WO1998039889A1 - System and method for gaining access to information in a distributed computer system - Google Patents

Abstract

A class indicating the degree of open access is allocated to a data packet within the framework of an access control list (ACL) in order to avoid undesired access to said data packet (10, 13). Specific privileges which must be met by a data processing unit (30) in order to gain access to said data packet (10, 13) are also assigned to the data packet (10, 13). These privileges can be stored in the data processing device (31, 34) which is provided with said data packet (10, 13). A request for a data packet (10, 13) can occur in a protected form within the framework of a security procedure.

Description

description

System and method for granting access to information in a distributed computer system

The invention relates to a method for granting access to information in a distributed computer system. The currently most important distributed computer systems are the Internet and the intranet for business purposes. In these systems, network security is a critical factor for the success of these systems.

Computer networks are terminals, controllers, peripheral devices and processors and their interconnections. Such configurations are defined as logical units that are related to the physical units of a network and specify the rules for interactions between these logical units. The components of a network are described by way of example in EP 0 362 105 B1 columns 1 and 2. Many other network systems are operated which, depending on their design and their use, are generally operated as local or supra-local networks, so-called local area networks or wide area networks, which are described in accordance with the network in EP 0 362 105 B1. All of these networks can be interconnected using standardized protocol. When connecting a plurality of such systems, one speaks of a distributed computer system. A prominent representative of such a computer system is the so-called World Wide Web (WWW).

A number of transfer protocols have been established for communication between the computer systems as well as within these computer systems. An important transfer protocol is the TCP / IP (Transmission Control Protocol / Internet Protocol).

Within the networks, some computers work as so-called servers, which the actual users, the so-called named clients can be addressed. The servers can provide different computing resources, documents, programs, etc. In particular, the servers provide the clients with so-called hypertext documents. This is the name given to documents that are created using a so-called "Hypertext Markup Language" (HTML). HTML is a language that generates documents that can be displayed on the client independently of the platform. HTML is an application of the ISO standard 8879: 1986 Information Processing ^' Text and Office Systems; Standard Generalized Markuplanguage (SGML). SGML documents are a sequence of characters that are organized physically as a set of entities and logically in a hierarchy of elements. An SGML document contains data in Form of characters and so-called "markups". These markups describe the structure of the information and give an example of this structure.

In addition to text, graphics, video and the like, the hypertext documents often contain references, so-called links, to other hypertext documents. These links are commands embedded with instructions that allow the client's system to search for the target document. The target document can be associated with another server, which can be located in another network that is part of the distributed computer system. If the HTML standard is used for the hypertext document, the link contains a so-called Uniform Resource Locator (URL), which designates the actual name of a document and the server system from which the document can be accessed.

The HTML pages are transferred between the server and client using a special transfer protocol. An example of such a protocol is the hypertext transfer protocol HTTP, which is specified in the Internet Request for Comments 1945 (RFC1945). Such a protocol contains messages that can either be interpreted as a request for a document or are interpreted as a response to such a request. Requests and responses can be classified depending on their content. For example, the HTTP protocol defines two types of requests: a so-called GET request, which only contains the requested URL and thus the searched document and its server system, and a POST request, which also contains data that was added by the client in addition to the URL .

The client computers with which hypertext documents can be displayed and processed have a corresponding application program, a so-called browser. The browser can be available alone or embedded in another application program on the client computer. This browser reproduces the content of the hypertext document, possibly including other application programs, at the client in the form of texts, images, sounds and video sequences. In addition, a browser allows you to follow the links contained in the hypertext document. From the point of view of the user, this branching to the links takes place by simply clicking with a computer mouse or other pointer instrument on a point marked accordingly in the displayed hypertext document.

The hypertext documents are provided by servers.

To do this, the servers access a document directly or generate it dynamically. In dynamic generation, the servers use application programs, which in turn, like a client, exchange data with a database using a network protocol. The data read from the database is prepared as a hypertext document and sent to the client.

Hypertext documents can contain fields that must be filled in by the client. The filled fields provide the server with the required information. For example, a hypertext document looks like a form to be filled by the user is. This form is sent from the client to the server, where the information received is processed in an application program. The application program can run directly on the server or in a further data processing device outside the server. When using this functionality, it is possible to only make the browser available on a client computer. The hypertext document then serves as a user interface for an application program. This application program then no longer needs to be installed on the client, it is sufficient to provide this user program to the server and to access it by means of a hypertext document and standard browser.

A special group of servers are the so-called proxy servers. These proxy servers only forward the requests and responses they reach to their destination. The proxy servers are also able to cache some responses in a cache. This is particularly useful for responses that contain hypertext documents that are frequently requested. This functionality reduces the network bandwidth required because the amount of data to be transmitted is reduced. Another important task of the proxy server is to carry out security routines. Proxy servers are used to handle incoming messages from a security perspective, for example by encrypting these messages.

When hypertext documents and hypertext user interfaces were made available to applications over distributed networks, there were some security requirements. These requirements concern security of data transmission on the one hand and access to individual documents or groups of documents on the other. With regard to data transmission, various encryption methods are used to make the transmitted data difficult to read or completely unreadable for third parties. With an access protected documents is user-specific access it ^¬ laubt or blocked.

General access protection is described, for example, in Internet Request for Comments 1508 (RFC1508) for the so-called Generic Security Services application program interfaces (GSS-API). A user / client transmits data to the server that prove their identity. For example, this is done by exchanging passwords ^' or by using certain cryptographic methods. If the identity of the client determine the result can be in a Li ^¬ ste be stored and used for subsequent access decisions.

A procedure for exchanging passwords according to the hypertext transfer protocol HTTP is described in Internet Request for Comments 1945 (RFC1945). A cryptographic method for data security is described in the Secure Socket Layer protocol (The SSL Protocol, Version 3.0, Internet Draft, March 1996). An asymmetric procedure, a so-called public key procedure (RSA), is proposed for mutual authentication between server and client.

The known methods have the disadvantages listed below:

1. Problems in coping with situations in which a plurality of clients whose access requests have to be controlled want to access a plurality of servers. One reason for this is the administrative effort that must be expended when the decision to grant access is based on the specific right of a client. This type of rights assignment means that each data source (server) must have an access control list in which all clients with access rights must be included. Such lists are very extensive and difficult to maintain so that they are always up to date. This is why it often happens that clients whose access rights have already expired still have access to protected data because it takes some time before the access control list is updated.

2. The rights are typically assigned by the administrator of the server. But often it would be better to do this

Right to transfer to a security administrator or to leave this right with the owner of the data.

3. The servers always confirm the existence of a hypertext document, even if access to it is subject to access control and is not granted. This confirmation in itself can already mean the release of security-relevant information.

4. The access decision is made solely on the basis of the identity of the client. 5. The identity of the client is always disclosed to the server. In some cases, this path breaks the rules on data protection because the server administrator can determine which client has access to which document. 6. As described above, many hypertext documents are generated dynamically on the server. To do this, the server accesses another system via a network protocol, where the actual content of the document is stored. In these cases, security methods currently used cannot guarantee a secure connection between the server and the database in the background in such a way that these security methods are based on the security attributes of the actual client browser. 7. Often the actual content of documents has to be changed to ensure secure access to them. For example, the SSL process requires that the URL of a document be of a specific type.

The prior art shows solutions to some of these problems in connection with special security application programs. For example, the European Computer Manufacturers Association (ECMA) has port ECMA TR / 46 defines a security architecture whose access control is based on attributes that are assigned to the client.

A special embodiment of these methods was developed under the name SESAME (Secure Europeans System for Applications in a Multivendor Environment). SESAME is defined in the corresponding standard ECMA 235.

A common procedure for integrating security functionality into an application program was defined in RFC 1508 in connection with RFC 2048. This contains the definition of a so-called application program interface (API), which is known as a so-called Generic Security Services API (GSS-API).

The present invention has for its object to show a system for granting access to information in a distributed computer system, which ensures simple and always up-to-date access control in largely anonymous form.

This object is achieved by the features specified in the claims. Data packets, in particular hypertext documents, are not protected by ascertaining the identity of the accessing party, but rather on the basis of the properties of an accessing party. These properties only need to be disclosed to access a protected document. The administrative effort for access is extremely low, since there is no need to maintain access-specific lists that list all the data packets to which access is legal. The topicality of the access authorization is always guaranteed.

By introducing at least three protection classes, of which a first protection class (open) offers unrestricted access to If a data packet is granted and a second protection class (entry) and a third protection class (hidden) provide conditional access to a data packet, the traceability of data packets can be made so difficult that the existence of data packets can also be obscured or completely concealed. Thus, any information about the existence of a data packet of the third protection class is omitted, while data packets of the second protection class are referred to the existence. Temporary, access-specific storage of its properties minimizes the effort for data exchange and thus increases the response time (performance).

In the case of the World Wide Web, data packets are exchanged in the form of hypertext documents. These are divided into at least three categories. A distinction is made between hypertext documents with open access with the classification "open", hypertext documents with access control so-called "entry documents" and hidden hypertext documents with so-called "hidden documents". A hypertext document with the

The classification "open" is transmitted to the browser after a corresponding request, which can be made from any data processing device with the properties of a browser. Hypertext documents with the classification "entry" and "hidden" can only be made available on such browsers whose clients have authenticated before access. As part of this authentication, privileges and therefore access rights must be specified which are sufficient to allow access to the desired hypertext document. A request for access to a hypertext document comes along the classification "entry" or "hidden" from the browser of a client or the privileges that were set during the authentication of the client are not sufficient to access the hypertext document, then the server will deny the existence of the hypertext document The client is denied by Transmission of an error message according to the transfer protocol used.

In the event that the privileges of the client have not yet been established in the context of an authentication and the requested hypertext document is one of the "entry" category, the error message can also indicate that the server has some protected hypertext -Documents managed. This note can be used by the client's browser as a trigger for starting the authentication process.

Access to the hypertext documents is controlled by the classifications "open", "entry" or "hidden". In addition, properties, so-called privileges, must be stored on the server, the possession of which a browser client must prove in order to gain access to hypertext documents classified as "entry" or "hidden". In order to be able to prove these privileges vis-à-vis the server, they must be stored with the browser client. If the set of privileges is generally valid, these access rights must be stored at least temporarily on the browser client. The present invention thus meets the requirements of the Secure Socket Layer SSL, according to which the access rights can also be stored over a relatively long time. Alternatively, the conditions of the ECMA SESAME project can also be met in the present invention, and the access rights can be generated dynamically with the aid of a so-called network security service.

If the access rights of a browser client have been securely registered with the server, then these access rights are temporarily stored on the server. This has the advantage that the access times to hypertext documents are reduced. However, this intermediate storage makes it necessary for subsequent requests and responses to be authenticated in such a way that the server knows with certainty that which browser client it is. Accordingly, within the time period in which the access rights of the browser client are temporarily stored on the server, it is sufficient for the browser client to authenticate itself to the server. There is no need to transfer the access rights again. This is particularly advantageous because connections to certain servers are only available for a short time while accessing a specific hypertext document and are then interrupted again. For these recurring access requests from the browser client and responses from the server, an encryption process can be used to ensure data protection.

According to one embodiment of the invention, the accessing party, in particular the browser client, has the option of transmitting only a reference to his access rights to the server. The server can then access the referenced location and obtain the access rights of the current client. The referenced location can be another network service or a local memory of the server.

According to a development of the invention, a security protocol is used to transmit the access rights or a reference to the access rights. The transmission to the server takes place via so-called Seeurity Protocol Data Units PDU, which are embedded within the transfer protocol used to access the hypertext document.

According to a further development and refinement of the invention, the server has a method for forwarding access rights to downstream data processing devices and thus to server systems of the databases. This makes it possible to adapt the content of a requested hypertext document to the access rights of a browser client. This functionality is particularly advantageous in those cases in which the hypertext documents are used as an interface for applications outside the browser client expire and further process the data it has available. The result of this further processing is presented to the browser client as with a locally running application program. The scope of the result is determined here by the stored access rights. This does not require repeated authentication between the browser client and server and for each subordinate server that can be accessed as part of the arrangement.

