WO2014088400A1 - A delegation system - Google Patents

A delegation system Download PDF

Info

Publication number
WO2014088400A1
WO2014088400A1 PCT/MY2013/000220 MY2013000220W WO2014088400A1 WO 2014088400 A1 WO2014088400 A1 WO 2014088400A1 MY 2013000220 W MY2013000220 W MY 2013000220W WO 2014088400 A1 WO2014088400 A1 WO 2014088400A1
Authority
WO
WIPO (PCT)
Prior art keywords
module
login
server
delegation
session
Prior art date
Application number
PCT/MY2013/000220
Other languages
French (fr)
Inventor
Teong TAN CHIN
Eng KHOR SWEE
Kheen CHIN CHEE
Hamid SHAQHAWI ABDUL
Wee CHEN WOON
Original Assignee
Mimos Berhad
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mimos Berhad filed Critical Mimos Berhad
Publication of WO2014088400A1 publication Critical patent/WO2014088400A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/76Proxy, i.e. using intermediary entity to perform cryptographic operations

Definitions

  • the present invention relates to a delegation system for authorizing and delegating a task of a web application.
  • a user or a delegator may need to delegate certain tasks of the application to another user or a delegatee.
  • the delegation poses a few challenges as the delegator may need to restrict the delegatee's access to only functions and data that are required to perform the delegated tasks.
  • the delegator needs to also restrict the access to only the delegatee.
  • the delegation cannot be done by simply revealing a password to access the software applications.
  • US Patent Publication No. 2002/0046352 A1 discloses a method for enabling participants in an information technology (IT) system or a computer network to delegate user authority to other system participants.
  • the method of the present invention includes the generation of a proxy authorization.
  • the proxy authorization, or proxy is used by the IT system to insure that a given participant may have access to resources on the basis of a permission granted and intended by another user or agent of the IT system, and that the grantor of the permission is authorized to issue the access and/authorities as designated by or within the proxy authorization.
  • a medical record repository for example may allow unlimited access to particular individual patient records to an individual medical doctor.
  • the doctor can then authorize a specific pharmacy to have limited access to designated portions of the medical records of certain of the patients to whom the doctor is authorized access.
  • the pharmacy may then allow access to distinct and different subsets of the portions of the records, to which the pharmacy is authorized access to by a proxy issued by the doctor, to an insurance company, to a billing clerk, and to pharmacists.
  • proxies thereby allows for efficient B2B collaborative message processing using languages such as XML.
  • proxies thereby allows for efficient B2B collaborative message processing using languages such as XML.
  • such system does not restrict access to certain functions of a software application that are required to perform the delegated tasks. Instead, the system only restricts access to data or records in a resource repository.
  • the delegation system must be able to delegate in cloud computing environment which includes multiple software applications having different configurations and settings.
  • the present invention provides a delegation system.
  • the delegation system comprises at least one application server (100), at least one client device (200), and a delegation server (300).
  • the delegation server (300) further includes a user authentication module (310), wherein said user authentication module (310) is used to authenticate users of said delegation server (300), and wherein said user authentication module (310) is connected to the login module (320); a login module (320), wherein said login module (320) is configured to divide a login credential of a delegator into two portions, encrypting and decrypting both portions of the login credential, concatenating the two portions of the login credential; a session recording module (330), wherein said session recording module (330) is used to record login session data; a session playback module (340); wherein said session playback module (340) is used to playback the recorded session data, and wherein said session playback module (340) is connected to the session filtering and rendering module (350); a session filtering and rendering module (350), wherein said session filtering
  • the present invention also provides a method for delegating a task in a web application by using a delegation system.
  • the method is characterised by the steps of accessing a delegation server (300) by using a client device (200); requesting for a URL address of an application server (100) hosting the web application by the delegation server (300); providing the URL address of the application server (100) by the client device (200); initiating recording login session data by a session recording module (330) of the delegation server (300); communicating with the application server (100) by an application server listener and forwarder module (360) of the delegation server (300); logging into the web application by providing a login credential; performing any actions in the web application by the client device (200) to and recording the actions as the login session data by the session recording module (330); reaching a destination page of the web application performing the delegated task; discontinuing recording login session data by the session recording module (330); configuring web controls of the web application by the client device (200) through the delegation server (300); selecting a delegatee to
  • encrypting both portions of the login credential includes hashing a first portion of the login credential and encrypting a second portion of the login credential into an image by using a digital watermarking technique.
  • the present invention also provides a method for performing a delegated task in a web application by using a delegation system.
