des revendications 8 à 13, comprenant en outre : des moyens pour déterminer un nom d utilisateur et un mot de passe en fonction des valeurs d accès de script ; et des moyens pour présenter le nom d utilisateur et le mot de passe déterminés pour un accès de l utilisateur à la ressource (18,, 22). des moyens pour exécuter une authentification initiale d un utilisateur ; des moyens pour créer un justificatif d identité réseau pour l utilisateur authentifié, le justificatif d identité réseau comprenant au moins un rôle de l utilisateur ; des moyens pour recevoir une demande de l utilisateur pour accéder à une ressource (18,, 22) ; des moyens pour accéder automatiquement à un script (17) configuré pour déterminer une valeur d accès de script en fonction du justificatif d identité réseau, la valeur d accès de script fournissant des informations d authentification pour la ressource (18,, 22) ; et des moyens pour présenter les valeurs d accès de script à la ressource (18,, 22). 9. Appareil selon la revendication 8, caractérisé en ce que les moyens pour créer un justificatif d identité réseau comprennent des moyens pour sélectionner un rôle d utilisateur parmi plusieurs rôles, le nombre de rôles étant inférieur au nombre d utilisateurs de réseau.. Appareil selon la revendication 8 ou 9, caractérisé en ce que l appareil comprend en outre des moyens pour former un cookie à partir du justificatif d identité réseau. 11. Appareil selon la revendication, caractérisé en ce que l appareil comprend en outre des moyens pour transférer le justificatif d identité réseau vers le script par un transfert du cookie. 12. Appareil selon l une quelconque des revendications 8 à 11, caractérisé en ce que les moyens de création sont conçus pour faire correspondre des données d authentification initiale de l utilisateur avec le Système pour fournir à un utilisateur un accès à des ressources de serveur web, comprenant : un appareil (12) selon l une quelconque des revendications 8 à 14, l appareil (12) étant configuré pour ne donner l accès qu en cas d authentification de l utilisateur ; un navigateur (14) communiquant entre l utilisateur et l appareil (12), le navigateur (14) étant capable d accéder à des informations d authentification initiale de l utilisateur ; et un répertoire (16) pour stocker des données définissant des mises en correspondance entre des informations d authentification initiale de l utilisateur et des documents d identification réseau, les documents d identification réseau comprenant au moins un rôle d utilisateur ; dans lequel le navigateur (14) fournit à l utilisateur un accès à la ressource (18,, 22) par l intermédiaire de l appareil (12) en fonction des informations d authentification initiale, et par une consultation du répertoire (16) de façon transparente pour l utilisateur. 16. Système selon la revendication 1, caractérisé en ce que l appareil (12) est un serveur réseau intranet. 17. Système selon la revendication 1 ou la revendication 16, caractérisé en ce que le navigateur (14) communique avec l appareil (12) selon un format de protocole de transfert hypertexte. 18. Système selon l une quelconque des revendications 1 à 17, caractérisé en ce que l appareil (12) crée un cookie comprenant le rôle d utilisateur, et le navigateur (14) permet un accès à la ressource (18,, 22) en fournissant le cookie à un script (17) qui est stocké sur le réseau. 8

9 1 EP B Système selon la revendication 12, caractérisé en ce que l appareil (12) accède à des valeurs d accès de script stockées dans une base de données pour la ressource (18,, 22) en fonction du cookie.. Support de stockage lisible par ordinateur comprenant des instructions lisibles par machine qui, lorsqu elles sont exécutées par un processeur approprié, ont pour résultat l exécution d un procédé selon l une quelconque des revendications 1 à

10 EP B1

11 EP B1 11