
Servlet/Applet/HTML Authentication Process with Single Sign-On

IP.com Disclosure Number: IPCOM000013676D
Original Publication Date: 2000-Jan-01
Included in the Prior Art Database: 2003-Jun-18
Document File: 3 page(s) / 64K

Publishing Venue

IBM

Abstract

A process is disclosed that makes it possible for Java* Servlets to log in to the IBM** SecureWay** On-Demand Server Version 2 (ODS) with a web browser as the user interface. It is relatively straightforward to authenticate a user with ODS when the authentication is only needed within one Java Virtual Machine* (JVM). Examples of programs in one JVM are the ODS Applet Launcher desktop and the Applets it launches, or the Servlets running in one application server. The ODS Single Sign-On (SSO) cookies provide authentication for secure Servlets and other programs that want to share their authentication with ODS, so the user does not have to log in twice. However, running authenticated Applets from a Servlet-generated HTML desktop is more difficult. This is because Applets currently do not recognize the SSO cookie in the web browser, so they will request a second login unless the user is already logged in to their JVM. In addition, administrators should be able to configure the amount and types of security mechanisms used.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 42% of the total text.


Figure - Overview of the Authentication Process: [flowchart not reproduced; node labels recoverable from the extraction: "Request for User's Content", "Login with SSO Cookie", "Use Java Login?", "Attempt Login in Applet JVM", "Attempt Login in Servlet JVM", "Display HTML Login Form", "Login OK?", "Login Incorrect; Try Again", "Set SSO Cookie", "Secure-Only?", "Request Content via HTTP", "Request Content via HTTPS", "Display Content via HTTP", "Display Content via HTTPS"]

Login Check: The process begins when a user uses their web browser to request content (such as a user's personal home page) from a content Servlet. The content Servlet will attempt to retrieve an SSO cookie from the web browser. If the cookie is not found, or its timestamp indicates that it has expired, the Servlet begins the login process. Otherwise, the Servlet will use the authentication data encrypted in the cookie to authenticate the user in the Servlet's JVM. If this authentication fails, the Servlet will begin the login process. If it succeeds, it will send the content the user requested (the home page).

Login Process: The login process can go through one of two methods. The method used is determined by the administrator's preference, whether JavaScript* and Java are enabled on the web browser, and whether the web browser was tested with the On-Demand Server. If all of these conditions are met, the Servlet will display the Java login Applet to the user. Otherwise the Servlet returns the HTML login form (via HTTPS), which requests the user's username, password, and optional additional information.
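The Login Check and Login Process decisions above, sketched as an added example; this is not code from the disclosure or from ODS. The cookie layout (base64url of IV plus AES-GCM ciphertext of `user|expiryMillis`), the choice of AES-GCM, and every class, method and parameter name are assumptions made for illustration, and the ODS authentication call in the Servlet's JVM is reduced to successfully opening the cookie.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;

public class SsoLoginCheck {
    enum Next { SEND_CONTENT, JAVA_LOGIN_APPLET, HTML_LOGIN_FORM_HTTPS }
    // Assumed cookie layout (not from the disclosure): base64url(IV || AES-GCM("user|expiryMillis")).
    static String seal(SecretKey k, String user, long expiryMillis) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal((user + "|" + expiryMillis).getBytes(StandardCharsets.UTF_8));
        byte[] out = ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    // Returns the user name, or null when the cookie is absent, tampered with, or expired.
    static String open(SecretKey k, String cookie, long now) {
        if (cookie == null) return null;
        try {
            byte[] raw = Base64.getUrlDecoder().decode(cookie);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, raw, 0, 12));
            String[] f = new String(c.doFinal(raw, 12, raw.length - 12), StandardCharsets.UTF_8).split("\\|");
            return Long.parseLong(f[1]) > now ? f[0] : null; // expiry is read from authenticated data only
        } catch (Exception e) { return null; } // fail closed: any error means "start login"
    }

    // Login Check, then the choice between the two login methods.
    static Next decide(SecretKey k, String cookie, long now, boolean adminPrefersJava,
                       boolean jsAndJavaEnabled, boolean browserTested) {
        if (open(k, cookie, now) != null) return Next.SEND_CONTENT;
        return adminPrefersJava && jsAndJavaEnabled && browserTested
                ? Next.JAVA_LOGIN_APPLET : Next.HTML_LOGIN_FORM_HTTPS;
    }

    public static void main(String[] args) throws Exception {
        SecretKey k = KeyGenerator.getInstance("AES").generateKey();
        long now = System.currentTimeMillis();
        // Constructed sample cookies: one valid, one already expired.
        String good = seal(k, "alice", now + 60_000), stale = seal(k, "alice", now - 1);
        System.out.println(decide(k, good, now, true, true, true));               // valid cookie
        System.out.println(decide(k, stale, now, true, true, true));              // expired cookie
        System.out.println(decide(k, good.substring(1), now, false, true, true)); // tampered cookie
    }
}
```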

For the Java Login Applet: Before the login Applet is loaded, all of its supporting archive files must be loaded by the web browser. A set of JavaScript functions and Applets load the necessary archive files and determine the web browser's locale (for intern...