  • the method is characterised by the steps of: (a) accessing a delegation server (300) by using a client device (200); (b) determining whether an active duration defined to perform the delegated task has expired; (c) uploading an image of an encrypted second portion of a delegator's login credential by the client device (200); (d) decrypting the second portion of the login credential from the uploaded image by a login module (320) of the delegation server (300); (e) retrieving and de-hashing a corresponding hashed first portion of the login credential by a login module (320) of the delegation server (300); (f) concatenating the first portion of the login credential with the second portion of the login credential to form the login credential; (g) initiating communication with an application server (100) of the web application by the delegation server (300); (h) sending the login credential to the web application from the delegation server
  • FIG. 1 shows a block diagram of a delegation system according to an embodiment of the present invention.
  • FIG. 2 shows a block diagram of a delegation server (300) according to an embodiment of the present invention.
  • FIG. 3 shows a flowchart of a method for delegating a task in a web application by using the delegation system of FIG. 1.
  • FIG. 4 shows a flowchart of a method for performing a delegated task in a web application by using the delegation system of FIG. 1.
  • FIG. 5 shows an exemplary image of an encrypted second portion of a login credential.
  • FIG. 1 shows a block diagram of a delegation system according to an embodiment of the present invention.
  • the delegation system comprises of at least one application server (100), at least one client device (200), and a delegation server (300).
  • the application server (100), the client device (200) and the delegation server (300) are connected to a network such as Internet or intranet.
  • the application server (100) is used for hosting at least one web application such as financial management application, human resource management application, customer relationship management application and etc.
  • the web application is a software application that is accessible by users through a web browser. The users securely access the web application by using login credentials to authenticate their identity.
  • the at least one client device (200) can either be used as a delegator or a delegatee, wherein a delegator refers to a user of the client device (200) having a login credential to access the web application while a delegatee refers to a user of the client device (200) that is delegated with a task in the web application by the delegator. Examples of such computing device (200) may include but not limited to laptop, mobile phone, a computer, handheld communication device, and handheld computing device.
  • the delegation server (300) is used to allow the delegator to delegate a task to the delegatee. Moreover, the delegation server (300) hides or disables certain functions and information in the web application when the delegatee is accessing the web application to perform the delegated task.
  • the delegation server (300) comprises of a user authentication module (310), a login module (320), a session recording module (330), a session playback module (340), a session filtering and rendering module (350), an application server listener and forwarder module (360), and a user notification module (370).
  • the user authentication module (310) is used to authenticate users of the delegation server (300).
  • the user authentication module (310) is connected to the login module (320).
  • the login module (320) is used to divide a login credential of the delegator into two portions, wherein a first portion is encrypted and stored in the delegation server (300), while a second portion is encrypted and embedded into an image using digital watermarking technique. The second portion is sent to the delegatee to access the web application.
  • the login module (320) is also used to join and decrypt both portions of the login credential for the delegatee to access the web application by using the delegator's login credential.
  • the session recording module (330) is used to record login session data.
  • the session recording module (330) records the login session data by capturing all HTTP actions which include GET and POST actions performed by the delegator and storing those HTTP actions.
  • the session playback module (340) is used to simulate web-based interaction activities defined by delegator.
  • the session playback module (340) is connected to the session filtering and rendering module (350).
  • the session filtering and rendering module (350) is used to render HTML controls according to permissions and restrictions as defined by delegator.
  • the application server listener and forwarder module (360) is used to communicate with the application server (100) hosting the web application.
  • the user notification module (370) is used to send the image of the second portion of the delegator's login credential to the delegatee, wherein the image is used by the delegatee to access the web application to perform the delegated task.
  • the image is sent in an email to the delegatee.
  • a delegator accesses the delegation server (300) by using a web browser of the client device (200) and thereon, logs into the delegation server (300) by providing a username and a password.
  • the user authentication module (310) determines the validity of the username and password provided by the delegator. If the username and password are invalid, the delegator is denied access to the delegation server (300) as in step 403. Thus, the delegator is unable to perform the delegation process.
  • the delegation server (300) requests for the delegator to provide a URL address of the application server (100) hosting the web application as in step 404. Moreover, the delegation server (300) requests for the delegator to initiate recording the delegator's login session data as in step 405.
  • the application server listener and forwarder module (360) initiates communication with the application server (100) and the session recording module (330) starts to record the delegator's login session data while accessing the web application.
  • the delegator accesses the web application through the delegation server (300), wherein the delegation server (300) acts as a proxy for the application server (100).
  • step 306 the delegator logs into the web application by providing a login credential.
  • the login credential provided by the delegator is recorded by the session recording module (330). If the login credential is invalid, the delegator is denied access to the web application of the application server and thereon, the delegator is required to stop the recording of the login session data.