A server can be used to convert the access rights of a browser client into a specific transfer protocol that can be processed by downstream servers that do not contain the subject matter of the present invention. The intermediary server that carries out this conversion need not contain the requested hypertext document and thus serves as a so-called proxy server. With this functionality, a large number of servers which do not fulfill the security mechanisms of the present invention can be inserted into the security system via the proxy server. The servers downstream of the proxy can continue to be operated in unchanged form. The hypertext documents or the programs used to generate a document, which are present on such an existing server, can also remain unchanged, and nevertheless access is made possible via the security mechanism according to the invention.

In a corresponding manner, a proxy can also be connected upstream of the browser client, which is used to save the access rights and to transmit them in a secure manner. In this way it is possible to use the present invention with the browser client without having to change a browser program previously used. In such a case, the present invention offers access control, encryption and authentication between the proxy on the browser client side and the server which has the features of the present invention. If the server assigns this If you do not paint, a corresponding proxy server with these features can also be connected upstream, so that existing browsers and servers can continue to be used on both the client and server side.

The present invention can thus be introduced without having to make changes on the part of existing browsers, servers, hypertext documents and corresponding programs.

The invention is explained in more detail below with reference to the drawing. Show:

FIG. 1 shows a schematic illustration of hardware components of a data processing network,

FIG. 2 shows the essential software components of the data processing network according to FIG. 1,

FIG. 3 shows a schematic illustration of a reference from one hypertext document to another,

FIG. 4 shows a schematic illustration of the implementation of a reference according to FIG. 3,

FIG. 5 shows an example of an access control list,

FIG. 6 shows an elevation of a server module with a security mechanism,

FIG. 7 shows an elevation of a browser module with a security mechanism,

FIG. 8 shows an elevation of a server without a security module and an additional proxy module with a security mechanism, FIG. 9 shows an elevation of a browser without a security module and additionally a proxy with a security module,

FIG. 10 shows a visualization of a data exchange for access to a hypertext document of the entry class,

FIG. 11 shows a tabular representation of different address forms and address components,

FIG. 12 shows a flowchart for the access mechanism on the browser side,

FIG. 13 shows a flowchart of the access mechanism on the server side and

FIG. 14 shows a detail of the flow diagram of the access mechanism on the server side according to FIG. 12.

Figure 1 shows a schematic representation of a data processing network. This data processing network contains a personal computer PC or workstation PC which is coupled to a host computer 21 via a network line 22. This host computer 21 is in turn coupled via a further network line 23 to at least one further host computer 24. The host computers 21, 24 and the personal computer PC are part of a known network architecture.

The exemplary embodiment uses this network architecture for the needs of a distributed computer system, in particular for the so-called World Wide Web WWW. The software components of this WWW are shown in Figure 2. At the personal computer PC, the so-called client, software is loaded, which is referred to as a browser 30 and enables access to hypertext documents 10 (see FIG. 3). This browser 30 can also support the security mechanisms according to the invention. If he does not do this, a proxy 35 can optionally be available on the personal computer PC Security requirements met. This proxy 35 then fulfills the security requirements according to the invention. The network line 22 transmits data from the browser 30 to the host computer 21 via a transfer protocol 32. An example of such a transfer protocol 32 is the hypertext transfer protocol

HTTP. At the host computer 21, the transmitted data are received by a web server program 31, hereinafter referred to as server 31. If this server 31 does not contain the required security mechanisms, a proxy program, hereinafter referred to as proxy 31, can be inserted between network line 22 and server 31, which supports these security mechanisms according to the invention. The server 31 has access to network components running in the background via the network line 23. The server 31 can access a database 34, for example, via a special transfer protocol 33. To access this

Database, the network protocol 33 can fundamentally differ from the network protocol 32. The network protocol 33 can be tailored to the needs of the database 34.

A data exchange takes place in the form of so-called hypertext documents 10 with the distributed computer system according to FIG. 1 and the software distributed thereon according to FIG. 2. Such hypertext documents 10 are shown in FIG. A hypertext document 10 contains data in the form of characters 11, images 12, videos 12 or audio sequences and in the form of references 14, so-called links, to further hypertext documents 13.

As shown in FIG. 4, these hypertext documents 10, 13 are assigned to different servers 31, 41. The hypertext document 10 is assigned to the server 31 and the hypertext document 13 is assigned to the server 41. If the hypertext document 10 is called up by the browser 30, this call is transmitted to the server 31 via the transfer protocol 32. The call contains the name of the server 31, the name of the hypertext document 10 and the location at which this hypertext document 10 is stored at server 31. This information is known as the so-called unique resource layer URL. The transfer protocol used, in this example HTTP, is also specified in the URL. For example, a complete URL is HTTP: // host. sweet. ie. / documents / docl. If this document is found using the URL, it is packaged in accordance with the regulations of the transfer protocol HTTP used and transmitted to the browser 30. The browser 30 is able to display this hypertext document 10 on the screen of the personal computer PC or to make it audible. The hypertext document 10 contains a link to the hypertext document 13. This link is a complete URL. Using this URL, the browser 30 sends a request packaged in a transfer protocol 32 to the server 41, which is mentioned in the URL. On the basis of the information from the URL, the server 41 can find the hypertext document 13 and transmit it to the browser 30. The browser 30 can also display the hypertext document 13.

Access to hypertext documents 10, 13 can also be prevented. There are three categories of hypertext documents 10, 13: General accessible documents, restricted accessible documents and hidden documents. These categories are also referred to as "open", "entry" and "hidden". Each server 31, 41 that manages documents classified in this way has an access control list ACL. Such an access control list ACL is shown in FIG. 5. The access control list contains ACL document-specific statements about the classification of the document, necessary privileges to access the document and additional instructions for performing access to the hypertext document 10, 13. The document is specified by entering the complete URL in the first column of a line Document takes place in the three categories "open", "entry" and "hidden". Such a classification can also be completely dispensed with. In such a system, role-dependent access mechanisms (privileges) can still be used.

The privileges required to access the hypertext document are entered in the third column of a line. Access rights are divided into roles and graduations of roles. Such roles are known from ECMA 235 and ECMA TR / 46, where they are defined as binding. Examples of roles are administrators, role: admin, openness of the document, clearance: topsecret or clearance: restricted, and customers. These individual roles can have different levels of authorization, for example levels 1 to 6. It is also possible to only specify authentication as the access requirement. In this case, for example, the right ANY is entered in the third column.

The fourth column contains instructions that the server must execute if the desired document cannot simply be read from a memory and sent. Figure 5 shows two types of instructions: The instruction

"Program" contains the name of a program, for example "AdminP", which the server 31 has to execute. Such a program then generates a hypertext document 10, 13 and makes it available to the server 31. The server 31 can then send it to the browser client 30. The "ad on" instruction is used to instruct the server to add a command sequence, a so-called "string", to the current request in HTTP format, which contains the access rights mentioned in the table with regard to the requested document 10, 13. The request expanded in this way is forwarded to another server. The condition for this type of command execution is that the hypertext document is generated by a program or that it can be obtained from another server via the HTTP protocol.

A decision as to whether access to a document designated in the first column of FIG. 5 is permitted, is based exclusively on the document name specified in this column. If the requested document name is not included in this column and this document is available on the server, then it is basically a document of the "open" class.

FIG. 6 shows the functional components of a server 31 which contains the present invention. On the network side, the server contains a transfer protocol converter 61. This receives incoming requests via the network 25 and the network lines 22. These requirements meet the requirements of the network protocol TCP / IP and the HTTP format. The protocol converter 61 is able to convert incoming requests by means of its “parser functionality” into such a form that it can be further processed in the server. Likewise, it is able to reply from the server in accordance with the requirements of the network 25 in A further component of the server is the access control unit ACU This unit ACU has an algorithm which accesses the access control list ACL according to FIG. 5 using the name of a hypertext document 10, 13 On the basis of the decision criteria contained in the algorithm, the access control unit ACU is able to make a decision about a right to access this hypertext document 10, 13. The access control unit ACU is also able to include further ones in the decision table ACL Information, especially that of columns 3 and 4 to admit.

Another server component is the privilege generator 63. This unit 63 is able to determine the access rights of a requester. She is also responsible for protecting requests and responses. In doing so, it uses a security context. One such privilege generator is the GSS-API, as described in RFC 1508. The access rights become temporary for current access from a browser client 30 to a server 31, 41 generated by the privilege generator 63.

Another unit of the server 31, 41 is the intermediate memory 64, in which the access rights generated in the privilege generator 63 are temporarily stored. Likewise, the security context that may be used is temporarily stored in this buffer 64. The storage time in the buffer 64 can be limited to a current access, but can also be several hours or days. The storage period is freely definable.

The three components “access control unit ACU”, “privilege generator 63” and “buffer store 64” are controlled by the security control unit 65. This unit 65 contains a status machine that enables or blocks actual access to a hypertext document 10, 13. For this decision to be able to implement it corresponds to the units mentioned ACU, 63, 64.

The server 31, 41 contains a further component 66. This document access unit 66 is able to access the desired hypertext documents 10, 13 in a document memory 67. If it is a hypertext document 10, 13 that first has to be generated by a program run, then the document access unit 66 is able to start external programs 68 that generate the desired hypertext document 10, 13. For this purpose, the document access unit 66 corresponds to the program execution unit 68 via a commonly used interface, such as the common gateway interface (CGI) or a specific interface. If the desired hypertext document 10, 13 is present, the document access unit 66 transmits it the safety control unit 65.

The components that are available on the browser client side 30 are shown in FIG. The browser 30 contains a user interface 72 which transfers the hypertext documents 10, 13 for display on the personal computer PC. For this purpose, the user interface 72 converts the format of the hypertext document 10, 13 in such a way that it can be reproduced by the functional units monitor or sound card. The functionality of the other components of the browser 30 corresponds to the corresponding units 63, 64, 65, 61 of the server. The privilege generator 73 generates the available access rights and provides the corresponding mechanisms for protecting the requests to be sent and the responses received, the security context required. Like the server 31, 41, these mechanisms are defined, for example, by the GSS-API according to RFC 1508.

The access rights and security contexts obtained are temporarily stored in the buffer memory 74. These two units 73, 74 are coordinated by the browser-side security control unit 75, which forwards the corresponding information in the direction of the network. A protocol converter 71 is arranged between the network 25 and the security control unit 75, and its browser functionality converts the information in accordance with the network protocol used and the form of presentation of the information used in the browser 30.

Servers 31, 41 are already in use which do not contain the components according to FIG. 6. In order to be able to continue using such servers 31, 41, a proxy server 36 according to FIG. 8 can be inserted between network 25 and server 31, 41. Such a proxy server 36 is largely identical to a server as shown in FIG. 6. However, hypertext documents 10, 13 are not permanently stored in the proxy server 36. Exception is only saved for frequently requested documents 10, 13. On the network side, the proxy server 36 contains the protocol converter 61 via which requests and responses are implemented. A proxy server-side security control unit 85 corresponds co co 1 \ _ K P> cn o Cn o cn o cn σ d σ rt öd d rt d rt N d: tr ∑:> ∑: tr CΛ CΛ P- σ C: σ σ. CL cn cn rrj 3 σ <d CTl 3 o P- Φ P- P 3 Φ Φ od tr d Φ Φ d P- Φ Φ P- 3 P- tr P- 00 P- rt rt P do Φ Φ co P- vQ P cn O cn d rt? Φ 3 ω P- o φ p- P n Φ Φ Φ φ Φ Φ O cn P rt dn ∑: Φ NO Φ P cn rt rt tr rt tr ≥. cn P CL d X cn dd

P σ tr ω ri ^¬ P ⁾ ∑: P- 'P- Φ φ Φ cn cn Φ Φ Φ Φ P- CΛ - φ ^• <o & d CL

Φ PJ φ d Φ t- ^> d φ rt tr PP ⁾ P- PPP n- P Φ% φ n Φ P 1 CL Φ P ¹ Hi CL Φ d l- ¹ ri ^¬ P rt ω P d φ P- N Φ d Φ φ tr N P- y? tr d CΛ ^ d OP rt o tt) cn. y? 3 3 d Φ d <Hi co Φ ∑: TJ d O φ d 00 d Φ d rt P CL d CL cn P Φ tr φ σ. P- Φ P Φ Ό P P- Tl vQ P ⁾ J- »CL φ to

P * PJ P> co σ φ VO φ TJ ≥. PJ P öd Φ <• rt P od Ό Pi rt • cn <3 P> P> Φ 3 do 3 d cn P- 3 CO rt P φ VO d ∑: P P- J cn .r cϊ- O rt Φ Φ P- o P vQ

• ^ cn φ N o rt J ^. ω Φ o cn dd Ό o N d P cn P- P cn ^ ^> ∑; d to P öd rt cn TJ Hi Φ XN • d ∑: TJ rt d Φ H y? ∑: d CL rt ddn Φ d ∑: P- φ PJ P- d: P: P ^ <∑: CL CL cn P- Φ Pi rt o O Φ vQ Φ Φ Hl tr co tr P ¹ P- vQ P- pi

CO P- dd tr o P 1 φ <φ Φ Φ φ d N rt P- P ¹ Φ CTl co rt cn Pi cn cn CL PX U3 Dd P o P rt P CL Z o rt CL ¹ CL P- Φ Φ Hi O cn

CL TJ O P- * CL P> P y? 3 1 cn σ Φ Φ; . d Φ Φ P- Φ P- rt J P d P d: tr y?

