Authentication of users with dynamically configurable protocol stack
United States Patent 5594921
Source: http://www.wikipatents.com/5594921.html
Inventor(s): Pettus; Christopher E. (San Francisco, CA)
Abstract: On a multi-node client server network, a client node obtains access to remote services by means of a communications directory service located in each node of the network. The communications directory service includes a tree structure to which existing directory services and other network services can be added. The tree structure has a plurality of nodes each of which includes specific methods that query and browse the associated directory service if such actions are supported by the underlying service. The communications directory service further includes shared libraries which store a service object associated with each service offered on the network. The service object, in turn, includes the service exchange address and communication link configuration information. A client desiring to access a remote service retrieves the appropriate service object from the communications directory service and uses the service object to set up the communications path.
[Drawing from US Patent 5594921]
Owner/Assignee: Object Technology Licensing Corp. (Cupertino, CA)
Publication Date: January 14, 1997
Application Number: 08/169,346
Filing Date: December 17, 1993
US Classification: 710/11 709/228 709/229 710/1 713/151
Int'l Classification: G06F 015/00
Examiner: Lee; Thomas C.
Assistant Examiner: Stanton; Terance J.
Attorney/Law Firm: Bookstein & Kudirka
USPTO Field of Search: 395/200.01 395/600 395/650 395/700
References Cited (U.S. patents)

Patent    Inventor      Class     Date
5440744   Jacobson      -         Aug 1995
5408619   Oran          707/10    Apr 1995
5377350   Skinner       719/316   Dec 1994
5349642   Kingdon       713/161   Sep 1994
5257369   Skeen         719/312   Oct 1993
5224163   Gasser        380/30    Jun 1993
5181162   Smith         715/530   Jan 1993
5151987   Abraham       714/20    Sep 1992
5148479   Bird          713/155   Sep 1992
5136705   Stubbs        714/27    Aug 1992
5133075   Risch         707/201   Jul 1992
5125091   Staas, Jr.    718/101   Jun 1992
5119475   Smith         715/866   Jun 1992
5093914   Coplien       717/129   Mar 1992
5075848   Lai           -         Dec 1991
5060276   Morris        382/151   Oct 1991
5050090   Golub         700/217   Sep 1991
5041992   Cunningham    345/641   Aug 1991
4953080   Dysart        707/103R  Aug 1990
4919545   Yu            713/167   Apr 1990
4891630   Friedman      345/156   Jan 1990
4885717   Beck          717/125   Dec 1989
4821220   Duisberg      703/2     Apr 1989

Foreign References: none listed
Other References: none listed
Claims

Having thus described our invention, what we claim as new, and desire to secure by Letters Patent is:

1. A multi-node computer system for connecting a client node to a server node over a network, the network operating according to a predefined network protocol defined by a plurality of layers including a session layer, the computer network system comprising:

(a) first storage apparatus located in the server node;

(b) a service program located in the first storage apparatus of the server node for offering a service to the client node;

(c) second storage apparatus located in the client node;

(d) communications directory service programs located in the client node and in the server node, each of the communications directory service programs having means for storing a service object for each service available on the network, each service object including a stack definition that defines layers of the network protocol needed to communicate with each corresponding service;

(e) first apparatus located in the client node for retrieving a stored service object from the communications directory service program in the client node and for dynamically configuring a protocol stack based on the stack definition included with the service object, the protocol stack having program code means for communicating on the network in accordance with the predefined network protocol, the protocol stack further having client authentication means for collecting information about a user and authenticating the user with the service, the first apparatus further including means for returning an access point to a client application executing on the client node, the access point referencing a portion of the protocol stack corresponding to the session layer; and

(g) second apparatus located in the client node for invoking the client authentication means in response to a protocol stack activation request by a user, wherein a client application first activates the protocol stack and then accesses the protocol stack at the access point to communicate with the service program.

2. A multi-node computer network system according to claim 1 wherein each of the communications directory service programs further comprises a directory tree structure having a plurality of node objects and a mechanism responsive to user-entered criteria for traversing the tree structure to locate selected ones of the node objects.

3. A multi-node computer network system according to claim 2, wherein at least some of the plurality of node objects have a service object stored therein.

4. A method for operating a client node in a multi-node computer network for connecting a client node to a server node over a network, the network operating according to a predefined network protocol defined by a plurality of layers including a session layer, the client node having storage apparatus, a processor, an application program controlling the processor for requesting a service from the server node and a configurable protocol stack having program code for communicating on the network in accordance with the predefined protocol and having authentication means for collecting information about a user and authenticating the user with a service, the method comprising the steps of:

A. storing a service object for each service available on the network in the storage apparatus, each service object including a stack definition that defines layers of the network protocol needed to communicate with each corresponding service;

B. the client node receiving user-entered criteria specifying the service; the client node using the user-entered criteria for traversing a directory tree structure with a plurality of node objects to locate selected ones of the node objects;

D. the client node using the selected node object to retrieve the service object from the storage apparatus;

E. the client node configuring the reconfigurable protocol stack in accordance with the stack definition included in the service object to communicate on the network; and

F. the client node using the protocol stack to authenticate the user utilizing the service.
Description

FIELD OF THE INVENTION

This invention relates, in general, to distributed computer networks and more specifically to security for distributed network directory and naming services.

BACKGROUND OF THE INVENTION

With the tremendous growth of data processing by means of independent, localized data processing devices, such as personal computers and mini computers, data networks have evolved to connect together physically-separated devices and to permit digital communication among the various devices connected to the network.

There are several types of networks, including local area networks (LANs) and wide area networks (WANs). A LAN is a limited area network, and data devices connected to a LAN are generally located within the same building. The LAN typically consists of a transmission medium, such as a coaxial cable or a twisted pair, which connects together various computers, servers, printers, modems and other digital devices. Each of the devices, which are collectively referred to as "nodes", is connected to the transmission medium at an address which uniquely identifies the node and is used to route data from one node to another. A node which provides resources and services is called a "server" node and a node which uses the resources and services is called a "client" node. A WAN generally encompasses a much larger area and may involve common carrier connections such as telephone lines.

LANs and WANs are often connected together in various configurations to form "enterprise" networks which may span different buildings or locations or extend across an entire continent. Enterprise networks are convenient for several reasons: they allow resource sharing--programs, data and equipment are available to all nodes connected to the network without regard to the physical location of the resource and the user. Enterprise networks may also provide reliability by making several redundant sources of data available. For example, important data files can be replicated on several storage devices so that, if one of the files is unavailable, for example, due to equipment failure, the duplicate files are available.

One of the most important characteristics of enterprise networks is that they have the capability of bringing a large and sophisticated set of services to all of the attached users for a reasonable cost. However, for the users to exploit the network potential, they must be able to identify, locate and access the network resources. When a network is small, locating and accessing the available services is relatively simple, but networks are growing larger and many networks are presently very large. Thousand-node networks are common and million-node networks are on the horizon.

An example of a very large network is the INTERNET network, which is used by some of the largest public and private organizations. Much of the power of this type of network goes unused simply because the users are either unaware of the facilities available to them or they find the methods of accessing the facilities difficult or confusing. Consequently, in order to assist users in locating and accessing network resources, many existing networks today utilize network directory or naming services which accept a resource identifier or name from a user and locate the network address that corresponds to the desired network resource.

For example, the entered identifier or name can be "descriptive" and specify a resource by describing enough of its attributes to distinguish it from other resources. Such descriptive names are most useful to human users who are searching the network for a resource that meets certain specified criteria, but they also require the most computing resources and are often difficult to distribute effectively. There presently exist a number of standards for such descriptive name services. For example, the Consultative Committee on International Telephony and Telegraphy (CCITT) and the International Standards Organization (ISO) have developed a standard for a descriptive name service known as X.500.

Naming and directory services (these will be referred to together as "directory services" hereafter) are presently implemented in a variety of ways. The simplest implementation is to use a single, centralized database contained in a local server node to hold a list of names and corresponding network addresses. An example of such a localized directory service is shown in FIG. 1. FIG. 1 illustrates a computer network arranged in a "client-server" configuration comprising a plurality of client nodes 106, 108, 120, 122 and 128 which may, for example, be workstations, personal computers, minicomputers or other computing devices on which run application programs that communicate over various network links including links 102, 110, 116, 126 and 136 with each other and with server nodes, such as nodes 100, 112, 124, 132 and 138. The server nodes may contain specialized hardware devices and software programs that can provide a service or set of services to all or some of the client nodes. The client nodes are the users of the various network services which, in turn, are provided by the server nodes.

Typically, the centralized directory service database 104 is located in one of the server nodes, such as node 100. A client node, such as client node 108, can access the directory service by connecting to server node 100, entering a resource identifier or name and retrieving the network address of the associated service. By means of conventional database techniques, a client node may be able to search over the database in order to locate a given resource. In addition, many directory services support browsing by using partial name descriptions, "wild cards" and placeholders. Such centralized directory services with single databases work well in small networks where the number of network addresses is small. However, in larger networks, it is often not feasible to store all the resource identifiers in one central location. Further, a single database represents a single point of failure which can disable the entire network. In addition, a centralized database often suffers from poor performance. For example, while it may be relatively efficient for a local client, such as client 108, to connect to server 100 and access database 104, a remote client, such as client 120, which must link through several servers, 124 and 112, along with a "gateway" link 116, will incur a significant amount of network overhead and the overall system "cost" of the access will be high. With a large number of remote access attempts, directory service provider 100 can quickly become both a processing and communication bottleneck for the entire network.

In order to overcome these problems, additional prior art techniques have been developed which distribute the database data over multiple locations. Such a system is shown schematically in FIG. 2. FIG. 2 depicts a client-server type of network which is similar to that shown in FIG. 1. In particular, elements which correspond in the two figures have corresponding numeral designations. For example, client 108 in FIG. 1 is similar to client 208 in FIG. 2. The difference between the two networks is that the directory service database has been replicated in a number of the server nodes. For example, server node 200 contains a directory service database 204 as do server nodes 212 (database 214), server node 232 (database 230) and server node 224 (database 218). There are a number of prior art methods for replicating the data in each of the databases. Some systems replicate each resource identifier individually in each database, other systems replicate the entire database. Still other systems replicate individual nodes or limit replication by partitioning the database in some manner.

The distributed system shown in FIG. 2 avoids the problems associated with the centralized database. Since the data is replicated, there is no single point of failure and, since the data is usually available on a nearby server node, there are no "remote" client nodes and network overhead is greatly reduced.

However, the distributed system has its own problems. For example, some method must be used to ensure data consistency if multiple sources can update the databases. Some systems force data consistency by keeping all copies of the data tightly synchronized in a manner similar to a conventional database system. Other systems ensure data integrity by means of conventional concurrency arbitration schemes.

Such distributed naming and directory services are effective on homogeneous networks in which the same access methods and protocols apply over the entire network. In this case, a consistent set of names and rules can be developed to permit location and access of various resources with relative ease. However, many large networks are heterogeneous--not only do the networks comprise many types of different computers, including work stations, personal computers, mini-computers, super-computers and main frames, but the network itself is often composed of many independent smaller networks which are connected together by interfaces called "gateways". These smaller networks may have their own access methods and protocols. Further, the heterogeneous construction and organization of these large networks does not lend itself to central control and management which could dictate common methods and protocols.

In many large networks which are comprised of a set of smaller networks which are connected together, each of the underlying separate networks may have its own different directory service utilizing a specific protocol. In this type of network a user may have to be familiar with each network directory service protocol and may have to shift from protocol to protocol as searches are performed from network to network. Consequently, in such a heterogeneous network, one of the main difficulties in accessing network resources arises from a lack of a consistent globally-accessible directory of network resources which can operate over heterogeneous networks without involving the user in the details and the protocol involved in accessing each of these separate networks. Today's networking services have various naming and authentication systems. However, there are no unifying apparatus and method to provide support for any security system transparently.

Accordingly, it is an object of the present invention to provide a single, globally accessible communication directory security service which is capable of interacting with the various existing directory security services and other services on a network, as well as with future directory security services that may be provided on it.

SUMMARY OF THE INVENTION

The foregoing problems are solved and the foregoing objects are achieved in one illustrative embodiment of the invention in which a communications directory security service is located in each node of the network. The communications directory security service includes a tree structure to which existing directory security services and other network services can be added. The tree structure has a plurality of nodes each of which includes specific methods that query and browse the associated directory security service if such actions are supported by the underlying service. The communications directory security service further includes shared libraries which store a service object associated with each service offered on the network. The service object, in turn, includes the service exchange address and communication link configuration information. A client desiring to access a remote service retrieves the appropriate service object from the communications directory security service and uses the service object to set up the communications path.

In one embodiment of the invention, each node uses a reconfigurable protocol stack to establish network connections to remote nodes. The communications directory security service stores a set of stack definitions which allow the reconfigurable stack to be set up for a particular communication link. Each service object corresponding to a particular service contains a reference to one or more stack definitions for communication links appropriate to that service. When a client retrieves the service object, one of the stack definitions is selected based on criteria such as quality of service or availability of the link.
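The client-side procedure of claim 4 (locate a node object, retrieve its service object, configure the stack from the stack definition, authenticate the user) and the stack-definition selection described just above, modelled as an added Python example that is not the patent's own code; the quality-of-service score, the salted credential table, the service and node names and the session-layer index used as the access point are all assumptions made here.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Seven-layer ISO model, bottom-up, used to order and validate a stack.
ISO_LAYERS = ["physical", "data_link", "network", "transport",
              "session", "presentation", "application"]
SALT = b"constructed-salt"  # assumed fixed salt for the sample credentials

@dataclass
class StackDefinition:
    name: str
    layers: List[str]     # layers needed to communicate over this link
    quality: int          # assumed quality-of-service score, higher is better
    available: bool = True

@dataclass
class ServiceObject:
    service_name: str
    exchange_address: str
    stack_definitions: List[StackDefinition]

@dataclass
class DirectoryNode:
    name: str
    service: Optional[ServiceObject] = None
    children: List["DirectoryNode"] = field(default_factory=list)

def find_node(root: DirectoryNode, wanted: str) -> DirectoryNode:
    """Traverse the directory tree (claim 4, step B) for the node `wanted`."""
    pending = [root]
    while pending:
        node = pending.pop()
        if node.name == wanted:
            return node
        pending.extend(node.children)
    raise LookupError(f"no directory node named {wanted!r}")

def select_stack(service: ServiceObject) -> StackDefinition:
    """Pick one definition by availability and quality; a link without a
    session layer cannot yield the access point, so it is never chosen."""
    usable = [d for d in service.stack_definitions
              if d.available and "session" in d.layers
              and all(layer in ISO_LAYERS for layer in d.layers)]
    if not usable:
        raise LookupError(f"no usable link for {service.service_name!r}")
    return max(usable, key=lambda d: d.quality)

def credential_digest(password: str) -> bytes:
    """Salted SHA-256 of a sample password, the form the table stores."""
    return hashlib.sha256(SALT + password.encode()).digest()

def make_authenticator(credentials: Dict[str, bytes]) -> Callable:
    """Client authentication means backed by a constructed credential table."""
    def authenticate(user_info: Dict[str, str]) -> Optional[str]:
        expected = credentials.get(user_info.get("user", ""))
        digest = credential_digest(user_info.get("password", ""))
        if expected is not None and hmac.compare_digest(digest, expected):
            return user_info["user"]
        return None  # unknown user or wrong password: no principal
    return authenticate

class ProtocolStack:
    """Stack built from a definition; activation invokes authentication
    (claim 1(g)) and the access point is withheld until that succeeds."""
    def __init__(self, definition: StackDefinition, auth: Callable):
        self.layers = sorted(definition.layers, key=ISO_LAYERS.index)
        self._auth = auth
        self.principal: Optional[str] = None
    def activate(self, user_info: Dict[str, str]) -> None:
        principal = self._auth(user_info)
        if principal is None:
            raise PermissionError("authentication with the service failed")
        self.principal = principal
    def access_point(self) -> int:
        # Index of the session layer: the point the application talks to.
        if self.principal is None:
            raise RuntimeError("activate the stack before requesting access")
        return self.layers.index("session")

def connect(root: DirectoryNode, wanted: str, user_info: Dict[str, str],
            auth: Callable):
    """Claim 4 steps B-F; returns (stack, session-layer access point)."""
    service = find_node(root, wanted).service
    if service is None:
        raise LookupError(f"node {wanted!r} holds no service object")
    stack = ProtocolStack(select_stack(service), auth)
    stack.activate(user_info)
    return stack, stack.access_point()

def build_sample_directory() -> DirectoryNode:
    """Constructed directory: one file service reachable over three links."""
    lower = ["physical", "data_link", "network", "transport"]
    files = ServiceObject("files", "srv-1:9000", [
        StackDefinition("lan", lower + ["session"], quality=9),
        StackDefinition("wan", lower + ["session"], quality=4),
        StackDefinition("raw", lower, quality=10),  # no session layer
    ])
    return DirectoryNode("root", children=[
        DirectoryNode("corp", children=[DirectoryNode("files", files)]),
    ])
```

The "raw" link scores highest but lacks a session layer, so it is skipped; marking the LAN link unavailable makes the selection fall through to the WAN link.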

BRIEF DESCRIPTION OF THE DRAWINGS

The above and further advantages of the invention may be better understood by referring to the following description in conjunction with the accompanying drawings, in which:

FIG. 1 is a block schematic diagram of a prior art client server network which incorporates a local directory service.

FIG. 2 is a block schematic diagram of a prior art client server network which incorporates a distributed directory server.

FIG. 3 is a block schematic diagram of a computer system, for example, a personal computer system in which the inventive object oriented printing interface operates.

FIG. 4 is a block schematic diagram of a client server network which incorporates the inventive communications directory service.

FIG. 5 is a detailed block schematic diagram of a prior art protocol stack used to transmit data between two nodes, structured in accordance with the International Standards Organization seven layer model.

FIG. 6 is a block schematic diagram of the major components of the communications directory service.

FIG. 7 is a schematic diagram of an illustrative directory tree set up which allows browsing over various directory services and other network services.

FIG. 8 is a block schematic diagram of the main components of a server node illustrating how a service program interacts with the communications directory service.

FIG. 9 is a simplified flowchart of the steps involved in making a new service available on the network.

FIG. 10 is an expanded flowchart of the steps carried out by the service program in order to activate a service object.

FIG. 11 is a block schematic diagram of the main components of a client node illustrating how an application program interacts with the communications directory service to access a service.

FIG. 12 is a simplified flowchart of the steps involved in accessing a service available on the network.

FIG. 13 is an expanded flowchart of the steps carried out by the service program in order to activate a service object.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS

The invention is preferably practiced in the context of an operating system resident on a personal computer such as the IBM PS/2 or Apple Macintosh computer. A representative hardware environment is depicted in FIG. 3, which illustrates a typical hardware configuration of a computer 300 in accordance with the subject invention. The computer 300 is controlled by a central processing unit 302, which may be a conventional microprocessor; a number of other units, all interconnected via a system bus 308, are provided to accomplish specific tasks. Although a particular computer may only have some of the units illustrated in FIG. 3 or may have additional components not shown, most computers will include at least the units shown.

Specifically, computer 300 shown in FIG. 3 includes a random access memory (RAM) 306 for temporary storage of information, a read only memory (ROM) 304 for permanent storage of the computer's configuration and basic operating commands and an input/output (I/O) adapter 310 for connecting peripheral devices such as a disk unit 313 and printer 314 to the bus 308, via cables 315 and 312, respectively. A user interface adapter 316 is also provided for connecting input devices, such as a keyboard 320, and other known interface devices including mice, speakers and microphones to the bus 308. Visual output is provided by a display adapter 318 which connects the bus 308 to a display device 322 such as a video monitor. The workstation has resident thereon and is controlled and coordinated by operating system software such as the Apple System/7 operating system.

In a preferred embodiment, the invention is implemented in the C++ programming language using object-oriented programming techniques. C++ is a compiled language, that is, programs are written in a human-readable script and this script is then provided to another program called a compiler which generates a machine-readable numeric code that can be loaded into, and directly executed by, a computer. As described below, the C++ language has certain characteristics which allow a software developer to easily use programs written by others while still providing a great deal of control over the reuse of programs to prevent their destruction or improper use. The C++ language is well-known and many articles and texts are available which describe the language in detail. In addition, C++ compilers are commercially available from several vendors including Borland International, Inc. and Microsoft Corporation. Accordingly, for reasons of clarity, the details of the C++ language and the operation of the C++ compiler will not be discussed further in detail herein.

As will be understood by those skilled in the art, Object-Oriented Programming (OOP) techniques involve the definition, creation, use and destruction of "objects". These objects are software entities comprising data elements and routines, or functions, which manipulate the data elements. The data and related functions are treated by the software as an entity and can be created, used and deleted as if they were a single item. Together, the data and functions enable objects to model virtually any real-world entity in terms of its characteristics, which can be represented by the data elements, and its behavior, which can be represented by its data manipulation functions. In this way, objects can model concrete things like people and computers, and they can also model abstract concepts like numbers or geometrical designs.

Objects are defined by creating "classes" which are not objects themselves, but which act as templates that instruct the compiler how to construct the actual object. A class may, for example, specify the number and type of data variables and the steps involved in the functions which manipulate the data. An object is actually created in the program by means of a special function called a constructor which uses the corresponding class definition and additional information, such as arguments provided during object creation, to construct the object. Likewise objects are destroyed by a special function called a destructor. Objects may be used by using their data and invoking their functions.

The principal benefits of object-oriented programming techniques arise out of three basic principles: encapsulation, polymorphism and inheritance. More specifically, objects can be designed to hide, or encapsulate, all, or a portion of, the internal data structure and the internal functions. More particularly, during program design, a program developer can define objects in which all or some of the data variables and all or some of the related functions are considered "private" or for use only by the object itself. Other data or functions can be declared "public" or available for use by other programs. Access to the private variables by other programs can be controlled by defining public functions for an object which access the object's private data. The public functions form a controlled and consistent interface between the private data and the "outside" world. Any attempt to write program code which directly accesses the private variables causes the compiler to generate an error during program compilation, which error stops the compilation process and prevents the program from being run.

Polymorphism is a concept which allows objects and functions which have the same overall format, but which work with different data, to function differently in order to produce consistent results. For example, an addition function may be defined as variable A plus variable B (A+B) and this same format can be used whether the A and B are numbers, characters or dollars and cents. However, the actual program code which performs the addition may differ widely depending on the type of variables that comprise A and B. Polymorphism allows three separate function definitions to be written, one for each type of variable (numbers, characters and dollars). After the functions have been defined, a program can later refer to the addition function by its common format (A+B) and, during compilation, the C++ compiler will determine which of the three functions is actually being used by examining the variable types. The compiler will then substitute the proper function code. Polymorphism allows similar functions which produce analogous results to be "grouped" in the program source code to produce a more logical and clear program flow.

The third principle which underlies object-oriented programming is inheritance, which allows program developers to easily reuse pre-existing programs and to avoid creating software from scratch. The principle of inheritance allows a software developer to declare classes (and the objects which are later created from them) as related. Specifically, classes may be designated as subclasses of other base classes. A subclass "inherits" and has access to all of the public functions of its base classes just as if these functions appeared in the subclass. Alternatively, a subclass can override some or all of its inherited functions or may modify some or all of its inherited functions merely by defining a new function with the same form (overriding or modification does not alter the function in the base class, but merely modifies the use of the function in the subclass). The creation of a new subclass which has some of the functionality (with selective modification) of another class allows software developers to easily customize existing code to meet their part