Patent US2. 00. 60. Method and apparatus for handling custom token propagation without Java .. CROSS REFERENCE TO RELATED APPLICATIONS . AUS9. 20. 04. 02. US1, filed on . AUS9.
US1 filed on . Both related applications are assigned to the same assignee and are incorporated herein by reference. BACKGROUND OF THE INVENTION . Particularly, the present invention relates to security attribute propagation in a network data processing system. Still more particularly, the present invention relates to handling propagation of custom tokens without using Java. Description of Related Art . These transactions include secured transactions, which require authentication and authorization of a user or a service requester. An example of a secured transaction is a banking transaction, which requests a user to enter a login name and password prior to giving access to the user's bank account information.
This type of transaction prevents perpetrators from gaining access to protected information. The single point of authentication is facilitated by using reverse proxy servers (RPS).
An RPS is a proxy server placed in front of the firewall that mirrors an actual Web server behind the firewall, such that malicious attacks on the actual Web server are prevented by denying invalid incoming requests. These attributes include, for example, static attributes from the enterprise user registry and dynamic attributes from custom login logic based upon location, time of day, and authentication strength. By having access to these attributes, application servers, such as, for example, the WebSphere Application Server, may perform necessary authentication and authorization operations. In addition, backend systems may use these attributes to determine identity of the original requester and make access decisions and audit records accordingly. The backend systems include Customer Information Control System (CICS) and DB2 Universal Database, which are products available from International Business Machines Corporation. Such attempts include a trust association interceptor (TAI) interface that acts as a security gateway to the WebSphere Application Server for incoming requests that are received through the reverse proxy server. However, the TAI interface is designed to only accept a user name of the authenticated user and ignore all other security attributes that are collected from the original login at the reverse proxy server. Other security attributes may include custom tokens that carry authorization attributes useful to other systems downstream.
These attributes include original authentication strength, client location and IP address, among other custom attributes gathered during a login. Therefore, a need exists for an improved network data processing system that can handle serialization of custom objects without using Java.
SUMMARY OF THE INVENTION . The mechanism of the present invention handles token propagation by allowing a service provider to plug in a first custom login module or a first default login module.
The custom or default login module adds an object implementing one of the four marker token interfaces defined by the present invention to a subject. The present invention then adds serialized bytes along with a name and a version into an opaque token and propagates the opaque token downstream using a communication protocol. The custom login module or the second default login module deserializes the token by retrieving a byte array based on the name and the version and processes the token accordingly. BRIEF DESCRIPTION OF THE DRAWINGS . The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of an illustrative embodiment when read in conjunction with the accompanying drawings, wherein: . A is a diagram illustrating known interactions between reverse proxy server and servers downstream; . B is a diagram illustrating interactions between reverse proxy server and servers downstream in accordance with a preferred embodiment of the present invention; .
A is an exemplary flowchart illustrating operation from a source server's perspective when Web inbound login configuration is loaded in accordance with a preferred embodiment of the present invention; . B is an exemplary flowchart illustrating operation of setting propagation token on thread local in accordance with a preferred embodiment of the present invention; . DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT . Network data processing system 1. Network data processing system 1.
Network 102 may include connections, such as wire, wireless communication links, or fiber optic cables. In addition, clients 1.
These clients 108, 1. Also in the depicted example, server 1. Server 104 may serve authentication purpose for server 1. When a user logs in to server 1. Firewall 122 acts as a gateway for servers 1.
Firewalls 122 and 1. Clients 108, 1. Network data processing system 1. At the heart of the Internet is a backbone of high-speed data communication lines between major nodes or host computers, consisting of thousands of commercial, government, educational and other computer systems that route data and messages.
Of course, network data processing system 1. LAN), or a wide area network (WAN). FIG. 1, is depicted in accordance with a preferred embodiment of the present invention. Data processing system 2.
SMP) system including a plurality of processors 2. Alternatively, a single processor system may be employed. Also connected to system bus 2.
I/O bus bridge 2. I/O bus 212. Memory controller/cache 2. I/O bus bridge 2. A number of modems may be connected to PCI local bus 2.
Typical PCI bus implementations will support four PCI expansion slots or add-in connectors. Communications links to clients 1. FIG. 1 may be provided through modem 2. PCI local bus 216 through add-in connectors. In this manner, data processing system 2. A memory-mapped graphics adapter 2. I/O bus 212 as depicted, either directly or indirectly.
For example, other peripheral devices, such as optical disk drives and the like, also may be used in addition to or in place of the hardware depicted. The depicted example is not meant to imply architectural limitations with respect to the present invention. IBM eServer. 3, a block diagram of a data processing system is shown in which the present invention may be implemented. Data processing system 3. FIG. 1, in which code or instructions implementing the processes of the present invention may be located.
In the depicted example, data processing system 3. MCH) 308 and a south bridge and input/output (I/O) controller hub (ICH) 3. Processor 302, main memory 3. MCH 308. Graphics processor 3. MCH through an accelerated graphics port (AGP), for example.
PCI/PCIe devices may include, for example, Ethernet adapters, add-in cards, PC cards for notebook computers, etc. PCI uses a cardbus controller, while PCIe does not. ROM 324 may be, for example, a flash basic input/output system (BIOS). Hard disk drive 3. CD-ROM drive 330 may use, for example, an integrated drive electronics (IDE) or serial advanced technology attachment (SATA) interface. A super I/O (SIO) device 3. ICH 310. The operating system may be a commercially available operating system such as Windows XP.
An object oriented programming system, such as the Java. The processes of the present invention are performed by processor 3. Other internal hardware or peripheral devices, such as flash memory, equivalent non-volatile memory, or optical disk drives and the like, may be used in addition to or in place of the hardware depicted in FIG. Also, the processes of the present invention may be applied to a multiprocessor data processing system.
The depicted example in FIG. For example, data processing system 3. PDA. 4. A, a diagram illustrating known interactions between reverse proxy server and servers downstream is depicted. A, client 402 may be implemented as a data processing system, such as data processing system 3. FIG. Reverse proxy server 4. FIG. Examples of static login attributes include user id, password, groups the user is a member of, and the full username, for example, John R. Typically, reverse proxy server 4.
This username is converted to a secure authentication token which is then the only information passed to server 2. Thus, no dynamic attributes may be propagated downstream. Only static login attributes are presented to server 2. Other original login information including attributes in user registry 4.
Therefore, server 1. Since the original login information at server 1.
Particularly, in a high traffic flow system, remote registry calls become very expensive and inefficient. In addition, since the user registry is accessible by many different processes, it often becomes a bottleneck when multiple processes compete for a registry lookup. B, a diagram illustrating interactions between reverse proxy server and servers downstream is depicted in accordance with a preferred embodiment of the present invention. As illustrated in FIG.
B, when client 4. Using the mechanism of the present invention, server 1. Reverse proxy server 5.
TAI) 506, which acts as a security gateway between end user 5. The user identity may include a user id and password. The TAI interface in turn passes the user's identity to application server 5. WebSphere Application Server. With the present invention, a default JAAS login module 5.
JAAS login configuration implemented by application server 5. Subject stored at run time.
The Subject is created using TAI. Subject method 5. Thus, using a default or custom login module of the present invention, authorization and authentication information may now be propagated downstream to other servers. The mechanism of the present invention enables identification of a token and handling of the token at a target server downstream based on a name and a version given to the token when the token is serialized upstream.
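The mechanism outlined in the Summary and restated in the paragraph above (a login module adds a marker-interface token to the Subject; its bytes are packed into an opaque token together with a name and a version; the downstream server looks the entry up by name and version and deserializes it) is shown below as an added, runnable example. It is not code from the patent or from WebSphere, and it is written in Python rather than Java so it can be executed here. The token name `example.ClientContext`, its field layout (authentication strength and client IP, two of the dynamic attributes the text names), and the length-prefixed wire format are all assumptions made for the illustration. The receiver deliberately skips entries whose (name, version) it has no handler for, so a newer upstream token does not break an older downstream server.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple, Type


class PropagationToken:
    """Marker base class (stand-in for the patent's marker interfaces).
    A custom token declares a NAME and a VERSION and converts itself to and
    from a plain byte array; no language-level object serialization is used."""
    NAME: str = ""
    VERSION: int = 0

    def to_bytes(self) -> bytes:
        raise NotImplementedError

    @classmethod
    def from_bytes(cls, data: bytes) -> "PropagationToken":
        raise NotImplementedError


@dataclass
class ClientContextToken(PropagationToken):
    """Hypothetical custom token: authentication strength (0-255) and client IP."""
    NAME = "example.ClientContext"   # assumed name
    VERSION = 1                      # assumed version
    auth_strength: int
    client_ip: str

    def to_bytes(self) -> bytes:
        ip = self.client_ip.encode("utf-8")
        # layout: u8 strength, u16 ip length, ip bytes
        return struct.pack(">BH", self.auth_strength, len(ip)) + ip

    @classmethod
    def from_bytes(cls, data: bytes) -> "ClientContextToken":
        if len(data) < 3:
            raise ValueError("truncated ClientContextToken")
        strength, ip_len = struct.unpack_from(">BH", data, 0)
        ip = data[3:3 + ip_len]
        if len(ip) != ip_len:
            raise ValueError("truncated ClientContextToken")
        return cls(strength, ip.decode("utf-8"))


_ENTRY_HDR = ">HHI"   # u16 name length, u16 version, u32 payload length
_ENTRY_HDR_LEN = struct.calcsize(_ENTRY_HDR)


def pack_opaque_token(tokens: List[PropagationToken]) -> bytes:
    """Upstream side: serialize each token's bytes with its name and version."""
    out = [struct.pack(">H", len(tokens))]
    for tok in tokens:
        name = tok.NAME.encode("utf-8")
        payload = tok.to_bytes()
        out.append(struct.pack(_ENTRY_HDR, len(name), tok.VERSION, len(payload)))
        out.append(name)
        out.append(payload)
    return b"".join(out)


def unpack_opaque_token(blob: bytes) -> List[Tuple[str, int, bytes]]:
    """Split an opaque token into (name, version, raw bytes) entries.
    Every length is checked against the buffer before it is used."""
    if len(blob) < 2:
        raise ValueError("truncated opaque token")
    (count,) = struct.unpack_from(">H", blob, 0)
    pos, entries = 2, []
    for _ in range(count):
        if pos + _ENTRY_HDR_LEN > len(blob):
            raise ValueError("truncated opaque token")
        name_len, version, payload_len = struct.unpack_from(_ENTRY_HDR, blob, pos)
        pos += _ENTRY_HDR_LEN
        end = pos + name_len + payload_len
        if end > len(blob):
            raise ValueError("truncated opaque token")
        name = blob[pos:pos + name_len].decode("utf-8")
        entries.append((name, version, blob[pos + name_len:end]))
        pos = end
    if pos != len(blob):
        raise ValueError("trailing bytes in opaque token")
    return entries


Registry = Dict[Tuple[str, int], Type[PropagationToken]]


def rehydrate(blob: bytes, registry: Registry
              ) -> Tuple[List[PropagationToken], List[Tuple[str, int]]]:
    """Downstream side: dispatch each entry on (name, version). Entries with
    no registered handler are reported and skipped, not treated as fatal."""
    recognized, skipped = [], []
    for name, version, payload in unpack_opaque_token(blob):
        cls = registry.get((name, version))
        if cls is None:
            skipped.append((name, version))
            continue
        recognized.append(cls.from_bytes(payload))
    return recognized, skipped


def demo() -> Tuple[List[PropagationToken], List[Tuple[str, int]]]:
    """Round trip: upstream login module packs, downstream login module unpacks."""
    upstream = [ClientContextToken(auth_strength=2, client_ip="203.0.113.7")]
    blob = pack_opaque_token(upstream)
    registry: Registry = {(ClientContextToken.NAME, ClientContextToken.VERSION): ClientContextToken}
    return rehydrate(blob, registry)
```

The opaque token is opaque, not self-authenticating: it carries authorization attributes, so a downstream server should accept it only over the channel on which it already trusts the upstream server, and should treat any entry it cannot dispatch as bytes to ignore rather than as data to act on.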