Φ P- tr 3 vQ 1 Φ - »o TJ öd ∑: CΛ ∑: PJ 3 P o 3 d cn n Φ d N P- P ^J P Φ O

P φ P- Φ öd d ZP φ Φ Φ Φ rt yt P ¹ cn tr CD cn 00 cn φ n Φ dd

P ^J N rt d P CL cn o P d P P- P- Φ CΛ P 'Φ TJ CΛ Φ CTl Φ Cn vQ d tr P- Φ cn rt pi ∑: o TJ Φ Φ rt O d CL rt cn d P - P rt P φ d φ vQ rt rt P- JP

P ^J φ P- t ∑: PPPO rt rt Φ Φ φ o Ω Φ N o P PJ S Φ tr rt Φ d Φ o

PJ P- cn Φ o cn O yt ON d P- tr P- Φ rt <to d Φ d φ tr d P- cn dnd 3 φ X CL o O yT φ • yT P ⁾ d Φ <d P o φ d vQ P- rt d ∑: Φ co

CΛ φ tr Φ TJ P • <; P- n OPO: d H Φ φ> r P vQ Φ cn tr CL Φ P- cn • <tr Φ φ cn Φ do 1 Φ. P ^J ω σ d cn φ tr P cn αj o cn P y? Φ pj: P 3 O Ό Φ P- dd co öd P * n P- d P- Φ tr -JP "P- o N CL P ¹ φ P d

5 to CL Φ cn P σ rj tr Φ Φ C. d P- P- CΛ co Hi Ό P- rt d Φ CΛ P ^J P tr φ d öd Φ do $ P- N> 3 dd CΛ φ rt d P- cn d P ¹ Hi T. cn d Φ rt σ. φ d vQ P cn ri ^¬ Hi ∑: Hi Φ cn P- tr CΛ P Cn CL n Φ 3 cn Φ rt CL PO Φ> £ -. P- rt P o tt ⁾ d: cn O cn Φ φ rt Φ tr L d Φ tr rt cn PJ P- J Φ X rt

P p- ∑: öd d P Φ P φ P- rt rt P Φ Q Φ rt Φ N Φ d d rt cn N P α Φ Φ rt

* _ * Hi cn P P CL P d N cn Φ P J Φ rt P rt rt Hl Φ P- d PJ PJ P P 1 d

Hi Φ O CL φ Φ Φ rt P- Φ cn N L tr N CL O n d d ö n co tr O cn P ∑: co PJ P Φ cn P Φ rt P- o ∑: Φ Φ CL Φ Φ P j φ CO d o

CL cn -. cn Cn d d H "ω rt tr tr Φ d P- P- H d 3 P Φ P- PJ P> P-? N *»

PJ J co Φ d rt CΛ IΩ p- ¹ cn Φ H rt Φ ⁾ OP d cn P- O dd

P d P CΛ d vQ tr P- J-> Φ φ yt rt ^ CΛ cn OD d rt vQ vQ φ cn cn vQ tr α vQ Hi. £ - P- 3 φ J: n P- Φ JN Φ d σ ^ P P-. φ Φ rt Φ rt φ Φ Φ

Φ d co n cn d tr v • J d P- d rt 00 H Φ PJ O o PJ cn φ d cn • dd 3 cn Φ do tr φ rt Φ Φ tv> vQ dd Φ Ω «. rt rt X d 3 rt d • α Ό rt rt rt P- CL ^ 1 Φ rt PJ P φ vQ ei ^¬ d Φ csi φ Φ • φ 3 Φ rt P- φ Pt cn TJ

Φ d PJ P ¹ PN d Φ tr J d cn Φ ZPZ d cn 1 d P ⁾ cn σ φ p- cn P> n P

P ^J CΛ d ^• »tr rt cn P- Φ dd φ cn n ^ Φ Φ CΛ d P- TJ P- cn n rt o tr P- tc Φ cn Φ d P- vQ CL rt Φ en o P CO P φ TJ φ φ cn rt P Φ Φ tr • Φ <1 rt -J P- d CL Φ rt Φ N rt rt P CL P ¹ >? d PPP Hl φ P Φ

S P P- P-

<^ cn rt d Φ d cn d φ rt N • 3 φ φ rt o <tr: Ω CΛ P ⁾ P- P ¹

Φ φ P- cn CL 3 d P- Φ rt d 3 cn cn X φ J tr CL tr P- <rt cn co Φ φ ö PP vQ CL d ∑: Φ dd Φ d: P- TJ ^ P P- H PJ Φ n O d vQ

Φ rt d Φ Φ CΛ Φ rt Φ tr CL rr 00 P 1 rt d cn d tr P W PJ P-

P Φ CO P cn rt P- P- P- N Hi 3 Cd Dd Φ P- Ω Φ CΛ co φ d cn CL Φ vQ cn ^ d φ

X P * N φ o rt ∑: O P P P Φ CL n Φ σ. d vQ Φ P J O T. o d

Öd rt TJ ∑: tr Φ Φ P TJ O O rt φ d tr H cn tr d d Φ CL tr vQ

P 1 P- P Φ Φ P P CL P ∑: ∑: P cn 3 § Φ <Φ> r Φ p- CΛ Φ vQ CL P Φ Φ o cn P- o P P Φ y? Φ o cn cn PJ P- * d Φ P J H- Φ O P- Φ rt d cn d

∑: rt P- X rt tr d Φ P rt φ Φ vQ O TJ CL H Pi dd tr rt P Φ P- Φ cn Φ Z Φ CΛ d OPP Φ tr P ö cn O d tr C- d cn O d X CΛ φ P

Φ P- d 1 sΩ o P- TJ d y? d Φ o J P- P- Φ tr P- 1 3 rt Φ PJ

P d 1 CO P rt P VD vQ O co co - P X cn φ co vQ P- Φ rt 1 P φ rt

1 cn o co Φ t- ¹ CD 00 1 3 σ. rt rt P rt 1 P- o 1 1 d 1 1 1 1 P

co co r M P> P ¹ cn 0 cn 0 Cn 0 Cn

φ ∑: vQ CL CL vQ P- CL P- ^ σ <et Z Dd cn φ PJ Dd σ Dd P- d: CL CL CL ∑: φ DJ CL Pi i φ \ -> co

P- P- Φ Φ φ π Φ Φ PJ D ⁾ p- P- φ Φ φ XO P- d P 0 X d tr PJ PJ φ P- P- d Φ P cn co 0 d φ vQ PH ¹ TJ vQ d CΛ cn vQ φ PP P- P- tr d cn 0 yT P- rt P- ¹ P cn rt P d tr cn DJ D ⁾ φ Φ rt 1 Φ d J Φ rt cn PJ φ vQ ∑: cn Φ P- J cn • CL PJ d cn cn PJ cn cn tr σ. , tr 2, tc cn P d PJ Φ rt 3 φ cn 3 rt PO d vQ d Λ Cn cn P- d Φ

Dd P- Φ 0 0 Φ PJ H P- P n P Φ rt vQ Φ Φ Φ J tr Hi CL σ Φ Φ CL φ Hi Φ nd φ φ d π CΛ P d 3 Pi n P ¹ cn ^ & Φ d Φ C- Φ P dd P Φ PJ P- P- cn P Φ tr CL CL

N. d 0. rt Φ Φ TJ tr P ¹ T. rt Hi N rt tr tr cn rt N Φ dd ω Φ d O CL P 5 Φ Φ φ P- 3 tr 1 dd 1 PO V- φ cn rt P- cn Φ tr Φ φ 1 Φ dd rt

P- d> Φ H ^> ≥; Hi TJ. vQ d: d H CL P- P- d co d P- öd n vQ Φ 0 PP ddyndd P- d PJ d P P- Φ dd CL Hl Φ ω n • 00 vQ d Φ P tr Φ ^ rt cn P rt CΛ Φ tr ^ d cn rt Φ 3 P ^J d 0 φ N vQ CL Φ O cn rt tr P- CL P 0 rt Z • n Φ N t 0 P Φ Φ p- d P- d tP 3 P ^J α rt cn φ 1-1 P Φ dd P tr rt ∑: C- Φ tr ri ^¬ d co rt * P- P dd vQ P- PJ Φ cn O Φ P- P- 3 d CL σ d Φ d rt <ω Hi d tr P ¹ tt ⁾ vQ * 0 _* d <Φ dd P- 3 P- P CL yt vQ n P- d Φ 0 ∑; P- Hl • Φ ∑: φ P cn φ cn H yT Φ vQ P φ φ n CL P- 0 rt tr rt v P> r P- dd P Φ P φ n φ P P- cn O tr vQ P ω tr ∑: P- φ & Φ dc PP φ CL Dd Pi P P- tr P 3 tc Hi rt J Φ $

Φ P> φ CL P- φ Hl N ∑: d 3 0 P- Φ dd: α o rt 3 Φ><Hi Φ P ¹ d cn co Hi

P- l-> P Φ P- P • O 3 d P- vQ Φ ∑: d 3 r vQ Φ co P- Φ Φ P ¹ J cn CL n P ¹ O d cn cn P3 CL P P- d cn H d cn φ cn tr cn P- CL Φ? P ¹ tc Φ tr • P

Φ P- rt π H ö CL rt P- p: CL N rt P- Φ 3 <x) J PJ d rt σ P- d PO rt Pl P-: CL ω d 73 vQ Φ id Φ PJ Φ Λ rt d cn φ P φ PP d. 0 d d rt d P3 rt rt σ Φ tx Φ P- tr 1 cn d P C d N y Dd P Φ t CL P r d vQ Φ rt CL TJ • N Φ P

Φ CL cn 3 Φ TJ cn DJ d Φ Φ O tr to co P cn n φ P- σ d vQ X P- ri ^¬ P d

X Φ dd 0 φ nd P P- 3 ω p- d 00 OO tr P- Φ P ⁾ P- 3 P ¹ rt 0 φ Hi ött ⁾ d rt PX 0 - cn P tr vQ 73 n φ d cn ∑ : d Φ rt Φ Φ "0 1 ¹ Φ Φ cn dd vQ

Φ rt tr φ O rt s Φ tr Dd P ∑: PJ cn P> d T cn cn d 0 P "ö P- CΛ cn cn P

P co H rt rt 1 φ Hi tr CΛ Φ P Φ rt CL Φ P ¹ CL CL Φ Φ rt P ¹ O φ P- rt tr t 0 G- d φ PJ φ N ∑: ≥; cn 0 Φ vQ CΛ d 0 Φ P- N Φ P Φ P- φ φ>? P- O vQ PJ ∑: Dd

Φ P- tr d rt P- P- N PJ O ∑: P cn P- 3 0 ∑: cn d P- ^ d Φ φ P d tr Φ P ¹ % cn PI d P- Φ φ s PJ vQ P- tr d Pt cn rt d co 0 P- Φ d φ X d N 3 tr Φ tr Φ Φ

Φ Φ tc d 3 d rt Φ Φ P d Φ co Pi Φ 0 3 P vQ φ tr P- (T Φ Φ Φ P Φ P P Φ

P * <CL Φ vQ tr n Hi P P- ¹ ω O P- T. CL Φ ∑: cn tr dd P- tr vQ cn rt ö rt J P_ P- P Φ CL rt CL Φ O 0 P d vQ d ∑: Φ rt Φ rt P ⁾ : vQ rt rt Φ rt Φ Φ co! _.

