WO2005114946A1 - An apparatus, computer-readable memory and method for authenticating and authorizing a service request sent from a service client to a service provider - Google Patents


Info

Publication number
WO2005114946A1
Authority
WO
WIPO (PCT)
Prior art keywords
service
client identifier
client
service request
request
Prior art date
Application number
PCT/EP2005/052280
Other languages
French (fr)
Inventor
Messaoud Benantar
Yen-Fu Chen
John Dunsmoir
Randolph Michael Forlenza
Wei Liu
Sandra Juni Schlosser
Original Assignee
International Business Machines Corporation
IBM United Kingdom Limited
Priority date
Filing date
Publication date
Application filed by International Business Machines Corporation, IBM United Kingdom Limited
Publication of WO2005114946A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic

Definitions

  • the invention may be implemented as part of a web services architecture.
  • a security program for encrypting a client identifier in a secured data structure
  • the security program comprising: a computer readable medium; wherein the computer readable medium comprises instructions for a processor to perform steps comprising: acquire a service request; extract the client identifier from the service request; store the client identifier in the secured data structure; and encrypt the secured data structure using a key.
  • the computer readable medium comprises further instructions for a process to perform steps comprising: obtain a web context for the service request; get a requested object; obtain a SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
  • the key is unique to the client identifier.
  • a computer-readable memory for causing a computer to authenticate and authorize service requests sent from a service client to a service provider, comprising: a computer-readable storage medium; an authorization database stored in the storage medium; a service request filter program stored in the storage medium, wherein the storage medium, so configured by the service request filter program, causes the computer to perform steps comprising: receive an incoming service request on a communication channel, the service request having a digital certificate attached; extract a client identifier from the digital certificate associated with the service request; store the client identifier in the memory using a security program; wherein the security program encrypts the client identifier in a secure data structure using a key; and send the service request on the communication channel to a web service manager.
  • the security program comprises instructions for the processor to perform steps comprising: acquire a service request; extract the client identifier from the service request; store the client identifier in the secured data structure; and encrypt the secured data structure using a key.
  • the security program comprises instructions for the processor to perform steps further comprising: obtain a web context for the service request; get a requested object; obtain a SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
  • the key is unique to the client identifier.
  • the security program comprises instructions for the processor to perform steps comprising: send the service request on the communication channel to a web service manager; wherein the computer readable memory further comprises a service client authentication program in the memory directing the processor to perform steps comprising: responsive to receiving an authentication request from a web service manager, request a client identifier; and wherein the client identifier is provided by the security program only if the key is presented with the request.
  • the service client authentication program in the memory directs the processor to perform steps further comprising: a service client authentication program stored in the storage medium, wherein the storage medium, so configured by the service client authentication program, causes the computer to perform steps comprising: responsive to receiving an authentication request from a web service manager, request a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; match the client identifier with a service client record in the authorization database having the same client identifier; responsive to matching the client identifier with a record in the authorization database, call a service authorization program in the memory; wherein the service authorization program is stored in the storage medium, and the storage medium, so configured by the service authorization program, causes the computer to perform steps comprising: determine if the client identifier associated with the service request is authorized to access the service provider; and responsive to determining that the service request is authorized, authorize the service provider to process the request.
  • the service request filter program further causes the computer to authenticate the digital certificate with the issuing certification authority.
  • the digital certificate is an X.509 digital certificate.
  • the client identifier is a distinguished name.
  • the digital certificate is self-signed.
  • the computer-readable memory further comprises an authorization log.
  • the service client authentication program further causes the computer to record the client identifier in the authorization log.
  • the service authorization program further causes the computer to record the client identifier and service request in the authorization log.
  • an apparatus for authenticating and authorizing a service request sent from a service client to a service provider comprising: means for receiving an incoming service request on a communication channel, the service request having a digital certificate attached; means for extracting a client identifier from the digital certificate associated with the service request; means for storing the client identifier in the memory using a security program; wherein the security program comprises: means for acquiring a service request; means for extracting the client identifier from the service request; means for storing the client identifier in the secured data structure; and means for encrypting the secured data structure using a key, wherein the client certificate comprises the client identifier; means for sending the service request to a web service manager; responsive to receiving an authentication request from a web service manager, means for requesting a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; means for matching the client identifier with a service client record
  • a method comprising the steps of: receiving an incoming service request from the service client on a communication channel, the service request having a digital certificate attached; extracting a client identifier from the digital certificate associated with the service request; storing the client identifier in the memory using a security program; and wherein the security program encrypts the client identifier in a secure data structure using a key.
  • a method for encrypting a client identifier in a secured data structure comprising: acquiring a service request; extracting the client identifier from the service request; storing the client identifier in the secured data structure; and encrypting the secured data structure using a key.
  • the invention may be implemented in computer software.
  • the invention described herein comprises, in accordance with a preferred embodiment, a Centralized Authentication & Authorization system (CAA).
  • the CAA preferably facilitates secure communication between web service applications by maintaining an authorization database and providing authentication services to other web service applications.
  • CAA preferably comprises a Service Request Filter (SRF), a Service Client Authentication Program (SCAP), a Service Authorization Program (SAP), an Authorization Database (ADB), and a Security Program (SP).
  • the SRF preferably intercepts incoming service requests, extracts the service client's identifier from a digital certificate attached to the request, stores the identifier in a secured hashtable that is accessible only by web service applications, and forwards the service request on its original route.
  • the SP preferably controls access to the secured hashtable by encrypting the secured hashtable using a key.
  • a web service manager will receive the original request and invoke the SCAP.
  • the SCAP matches the identifier with an identifier stored in the ADB and validates the service client.
  • the SAP then preferably queries the ADB to determine if the service request is valid for the service client. If the service request is valid, the SAP preferably authorizes the service request and the appropriate service provider processes the service request. In accordance with a preferred embodiment, the web service manager must present the correct key to the SP in order to access the client identifier and process the service request.
  • FIG. 1 is a depiction of a typical networked computing environment in which the integrated server architecture could be implemented in accordance with a preferred embodiment.
  • FIG. 2 represents the memory configuration of a typical computing workstation using the integrated server architecture of the preferred embodiment.
  • FIG. 3 is a depiction of the logical design of a preferred embodiment of the present invention.
  • FIG. 4 is an illustration of the logic of the Security Program (SP) of a preferred embodiment of the present invention.

Abstract

A Centralized Authentication & Authorization (CAA) system that prevents unauthorized access to client data using a secure global hashtable residing in the application server in a web services environment. CAA comprises a Service Request Filter (SRF) and Security Program (SP). The SRF intercepts service requests, extracts the service client's identifier from a digital certificate attached to the request, and stores the identifier in memory accessible to service providers. The client identifier is secured by the SP using a key unique to the client identifier. When the web services manager requests the client identifier, the web services manager must present the key to the SP in order to access the client identifier. Thus, the present invention prevents a malicious user from attempting to obtain sensitive data within the application server once the malicious user has gained access past the firewall.

Description

AN APPARATUS, COMPUTER-READABLE MEMORY AND METHOD FOR AUTHENTICATING AND AUTHORIZING A SERVICE REQUEST SENT FROM A SERVICE CLIENT TO A SERVICE PROVIDER

Technical Field
[001] The present invention relates in general to network security, and, in particular, to authentication and authorization for services delivered over a network.

Background Art
[002] For many years, network technology has enabled the sharing of, and remote access to, computing resources around the world. One computer can readily exchange data with a computer down the hall or in another country. Of course, it did not take long for the business world to harness the power of global networks, and network technology has fueled the growth of an entire new industry focused on delivering services across these networks.
[003] Commonly referred to as "web services," "application services," or "web service applications," network services typically expose existing business functionality over networks in a controlled environment and allow multiple applications to interact with each other. Web service applications use standards such as Extensible Markup Language (XML), Simple Object Access Protocol (SOAP), and Hypertext Transfer Protocol (HTTP) that are widely available and accepted to facilitate interaction across networks. XML provides a language to tag data so that the various components of a web service application can understand the request. SOAP is a method of packaging data before transmitting it across a network. HTTP is a transport protocol that delivers data across the network. Web service applications usually run in the background and do not have a graphical user interface (GUI). Rather, web services interact via a service program interface (SPI). An SPI is defined strictly in terms of the messages that the web service accepts. Thus, a typical web service invocation consists of a first application (hereinafter referred to as the "service client") sending an XML message, which is packaged in a SOAP "envelope," across the network via HTTP to a second application (hereinafter referred to as the "service provider"). The format of the XML message, of course, must comply with the requirements of the service provider's SPI. Web service applications can perform a wide variety of functions, ranging from simple stock quote requests to complicated billing processes. A web service invocation has many common names, including a "service request," a "request call," or just a "call." For the sake of simplicity and clarity, any communication between a service client and a service provider for invoking a service will be referred to here as a "service request."
[004] Generally, a business needs to control access to web services to maximize profit and to protect internal computing resources. In general, a business achieves control by requiring service requests to pass through a web service manager, which acts much like a firewall. A web service manager controls access on two levels: the service client level and the service agreement level. To gain access to the desired web service, a service client must first present credentials to the web service manager. The web service manager then must determine whether the credentials are authentic. If the credentials are authentic, the web service manager then determines whether the service client is entitled to receive the service that the service client requested. Finally, if the credentials are authentic and the service client is authorized to access the service provider, the web service manager authorizes the service provider to process the request.
[005] Several methods of authentication are known in the art. The most conventional method requires each client to have a unique identifier (ID) and a password that only the client knows. Every time a client needs to access a service, the client must present an ID and a password that the network service provider can match to the ID presented. Naturally, both the client and the network service provider must keep the password from being unduly disclosed or otherwise disseminated. Passwords must also be difficult to guess. To make passwords difficult to guess, many businesses implement complex security policies that require passwords to meet strict criteria and require clients to change passwords frequently.
[006] Proprietary authentication methods, such as IBM's WEB IDENTITY or TIVOLI ACCESS MANAGER, can also be used to control access to network services, but these methods are highly complex and require significant overhead.
[007] Digital certificates are another alternative to the ID/password approach. Digital certificates are generally issued by a certification authority, which is typically a trusted third-party organization or company. Alternatively, digital certificates can be "self-signed." A self-signed certificate is created by the holder of the certificate, but is still useful if the parties to a transaction are already familiar with each other and the integrity of the certificate is initially verified manually. A digital certificate is usually encrypted, and usually contains a holder's name or identifier, a serial number, and expiration date. X.509 is the most common digital certificate format, and is the format recommended by the International Telecommunications Union. The holder's name or identifier is commonly represented as a Distinguished Name, which is a part of the X.500 standard (also promulgated by ITU). A Distinguished Name is comprised of a combination of other X.500 identifiers, which may include a Common Name, an Organizational Unit, Organization, and Country.
[008] Digital certificates obviate the need for passwords and provide significant advantages over the use of IDs and passwords. An obvious advantage is that users do not have to conjure up or remember complicated passwords. Furthermore, digital certificates obviate the need to implement complicated security policies to ensure that passwords are difficult to guess, and they reduce the risk of security compromise through lost or exposed passwords.
[009] Although the art of using digital certificates is not new, integrating digital certificate technology into existing technologies, particularly web service applications, is extremely challenging. In particular, many existing web service applications have been designed to authenticate users based on an ID that is typically embedded in the service request. Thus, existing web service applications do not generally recognize IDs that are encoded in a digital certificate. Therefore, a need exists for an authentication mechanism that can be integrated with existing web services technology while reaping the benefits of digital certificate technology.
[010] Another problem that has arisen in the web services context is the malicious access and searching of databases. Typically, a malicious party is able to breach a firewall using access codes and other information which they are not authorized to use. In some circumstances, the malicious party has limited access within the firewall and attempts to access data repositories that he is not authorized to access. Once inside the firewall, the malicious party can search databases, hashtables, and other data structures at will because there are no further security features on the data structures. Such unauthorized access is not preferable. Consequently, a need exists for a security feature that will prevent a malicious party from searching a data repository when the malicious party gains access past the firewall.

Disclosure of Invention
[011] According to a first aspect, there is provided a programmable apparatus for authenticating and authorizing a service request sent from a service client to a service provider, comprising: a processor; a memory connected to the processor; an authorization database in the memory; a service request filter program in the memory directing the processor to perform steps comprising: receive an incoming service request from the service client on a communication channel, the service request having a digital certificate attached; extract a client identifier from the digital certificate associated with the service request; store the client identifier in the memory using a security program; and wherein the security program encrypts the client identifier in a secure data structure using a key.
[012] In one embodiment, the security program comprises instructions for the processor to perform steps further comprising: obtain a web context for the service request; get a requested object; obtain a SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
[013] In one embodiment the key is unique to the client identifier.
[014] In one embodiment the apparatus is further operable to send the service request on the communication channel to a web service manager and comprises a service client authentication program in the memory directing the processor to perform steps comprising: responsive to receiving an authentication request from a web service manager, request a client identifier; and wherein the client identifier is provided by the security program only if the key is presented with the request.
[015] In one embodiment the service client authentication program in the memory directs the processor to perform steps further comprising: match the client identifier with a service client record in the authorization database having the same client identifier; and responsive to matching the client identifier with a record in the authorization database, call a service authorization program in the memory; wherein the service authorization program directs the processor to perform steps comprising: determine if the client identifier associated with the service request is authorized to access the service provider; and responsive to determining that the service request is authorized, authorize the service provider to process the request.
[016] In one embodiment the service request filter program further directs the processor to authenticate the digital certificate with the issuing certification authority.
[017] In one embodiment the digital certificate is an X.509 digital certificate.
[018] In one embodiment the client identifier is a distinguished name.
[019] In one embodiment the digital certificate is self-signed.
[020] In one embodiment the programmable apparatus further comprises an authorization log.
[021] In one embodiment the service client authentication program further records the client identifier in the authorization log.
[022] In one embodiment the service authorization program further records the client identifier and service request in the authorization log.
[023] In one embodiment the service request filter program in the memory is further operable to direct the processor to send the service request on the communication channel to a web service manager.
[024] In one embodiment, the client certificate comprises the client identifier, the apparatus further comprising: means for sending the service request to a web service manager; responsive to receiving an authentication request from a web service manager, means for requesting a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; means for matching the client identifier with a service client record in the authorization database having the same client identifier; means for determining if the client identifier associated with the service request is authorized to access the service provider; responsive to determining that the service request is authorized, means for authorizing the service provider to process the request; means for authenticating the digital certificate with the issuing certification authority; wherein the digital certificate is an X.509 digital certificate; wherein the client identifier is a distinguished name; wherein the digital certificate is self-signed; means for recording the client identifier in an authorization log; and means for recording the client identifier and service request in the authorization log.
[025] The invention may be implemented as part of a web services architecture.
[026] According to a second aspect, there is provided a security program for encrypting a client identifier in a secured data structure, the security program comprising: a computer readable medium; wherein the computer readable medium comprises instructions for a processor to perform steps comprising: acquire a service request; extract the client identifier from the service request; store the client identifier in the secured data structure; and encrypt the secured data structure using a key.
[027] In one embodiment, the computer readable medium comprises further instructions for a processor to perform steps comprising: obtain a web context for the service request; get a requested object; obtain an SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
[028] In one embodiment, the key is unique to the client identifier.
[029] According to another aspect, there is provided a computer-readable memory for causing a computer to authenticate and authorize service requests sent from a service client to a service provider, comprising: a computer-readable storage medium; an authorization database stored in the storage medium; a service request filter program stored in the storage medium, wherein the storage medium, so configured by the service request filter program, causes the computer to perform steps comprising: receive an incoming service request on a communication channel, the service request having a digital certificate attached; extract a client identifier from the digital certificate associated with the service request; store the client identifier in the memory using a security program; wherein the security program encrypts the client identifier in a secure data structure using a key; and send the service request on the communication channel to a web service manager.
[030] In one embodiment the security program comprises instructions for the processor to perform steps comprising: acquire a service request; extract the client identifier from the service request; store the client identifier in the secured data structure; and encrypt the secured data structure using a key.
[031] In one embodiment the security program comprises instructions for the processor to perform steps further comprising: obtain a web context for the service request; get a requested object; obtain an SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
[032] In one embodiment the key is unique to the client identifier.
[033] In one embodiment, the security program comprises instructions for the processor to perform steps comprising: send the service request on the communication channel to a web service manager; wherein the computer readable memory further comprises a service client authentication program in the memory directing the processor to perform steps comprising: responsive to receiving an authentication request from a web service manager, request a client identifier; and wherein the client identifier is provided by the security program only if the key is presented with the request.
[034] In one embodiment, the service client authentication program in the memory directs the processor to perform steps further comprising: a service client authentication program stored in the storage medium, wherein the storage medium, so configured by the service client authentication program, causes the computer to perform steps comprising: responsive to receiving an authentication request from a web service manager, request a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; match the client identifier with a service client record in the authorization database having the same client identifier; responsive to matching the client identifier with a record in the authorization database, call a service authorization program in the memory; wherein the service authorization program is stored in the storage medium, and the storage medium, so configured by the service authorization program, causes the computer to perform steps comprising: determine if the client identifier associated with the service request is authorized to access the service provider; and responsive to determining that the service request is authorized, authorize the service provider to process the request.
[035] In one embodiment, the service request filter program further causes the computer to authenticate the digital certificate with the issuing certification authority.
[036] In one embodiment the digital certificate is an X.509 digital certificate.
[037] In one embodiment, the client identifier is a distinguished name.
[038] In one embodiment the digital certificate is self-signed.
[039] In one embodiment, the computer-readable memory further comprises an authorization log.
[040] In one embodiment, the service client authentication program further causes the computer to record the client identifier in the authorization log.
[041] In one embodiment, the service authorization program further causes the computer to record the client identifier and service request in the authorization log.
[042] According to another aspect, there is provided an apparatus for authenticating and authorizing a service request sent from a service client to a service provider, comprising: means for receiving an incoming service request on a communication channel, the service request having a digital certificate attached; means for extracting a client identifier from the digital certificate associated with the service request; means for storing the client identifier in the memory using a security program; wherein the security program comprises: means for acquiring a service request; means for extracting the client identifier from the service request; means for storing the client identifier in the secured data structure; and means for encrypting the secured data structure using a key, wherein the client certificate comprises the client identifier; means for sending the service request to a web service manager; responsive to receiving an authentication request from a web service manager, means for requesting a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; means for matching the client identifier with a service client record in the authorization database having the same client identifier; means for determining if the client identifier associated with the service request is authorized to access the service provider; responsive to determining that the service request is authorized, means for authorizing the service provider to process the request; means for authenticating the digital certificate with the issuing certification authority; wherein the digital certificate is an X.509 digital certificate; wherein the client identifier is a distinguished name; wherein the digital certificate is self-signed; means for recording the client identifier in an authorization log; and means for recording the client identifier and service request in the authorization log.
[043] According to another aspect, there is provided a method comprising the steps of: receiving an incoming service request from the service client on a communication channel, the service request having a digital certificate attached; extracting a client identifier from the digital certificate associated with the service request; storing the client identifier in the memory using a security program; and wherein the security program encrypts the client identifier in a secure data structure using a key.
[044] According to another aspect, there is provided a method for encrypting a client identifier in a secured data structure, the method comprising: acquiring a service request; extracting the client identifier from the service request; storing the client identifier in the secured data structure; and encrypting the secured data structure using a key.
[045] The invention may be implemented in computer software.
[046] There is preferably provided an architecture and design for central authentication and authorization in an on-demand utility environment using a secured global hashtable.
[047] The invention described herein comprises, in accordance with a preferred embodiment a Centralized Authentication & Authorization system (CAA). The CAA preferably facilitates secure communication between web service applications by maintaining an authorization database and providing authentication services to other web service applications.
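The following is an added worked example, written for this page and not code from the patent or from IBM, of the flow that paragraphs [011] to [015] state in claim language and that the component overview in this section describes: the filter verifies the attached client certificate, extracts its subject distinguished name, the security program seals that identifier into a hashtable entry under a key unique to the entry, and only a caller presenting that key recovers the identifier for the ADB match and the service authorization decision. Go is used because its standard library parses X.509 and provides AES-GCM without third-party code. Everything not in the patent is an assumption: the function and type names, the in-memory ADB contents, the request identifier used as the hashtable key, the self-signed test certificate, and the choice of AES-GCM with the request identifier as associated data (the patent names no cipher).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ADB: client distinguished name -> services it may call (constructed sample data).
var ADB = map[string]map[string]bool{
	"CN=billing-client,O=Example Corp": {"InvoiceService": true},
}
var AuthorizationLog []string // records written by SCAP and SAP (claims 11 to 13)

// SecurityProgram (SP): the secured hashtable, request id -> nonce || AES-GCM ciphertext
// of the client identifier. Without the key an entry is opaque.
type SecurityProgram struct{ table map[string][]byte }

func NewSecurityProgram() *SecurityProgram { return &SecurityProgram{table: map[string][]byte{}} }

func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // callers guarantee a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Store encrypts clientID under a fresh 256-bit key unique to this entry and returns
// the key. reqID is bound as associated data, so an entry cannot be reused elsewhere.
func (sp *SecurityProgram) Store(reqID, clientID string) ([]byte, error) {
	buf := make([]byte, 32+12) // key || nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	sp.table[reqID] = append(append([]byte{}, nonce...), aesGCM(key).Seal(nil, nonce, []byte(clientID), []byte(reqID))...)
	return key, nil
}

// Retrieve hands back the client identifier only if the presented key opens the entry.
func (sp *SecurityProgram) Retrieve(reqID string, key []byte) (string, error) {
	if blob, ok := sp.table[reqID]; ok && len(key) == 32 {
		if pt, err := aesGCM(key).Open(nil, blob[:12], blob[12:], []byte(reqID)); err == nil {
			return string(pt), nil
		}
	}
	return "", fmt.Errorf("key not accepted for request %q", reqID)
}

// ServiceRequestFilter (SRF): verify the attached certificate against the trusted roots
// (claim 7), extract its subject DN (claim 9) and park it in SP; the returned key travels on to the web service manager.
func ServiceRequestFilter(sp *SecurityProgram, roots *x509.CertPool, reqID string, cert *x509.Certificate) ([]byte, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("certificate rejected: %w", err)
	}
	return sp.Store(reqID, cert.Subject.String())
}

// AuthenticateAndAuthorize is what the web service manager triggers: SCAP presents the
// key to obtain the identifier and matches it in ADB, then SAP checks the service.
func AuthenticateAndAuthorize(sp *SecurityProgram, reqID string, key []byte, service string) (bool, error) {
	clientID, err := sp.Retrieve(reqID, key)
	if err != nil {
		return false, err
	}
	allowed, known := ADB[clientID]
	if !known {
		return false, fmt.Errorf("unknown client %q", clientID)
	}
	ok := allowed[service]
	AuthorizationLog = append(AuthorizationLog, "SCAP authenticated "+clientID,
		fmt.Sprintf("SAP %s for %s: authorized=%v", service, clientID, ok))
	return ok, nil
}

// SelfSignedClientCert builds an in-memory self-signed client certificate (claim 10)
// so the example runs offline; production clients would present CA-issued ones.
func SelfSignedClientCert(cn, org string) (*x509.Certificate, error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors only if the CSPRNG fails
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To exercise it, build a cert with `SelfSignedClientCert`, add it to an `x509.CertPool` (a self-signed certificate is its own trust anchor, which is what claim 10 amounts to), call `ServiceRequestFilter` to obtain the key, then call `AuthenticateAndAuthorize` with that key. A caller presenting a wrong or malformed key, or an unknown request identifier, gets an error and never sees the identifier, which is the property [010] asks for: an intruder who can read the hashtable finds only ciphertext. The caveat the claims leave open is that whoever holds the key reads the entry, so the path by which the key reaches the web service manager is the real trust boundary, not the hashtable itself.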
[048] CAA preferably comprises a Service Request Filter (SRF), a Service Client Authentication Program (SCAP), a Service Authorization Program (SAP), an Authorization Database (ADB), and a Security Program (SP). The SRF preferably intercepts incoming service requests, extracts the service client's identifier from a digital certificate attached to the request, stores the identifier in a secured hashtable that is accessible only by web service applications, and forwards the service request on its original route. The SP preferably controls access to the secured hashtable by encrypting the secured hashtable using a key. Typically, a web service manager will receive the original request and invoke the SCAP. The SCAP matches the identifier with an identifier stored in the ADB and validates the service client. The SAP then preferably queries the ADB to determine if the service request is valid for the service client. If the service request is valid, the SAP preferably authorizes the service request and the appropriate service provider processes the service request. In accordance with a preferred embodiment, the web service manager must present the correct key to the SP in order to access the client identifier and process the service request.
Brief Description of the Drawings
[049] A preferred embodiment of the present invention will now be described, by way of example only, and with reference to the following drawings in which like reference numbers represent like parts of the preferred embodiment:
[050] Fig. 1 is a depiction of a typical networked computing environment in which the integrated server architecture could be implemented in accordance with a preferred embodiment;
[051] FIG. 2 represents the memory configuration of a typical computing workstation using the integrated server architecture of the preferred embodiment;
[052] FIG. 3 is a depiction of the logical design of a preferred embodiment of the present invention; and
[053] FIG. 4 is an illustration of the logic of the Security Program (SP) of a preferred embodiment of the present invention.
Mode for the Invention

Claims
[001] A programmable apparatus for authenticating and authorizing a service request sent from a service client to a service provider, comprising: a processor; a memory connected to the processor; an authorization database in the memory; a service request filter program in the memory directing the processor to perform steps comprising: receive an incoming service request from the service client on a communication channel, the service request having a digital certificate attached; extract a client identifier from the digital certificate associated with the service request; store the client identifier in the memory using a security program; and wherein the security program encrypts the client identifier in a secure data structure using a key.
[002] The programmable apparatus of claim 1 wherein the security program comprises instructions for the processor to perform steps comprising: acquire a service request; extract the client identifier from the service request; store the client identifier in the secured data structure; and encrypt the secured data structure using a key.
[003] The programmable apparatus of claim 2 wherein the security program comprises instructions for the processor to perform steps further comprising: obtain a web context for the service request; get a requested object; obtain an SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
[004] The security program of claim 3 wherein the key is unique to the client identifier.
[005] The programmable apparatus of claim 4 further comprising: send the service request on the communication channel to a web service manager; a service client authentication program in the memory directing the processor to perform steps comprising: responsive to receiving an authentication request from a web service manager, request a client identifier; and wherein the client identifier is provided by the security program only if the key is presented with the request.
[006] The programmable apparatus of claim 5 wherein the service client authentication program in the memory directs the processor to perform steps further comprising: match the client identifier with a service client record in the authorization database having the same client identifier; and responsive to matching the client identifier with a record in the authorization database, call a service authorization program in the memory; wherein the service authorization program directs the processor to perform steps comprising: determine if the client identifier associated with the service request is authorized to access the service provider; and responsive to determining that the service request is authorized, authorize the service provider to process the request.
[007] The programmable apparatus of claim 6 wherein the service request filter program further directs the processor to authenticate the digital certificate with the issuing certification authority.
[008] The programmable apparatus of claim 7 wherein the digital certificate is an X.509 digital certificate.
[009] The programmable apparatus of claim 8 wherein the client identifier is a distinguished name.
[010] The programmable apparatus of claim 9 wherein the digital certificate is self-signed.
[011] The programmable apparatus of claim 10 further comprising an authorization log.
[012] The programmable apparatus of claim 11 wherein the service client authentication program further records the client identifier in the authorization log.
[013] The programmable apparatus of claim 12 wherein the service authorization program further records the client identifier and service request in the authorization log.
[014] The apparatus of claim 1, wherein the service request filter program in the memory is further operable to direct the processor to send the service request on the communication channel to a web service manager.
[015] The apparatus of claim 2, wherein the client certificate comprises the client identifier, the apparatus further comprising: means for sending the service request to a web service manager; responsive to receiving an authentication request from a web service manager, means for requesting a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; means for matching the client identifier with a service client record in the authorization database having the same client identifier; means for determining if the client identifier associated with the service request is authorized to access the service provider; responsive to determining that the service request is authorized, means for authorizing the service provider to process the request; means for authenticating the digital certificate with the issuing certification authority; wherein the digital certificate is an X.509 digital certificate; wherein the client identifier is a distinguished name; wherein the digital certificate is self-signed; means for recording the client identifier in an authorization log; and means for recording the client identifier and service request in the authorization log.
[016] A web service architecture having the programmable apparatus of claim 13.
[017] A security program for encrypting a client identifier in a secured data structure, the security program comprising: a computer readable medium; wherein the computer readable medium comprises instructions for a processor to perform steps comprising: acquire a service request; extract the client identifier from the service request; store the client identifier in the secured data structure; and encrypt the secured data structure using a key.
[018] The security program of claim 17 wherein the steps further comprise: obtain a web context for the service request; get a requested object; obtain an SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
[019] The security program of claim 18 wherein the key is unique to the client identifier.
[020] A computer-readable memory for causing a computer to authenticate and authorize service requests sent from a service client to a service provider, comprising: a computer-readable storage medium; an authorization database stored in the storage medium; a service request filter program stored in the storage medium, wherein the storage medium, so configured by the service request filter program, causes the computer to perform steps comprising: receive an incoming service request on a communication channel, the service request having a digital certificate attached; extract a client identifier from the digital certificate associated with the service request; store the client identifier in the memory using a security program; wherein the security program encrypts the client identifier in a secure data structure using a key; and send the service request on the communication channel to a web service manager.
[021] The computer-readable memory of claim 20 wherein the security program comprises instructions for the processor to perform steps comprising: acquire a service request; extract the client identifier from the service request; store the client identifier in the secured data structure; and encrypt the secured data structure using a key.
[022] The computer-readable memory of claim 21 wherein the security program comprises instructions for the processor to perform steps further comprising: obtain a web context for the service request; get a requested object; obtain an SSL client certificate from the object; notify an authenticating and authorizing agent to continue processing the service request; and wherein the client certificate comprises the client identifier.
[023] The computer-readable memory of claim 21 wherein the key is unique to the client identifier.
[024] The computer-readable memory of claim 21 comprising instructions operable to: send the service request on the communication channel to a web service manager, the computer-readable memory further comprising: a service client authentication program in the memory directing the processor to perform steps comprising: responsive to receiving an authentication request from a web service manager, request a client identifier; and wherein the client identifier is provided by the security program only if the key is presented with the request.
[025] The computer-readable memory of claim 21 wherein the service client authentication program in the memory is operable to direct the processor to: responsive to receiving an authentication request from a web service manager, request a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; match the client identifier with a service client record in the authorization database having the same client identifier; responsive to matching the client identifier with a record in the authorization database, call a service authorization program in the memory; wherein the service authorization program is stored in the storage medium, and the storage medium, so configured by the service authorization program, causes the computer to perform steps comprising: determine if the client identifier associated with the service request is authorized to access the service provider; and responsive to determining that the service request is authorized, authorize the service provider to process the request.
[026] The computer readable memory of claim 21 wherein the service request filter program further causes the computer to authenticate the digital certificate with the issuing certification authority.
[027] The computer-readable memory of claim 21 wherein the digital certificate is an X.509 digital certificate.
[028] The computer-readable memory of claim 21 wherein the client identifier is a distinguished name.
[029] The computer-readable memory of claim 21 wherein the digital certificate is self-signed.
[030] The computer-readable memory of claim 21 further comprising an authorization log.
[031] The computer-readable memory of claim 30 wherein the service client authentication program further causes the computer to record the client identifier in the authorization log.
[032] The computer-readable memory of claim 30 wherein the service authorization program further causes the computer to record the client identifier and service request in the authorization log.
[033] An apparatus for authenticating and authorizing a service request sent from a service client to a service provider, comprising: means for receiving an incoming service request on a communication channel, the service request having a digital certificate attached; means for extracting a client identifier from the digital certificate associated with the service request; means for storing the client identifier in the memory using a security program; wherein the security program comprises: means for acquiring a service request; means for extracting the client identifier from the service request; means for storing the client identifier in the secured data structure; and means for encrypting the secured data structure using a key, wherein the client certificate comprises the client identifier; means for sending the service request to a web service manager; responsive to receiving an authentication request from a web service manager, means for requesting a client identifier; wherein the client identifier is provided by the security program only if a key corresponding to the key is presented with the request; means for matching the client identifier with a service client record in the authorization database having the same client identifier; means for determining if the client identifier associated with the service request is authorized to access the service provider; responsive to determining that the service request is authorized, means for authorizing the service provider to process the request; means for authenticating the digital certificate with the issuing certification authority; wherein the digital certificate is an X.509 digital certificate; wherein the client identifier is a distinguished name; wherein the digital certificate is self-signed; means for recording the client identifier in an authorization log; and means for recording the client identifier and service request in the authorization log.
[034] A method comprising the steps of: receiving an incoming service request from the service client on a communication channel, the service request having a digital certificate attached; extracting a client identifier from the digital certificate associated with the service request; storing the client identifier in the memory using a security program; and wherein the security program encrypts the client identifier in a secure data structure using a key.
[035] A method for encrypting a client identifier in a secured data structure, the method comprising: acquiring a service request; extracting the client identifier from the service request; storing the client identifier in the secured data structure; and encrypting the secured data structure using a key.
[036] A computer program comprising program code means adapted to perform the method of claim 34 or 35 when said program is run on a computer.
PCT/EP2005/052280 2004-05-20 2005-05-18 An apparatus, computer-readable memory and method for authenticating and authorizing a service request sent from a service client to a service provider WO2005114946A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/850,398 US7412719B2 (en) 2004-05-20 2004-05-20 Architecture and design for central authentication and authorization in an on-demand utility environment using a secured global hashtable
US10/850,398 2004-05-20

Publications (1)

Publication Number Publication Date
WO2005114946A1 true WO2005114946A1 (en) 2005-12-01

Family

ID=34968400

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2005/052280 WO2005114946A1 (en) 2004-05-20 2005-05-18 An apparatus, computer-readable memory and method for authenticating and authorizing a service request sent from a service client to a service provider

Country Status (4)

Country Link
US (2) US7412719B2 (en)
CN (1) CN1930850A (en)
TW (1) TW200607302A (en)
WO (1) WO2005114946A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212460B (en) * 2006-12-25 2012-04-25 华为技术有限公司 Service function providing method and system

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7519812B2 (en) * 2004-02-19 2009-04-14 International Business Machines Corporation Architecture and design for central authentication and authorization in an on-demand utility environment
US7412719B2 (en) * 2004-05-20 2008-08-12 International Business Machines Corporation Architecture and design for central authentication and authorization in an on-demand utility environment using a secured global hashtable
US20080263644A1 (en) * 2007-04-23 2008-10-23 Doron Grinstein Federated authorization for distributed computing
US8844002B2 (en) * 2007-06-29 2014-09-23 Ebay Inc. Method and system for notification and request processing
US9270471B2 (en) 2011-08-10 2016-02-23 Microsoft Technology Licensing, Llc Client-client-server authentication
MX339108B (en) * 2012-09-18 2016-05-12 Google Inc Systems, methods, and computer program products for interfacing multiple service provider trusted service managers and secure elements.
CN103116819B (en) * 2012-11-12 2016-12-21 成都锦瑞投资有限公司 Property system of real name certification KEY based on CFCA Valuation Standard management platform and application thereof
WO2014112972A1 (en) * 2013-01-15 2014-07-24 Schneider Electric USA, Inc. Systems and methods for securely accessing programmable devices
CN103927491A (en) * 2014-04-30 2014-07-16 南方电网科学研究院有限责任公司 Security baseline assessment method based on SCAP
US9742780B2 (en) * 2015-02-06 2017-08-22 Microsoft Technology Licensing, Llc Audio based discovery and connection to a service controller
US11032379B2 (en) * 2015-04-24 2021-06-08 Citrix Systems, Inc. Secure in-band service detection
US10108965B2 (en) 2015-07-14 2018-10-23 Ujet, Inc. Customer communication system including service pipeline

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003079628A1 (en) * 2002-03-20 2003-09-25 Research In Motion Limited Certificate information storage system and method

Family Cites Families (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5793868A (en) * 1996-08-29 1998-08-11 Micali; Silvio Certificate revocation system
US6285991B1 (en) * 1996-12-13 2001-09-04 Visa International Service Association Secure interactive electronic account statement delivery system
US6128740A (en) * 1997-12-08 2000-10-03 Entrust Technologies Limited Computer security system and method with on demand publishing of certificate revocation lists
US6615347B1 (en) * 1998-06-30 2003-09-02 Verisign, Inc. Digital certificate cross-referencing
US6321333B1 (en) * 1998-10-14 2001-11-20 Wave Systems Corporation Efficient digital certificate processing in a data processing system
US6430688B1 (en) * 1998-12-22 2002-08-06 International Business Machines Corporation Architecture for web-based on-line-off-line digital certificate authority
US6553568B1 (en) * 1999-09-29 2003-04-22 3Com Corporation Methods and systems for service level agreement enforcement on a data-over cable system
US6611869B1 (en) * 1999-10-28 2003-08-26 Networks Associates, Inc. System and method for providing trustworthy network security concern communication in an active security management environment
US6571221B1 (en) * 1999-11-03 2003-05-27 Wayport, Inc. Network communication service with an improved subscriber model using digital certificates
US20020128981A1 (en) * 2000-12-28 2002-09-12 Kawan Joseph C. Method and system for facilitating secure customer financial transactions over an open network
US7171411B1 (en) * 2001-02-28 2007-01-30 Oracle International Corporation Method and system for implementing shared schemas for users in a distributed computing system
US7748020B2 (en) * 2002-10-08 2010-06-29 Canon Kabushiki Kaisha Receiving apparatus and method for processing interruptions in streaming broadcasts
EP1511306A1 (en) * 2003-09-01 2005-03-02 Thomson Licensing S.A. Method for detecting source status changes during time-shift recording
US20050160308A1 (en) * 2004-01-09 2005-07-21 General Instrument Corporation Failure recovery for digital video recorders
US7519812B2 (en) * 2004-02-19 2009-04-14 International Business Machines Corporation Architecture and design for central authentication and authorization in an on-demand utility environment
US7412719B2 (en) * 2004-05-20 2008-08-12 International Business Machines Corporation Architecture and design for central authentication and authorization in an on-demand utility environment using a secured global hashtable

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003079628A1 (en) * 2002-03-20 2003-09-25 Research In Motion Limited Certificate information storage system and method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SCHNEIER, BRUCE: "Applied Cryptography, Second Edition", 1996, JOHN WILEY & SONS, INC., NEW YORK, XP002342178 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101212460B (en) * 2006-12-25 2012-04-25 华为技术有限公司 Service function providing method and system

Also Published As

Publication number Publication date
US7412719B2 (en) 2008-08-12
US7788710B2 (en) 2010-08-31
US20050273596A1 (en) 2005-12-08
CN1930850A (en) 2007-03-14
US20090037731A1 (en) 2009-02-05
TW200607302A (en) 2006-02-16

Similar Documents

Publication Publication Date Title
WO2005114946A1 (en) An apparatus, computer-readable memory and method for authenticating and authorizing a service request sent from a service client to a service provider
US7991996B2 (en) Architecture and design for central authentication and authorization in an on-demand utility environment
US6092196A (en) HTTP distributed remote user authentication system
AU2003212723B2 (en) Single sign-on secure service access
CN102638454B (en) Plug-in type SSO (single sign-on) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol
US8386776B2 (en) Certificate generating/distributing system, certificate generating/distributing method and certificate generating/distributing program
US6490679B1 (en) Seamless integration of application programs with security key infrastructure
US5586260A (en) Method and apparatus for authenticating a client to a server in computer systems which support different security mechanisms
US7366900B2 (en) Platform-neutral system and method for providing secure remote operations over an insecure computer network
US7197568B2 (en) Secure cache of web session information using web browser cookies
JP5635978B2 (en) Authenticated database connection for applications without human intervention
US6986047B2 (en) Method and apparatus for serving content from a semi-trusted server
US20050076082A1 (en) Method and system for managing the exchange of files attached to electronic mails
CN107122674B (en) Access method of oracle database applied to operation and maintenance auditing system
US20030115341A1 (en) Method and system for authenticating a user in a web-based environment
US20030208681A1 (en) Enforcing file authorization access
US8566581B2 (en) Secure inter-process communications
CN107872455A (en) A cross-domain single sign-on system and method
CN112468481A (en) Single-page and multi-page web application identity integrated authentication method based on CAS
US20040083296A1 (en) Apparatus and method for controlling user access
US9009799B2 (en) Secure access
CN109492434A (en) A method and system for securely processing electronic credentials
CN112953711A (en) Database security connection system and method
CN113872934A (en) Encryption platform based on micro-service architecture
CN115022088A (en) Government affair gateway system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
WWE WIPO information: entry into national phase

Ref document number: 200580007950.6

Country of ref document: CN

NENP Non-entry into the national phase

Ref country code: DE

WWW WIPO information: withdrawn in national office

Country of ref document: DE

122 EP: PCT application non-entry in European phase