(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2012/ A1
(43) Pub. Date: May 31, 2012
Hayler et al.

(54) USER ROLE MAPPING IN WEB APPLICATIONS

(75) Inventors: Don L. Hayler, Palo Alto, CA (US); Daniel Vu, Lafayette, CA (US)

(73) Assignee: Oracle International Corporation, Redwood Shores, CA (US)

(21) Appl. No.: 13/364,251

(22) Filed: Feb. 1, 2012

Related U.S. Application Data

(63) Continuation of application No. 12/917,764, filed on Nov. 2, 2010, now Pat. No. 8,136,150, which is a continuation of application No. 11/765,303, filed on Jun. 19, 2007, now Pat. No. 7,865,943.

(60) Provisional application No. 60/883,398, filed on Jan. 4, 2007, provisional application No. 60/826,633, filed on Sep. 22,

Publication Classification

(51) Int. Cl. G06F 17/20

(52) U.S. Cl. /239

(57) ABSTRACT

Roles and policies are used to provide display and access to data in a flexible manner. Users and/or Web applications can be mapped to user roles that dictate which displays or other application resources are available to the user or application. Roles are assigned to Web applications individually, allowing for user roles to be used without requiring an independent mapping of users to roles. In some cases, application roles can be centrally managed, so that presentation systems also avoid the need for an independent mapping of user or application roles.

Representative drawing: browser -> reverse proxy / single sign-on with credential vault -> web application A, web application B.

Patent Application Publication, May 31, 2012, Sheet 1 of 19, US 2012/ A1

FIG. 1: browser (102) -> reverse proxy / single sign-on (110) with credential vault -> web application A, web application B.

FIG. 2A (Sheet 2 of 19): browser -> main authentication (primary password) -> credential vault (202) -> web application A, web application B. The vault holds E_hash(primary password)(fixed string), E_hash(primary password)(secondary password A) and E_hash(primary password)(secondary password B): each application's secondary password is encrypted under a key derived from the hash of the primary password, and the encrypted fixed string serves as a check value for that primary password, so neither the primary password nor the secondary passwords are stored in clear.

FIG. 2B (Sheet 3 of 19): password change. The browser (220) submits the old password and the new primary password to main authentication; the credential vault (202) holds E_hash(old primary password)(fixed string), E_hash(old primary password)(secondary password A) and E_hash(old primary password)(secondary password B), which are re-keyed to the new primary password; web application A, web application B.
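The vault of FIGS. 2A and 2B written out as a working example. This is added Go code, not code from the patent or from Oracle. It assumes AES-256-GCM as the cipher E, an unsalted SHA-256 as the figures' hash(primary password), a constructed check string standing in for the figures' "fixed string", and application names and passwords that are made up for the demonstration. It shows the three operations the figures imply: checking a primary password against the encrypted fixed string, decrypting one application's secondary password, and re-keying every record when the primary password changes (the FIG. 2B flow).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Check value kept encrypted under the primary key (constructed; FIG. 2A only
// says "fixed string"). Decrypting it proves knowledge of the primary password.
const fixedString = "credential-vault-check"

// Vault mirrors FIG. 2A: E_k(fixed string) plus one E_k(secondary password) per
// downstream web application, with k derived from the primary password.
type Vault struct {
	check     []byte
	secondary map[string][]byte // application name -> encrypted secondary password
}

// keyFor is the figure's hash(primary password) used as an AES-256-GCM key.
// The unsalted SHA-256 only matches the figure; a real vault needs a salted,
// memory-hard KDF (scrypt, Argon2) so a stolen vault cannot be brute-forced.
func keyFor(primary string) cipher.AEAD {
	sum := sha256.Sum256([]byte(primary))
	block, _ := aes.NewCipher(sum[:]) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block)    // nor can GCM over AES
	return gcm
}

// seal encrypts one record; the random nonce is prepended so each record is
// self-contained. A failing system RNG is unrecoverable, hence the panic.
func seal(primary string, plaintext []byte) []byte {
	gcm := keyFor(primary)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; GCM's tag check rejects a wrong password or a tampered record.
func open(primary string, record []byte) ([]byte, error) {
	gcm := keyFor(primary)
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record too short")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

// NewVault encrypts the fixed string and every application's secondary
// password under the primary password.
func NewVault(primary string, secondaries map[string]string) *Vault {
	v := &Vault{check: seal(primary, []byte(fixedString)), secondary: map[string][]byte{}}
	for app, pw := range secondaries {
		v.secondary[app] = seal(primary, []byte(pw))
	}
	return v
}

// VerifyPrimary is the fixed-string check: decrypt it and compare.
func (v *Vault) VerifyPrimary(primary string) bool {
	pt, err := open(primary, v.check)
	return err == nil && string(pt) == fixedString
}

// Fetch decrypts the secondary password the single sign-on proxy forwards to app.
func (v *Vault) Fetch(primary, app string) (string, error) {
	pt, err := open(primary, v.secondary[app])
	if err != nil {
		return "", fmt.Errorf("no usable credential for %q: %w", app, err)
	}
	return string(pt), nil
}

// Rotate is the FIG. 2B password change: the old primary must still be
// presented, each record is decrypted under it and re-encrypted under the
// new primary, and the vault is replaced only once every record succeeds.
func (v *Vault) Rotate(oldPrimary, newPrimary string) error {
	if !v.VerifyPrimary(oldPrimary) {
		return fmt.Errorf("old primary password rejected")
	}
	plain := map[string]string{}
	for app := range v.secondary {
		pw, err := v.Fetch(oldPrimary, app)
		if err != nil {
			return err
		}
		plain[app] = pw
	}
	*v = *NewVault(newPrimary, plain)
	return nil
}

func main() {
	v := NewVault("hunter2", map[string]string{"mail": "mail-pw"})
	fmt.Println(v.Rotate("hunter2", "correct horse"), v.VerifyPrimary("hunter2")) // <nil> false
}
```

Two properties are worth keeping when adapting this: the check value means a wrong primary password is rejected before any secondary password is touched, and rotation rebuilds the whole vault in memory and swaps it in at the end, so a decryption failure part-way through leaves the old vault intact rather than half re-keyed.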

FIG. 3A (Sheet 4 of 19): browser (302) -> reverse proxy / single sign-on (304), which holds the roles and policies -> HTTP message made up of an HTTP header carrying the role value and the message payload -> web application A (306), web application B (308).
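The header-based role hand-off of FIG. 3A as an added Go example; this is not the patent's or Oracle's code. It assumes a header name (X-Proxy-Role), an SSO cookie named sso and a constructed session-to-role table, none of which the figure specifies, and uses net/http/httputil for the proxy with httptest standing in for both the browser side and web application A. The check a practitioner wants in any such deployment is that the proxy deletes any copy of the role header arriving from the browser before setting its own: a proxy that only adds the header lets a client claim whatever role it likes, and the web application, which trusts the header, will honour it.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Name of the header that carries the role value (assumed; FIG. 3A only shows
// "http header / role value").
const roleHeader = "X-Proxy-Role"

// Constructed session store: SSO cookie value -> role mapped to that user.
var sessionRoles = map[string]string{
	"sess-alice": "admin",
	"sess-bob":   "reader",
}

// roleFor resolves the caller's role from the SSO cookie; callers with no
// session get no role at all.
func roleFor(r *http.Request) string {
	c, err := r.Cookie("sso")
	if err != nil {
		return ""
	}
	return sessionRoles[c.Value]
}

// NewRoleProxy is the FIG. 3A reverse proxy: it sets the role header on each
// forwarded request. The hardening step is Del before Set: whatever role the
// browser sent in the same header is discarded, so the backend only ever
// sees the proxy's decision.
func NewRoleProxy(backend *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(backend)
	rewriteHost := proxy.Director
	proxy.Director = func(req *http.Request) {
		rewriteHost(req)
		req.Header.Del(roleHeader) // strip any client-supplied role
		if role := roleFor(req); role != "" {
			req.Header.Set(roleHeader, role)
		}
	}
	return proxy
}

// backendHandler stands in for "web application A": it echoes the role header
// it received, which is what the application would base its display on.
func backendHandler(w http.ResponseWriter, r *http.Request) {
	io.WriteString(w, "role="+r.Header.Get(roleHeader))
}

// RoleSeenByBackend sends one request through the proxy and returns the role
// the backend observed. ssoCookie may be empty; forgedRole, if set, is a role
// the client tries to smuggle in directly in the header.
func RoleSeenByBackend(ssoCookie, forgedRole string) (string, error) {
	backend := httptest.NewServer(http.HandlerFunc(backendHandler))
	defer backend.Close()
	target, err := url.Parse(backend.URL)
	if err != nil {
		return "", err
	}
	front := httptest.NewServer(NewRoleProxy(target))
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL+"/mail", nil)
	if err != nil {
		return "", err
	}
	if ssoCookie != "" {
		req.AddCookie(&http.Cookie{Name: "sso", Value: ssoCookie})
	}
	if forgedRole != "" {
		req.Header.Set(roleHeader, forgedRole)
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return strings.TrimPrefix(string(body), "role="), nil
}

func main() {
	// Bob presents a valid session but tries to claim "admin" in the header.
	role, err := RoleSeenByBackend("sess-bob", "admin")
	fmt.Println(role, err) // reader <nil>
}
```

Running it prints `reader <nil>`: Bob's forged admin header is discarded and the backend sees the role the proxy mapped from his session. The same discipline applies to any identity header a proxy injects (user name, groups), and stripping at the proxy only helps if the web application is reachable solely through the proxy; a backend that also accepts direct connections will take the header straight from the client.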


FIG. 4A (Sheet 6 of 19): browser (402) sends a request to the reverse proxy / single sign-on (404); the page (408) returned by the first web application contains a <pagelet tag identifier> (410) that refers to content served by the pagelet web application.

Sheet 7 of 19: figure text not legible in the transcription.

FIG. 5 (Sheet 8 of 19): browser (502) -> interstitial page component (504) in the reverse proxy / single sign-on, backed by an interstitial page table; interstitial pages come from the pagelet web application, the first web application and the interstitial page producer (508, 510, 520).

FIG. 6 (Sheet 9 of 19), Dispatcher Sequence Diagram: Handling a Request. Participants: User w/ Browser, Resource Mapping, User Authentication, Security Check, Content Retrieval, Content Transformation, Post Processing. Flow: content request (URI) -> map resource -> user session -> access? yes/no -> html content -> transformed html content -> response written with post-processed content (cookies added).

FIG. 7: Authentication Module 1, Module 2, Module 3; Authorization Module 1, Module 2, Module 3; Transformation Module 1, Module 2, Module 3.

FIG. 8A (Sheet 10 of 19): login sequence. Participants: User w/ Browser, LoginModule, LoginStateMgr, ExperienceService, ProxyUserLoginMgr, LoginDomainRedirectMgr.
Request resource -> has a valid proxy user session? -> select an experience for this request/resource -> does the request have a valid SSO cookie or parameter?
Yes: create a proxy user session from the SSO cookie and return the original resource.
No SSO cookie: is the request to the login domain for this experience? No: issue a redirect to the login domain and start this sequence anew. Yes (request is on the login domain): will an anonymous user suffice? Yes: create an anonymous proxy user session. No: does integrated authentication yield a proxy user session? Yes: create the specific proxy user session and return the original resource. No: can we try interactive login pages for this experience? No: redirect to an error page since the user can't authenticate. Yes: redirect to the interactive login page.

FIG. 8B (Sheet 11 of 19): interactive login sequence. Participants: User w/ Browser, LoginModule, InteractiveLoginStateMgr, Other Modules.
Request resource; integrated authentication is skipped or fails -> redirect to the interactive login page from the current experience -> request the login page via the login resource -> create an anonymous proxy user session and return an anonymous SSO cookie with the response -> continue processing the login resource as a normal resource -> return login page content -> did the login page return special headers? No, not yet: return the login page content.
The login page request is a POST of the login form -> continue processing the login resource as a normal resource -> return login page content, with headers for username and password -> did the login page return special headers? Yes: attempt authentication via the security service. If interstitial pages exist, the user is redirected to those; header processing occurs as above. During interstitials the user is still anonymous; only after completion does the SSO cookie for the specific user get set and the full proxy user session created. Authentication success: redirect to the originally requested resource, with the SSO cookie set to the specific user.


Sheet 13 of 19: figure text not legible in the transcription.

FIG. 11A (Sheet 14 of 19): login across domains, with mail.bea.com as the application host and proxy.plumtree.com as the login domain. Request resource mail.bea.com -> no proxy user session; is the request to the login domain for this experience? No: redirect the user to the login domain -> request to proxy.plumtree.com/login/loginpage.jsp -> does an SSO cookie and proxy user session exist for this request and HTTP session? Yes: redirect the user to mail.bea.com with the SSO cookie as a query string parameter. No SSO cookie: look up the experience based on the original requested resource mail.bea.com; if integrated authenticators exist, challenge the browser.

FIG. 11B (Sheet 15 of 19): request to proxy.plumtree.com/login/loginpage.jsp with Authorization header -> are the credentials correct? can we create a proxy user session? Check credentials with the security service. If the login failed, no integrated authenticators remain, and interactive login is allowed: return the content of the interactive login page -> request to proxy.plumtree.com/login/loginpage.jsp with POST of credentials -> are the credentials correct? can we create a proxy user session? Yes: create the proxy user session, set the SSO cookie, redirect the user to the originally requested resource -> request to mail.bea.com with the valid SSO cookie in a query string parameter -> return resource content for mail.bea.com.

FIG. 12 (Sheet 16 of 19): audit class diagram. AuditFactory: object-generating class. ResourceRolePair: contains a resource ID and role name. IAuditRecord: interface for methods across all audit records. IAccessRecord: interface for access audit records. IAuditMgr. RunnerAuditMgr: main class. AuditRecord: abstract wrapping class. IAuthorizationConfigRecord, IResourceConfigRecord: interfaces for auth policy and resource config records. AccessRecord: class for access records. AuthorizationConfigRecord: class for authorization policy records. AuditData: class for the data contained in the tables linked to the main audit table records.