P £. φ Φ φ cn P- • φ P co vQ 3 Φ rt 3: H- PJ P P- (- ^■ rt P- Φ d X 0 Φ

Φ CΛ CL P P- N Ό φ cn t → 3 0 Φ P- PJ TJ 3 Φ P- d rt rt 3 Φ rt P ¹ rt d CL rt cn cn Φ rt p * σ. P Pt 0 PJ cn d rt P PJ: P rt cn Φ cn Φ P d 0 O cn Φ 1 ∑: cn JP Φ 0 Dd O σ 3 S. 0 rt P- O. rt P- 0 &> OP pj: rt Φ d • _* y? O rt σ Φ tc

CL d X CL 3 • n 0 Φ PJ P- d tr Φ O X TJ t tr Φ O CL P- CL O td 0 P- •

P- vQ Dd rt φ pi: 00 tr 3 öd rt rt O P- P d * <CL O P- rt d tr dd P ¹ Hl d Φ yt cn J

Φ Φ P 1 cn d 0 Φ D>: Φ N 0 d φ n J 1 Φ P ¹ Φ h- ^■ d t_ι. Φ N co Φ rt P d cn Φ d vQ O σ Φ co dd P- ∑: P Φ P-? P Φ t P Φ Hl d P- vQ Φ dd Cn P? 3 P cn Φ ∑: 0 0 Φ Φ cn Φ dd rt φ PP P- Φ dn CL y tr rt O φ Φ Φ CL rt rt tr cn y? tö CL d Ό P α φ rt y? 0 td d tc Hi tr P ¹ 0 tc PJ P "Λ P- d PJ Φ

P- Φ Φ IX Φ φ CL P- y? ? ö PJ ∑: P- PJ ∑: P Φ CL cn Φ O n P- dd d P- d d rt tr X

Φ d P 3 cn d CΛ Φ φ TJ tr ¹ d tr P- Φ d cn Hi Φ% n> tr d P CL φ Φ Φ φ rt

P- Φ CL rt Φ cn * P vQ Φ PP d Φ P- * d cn Φ tr hd ∑: 0 φ DJ P- cn d P ¹ P- 1 cn P- co d φ Λ tr P Pi O tr Φ cn rt rt P d Φ P Φ y? Φ Φ Z P- ω d rt 0 ü rt ω 0 rt P φ PJ = <! Λ PJ rt φ PO • _" " • CL tr d: rt d: tr PJ P- P- w rt ω tr • tc d O

Φ rt cn P Φ φ O vQ Φ d co d P- tr Φ cn d d ω φ. Φ ^ P- yt

P. P- J <rt PP> r P- P- CL 0 CL CL Cn d Φ! - ^■ X cn Φ d P Φ P- T. P "n ω P- P" Hi φ. cn <0 dn Φ P- PJ P- vQ P P- rt Φ P co ö cn rt d φ co tr 3 σ φ 0 PJ P φ P- \ -> d tr P φ cn φ <3 O 1 3 <! d J co DJ Hi P rt Φ

P- 2; ^ CL cn ö co P cn P ¹ rt Φ Φ cn cn OO Φ tr d: Φ O vQ P 0 P cn CTi ri ^¬ CL _^ dd CΛ O P- * cn rt cn P Φ DJ H CL P ¹ Φ tr - d P PJ DJ P- cn CΛ tt ⁾ Φ rt

0 P ¹ d tr φ _^ «*> ∑: rt ^ d Φ d vQ Φ CL d Φ CL P- d vQ d 0> • Φ XP CL cn

CL P- 3 co d φ cn d CL P- • 0 Z P- Pi Φ P d P d Φ Hi i Φ Hi tr P- rt PJ

P- cn P ⁾ : tr Φ d P- J φ P Φ d 1 dd P- Hi cn tr co rt 1 cn P »φ rt d J ⁾ L P- φ d 3 P- Φ tr vQ CL vQ d φ P - d cn Φ cn 0

1 Φ d d φ ω Hl P- 1 P- Φ P- φ d d 3 d

1 1 d φ P- φ 3 1

co co IV) MP ¹ P ¹

Cn o cn O Cn o Cn

P vQ O CΛ Ω tc TJ ö ö <CΛ td rt CL DJ DJ CL CL> P Φ tc dd tr tr rt Φ _^ <! N d J σ cn d P CL Φ tr * P oo Φ PP PJ Φ PP ^J Φ P ddd 3 P DJ Φ Φ P ^" z Φ P Φ o ≥: Φ o DJ φ P Φ J o pr Pt P ddd PO cn d φ cn d rt HO d P d Φ P TJ ^• »d CΛ 3

PT 3 P <d Φ vQ d d CL ω ∑: vQ tr TJ ∑: vQ cn CO φ tr d Φ

3 Φ P P 3 y co Dd Ω <cn PJ ≥: CΛ CL PJ cn rt J φ cn co J 5 d 5 T.

P DJ d P rt PJ Φ Φ> CL φ tr O Φ d PJ P Φ P> Q Φ • P P <Φ 3 CΛ rt K PJ

Φ d tr Φ Φ 3 dd PPP Ω 3 Ω do rt Φ P φ P ¹ o Ω Φ CΛ Φ o

Hi cn Φ CO PX 3 rt rt d Φ cn NP ¹ 1 tr φ tr IV) Φ rt 1 J φ * _* * Φ Dd cn P ¹

Φ Hi P ^ J Hi rt PJ N tr TJ ∑: cn π d Φ 3 d o d cn d 5 • <rt

P d O 1 d P> d Φ co PP rt P- CL PP <• 73 ∑: vQ cn ∑: rt ∑; I Φ. CL rt tr LP ^J σ cn o vQ H d φ cn JPP d tr rt o Φ P CL Φ Φ rt P cn Φ td H cn Φ

• PP CL Q o Hl P rt vQ Ω d Φ φ d Φ 3 O Λ Φ PPND ⁾ PJ tr 2 pr cn cn d φ Φ rt PT d PHP tr CL d α P CL P dd Φ cn Φ d CL P cn • d Φ d P tr P> Hi PJ P CL Φ P rt <! rt Φ Dd φ Φ rt cn Φ P CL Φ Φ N. ϊ vQ CΛ Φ P co Hi vQ Hi PJ d vQ O o cn PP cn Cn φ vQ P CL Ω Ω NPI cn P CL P φ d cn Φ Hi N Φ co 3 H cn o Φ rt CO d CL rt vQ DJ tr . d rt Φ d φ Ω D> dddo Φ d cn d Dd do rt rt ∑: POP Φ N φ tc d • _* rt

P tr cn rt vQ CL PPP. Dd Φ cn Hi <V φ PP ddo Φ Φ d Φ to cn φ d ∑: Φ P o ξ P d Hi Φ dd Pi cn CL cn P σ ZP tr P tc d P> Φ P tr d Ω cn Z td o Φ Φ OP o P d PJ J rt TJ tr rt tr Φ P d φ tr vQ o P φ t tr rt CΛ Pi cn ∑: cn PP Hl ^ ^, P Φ P • JPP Φ

P Φ% P - d PJ P CL rt Φ O cn d CL co CL d PJ PP d cn P ¹ CL rt rt P Φ P tr d rt Φ φ PPP vQ Φ vQ d Φ o cn PJ Φ PJ vQ d PJ rt cn tr 73 rt P Hi P ¹ φ Hl d *> 3 CL PP Φ vQ P rt cn P 3 & Φ N d Φ Φ Φ d ö σi cn rt Hi co P CTi ^ co φ tr z cn d N PJ d φ Φ tr P vQ P. α cn 3 o

00 ω Φ rt Φ CTi CL Q o P rt co d Φ d d d iQ Φ d N P TJ φ J P P rt 3 rt X J PJ P PJ P CΛ d o d P vQ 3 Φ Φ d N P φ Φ CL PJ

CL Φ rt dd σ. d φ d φ CΛ ddd cn d P ∑: vQ cn P CL DJ o Φ _* * cn Φ P d

P d 1 cn oo P cn 1 d vQ PJ 3 Ω tr I- ¹ CΛ vQ d Φ P Ω Φ 3 vQ rt • φ H φ φ φ Φ σ - φ d P 3> CL P tr Φ o Φ Φ d cn d tr rt Φ Φ PP vQ

PO Φ Φ d φ P TJ P ¹ P ^J rt rt P co P cn Ω CL d. _^ d Φ OP PJ 2

CL d PT P d CL rt co P rt J CΛ o Φ vQ Φ rt <Td Ω tr d • P P CΛ tr 3 J

PJ dd PJ cn d Ω 1 Φ IV) ^• • Φ dd φ P tr d CL d σ ∑: rt φ Dd rt 3 cn vQ 3 φ CΛ cn TJ vQ tr CL £ PH "CTϊ tr PP rt rt P vQ PJ P > CΛ P "Φ IV ⁾ cn Φ 3 Φ PP φ Φ φ <φ PP tc cn Φ d Φ N φ N φ d ∑: CΛ t__ CL P

Φ Φ d P ∑: Φ P d P Ω Φ P d Φ S ~ - PON rt? d cn Φ Dd [_J P d CΛ d P rt TJ <P Ω Hl CL tr P d Hi J rt P> P tc Φ CO \ φ P CΛ Dd φ? Φ rt d P φ φ tr Hi »PJ CL Φ φ 00 P Ό * d CΛ ∑: P α CL! __ φ P cn tr P ¹ OP CL Φ d co 3 Φ P. Cn PJ dd T. Pi vQ CΛ PP Φ [_j σ cn d <! J Φ o X Φ d PJ CL Hi PP ¹ φ d rt rt vQ tr DJ Φ o 1-1 Dd PP Φ d Dd oo P

P P "* • • <o P P- d PJ o cn tr Φ Φ Φ CL φ Φ 3 P T. P • CL d cn • 3 vQ ΪÖ Ω

Φ rt 1 P ¹ r_ φ Hi d P 3 φ P dd X Φ d P φ rt P Hi M Φ σ PJ Φ J φ

OP ¹ CΛ y cn d P- d PH rt cn φ rt Φ φ Hi Dd PJ CL d σ oddd cn tr 00 co Φ Φ cn Hi PJ N co 1 d P ∑: X cn rs d Φ P 3 Φ p ⁾ α ; φ Cn PP CL TJ P φ PO Ω dd ö CΛ PJ P rt α PP d φ PJ d • d N <Φ PJ P φ H d tr P tr P iQ O Φ σ vQ P 1 Φ φ CΛ α P dd tr

CL PJ d φ Hl cn O cn Hi d φ CL Φ P P DJ Φ CL ö cn Ω CΛ Φ Tj P TJ Φ J rt Φ σ

Φ d P P Φ vQ φ o vQ cn Φ P P d <rt d o tr Dd d P d P d Φ Hi P

Hi d P vQ P cn * Ω P tr Hi 3 Φ φ • DJ pr rt rt • vQ N o pr rt P φ

Dd Ω co rt Φ PJ vQ I- ¹ trö Φ Hi φ P d P «d D ⁾ Φ TJ d P rt PJ Φ CΛ d

P CL PT CTl • ∑: 3 tc rt o PP PJ P ω d cn cn y rt Dd PP TJ O d rt td CL φ vQ PP ^J dy

Φ Φ P PJ Dd d 3 IV ⁾ P Ω rt rt P rt φ Φ cn CL P dtd CΛ P d Φ tr Φ P φ cn co X d PJ φ d P ¹ PJ O CL ^ JP tr tr Φ dd cn P Φ tr N tr d DJ Ω P »rt & rt Ω cn PJ NP> 3 P- <φ 2J Ω PJ d TJ Hi Hi rt Ω d P Φ d Φ P PJ vQ tr P> P Hi tr d P ^• ^ Φ P ¹ o P Dd tr

PP Φ cn tr rt H 3 d cn dd rt o cn P ⁾ OP> P • vQ TJ d PJ 3 Φ rt cn OP CL TJ rt CL Φ • rt ω d φ - * O tr P o P φ d P- d * τ) σ Φ

1 rt Φ P Φ φ X CL CΛ. 1 vQ Z P CL Ω 1 J φ ∑: vQ CΛ P o i d

N d Φ P rt P Φ CL P> o φ Φ tr 3 rt P PJ Φ P 3 o Φ dl 1 Φ P φ co tr P 1 P> Φ Φ PP d D ⁾ 3 1 cn rt co dd 1 Φ 1 1 1 1

The hypertext document 10, 13 thus available to the server 31 or the proxy server 36 is packaged in a protocol-compliant response, optionally encrypted, and sent back to the browser 30. This processes the hypertext document 10, 13 in such a way that it is in turn displayed on the client's personal computer PC. The process sequences in the browser 30 are explained below using the flow chart according to FIG.

