WO2014088400A1 - Delegation system - Google Patents

Delegation system

Info

Publication number
WO2014088400A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
login
server
delegation
session
Prior art date
Application number
PCT/MY2013/000220
Other languages
English (en)
Inventor
Teong TAN CHIN
Eng KHOR SWEE
Kheen CHIN CHEE
Hamid SHAQHAWI ABDUL
Wee CHEN WOON
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad
Publication of WO2014088400A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76 Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • the present invention relates to a delegation system for authorizing and delegating a task of a web application.
  • a user or a delegator may need to delegate certain tasks of the application to another user or a delegatee.
  • the delegation poses a few challenges as the delegator may need to restrict the delegatee's access to only functions and data that are required to perform the delegated tasks.
  • the delegator needs to also restrict the access to only the delegatee.
  • the delegation cannot be done by simply revealing a password to access the software applications.
  • US Patent Publication No. 2002/0046352 A1 discloses a method for enabling participants in an information technology (IT) system or a computer network to delegate user authority to other system participants.
  • the method of the present invention includes the generation of a proxy authorization.
  • the proxy authorization, or proxy, is used by the IT system to ensure that a given participant may have access to resources on the basis of a permission granted and intended by another user or agent of the IT system, and that the grantor of the permission is authorized to issue the access and/or authorities as designated by or within the proxy authorization.
  • a medical record repository for example may allow unlimited access to particular individual patient records to an individual medical doctor.
  • the doctor can then authorize a specific pharmacy to have limited access to designated portions of the medical records of certain of the patients to whom the doctor is authorized access.
  • the pharmacy may then allow access to distinct and different subsets of the portions of the records, to which the pharmacy is authorized access to by a proxy issued by the doctor, to an insurance company, to a billing clerk, and to pharmacists.
  • proxies thereby allow for efficient B2B collaborative message processing using languages such as XML.
  • such a system does not restrict access to certain functions of a software application that are required to perform the delegated tasks. Instead, the system only restricts access to data or records in a resource repository.
  • the delegation system must be able to delegate in a cloud computing environment which includes multiple software applications having different configurations and settings.
  • the present invention provides a delegation system.
  • the delegation system comprises at least one application server (100), at least one client device (200), and a delegation server (300).
  • the delegation server (300) further includes a user authentication module (310), wherein said user authentication module (310) is used to authenticate users of said delegation server (300), and wherein said user authentication module (310) is connected to the login module (320); a login module (320), wherein said login module (320) is configured to divide a login credential of a delegator into two portions, encrypting and decrypting both portions of the login credential, concatenating the two portions of the login credential; a session recording module (330), wherein said session recording module (330) is used to record login session data; a session playback module (340); wherein said session playback module (340) is used to playback the recorded session data, and wherein said session playback module (340) is connected to the session filtering and rendering module (350); a session filtering and rendering module (350), wherein said session filtering
  • the present invention also provides a method for delegating a task in a web application by using a delegation system.
  • the method is characterised by the steps of accessing a delegation server (300) by using a client device (200); requesting for a URL address of an application server (100) hosting the web application by the delegation server (300); providing the URL address of the application server (100) by the client device (200); initiating recording login session data by a session recording module (330) of the delegation server (300); communicating with the application server (100) by an application server listener and forwarder module (360) of the delegation server (300); logging into the web application by providing a login credential; performing any actions in the web application by the client device (200) to and recording the actions as the login session data by the session recording module (330); reaching a destination page of the web application performing the delegated task; discontinuing recording login session data by the session recording module (330); configuring web controls of the web application by the client device (200) through the delegation server (300); selecting a delegatee to
  • encrypting both portions of the login credential includes hashing a first portion of the login credential and encrypting a second portion of the login credential into an image by using a digital watermarking technique.
  • the present invention also provides a method for performing a delegated task in a web application by using a delegation system.
  • the method is characterised by the steps of: (a) accessing a delegation server (300) by using a client device (200); (b) determining whether an active duration defined to perform the delegated task has expired; (c) uploading an image of an encrypted second portion of a delegator's login credential by the client device (200); (d) decrypting the second portion of the login credential from the uploaded image by a login module (320) of the delegation server (300); (e) retrieving and de-hashing a corresponding hashed first portion of the login credential by a login module (320) of the delegation server (300); (f) concatenating the first portion of the login credential with the second portion of the login credential to form the login credential; (g) initiating communication with an application server (100) of the web application by the delegation server (300); (h) sending the login credential to the web application from the delegation server
  • FIG. 1 shows a block diagram of a delegation system according to an embodiment of the present invention.
  • FIG. 2 shows a block diagram of a delegation server (300) according to an embodiment of the present invention.
  • FIG. 3 shows a flowchart of a method for delegating a task in a web application by using the delegation system of FIG. 1.
  • FIG. 4 shows a flowchart of a method for performing a delegated task in a web application by using the delegation system of FIG. 1.
  • FIG. 5 shows an exemplary image of an encrypted second portion of a login credential.
  • FIG. 1 shows a block diagram of a delegation system according to an embodiment of the present invention.
  • the delegation system comprises at least one application server (100), at least one client device (200), and a delegation server (300).
  • the application server (100), the client device (200) and the delegation server (300) are connected to a network such as Internet or intranet.
  • the application server (100) is used for hosting at least one web application such as a financial management application, a human resource management application, a customer relationship management application, etc.
  • the web application is a software application that is accessible by users through a web browser. The users securely access the web application by using login credentials to authenticate their identity.
  • the at least one client device (200) can be used either as a delegator or as a delegatee, wherein a delegator refers to a user of the client device (200) having a login credential to access the web application, while a delegatee refers to a user of the client device (200) that is delegated with a task in the web application by the delegator. Examples of such a computing device (200) include, but are not limited to, a laptop, a mobile phone, a computer, a handheld communication device, and a handheld computing device.
  • the delegation server (300) is used to allow the delegator to delegate a task to the delegatee. Moreover, the delegation server (300) hides or disables certain functions and information in the web application when the delegatee is accessing the web application to perform the delegated task.
  • the delegation server (300) comprises a user authentication module (310), a login module (320), a session recording module (330), a session playback module (340), a session filtering and rendering module (350), an application server listener and forwarder module (360), and a user notification module (370).
  • the user authentication module (310) is used to authenticate users of the delegation server (300).
  • the user authentication module (310) is connected to the login module (320).
  • the login module (320) is used to divide a login credential of the delegator into two portions, wherein a first portion is encrypted and stored in the delegation server (300), while a second portion is encrypted and embedded into an image using digital watermarking technique. The second portion is sent to the delegatee to access the web application.
  • the login module (320) is also used to join and decrypt both portions of the login credential for the delegatee to access the web application by using the delegator's login credential.
  • the session recording module (330) is used to record login session data.
  • the session recording module (330) records the login session data by capturing all HTTP actions which include GET and POST actions performed by the delegator and storing those HTTP actions.
  • the session playback module (340) is used to simulate web-based interaction activities defined by the delegator.
  • the session playback module (340) is connected to the session filtering and rendering module (350).
  • the session filtering and rendering module (350) is used to render HTML controls according to permissions and restrictions as defined by the delegator.
  • the application server listener and forwarder module (360) is used to communicate with the application server (100) hosting the web application.
  • the user notification module (370) is used to send the image of the second portion of the delegator's login credential to the delegatee, wherein the image is used by the delegatee to access the web application to perform the delegated task.
  • the image is sent in an email to the delegatee.
  • a delegator accesses the delegation server (300) by using a web browser of the client device (200) and thereon, logs into the delegation server (300) by providing a username and a password.
  • the user authentication module (310) determines the validity of the username and password provided by the delegator. If the username and password are invalid, the delegator is denied access to the delegation server (300) as in step 403. Thus, the delegator is unable to perform the delegation process.
  • the delegation server (300) requests the delegator to provide a URL address of the application server (100) hosting the web application as in step 404. Moreover, the delegation server (300) requests the delegator to initiate recording of the delegator's login session data as in step 405.
  • the application server listener and forwarder module (360) initiates communication with the application server (100) and the session recording module (330) starts to record the delegator's login session data while accessing the web application.
  • the delegator accesses the web application through the delegation server (300), wherein the delegation server (300) acts as a proxy for the application server (100).
  • in step 306, the delegator logs into the web application by providing a login credential.
  • the login credential provided by the delegator is recorded by the session recording module (330). If the login credential is invalid, the delegator is denied access to the web application of the application server and thereon, the delegator is required to stop the recording of the login session data.
  • the delegator performs any action in the web application as required to reach a destination page of the web application, wherein the destination page is a webpage for the delegatee to start performing the delegated task. While the delegator performs those actions, the session recording module (330) records those actions until the delegator reaches the destination page and/or stops recording the login session data (decision 407, steps 408 and 409).
  • the login session data includes a series of navigation to be replayed by the delegation server (300) to redirect the delegatee to the destination page as determined by the delegator.
  • the delegator defines the configuration for each web control of the web application to either enable, disable, hide, or show it, wherein the configuration is the HTML tag property defined for a web control of the web application.
  • a web control such as a button, text, table, etc. can be enabled, disabled, hidden or shown to the delegatee when accessing the web application.
  • the configurations of the web controls and their corresponding page name and uniform resource locator (URL) are stored in the delegation server (300) as in step 411.
  • in step 412, the delegator selects a delegatee to be delegated with the task in the web application by providing an email address of the delegatee. Moreover, the delegator specifies an active duration for the delegatee to access the web application and perform the delegated task, wherein the delegatee will not be able to access the web application and perform the delegated task after the expiration of the active duration. Once the delegator has selected the delegatee, the delegator logs out from the delegation server (300).
  • the login module (320) extracts the recorded login credential and encodes it into two portions, wherein a first portion of the login credential is hashed and stored by the login module, and a second portion of the login credential is encrypted into an image by using a digital watermarking technique which is a process for embedding and hiding the login credential in an image.
  • a login credential of '12345678' is divided into two portions, wherein the first portion is '1234' and the second portion is '5678'.
  • the first portion is hashed to 'ab23bae0@#3$' while the second portion is encrypted into an image as shown in FIG. 5.
  • the delegation server (300) does not store a copy of the second portion of the image.
  • in step 414, the user notification module (370) sends a message to the delegatee, wherein the message includes the URL address of the delegation server (300) and the image of the encrypted second portion of the delegator's login credential.
  • in FIG. 4, there is shown a flowchart of a method for performing a delegated task in a web application by using the delegation system of FIG. 1.
  • a delegatee accesses the delegation server (300) by using a web browser of the client device (200) upon receiving the message sent from the delegation server (300).
  • the delegatee logs into the delegation server (300) by providing a username and a password.
  • the user authentication module (310) determines the validity of the username and password provided by the delegatee. If the username and password are invalid, the delegatee is denied access to the delegation server (300) as in decision 502 and step 503. Thus, the delegator is unable to perform the delegated task in the web application.
  • the delegation server (300) checks whether the active duration defined for the delegatee has expired. If the active duration has expired, the delegatee is denied access to the delegation server (300) as in decision 504 and step 503. Otherwise, the delegation server requests that the delegatee upload the image of the encrypted second portion of the delegator's login credential as in decision 504 and step 505.
  • the login module (320) decrypts the second portion of the delegator's login credential from the uploaded image as in step 506. Thereon, the login module (320) retrieves the hashed first portion of the delegator's login credential as in step 507. The hashed first portion is de-hashed and concatenated with the second portion to form the delegator's login credential as in step 508.
  • in step 509, the delegation server (300) initiates communication with the application server (100) of the web application and sends the login credential to the web application. If the login credential is invalid, the delegatee is denied access to the web application to perform the delegated task as in decision 510 and step 511.
  • the session playback module (340) plays back the login session data as in decision 510 and step 512, wherein the login session data is a series of HTTP commands as recorded by the delegator, and the series of HTTP commands is replayed by the session playback module (340) to the delegatee if the login credential is valid.
  • the recorded actions include redirecting from page A to page B and thereon, to page C as the destination page; the delegatee is automatically redirected to page C once the login credential is valid.
  • the application server listener and forwarder module (360) retrieves a webpage of the web application from the application server (100) and extracts all stored configurations for the web controls of the retrieved webpage as defined by the delegator as in step 513. Based on each configuration, the session filtering and rendering module (350) finds the corresponding HTML tag in the HTML source obtained from the web application server (100), and modifies the HTML tag property to hide the web control if the configuration defines that the web control should be hidden, or to disable the web control if the configuration defines that the web control should be disabled, as in step 514. Once all configurations have been applied to the webpage, the modified webpage is delivered to the delegatee to perform the delegated task as in step 515.
  • steps 513 to 515 are repeated.
  • the delegatee logs out from the web application and the delegation server (300) as in decision 517 and step 518. While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specifications are words of description rather than limitation and various changes may be made without departing from the scope of the invention.
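
A sketch of steps 513 to 515 as described above, given as an added example that is not code from the patent or from its applicant. The configuration layout, page URL, control ids, the use of the HTML `hidden` and `disabled` attributes as the modified tag properties, and the `rejected_fields` check are assumptions; the check goes beyond the text and is included because a browser never submits a disabled control, so such a field in a request forwarded to the application server means the delivered page was changed on the client.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample configuration: page URL -> {control id: state}. The four
# states are the ones the text names; the URL and ids are made up for this sketch.
CONTROL_CONFIG = {
    "/payroll/review": {"btn_delete": "hide", "salary": "disable", "btn_approve": "enable"},
}


class ControlFilter(HTMLParser):
    """Re-emit a page, rewriting tag properties of configured controls.

    HTML comments and processing instructions are dropped from the output.
    """

    def __init__(self, rules):
        super().__init__(convert_charrefs=False)
        self.rules = rules
        self.out = []
        self.disabled_names = set()  # form fields the delegatee must not submit

    def _open_tag(self, tag, attrs, end=">"):
        attrs = dict(attrs)
        state = self.rules.get(attrs.get("id"))
        if state in ("show", "enable"):
            attrs.pop("hidden" if state == "show" else "disabled", None)
        elif state == "hide":
            attrs["hidden"] = None
        elif state == "disable":
            attrs["disabled"] = None
            if attrs.get("name"):
                self.disabled_names.add(attrs["name"])
        # The parser unescapes attribute values, so escape them again on output.
        rendered = "".join(
            f" {k}" if v is None else f' {k}="{escape(v, quote=True)}"'
            for k, v in attrs.items()
        )
        self.out.append(f"<{tag}{rendered}{end}")

    def handle_starttag(self, tag, attrs):
        self._open_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._open_tag(tag, attrs, end=" />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def filter_page(url, html_source, config=CONTROL_CONFIG):
    """Return (modified HTML, names of disabled fields) for one proxied page."""
    parser = ControlFilter(config.get(url, {}))
    parser.feed(html_source)
    parser.close()
    return "".join(parser.out), parser.disabled_names


def rejected_fields(post_fields, disabled_names):
    """Fields in a forwarded POST that belong to controls delivered as disabled."""
    return sorted(set(post_fields) & disabled_names)


SAMPLE_PAGE = (  # constructed page standing in for the application server's HTML
    '<form action="/payroll/review" method="post">'
    '<input id="salary" name="salary" value="4200">'
    '<button id="btn_approve" name="approve" disabled>Approve</button>'
    '<button id="btn_delete" name="delete">Delete</button>'
    "</form>"
)
```

Calling `filter_page("/payroll/review", SAMPLE_PAGE)` returns the rewritten page together with the set of disabled field names, which `rejected_fields` then compares against the fields of a request before it is forwarded.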

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a delegation system. The delegation system comprises at least one application server (100), at least one client device (200), and a delegation server (300). The delegation server (300) is used to allow the delegator to delegate a task to the delegatee. Moreover, the delegation server (300) hides or disables certain functions and information in the web application when the delegatee is accessing the web application to perform the delegated task. The delegation server (300) comprises a user authentication module (310), a login module (320), a session recording module (330), a session playback module (340), a session filtering and rendering module (350), an application server listener and forwarder module (360), and a user notification module (370).
PCT/MY2013/000220 2012-12-07 2013-12-03 Delegation system WO2014088400A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2012701115 2012-12-07
MYPI2012701115A MY154224A (en) 2012-12-07 2012-12-07 A delegation system

Publications (1)

Publication Number Publication Date
WO2014088400A1 (fr) 2014-06-12

Family

ID=50029184

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2013/000220 WO2014088400A1 (fr) Delegation system 2012-12-07 2013-12-03

Country Status (2)

Country Link
MY (1) MY154224A (fr)
WO (1) WO2014088400A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447041A (zh) * 2014-09-02 2016-03-30 Alibaba Group Holding Ltd. Web page processing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020046352A1 (en) 2000-10-05 2002-04-18 Ludwig George Stone Method of authorization by proxy within a computer network
US20020083014A1 (en) * 2000-06-30 2002-06-27 Brickell Ernie F. Delegating digital credentials
EP1383265A1 (fr) * 2002-07-16 2004-01-21 Nokia Corporation Method for generating proxy signatures

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
VRANCKEN Z ZELTSAN ALCATEL-LUCENT B: "Using OAuth for Recursive Delegation; draft-vrancken-oauth-redelegation-00.txt", INTERNET ENGINEERING TASK FORCE, IETF; STANDARDWORKINGDRAFT, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 1 September 2009 (2009-09-01), XP015064118 *

Also Published As

Publication number Publication date
MY154224A (en) 2015-05-15

Similar Documents

Publication Publication Date Title
JP7007985B2 (ja) Resource locator with keys
JP6389895B2 (ja) Data security using request-supplied keys
US9038138B2 (en) Device token protocol for authorization and persistent authentication shared across applications
Erdos et al. Shibboleth architecture draft v05
US20090328177A1 (en) Enabling private data feed
CN107534667A (zh) Key derivation techniques
TW201141176A (en) Method and apparatus for providing trusted single sign-on access to applications and internet-based services
US20120311331A1 (en) Logon verification apparatus, system and method for performing logon verification
CA3034665A1 (fr) Methods and systems for controlling access to a protected resource
JP2011176435A (ja) Secret key sharing system, method, data processing apparatus, management server, and program
CN114762291A (zh) Method, computer program and data sharing system for sharing user-specific data of a user
JP2011145754A (ja) Single sign-on system and method, authentication server, user terminal, service server, and program
WO2014088400A1 (fr) Delegation system
RU2805668C1 (ru) Providing and obtaining one or more data sets via a digital communication network
JP2023506500A (ja) Providing and obtaining one or more data sets via a digital communication network
Ayhan et al. Federated multi-agency credentialing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13824675

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13824675

Country of ref document: EP

Kind code of ref document: A1