  • the delegator performs any action in the web application as required to reach a destination page of the web application, wherein the destination page is a webpage for the delegatee to start performing the delegated task. While the delegator performs those actions, the session recording module (330) records those actions until the delegator reaches the destination page and/or stops recording the login session data (decision 407, steps 408 and 409).
  • the login session data includes a series of navigation to be replayed by the delegation server (300) to redirect the delegatee to the destination page as determined by the delegator.
  • the delegator defines the configuration for each web controls of the web application to either enable, disable, hide, or show, wherein the configuration is the HTML tag property defined for a web control of the web application.
  • a web control such as a button, text, table and etc. can be enabled, disabled, hidden or shown to the delegatee when accessing the web application.
  • the configurations of the web controls and its corresponding page name and uniform resource locator (URL) are stored in the delegation server (300) as in step 411.
  • step 412 the delegator selects a delegatee to be delegated with the task in the web application by providing an email address of the delegatee. Moreover, the delegator specifies an active duration for the delegatee to access the web application and perform the delegated task, wherein the delegatee will not be able to access the web application and perform the delegated task after the expiration of the active duration. Once the delegator has selected the delegatee, the delegator logs out from the delegation server (300).
  • the login module (320) extracts the recorded login credential and encodes it into two portions, wherein a first portion of the login credential is hashed and stored by the login module, and a second portion of the login credential is encrypted into an image by using a digital watermarking technique which is a process for embedding and hiding the login credential in an image.
  • a login credential of '12345678' is divided into two portions, wherein the first portion is '1234' and the second portion is '5678'.
  • the first portion is hashed to 'ab23bae0@#3$' while the second portion is encrypted into an image as shown in FIG. 5.
  • the delegation server (300) does not store a copy of the second portion of the image.
  • step 414 the user notification module (370) sends a message to the delegatee, wherein the message includes URL address of the delegation server (300) and the image of the encrypted second portion of delegator's login credential.
  • FIG. 4 there is shown a flowchart of a method for performing a delegated task in a web application by using a delegation system of FIG. 1.
  • a delegatee accesses the delegation server (300) by using a web browser of the client device (200) upon receiving the message sent from the delegation server (300).
  • the delegatee logs into the delegation server (300) by providing a username and a password.
  • the user authentication module (310) determines the validity of the username and password provided by the delegatee. If the username and password are invalid, the delegatee is denied access to the delegation server (300) as in decision 502 and step 503. Thus, the deiegator is unable to perform the delegated task in the web application.
  • the delegation server (300) checks whether the active duration defined for the delegatee has expired. If the active duration has expired, the delegatee is denied access to the delegation server (300) as in decision 504 and step 503. Otherwise, the delegation server request for the delegatee uploads the image of the encrypted second portion of the delegator's login credential as in decision 504 and step 505.
  • the login module (320) decrypts the second portion of delegator's login credential from the uploaded image as in step 506. Thereon, the login module (320) retrieves the hashed first portion of the delegator's login credential as in step 507. The hashed first portion is de-hashed and concatenated with the second portion to form the delegator's login credential as in step 508.
  • step 509 the delegation server (300) initiates communication with the application server (100) of the web application and sends the login credential to the web application. If the login credential is invalid, the delegatee is denied access to the web application to perform the delegated task as in decision 510 and step 511.
  • the session playback module (340) plays back the login session data as in decision 510 and step 512, wherein the login session data is a series of HTTP commands as recorded by the deiegator and the series of HTTP commands are re-played by the session playback module (340) to the delegatee if the login credential is valid.
  • the recorded actions include redirecting from page A to page B and thereon, to page C as the destination page; the delegatee is automatically redirected to page C once the login credential is valid.
  • the application server listener and forwarder module (360) retrieves a webpage of the web application from the application server (100) and extract all stored configurations for the web controls of the retrieved webpage as defined by the delegator as in step 513. Based on each configuration, the session filtering and rendering module (350) finds the corresponding HTML tag from the HTML source obtained from the web application server (100), and the session filtering and rendering module (350) modifies the HTML tag property to hide the web control if the configuration defines that the web control should be hidden, or modifies the HTML tag property to disable the web control if the configuration defines that the web control should be disabled as in step 514. Once all configurations have been applied to the webpage, the modified webpage is delivered to the delegatee to perform the delegated task as in step 515.
  • steps 513 to 515 are repeated.
  • the delegatee logs out from the web application and the delegation server (300) as in decision 517 and step 518. While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specifications are words of description rather than limitation and various changes may be made without departing from the scope of the invention.