In a first step 201, the browser 30 issues a request in the form of a get request to the safety control unit via the user interface 72. The requested hypertext document 10, 13 belongs to a security class “open”, “entry” or “hidden” that is not known on the browser side. Almost any number of additional security classes can be defined. The only restriction on the number of security classes is the amount of processable classes with reasonable administrative effort.

If a browser 38 of a conventional type is used, the document request arrives at the security control unit 75 via the user interface 72, the protocol converter 94, the security network 93 and the proxy browser-side protocol converter 91. In any case, the security control unit 65, 75 in step 202 carry out a comparison of the desired server domain with server domains known from the browser and selects a decision with step 203.

If the decision is positive, then a context is stored in the buffer 74. In this case, this context is used to package the request. This packaging and unpacking is known under the terms "wrapping" and "unwrapping" in the context of GSS_API, RFC 1508. The GSS-WRAP and GSS-UNWRAP functions are used in the invention as follows: The safety control unit 75 receives a get message in plain text, for example “Get URL1”. A corresponding one CO co IV) r P> P ¹

Cn o Cn o cn o Cn

∑: CL d: cn TJ Hi cn ZP ^» vQ S 73 CL d ^» vQ d: PJ tc t- ¹ σ. CL co Φ * vz Pi d rt N pr P- pi

PJ tr P- DJ Φ φ Φ co Φ Φ J Φ d co Φ tr P-. £> w

P- d H P- o 3 d DJ Φ PJ Φ d d φ o o

P cn Φ Ω Ω P rt rt P ¹ d _t PP Φ t-3 Φ φ CL DJ Ω P dd rt dd

CL P tr PT rt NNN P- d tr 5 P α TJ vQ d ω: Hi Φ Ω tr d Z: vQ _^ rt rt

DJ rt Φ Φ ∑: d Φ Φ CL P- cn vQ P- rt D> φ tr: rt φ P CL rt DJ tr cn Φ Φ

3 d CL φ • P Φ P Hi P- d Φ d P- Φ TJ Ω Φ d • P- Φ Φ Ω Φ Hl ∑: X X

P- vQ Φ d tc P Φ P- Hl PPH tr O Φ tr ^• z P Hi Λ Ω PP tr P do rt rt rt Φ d rt Dd • <CTi pr tr P φ CL O φ rt Φ cn P- J rt rt • tr P vQ d P

Hi ∑: φ TJ 1— 'P rt Φ P PJ P-. P rt d Φ Ω P Φ • rt CD TJ P- φ PJ ∑: ∑: o Hl Φ P- φ -> M o cn P CL CL Ω 73 P- tr DJ d • ω J Ω tr rt d P- P -

Φ P Φ CL 3 P cn ∑: tr Φ Φ P tr tr ¹ ö CL S cn d P vQ V ∑: CΛ q tr Φ P- cn PP

3 CL tr Φ rt - cn DJ P dd P φ Φ P ¹ P- φ Φ O Φ P- φ CΛ P- 1 d rt d O CL

Φ P "P φ Φ d Φ rt <! Φ d ω d φ d cn P ^J 3 Ω d Ω PS Φ ^• » d cn

CΛ P vQ d X d P Φ cn d cn CL ^ cn cn Ω tr • tr Pl CL T) o p- N PJ

Ω rt Φ d rt rt d: CL cn P Ω vQ P- Φ φ PJ tr TJ rt P o py Ω P- ∑; Q Ω d d tr Φ cn 3 TJ 1 tr Φ z cn tr φ tr 3 H vQ Φ PJ σ P- P DJ hd rt Φ o CΛ tr 3 cn

H Ω DJ σ Φ CL P- P- Φ P CL H Φ P- ^ d 3 Φ P cn cn φ rt 3 1 Φ Pi P CΛ

P- tc tr Φ Ω OP P- rt P P- Φ Φ rt N rt d P- cn rt P rt DJ cn T] rt Φ PJ 1 CL <CL rt * <P ^J P- PT pr rt Φ P- P_ rt P- ω Φ φ d rt d>. Φ D ⁾ rt d 1 P ds: P- Φ Φ rt TJ PJ d rt d P vQ P- tr P- α t rt d O d 3 CΛ IV) P- tc d CΛ rt Hl Φ P

Φ 3 PJ cn Φ CL vQ d tr CΛ Ω Φ rt Φ rt d CL 3 φ o Φ H pr rt •? 3

Φ vQ φ J

K. P Φ d Φ vQ Φ dp ⁾ Φ d φ Φ tr P p- P ^J Φ rt Φ rt P Cn PH rt P α T) <DJ co o rt d S d Φ P cn vQ N pd O rt P Φ d <rt TJ P- P- ö P- Φ Ω ∑:

-J Φ Φ DJ tc rt d <CΛ <φ <Φ CL d Φ X d φ ∑: • o d P- φ ∑: P pr P-

X d P * • Φ P- J Φ N P- Φ rt PJ d CO rt? . d P P- TJ d vQ φ cn Φ TJ Φ cn

PJ rt d TJ P- P Ω d P d Ω P cn P ¹ do CL P σ o Φ P PJ d Ω d 1 t 3 Φ ds 1 tr vQ PJ tr P- P-? , tr <d co DJ cn d <α Ω tr

Hl σ d Φ P P- Φ Φ P CL do cn vQ φ O P- O rt cn o 3 rt P- CL φ T] Φ pr CL Φ o vQ rt CL rt d P Pi tr Φ Φ P ¹ rt Φ Hl d P- P Φ d P- Ω Φ P d rt Φ d pr P CL Φ Φ d tr o Φ d rt • ∑: Φ rt Hi X Ω cn P- rt g tr ω TJ d Φ P cn

Φ P- d XP CL CL Φ P P- Φ CL: P Φ Φ rt tr rt φ Φ rt cn PJ IX ^* CL TJ

3 3 Hi d rt Φ P- CL rt Tj d d σ d rt X d Φ rt Φ P- cn φ Ω rt P- Z H Φ

Φ Hi Q 1 O 3 tr rt Φ d P- P P- cn rt PJ d Hi P ¹ t cn ω tr d pr P- Φ PJ d P-

* IV) d cn ö tr P ω P d vQ tc Ω Φ Ω P- d 'rt d: P- h- ¹ Pl rt DJ Φ rt O Ω Pl Ω 4-

Φ rt ∑: O Φ CΛ o cn rt vQ d * <tr cn tr Φ d 3 TJ P d rt Pl vQ pr P- φ d> Q tr O tr

P d CL pr d Ω ∑: rt Φ PJ Hl φ rt dd Φ PJ J φ PJ d φ PP Φ cn P> d P- tr cn Φ Φ φ φ d: d Φ CL Ω CL cn CL Φ d rt z PJ d P-

O φ y 3 P o cn tr P Φ d tc P- d P tr i CL pr P- Φ DJ JP CL d Φ PJ PJ Ω PJ d _^ Ω Φ Φ P- P Φ ^► <d rt P td tc CL Φ rt Φ P- P o Φ rt P Ω cn d tr rt - ~

DJ tr CL d ω rt cn P TJ t- ¹ Φ Φ d ^► <PJ P- P cn d DJ cn P d tr d rt P-. £ »

P ¹ Φ rt Ω rt Φ d φ J co X d rt JP Φ CL Φ Φ d rt P- P- Φ P td rt O

CO dd tr P- d P o rt • TJ Φ rt Q Φ d 3 Hl φ T cn P- P Φ Φ d Φ o. d P ¹ P co rt vQ rt cn d 1 JP Φ <CΛ P tr SPO rt CΛ Ω vQ d P do rt Dd o P- o P- cn Φ P- d σ σ Ω rt X Φ CΛ dd co P- Φ rt P • rt tr φ vQ; rt

3 ö Φ P Φ o. vQ Φ X rt CL o P- pr Φ rt P 1 CΛ P ∑: d cn Φ 3 P rt tr Pl P- Q d

TJ P- UO tr Φ H- rt P- pr φ d X TJ α Φ O P- cn σ ddd tr Φ O d φ P ∑: P> Φ Z dd 1 <P ¹ dd rt CL P ⁾ d PZ cn Hi DJ CΛ; P- pr P- P- Pi rt rt 3 rt P- cn co d P- tr σ Φ J- »3 vQ 1 Φ Ω ∑: <ω Ω Φ vQ Ω TJ Φ rt cn cn o • 3

Φ g Ω φ Φ P TJ Φ o cn φ φ cn σ P pr P Φ φ tr cn φ tr O d rt P α Φ

P DJ tr P tr d CL P P- pr φ d P <. or PJ PP Φ rt P CΛ ^« . P CL 3 σ dead

P rt 1 DJ o rt d td P rt P ⁾ o pr tc φ TJ 1 d N P- P3 Φ Φ P- PJ Φ Ir ¹ J d Φ nds: CL rt 3 P cn cn PP d P3 1 co r. cn P rt ^ _^ . P CL P- φ rt P P> oy rt - CL Φ DJ o: Φ vQ P- tr vQ 3 P3 t- \ Tj o J <3 rt CΛ TJ φ d P-; ö

Φ P- φ P- cn pr tr d Φ Ω P- Φ PJ Φ PJ d P- Φ O TJ PJ 3 <O <P-

CL O φ cn O φ rt tr tr cn P- d d Ω d CL Φ P- d CΛ IV) φ Ω cn φ d Φ <. φ

DJ CL CL d rt Φ vQ \ - ^j P d rt rt rt vQ rt S tr; , P- d Ω φ o Ω pr cn

H Φ rt Φ P- »rt> o P Φ P Φ

P> P- P- d Φ P rt φ rt tr ∑: P 0- P- vQ TJ d TJ P Φ vQ d P Φ Φ l- ^J do cn P- P- d pr P "cn P- P- • Φ <DJ φ Hi Φ D ⁾ PJ ∑: P

Φ vQ co cn d P- DJ Ω 3 vQ PJ o cn Ω o P 3 φ tr P 1 Ω pr Φ 1 g P * rt Φ 1 M tr α d P ⁾ tr d P Φ d pr J 1 d

1 1 d 1 rt 1 1 1 1 1

and the desired hypertext document 10, 13 is displayed with step 208 on the personal computer PC of the browser client 31.

In the event that it is determined in step 203 that no context for the server 31 is stored in the buffer, the browser client 30 sends an unprotected request to this server 31 with step 210 and waits for a response. This answer is checked in step 211 ^' to determine whether it is an error message. If this is not the case, the answer is shown in a step 213 on the personal computer PC of the browser client 30. If, on the other hand, it is an error message, a further step 212 checks whether the error message is accompanied by a security-relevant note stating that it is a document of the “entry” class. If this is not the case, the error message is displayed in the Step 213 is shown on the personal computer PC, but if there is such an indication, then a step 214 initiates a method for establishing a context with respect to the desired server 31.

The method according to step 214 for creating a so-called initial context token ICT is a GSS-API concept that designates data of a protocol that is exchanged between units with the intention that a security context is agreed between the two bodies. More is said about this in the introduction to Internet Requestor Comments 1508 (RFC 1508). It is a multi-stage process, at the end of which the complete context for the desired server 31 is present and is stored in the buffer memory 74. A first stage of the ICT is generated. In step 215, an inquiry is made as to whether the ICT is now fully formed. If this is not the case, the previously formed ICT is sent to the desired server 31. This server 31 generates a response ICT and sends it to the browser-side security control unit 75 (see also Figure 14). With step 217, the browser-side security control unit 75 waits for a response from the server 31. If this is present, this response is processed and in a step 218 it is then determined whether the initial context token ICT is completely present. If this is the case, steps 214, 215, 216, 217 and 218 are repeated. When the complete ICT is finally available, the corresponding context is stored in the buffer 74 in step 219. The fully present ICT is reported to step 204 and transmitted. This triggers the resend of the get message with which access to a specific hypertext document 10, 13 of the desired server 31 is to be obtained. Steps 204, 205, 206 and 207 or 208 are carried out for this purpose.

The server-side security strategy is explained on the basis of FIG. The processes described below generally take place in the server 31. However, if the hypertext documents 10, 13 are stored in a customary server 37, the described process sequences take place in the proxy server 36.

The server 31 receives a get request via the network 25 and its protocol converter 61. Upon receipt of this get request, the security control unit 75 prepares the get request in such a way that it can use the access control unit ACU and the access control list ACL contained therein to decide whether it is a hypertext document 10, 13 of the “open” class This question is answered in step 302. If the answer is affirmative, the security control unit 65 requests the desired hypertext document 10, 13 via the document access unit in the document memory 67 or the program execution unit 68. If the documents are managed by another server 37, this is done accordingly causes a transmission of this document from the server 37 to the proxy server 36. The hypertext document 10, 13 obtained is transmitted to the browser client 30 and reproduced there. co CO IV »IV) P ^1»

Cn O cn O Cn o cn

<<tr sd TJ P <CL l S rt α ∑: Φ ω = sd CL d P ¹ d CL cn Φ σ: co tr CL rt P- to Φ DJ P- P Φ od Φ P- Φ P- φ d Ω P- p- d Φ O φ Φ P- P- o ¹ tr d Φ Φ Φ dp ⁾

P- P d Hi Ω d: vQ P d tr P P Φ P- rt tr P Ω d - d rt Ω d pr J φ vQ P- P d d

P * PJ vQ o tr Hi d vQ vQ P- ¹ CL rt rt tr: α tr VQ T] • tr φ d cn PP CL φ CL cn PP rt rt P ^J PJ φ • CΛ Φ pj: rt rt Φ 1— "3 cn J P- Φ Φ 73 P- φ rt tr 3 CL pj: d P- P tr Ω P - ¹ N tr P- tr co P σ d φ Φ Φ PH) P- Φ d

PJ = Φ P- Φ CL P vQ d tr Φ Pt tr Φ rt rt Φ cn 'rt P- 3 ddd: Hi d & φ rt d P- rt P φ o PJ P- d P d ^> Φ P- rt Φ CL Φ rt rt ^ Hi ω dd Φ d 3

CL rt d P tr PJ z φ Hl P- d 3 P Φ d cn φ cn Φ rt pr Φ Φ φ

P- d Tj d tr P- P- rt CL Φ rt <CL d 3 P d Φ P- J ^» do CL cn CΛ cn vQ d P- vQ Tj CL vQ P d φ Φ P- rt Φ PJ 73 CΛ P - Φ CL P d P o rt d P- d rt Ω

Φ vQ vQ DJ Φ Φ P- φ d P d Φ P d Φ Ω Ω pi Φ ^ P o rt d P- tr cn d PJ - P cn 3 φ PJ d Λ tr tr CL S! <Ϊ Ω • tr P vQ rt tr P P- i tr P d P ¹ Ω tr PH <3 CO P d P rt d PJ φ Φ Φ tr l->. O d P- PJ P- Ω o Φ * _* t tr Φ CΛ o. Φ O tr ∑; Φ P- d cn P- P d Φ co Φ d J d rt tr d P>P> CL o Φ Ω Pl P φ sΩ Φ Φ ω rt PJ vQ cn cn PJ rt d O cn vQ rt rt d co Φ ∑ : lod tr PJ P P- P rt rt tr Φ φ PP α CL CL Φ Φ d

Φ rt d P- cn CL H tr P cn Z rt CL N • tr • Φ Φ Φ cn P- dn P ¹ co P-

X ∑: d P tr cn φ P- PJ tr rt Φ d Φ d co φ d 5 Φ s PP P- cn o rt O Ω rt o DJ: Cd CL Φ Φ rt rt d Φ Φ P dddo P- 3 tr tc P- 1 Tj Ω rt N d α ^ tr

P tr PP d • rt CL P- d CL vQ CL J ^ rt P- PJ rt U φ Pi ^ tr Φ d rt d rt α rt φ o P- Φ Φ rt Φ P- tr Dd CL d Φ o tr P ¹ tr Φ dd:

Φ Φ P ∑: d P- ∑; i d CΛ d d o Hl PJ P P- rt Pt P- PJ P- d X CL tr d cn rt cn rt Φ PJ ott d Ω Φ CL Φ P o Φ Φ d φ cn CL 3 n ∑; rt Φ y

• tr φ Φ cn P d co - vQ tr d cn φ φ cn _^ ∑: d P ^J Φ y P cn CL t- ¹ P- OP t φ P P- CL d P d P- P rt cn _* rt cn Φ 3 Φ Φ Φ P Pl tr TJ Φ π S cn d <Φ PJ ∑: Hi P- d Pt d vQ o Φ - d Φ d p- <α OP P-

P. Φ Ω co φ O d CL d P- Φ rt O φ φ Φ tr P Φ vQ rt ^ sdo X "Φ dd tr o 3 _^ » Φ P cn rt PJ P 3 P- cn CΛ cn Φ CL Φ d P- Φ cn Hi dd HP CL rt dd rt L vQ O 3 tr dd tr tc dd rt σ

P- P- vQ CΛ cn ∑: Φ vQ J-. tr N CΛ φ Φ P- Φ cn pj: PJ d rt PJ CL cn _^ o

Ω cn Φ φ Ω rt P- <d Φ Φ o PJ d Ω d Φ cn z P- d vQ P d% φ Φ Pl P- X "tr P- tr cn tr pj: P φ P- cn ¹ d tr cn Ω P- Ω CL • <CL φ P P- O Ω O rt Ω Φ Φ P d P öd d rt CL Φ P 73 rt Φ tr P tr Φ 3 _* * Φ P d P3 tr tr y tr dd P- CL PJ P φ Φ ∑: P- P- Φ ^ cn P- CL Φ 1— 'P- I- ¹ rt to φ φ φ CL rt P- P- P ot- ¹ P- d rt iQ Ω d P rt rt ∑: rt Φ d 3 Φ d Φ d

P DJ Φ rt vQ d tr ∑: φ P Φ Φ rt d CL ö pr 3 3 ^ ^, P- • X vQ dy cn rt vQ d CL rt Φ cn d rt P 3 Φ PJ O rt P- P- t P rt P CΛ rt

P- cn P- »C-. <! φ P- Φ rt co cn cn pr • rt Φ d N P- CL tc 1 P- Ω tr Φ cn α tr Φ oo P- rt P cn CL T] CΛ O rt cn d P- dd J ö Hi tr pj : P- p- Φ rt CL cn P- J-. P dd TJ CL Φ P- Ω 00 3 Φ d Tj 3 ∑: P- do Hi PP ¹ d Ω P

_^ P- φ Φ P φ d co P PJ P vQ tr tr Φ φ d P- P- Φ d CL t cn P- rt Φ tr φ P φ P- 3 vQ o Φ cn d P cn PJ cn d cn d tc vQ Dd P- φ d IX "rt • d pi

∑: cn P- φ cn Ω cn P P- or rt φ • d P cn Φ 3 o rt d ¹

Φ Φ ∑: d vQ CΛ TJ vQ tr c. rt cn CL 3 TJ P o P- rt Φ d • -3 73 3 PJ

P P Hi P- Φ rt Ω P Φ Φ Φ P3 P rt Ω Φ P- Φ P- φ ∑: CL d d rt co P Φ cn

CL P φ. tr o cn d cn tfc »tr Ω X Φ CΛ PP> cn PJ φ Φ rt P o P- Λ Φ cn φ DJ Φ PN Φ CL <co φ rt tr P- cn Ω rt rv> Φ P 3 cn o cn Hi d P- Φ d $ vQ P- d Pt P- Φ d Φ cn Φ d O ^• - cn Φ tr Φ PJ Hi Φ d rt Φ 3 rt cn rt cn CL P- P ^j : O 73 d rt PPX tr d CΛ cn o PJ rt cn φ;

CL Z cn rt rt cn Φ T] Ω PJ tr Φ CL 3 P- P- rt Φ co Pi Ω P- Φ d rt d o

P- od co TJ rt φ tr P Φ <Λ Φ Φ ^T rt 1 cn o ^• ^ tr Ω P- tr X "TJ φ P DJ d P CL CL tr tr P Φ d P Φ P Φ rt σ Ω P tr P ¹ d J Φ tr vQ φ rt Ω ω Φ P- o Φ d Φ P Φ P- rt tr o tr vQ P- co tr d P- P> Φ d__

CΛ tr DJ Ω φ co cn d Φ 3 P- φ CO cn Φ d P "co pr P Φ PJ rt d Φ d d cn

Ω CL 3 tr cn CL P rt PZ rt P- φ O Φ od P- ω cn rt y CL P- Φ CL Ω tr Φ P- 3 Φ d: 3 Φ Φ P- ¹ Φ cn dd CL P -J 3 Φ φ cn φ rt cn Φ tr ∑:

PP tr φ d tr n CL Φ P- rt p ^j : P- Φ 3 Φ tr d CO Φ P Φ I- ¹ d: P-

P- P d CL φ P3 Φ P ^J d • d vQ N Pt vQ P Φ φ d Φ 1 Φ O P- P CL rt rt P rt Φ 1 φ PP 1 φ 1 rt d O Φ P- rt 1 cn σi dn Φ ^* * α 1 P 1 d P P3 1 1 1 α P 1

co co IV) IV) 1— ^» P ¹ cn o cn o Cn o Cn tr CL σ cn vQ co Hi <CΛ tr vQ 3 vQ CO <! dd P- 5 Hl 3 CL dd P- vQ Pl P> vQ 3 to Pt d α rt

Φ Φ o rt P d Φ P- Φ Ω P- P Φ: P- d o P d d: Φ P- P d Φ cn co DJ P- d φ J P- Φ

P- rt X "P P- vQ cn φ P tr d P- P- cn Φ Q do Hl P Φ o Cn rr d rt vQ P- Ω Φ rt dd Hi P rt TJ P rt Hi d cn d P ∑; φ O CL cn Z Φ rt <vQ P rt tr J-.

3 X ^* Hi P- co J P- Φ Hi tr Φ P- CL cn P- P d cn P- Φ CL Φ cn α P- Pi <o oo P- Φ rt cn Hi d Ω rt P cn Φ d N Hi φ Φ d CL Φ dd Φ d P ¹ P- P φ Pi Hl oo P ¹ cn φ d P- pr Hi CL iQ X ^* rt P P- • d Hi PP φ Φ d vQ P- P Φ φ N ∑ : 3 Hi φ P ¹ rt O o cn PJ P rt Φ Φ rt 3 cn 1 3 P Ω 1 3 rt cn ∑: P- cn cn vQ P ¹ tr to dd X "cn P- Φ vQ Ω σ X" ond dd PJ tr o Φ Φ P CΛ P rt φ cn P-

∑: d P ¹ Φ rt o cn Hi d P- rt tr P- ood CΛ d P d rt CΛ P P- CL Ω Φ vQ d rt cn o vQ od P d Hi dd Φ rt π Φ dd vQ P- Ω vQ o P- Ω vQ tr Ω Φ CL pi:

P P o rt CL cn α Φ d Φ α cn vQ rt P Φ tr ∑; CL P- Φ tr PJ CΛ rr 3 P tr CΛ Φ d ^ -.

PJ P- Hi P P- X 'd Φ PP P- d P φ cn Φ Φ d P n Ω • P- P- rt rt d CL od Hi p>: o φ O vQ Tj co 3 P- o Hi rt P- d Φ d P rt P- cn tr rt rt Φ Φ P- j ^

Hi Hi co PP "d Φ Φ d CL P- Hi P ¹ Hi rt rt P rt P rt TJ vQ tr cn P- P- ¹ o rt ω tr vQ φ rt Hi P ¹ cn CO rt TJ Dd Tj co rt Pt P- CΛ CL P x- ∑:

P- X ^* φ Φ cn φ d P Ω P ¹ P cn Pi P ^ X "O PJ n P PJ o Φ rt Ω Ji. Φ rt o φ P- dod P- rt P- vQ O tr Φ P- CL O PJ P- oo Ω o h- ¹ co P- rt tr O CΛ • «N P- φ d rt d Φ d PH ^> d: P Hi Dd Φ P d cn d vQ X ^* P- z ^ P- P > d P CT C rt C

CL rt tr Φ tr P- H "rt 3 Hi P d Hi rt rt Φ Φ rt φ CΛ 3 o co P- Dd P- CΛ Φ

P- P PJ d> Φ Hi Φ N Φ cn O Φ Φ P Cn p- • d φ O rt tr P PJ cn CL P φ o - • O P- Hi P- rt P ∑: P- P CL o Φ d rt P ∑: co hn sΩ rt P- or cn Φ tr cn P ^J rt CO tx rt cn d CL Φ cn 3 d PJ> P ^J d φ P- ∑: φ ld ∑: d Ω CΛ O

Φ \ -> Φ d P tr N d Ω Φ d cn a - ^> CL cn co n P P- cn tr 0-> rt ω tr

Φ d vQ P- φ Φ dd tr P co vQ t- ¹ φ Φ φ rt o CL cn rt P- Φ O Φ Φ ∑; P i rt

CL P- P d π Ω P- 3 vQ rt 1 ∑; Φ tc P- rt d P- Ω vQ 3 Φ -J P P P- P- o •

PJ d cn P- tr rt Φ O P- dd: d • rt P- <1 Φ 3 tr Φ d P ^J 1 P rt d cn tr P- Hi CL rt dd Φ cn% tr tr ω P- O d P - Φ cn 73 CL ∑: Φ o CL rt rt S φ d Hi Φ P- Φ> PP d P- Ω £ Φ Φ φ H TJ φ P rt rt d rt φ Φ P- vQ ¹ Φ p- tc P- CL P 3 O o N P- Φ tr Φ PP P- cn P cn Φ Λ rt φ rt P- CL J-. XP

^ rt PJ PJ ∑: Φ Ω d Φ P rt TJ rt rt φ CO Φ TJ 1— 'd CL • φ Φ O rt CL

TJ d <! CΛ d cn d tr rt d P- Φ P Ω $ ∑: o P- Φ P- ¹ Φ O Φ d P h- ¹ cn

Pl CL Pl Hi P- Ω cn P- Φ vQ rt cn φ X d: CL tr Hi P- d P- rt cn P- P Z rt

P P- cn φ tr P d P rt co TJ d rt Pi O P- Φ OP iQ Φ Ω _^ rt Φ PJ id Pi rt φ rt PP Φ 1 PJ o Φ 1 rt φ d P CL Φ 3 tr PN Ω CO od Φ

Φ cn DJ rt P- P- CL π dd P- σ _^ CL CL CΛ Φ O Φ tr od CL cn & os

X CL cn Φ rt Ω Φ - ^> d cn <Ω O odg Φ Φ P- φ CΛ P tr d ∑: rt rt Ω rt CL P- d rt tr 3 P- CL "• Φ tr d pr ∑; d P dd Ω rt P- P- Φ J-. vQ tr

1 φ Φ vQ Φ Φ P Φ d Φ rt Hl Tj d CL tr -J Φ tr P CΛ r 3 X o Φ σ P cn Φ CΛ co d CΛ d PJ ∑: vQ P CL 3 P ^J φ O Φ d Φ φ P j-> P- PJ CL Ω cn rt co CΛ 3 o ∑: TJ CL Ω rt d Φ - ^> φ Φ Ω PP tr vQ P- rt P- d l- ¹ tr Ω co rt P-

X 'co dd: DJ CTl tr tr P P- σ. P d tr CL P "d • rt Φ rt P- H tr Z d CL Φ rt dd P- d cn P CO PJ CL Ω j ^ rt Φ o Φ φ d φ rt d Pi φ 3 P- - P- d φ P ¹

3 vQ Ω cn rt P- P- or Φ tr CO d PP P- 3 tr ¹ rt od rt d cn CL CΛ CL

Φ H tr Ω Φ od rt CL d Φ tr d P ¹ co tr d 3 Ω P- co tr d CΛ rt cn Ω cn rt P- d P- rt tr tr CL rt vQ d P- iQ od P- d Φ tr CΛ φ 'PJ rt P- Ω cn tr CL Φ »Φ rt Hi rt ∑: ^ Φ CL P- • d H ~ vQ P ^J vQ rt Ω vQ P ¹ Φ cn tr co Φ P- d cn

Hi CL Φ Φ P- co cn Φ d rt P- P Hi CL tr rt rt X rt P o CL d φ O Φ

P ¹ cn Φ P- dd: I— »Φ cn 73 Φ Hi P ¹ P- φ vQ d ιQ P Φ Φ rt •% P- u. P- cn <P- 3 o pr P tc rt tr>fc> d φ φ P Hi co Hi dd: d: P- Φ P- d rt Φ TJ φ O Φ

^ ^< o 3 Φ CL φ CL Pi P- P- cn Hi PJ P • vQ rt P- d Hi rt P- cn Φ PP CΛ d Tj P Φ P l_J. φ od Ω Φ X ^* <! cn _ rt rt rt d Φ P- d: PJ Φ Φ P-

P ¹ rt 3 P- "Ω

PJ Φ Φ P TJ Φ rt d φ tr vQ O o TJ 3 P- J P- cn P d co P cn Ω P- CΛ ∑: tr co P P- • PP CL. rt 3 Φ rt d PP Φ vQ d vQ co Pi j rt d O tr rt rt P- P o H- rt M co d: O Φ d Φ rt P- ^ t- ¹ O Φ * CL 00 T] <Φ rt D: P P-

P- h- ¹ • Φ dd Hi Ω CΛ X d P P- <CL rd tr Φ ∑: P- OP Φ d CL rt

3 X 1 1 rt tr rt rt CL O Φ P- Φ ∑: Φ ∑: rt H "M d P- Hl vQ P ¹ CL rt φ 3 rt Φ Φ P- co P ¹ vQ P- P P- d P - CL Φ Φ cn P Φ d 1 σ. Rt P- P-

P- φ 1 CL cn Φ d 1 Φ φ PP P- XP rt cn P, £> Φ Q 3 J-. d P- ^■ P- 1 α φ rt 1

1 1 φ rt ¹ d rt d 1 o 1 cn

Step 317 requests, packs and sends to browser client 30.

However, if there are further instructions in the access control list ACL, the corresponding one is carried out in a step 318

Instruction is read from the access control list ACL and output to the security control unit 85, whereupon the latter initiates the execution of the instructions. The security control unit 85 waits until the instructions have been carried out and the result, usually a hypertext document 10, 13, is available to it. In a step 319, the hypertext document 10, 13 obtained is packaged and thus sent back to the browser client 30 in a secure way.

Claims

co co IV) IV) P> P ¹ cn o Cn o Cn o Cn

rt PJ vQ J ^ vQ vQ co CΛ CL d Pi N vQ „rt cn _) Pi tr CL cn rt> Q vQ TJ σ φ P 'TJ

Φ d P. Φ Φ. Φ P- P> Φ P ¹ P- PJ P φ Φ rt P ¹ . P Φ Φ Ω Φ P- PPJ PJ P-. PJ

Hl Φ H dd Φ o rt o ω tr P- dd Φ o Φ P- P tr vQ P- o π rt d rt rt P- D>: ω CΛ _^ Φ ^ Ω P ¹ Pi rt T. _^ CΛ P- : - Hi rt ^^ Φ φ CΛ φ

Φ Hl << rt Ω "<N Dd d tr Pi PP ⁾ CΛ • vQ Dd rt P ^» Hi od 3 • d

P- Φ CΛ tr CΛ d P- P ¹ > • <X Ω P "cn Φ Φ P- N oo X d <cn rt

PJ dd rt. -. PJ rt P vQ co Dd co N o N - - - Φ tr co rt vQ P vQ rt ~ d PJ od Φ <rt PJ d Φ Φ Φ co Pi Φ Φ - - P- - ddd rt d - 'Φ Φ Φ Φ d CL P Φ Φ ddd 3 P> rt 3 or vQ od rt 3 tr dd cn P ¹ CL Hi ¹ PJ P 3 cn

CL CL _^ Φ tr cn CL Φ Φ P td Φ d - NN φ cn P- co Φ φ CΛ P rt TJ

Φ o Φ ddd Φ Ω φ d P- CL P- P- 0- P ¹ X ^* ddd <Ω d -— 3 σ d φ tr Φ NP

3 PP DJ. £ -. PJ P tr P cn d φ ιQ do P- DJ o tr CL PJ P Φ P- d: rt Ω P ¹ Φ Ω 3 PJ Ω d Φ Φ Φ DJ 3 Ω ∑: PP ⁾ Φ o rt. -. <P- - PO

CL. -. tr - - - P- tr P- Hi N tr <tr d 3 P- cn P- tr P- Pi d P φ Pl φ rt rt tr

P- NO d rt rt ∑: DJ o PJ cn d h- ¹ cn d P P- rt d rt rt dn P d Φ CD Φ φ do Φ rt Φ Φ rt Φ Φ Hl PP Ω σ Φ co Φ CL CL Φ φ P tr TJ J dd φ

3 - - - P- Φ cn P- P- d P- rt tr p ⁾ Φ 3 • vQ d Ω PJ D ⁾ PJ \ .— vQ ∑: td d 3 dd rt Φ P- cn PJ rt CL - _^ cn CΛ Φ tr d X ^* co CΛ O PJ:

P- σ J Φ TJ co Φ d CL Φ d Φ P- Hl φ P vQ o rt TJ d φ rt φ TJ P> vQ O tr vQ PJ d 3 or 3 vQ Φ d vQ d rt d P- Φ TJ Φ P P- Φ Φ CL rt '- - ~ Φ 3 P

Φ rt cn P vQ cn d: Φ CL Φ TJ rt ∑: φ dd Φ d P- d Φ Φ PJ dd φ rt CL pj: P CL cn CΛ tr dd PJ rt PJ: d cn Ω P- φ d 3 3 J- »PJ: dd cn d Φ φ P φ φ Φ co Ω Φ d" Φ tr - tr d ω Φ CΛ. - _^ P- rt rt vQ

Ω <. P ¹ P P- P P- d tr P CL d CL φ P CL P- CΛ P ¹ rt - Φ Φ tr φ cn Hi d> Q d TJ Φ CL Φ rt CΛ rt d P IV) CO co co d P - o φ d P <!

PJ P Φ TJ Φ Φ P rt P P Hi Ω d Φ d d d CL Φ P- cn o

Hi PJ & φ d & P Φ N d: P- _^ ~. tr d tr P- 3 vQ vQ odd • <d rt P cn cn P- Φ CΛ P- x- Pi Φ od -> dd Φ P- PPP vQ> PJ φ P- cn

Φ tr Φ TJ Ω d TJ td Hi rt P- P P- o rt CL cn CΛ rt P- φ CL CL Φ co d rt d rt CO d Φ P- P tr CL P P- Φ DJ d Φ N Ω Ω Pi P- d P- CΛ '-' Q. N cn Φ d

P- dd: φ Φ: vQ d cn ∑: Φ Φ P t φ tr tr Φ Hi Hi d φ TJ φ: tr 3 vQ tr rt Φ Ω P d Ω Φ CL cn P- 3 P- tr P ¹ P- P d P- Φ d Φ ∑: P tr Φ P

P- d P tr tr tr d Φ Φ P d PJ co PJ d D>: rt d PJ d vQ vQ P- PJ φ cn P-

Φ PJ, - _^ Φ cn φ d N Φ d CL Φ Ω tr vQ PO tr Pi co ddd CL σ Φ P ^ - cn rt P CO. - JP cn X ^* Pt P Hi Φ NP ¹ φ vQ d Φ Hi o vQ Dd Ω iQ tr

Φ cn P-) o P ¹ tr .- _^ Φ d rt cn vQ Φ N rt dd Φ Φ Pi X ^* P CL P- Φ

P vQ ιQ cn - - P ⁾ CO dd φ Tj P- Φ ∑: Φ DJ co d PP o φ Φ d

P ¹ Φ Φ o P- o Hi o rt CL d P d ∑:. -. Φ d cn d PJ Φ rt Φ TJ P- P CL

Φ P d CL d P- CL rt - - - PJ φ CL pj: tr P- cn o CΛ CO P- ∑: P- TJ Pi φ Φ PJ Q p ^j : cn Φ 3 Φ Φ "<∑: PJ P - tr P- rt co Φ H od PJ cn φ φ 3 d rt rt Ω P. P ddo X "vQ H CL Φ dd α σ ~ - ^ φ tr P- 3 1— 'd J Hi tr ü d tr φ PJ CL Φ P- vQ d PJ P d O: rt CL φ φ cn _^ - _^ DJ co PJ t J tr Hi Φ rt tr P- d φ CΛ P d rt CL Hi CL vQ P P- M

P- CO Hi ^ rt "^ d Φ P- Φ φ" ** d Ω P- <d Φ Φ CΛ P - * CΛ 3 ω ddd P ¹ rt Φ Hi Pt P - ~. - - 'tr Pi o vQ d Hi Ω Φ P- P- P- O φ Hi

CL Φ tr d tr Hi PJ Hi P> CL α ∑: d Pi d TJ P- tr P- ∑: Ω d rt d O d Φ Φ O d CL P o φ DJ o tr rt PJ dd Φ o tr CL rt PJ SP

J-. P- Φ P- H d Φ P ^• »cn rt tr Φ NN CL Φ - P- rt d tr Φ P ^J φ 3

P ¹ Φ P P- rt d Φ Φ CL Pt d Φ P Φ Φ N Φ P- d 1 tr PJ

- - P- CL PJ L Φ σ α d P- P- ¹ d rt P Pt O P- CΛ d CΛ o P rt d φ P Φ P cn j PJ co PJ TJ d PJ φ Φ Ü tr d rt CL o N P-: φ 3 tr 3 rt P- PJ rt - - - rt P ⁾ Φ vQ cn P- d PJ. -. PJ PJ vQ Ö Pl 3 PJ O tr Φ. d Φ Φ X 'P- rt cn d rt P ¹ P cn P DJ φ P TJ tr d

Φ 73 φ P- CL CL d N d φ d Φ Φ φ Φ φ o cn P- rt d P- PJ d 'Φ

P φ P- rt P- _" * _* TJ d TJ rt φ d 3 P- d cn Φ Hi Φ ddd rt d

3 Hi d d φ PJ vQ DJ cn d TJ P- Hi d PJ ω φ <!

P- Φ d CL CL x- Φ t TJ £ co σ Φ J P> d TJ tr co Pi PO P- rt P co vQ td P- PJ φ O Φ Φ Φ d D> X ^* co N vQ PJ tr d Φ ddl φ d cn P- Φ tP rt P rt N tr 1 1 Φ φ d Φ X ^{* j} : 1 P d 1 1 1 1 Φ CL ω P- PP rt 1 Φ d 1

N 1 1 1 Φ 1 1

5. System according to one of claims 2 to 4, in which a security protocol is used to transmit the access rights or a reference to the access rights.

6. System according to any one of claims 1 to 5, wherein a data processing unit (31, 41) present characteristics of an accessing party (30) to a downstream data processing device (31, 41) or to a program for Ge ^'nerierung a data packet (10 , 13) can pass on.

7. System according to one of claims 1 to 6, in which the properties required for access to a data packet (10, 13) are determined on the basis of an access control list (ACL), the list containing:

a document field (501) in which the name and location of a data packet (10, 13) are stored,

- a classification field (502) in which the protection class of the data packet (10, 13) is entered, - a privilege field (503) in which the necessary properties for accessing the data packet (10, 13) are entered, and

- An instruction field (504) in which additional information, in particular for generating the data packet (10, 13), can be entered.

8. A method for granting access to information in a distributed computer system in which a plurality of data processing devices, in particular personal computers (PC) and servers (31, 41), are coupled to one another across networks and by means of transfer protocols (TCP / IP) Access to data packets (10, 13) is optionally possible, regardless of the location in which they are stored, wherein

an access request to a data packet (10, 13) is transmitted from a first data processing device (30) to a second data processing device (31, 41), ⁾ IV) IV) P ¹ 'o Cn o cπ o Cn ω p- cn' σ CL Tj I- ¹ P- Pi Hi CL ∑: TJ> _. 1 1

H- 3 TJ o PJ d O o CΛ O o φ P- PJ • d P • rt PP ^• - - rt * d P t φ vQ Dd J-. Dd CL P- rt CL co TJ vQ

CL tC d: φ Ω 3 vQ vQ CL φ <P P- P> P- PJ d d P- d PJ P DJ

Pl Ω <d tr tr d rt Φ φ ^ rt Φ CΛ Φ vQ - - - vQ cn d Φ vQ Pt P- cn

S tr Φ <D ⁾ Φ dd P- Φ P rt P- Φ Φ CL vQ P φ Hi

IX Φ P φ <d P- CL CL d P- cn Hi Φ Ω d d Φ φ cn CL P- rt Hi N

1 d ∑: P Φ vQ 3 PJ φ d DJ d tr cn CL cn P P vQ P- Hi cn ∑;

Tj Φ J P Φ PJ d CL cn CL. -. tr rt Ω PJ Ω cn Φ φ Hi - - tr

OP ¹ d P ∑: vQ σ d Pi P- Φ 'P ö tr cn tr rt NP cn cn P> φ P-

P CL tr Φ Φ PJ CΛ Φ CΛ 3 o Φ P ⁾ d PJ DJ Φ d pj: tr tr o cn rt

3 tr d Φ d tr rt Ω CL P- *. d rt d Hl PJ Hl P rt Φ Φ "> rt Φ

DJ P- d P- CL φ φ tr Φ Ω CL Φ CL rt d rt ö Φ N ω H- rt cn Q rt d d d 3 tr φ P> d d Φ tr Φ P> DJ Cn: rt P "3 ö

- dd <P- vQ φ P co DJ <P- d PJ d rt Φ vQ p- co y DJ O CL d vQ ∑: φ Φ CL PJ P - - Ω Φ 3 d Φ X ". -. 3 ^• ~ * d rt

CL Φ vQ P- P i> PJ tr tr z tr P 3 CL DJ d DJ O P- y d Φ

P- P- cn cn Φ P PJ φ cn Φ Φ J DJ PJ td P- d <d o Ω d N vQ d

Φ 3 vQ P- CL P d P- 3 d PP rr φ Φ d - 'tr dd Φ <Λ φ d tr CL vQ CL rt φ Hi tr Pi P- CL P rr φ vQ P d Φ vQ S> P φ d Φ φ φ cn cn Φ d: d PJ DJ vQ dd Φ P

Φ O cn PJ: cn d P- CL ∑: cn TJ CL CL TJ P- P ¹ Φ φ Cn P D> dd CL DJ

3 P rt rt CL r Φ: H Φ DJ P rt * d P tr tr tr td Φ Φ P pj: P- Φ Φ CΛ d P d ö O cn cn d d d N Φ Φ Φ P- CL P Pi tr

03 P- 3 d P- Φ d cn PJ rt Ω dd Φ CO ∑: P- X "Q Φ Pi P- Φ cn Ω P- vQ o Ω rt O <N tr vQ vQ P d rt CL J Φ P d : d P-

Φ a. -. tr d cn P tr Φ X "Φ d ω Cn Hl vQ P- d Φ d d Φ vQ P- rt

P- P- d co Φ φ vQ rt rt d O P vQ co vQ Pi O P rt d P d cn d d φ d d CL d o P φ Φ <∑: Φ Φ PJ P P- Φ vQ rt Ω d P d

Φ Φ CL tr Dd P d Φ \ -> Φ Q tr P H- ¹ CL Hi cn Dd tr td vQ rt vQ

3 co Φ φ PJ: d ö P ω d P Φ pj: P ¹ Φ Hi ü vQ P- cn PJ P- cn s CL P> P- Pt rt CL PJ PJ CL P- P- rt P cn PJ φ vQ P- Hl d cn cn vQ t φ Φ ~ rt PJ rt P. -. Φ H) CL P ¹ rt P Φ d rt tr rt P- Φ

Pl tr cn n co d -— z Φ tr ∑: rt Hi CL. -. PJ P- P- Φ p ^j : d CL Φ PJ Φ d P

Pl P ¹ TJ Φ Φ Φ co cn Ω cn d rt cn d -> CL pj: rv) d co PJ d Φ Φ J 3 - P rt '3 J P- tr dd 3 o tr rt <Ω Φ rt rt

1 P- Φ O vQ ^> φ J rt cn ^ - σ φ Φ Φ. - tr P- CL d rt d

TJ rt P φ rt PJ x- d Φ TJ ∑: CL PJ d P co DJ d Φ d d. -.

P Pi PO tr .e- CL Φ d Ω P Φ P- d: rt _^ - _^ PJ o Pi Φ cn vQ d CL co o σ PJ Hl Pt φ P> φ rt vQ - - - OP φ tr φ Dd

- CΛ Cn rt> P rt d P ¹ rt PJ tr OO CL Φ d P- o tr Φ Tj Φ: CL ∑;

Location PP "CL - vQ vQ O φ P TJ vQ t- ¹ Φ d: d Φ P tr Φ α_>

X "φ Φ vQ φ P- σ P> Φ Φ x- d CL 3 DJ Φ - - - P- tr tr cn Φ tr d P ¹

O d d rt CΛ P d PJ o P J: O Φ P- Pt d rt Φ PJ rt P Φ d - -

TJ cn. rt ^• »pi: d ¹ cn d rt Φ cn CL d P d Φ Φ TJ P- J, -. td Ω φ rt CL O rt rt rt Ω P- d 3 Hi P d P d J

X "d G. P- tr d P> cn Φ cn P ¹ P- Φ tr Φ vQ P- vQ 3 d: <P- P d: φ PJ CΛ vQ P- J co P - rt PJ cn- rt Φ Φ σ Pi o Ω d: tr rt Ω CΛ φ Hl J - - ^• . -. Rt - _^ DJ: rt P> Hi Φ vQ rt Hi DJ rt P tr Hi φ Φ tr 1 d Hi "co tr <rt • o rt P Φ Φ O CL rt rt rt

P d cn P φ <p> ∑: rt φ "» φ tr PP ^J P d Φ d P- _^ rt CL J Ω P- rt Φ P- rt P CL d PJ PJ: rt CL ddd Φ CL

P. - .. φ Pl tr Φ Λ P P T. cn Φ P "P" rt Φ vQ <CL vQ PJ O

DJ P ¹ d - - PJ P Pi j-. CL - Ω CΛ co rt cn P Φ Φ cn tr vQ * _* o Hi rt -: P "" * tr φ φ _^ Φ rt cn P cn d tr P- rt Φ vQ -— ^• PJ P ¹ OP d co P - Φ DJ O σ co

PJ d Φ PO tr dd Φ DJ N 1 φ P ¹ d ∑: d P Hi PJ d

P P> 1 d - _* Hi P- rt d Φ P- CL tr Φ O rt 1 co CL P Ω Φ Φ P φ Φ P d Φ Φ tr P d ^§ CL rt P- ddd 1 rt 1 1 1