Abstract

The present invention relates to a delegation system. The delegation system comprises of at least one application server (100), at least one client device (200), and a delegation server (300). The delegation server (300) is used to allow the delegator to delegate a task to the delegatee. Moreover, the delegation server (300) hides or disables certain functions and information in the web application when the delegatee is accessing the web application to perform the delegated task. The delegation server (300) comprises of a user authentication module (310), a login module (320), a session recording module (330), a session playback module (340), a session filtering and rendering module (350), an application server listener and forwarder module (360), and a user notification module (370).

Description

A DELEGATION SYSTEM
FIELD OF INVENTION
The present invention relates to a delegation system for authorizing and delegating a task of a web application.
BACKGROUND OF THE INVENTION
With the emergence of cloud computing, software applications and databases are remotely hosted and delivered as a service to users over a network. The users may access those software applications and databases through a web browser. Moreover, the users are authenticated to secure their access to those applications and databases which contain confidential information.
For software applications adapted to perform business specific functions, a user or a delegator may need to delegate certain tasks of the application to another user or a delegatee. However, the delegation poses a few challenges as the delegator may need to restrict the delegatee's access to only functions and data that are required to perform the delegated tasks. Moreover, the delegator needs to also restrict the access to only the delegatee. Thus, the delegation cannot be done by simply revealing a password to access the software applications.
In view of this, US Patent Publication No. 2002/0046352 A1 discloses a method for enabling participants in an information technology (IT) system or a computer network to delegate user authority to other system participants. The method of the present invention includes the generation of a proxy authorization. The proxy authorization, or proxy, is used by the IT system to insure that a given participant may have access to resources on the basis of a permission granted and intended by another user or agent of the IT system, and that the grantor of the permission is authorized to issue the access and/authorities as designated by or within the proxy authorization. A medical record repository, for example may allow unlimited access to particular individual patient records to an individual medical doctor. The doctor can then authorize a specific pharmacy to have limited access to designated portions of the medical records of certain of the patients to whom the doctor is authorized access. The pharmacy may then allow access to distinct and different subsets of the portions of the records, to which the pharmacy is authorized access to by a proxy issued by the doctor, to an insurance company, to a billing clerk, and to pharmacists. The use of proxies thereby allows for efficient B2B collaborative message processing using languages such as XML. However, such system does not restrict access to certain functions of a software application that are required to perform the delegated tasks. Instead, the system only restricts access to data or records in a resource repository.
Therefore, there is a need to provide a delegation system that addresses the abovementioned challenges. Moreover, the delegation system must be able to delegate in cloud computing environment which includes multiple software applications having different configurations and settings.
SUMMARY OF INVENTION
The present invention provides a delegation system. The delegation system comprises at least one application server (100), at least one client device (200), and a delegation server (300). The delegation server (300) further includes a user authentication module (310), wherein said user authentication module (310) is used to authenticate users of said delegation server (300), and wherein said user authentication module (310) is connected to the login module (320); a login module (320), wherein said login module (320) is configured to divide a login credential of a delegator into two portions, encrypting and decrypting both portions of the login credential, concatenating the two portions of the login credential; a session recording module (330), wherein said session recording module (330) is used to record login session data; a session playback module (340); wherein said session playback module (340) is used to playback the recorded session data, and wherein said session playback module (340) is connected to the session filtering and rendering module (350); a session filtering and rendering module (350), wherein said session filtering and rendering module (350) is used to render HTML controls as defined by the delegator; an application server listener and forwarder module (360), wherein said application server listener and forwarder module (360) is used to communicate with the application server (100); and a user notification module (370), wherein said user notification module (370) is used to send an encrypted second portion of the delegator's login credential to a delegatee. The present invention also provides a method for delegating a task in a web application by using a delegation system. The method is characterised by the steps of accessing a delegation server (300) by using a client device (200); requesting for a URL address of an application server (100) hosting the web application by the delegation server (300); providing the URL address of the application server (100) by the client device (200); initiating recording login session data by a session recording module (330) of the delegation server (300); communicating with the application server (100) by an application server listener and forwarder module (360) of the delegation server (300); logging into the web application by providing a login credential; performing any actions in the web application by the client device (200) to and recording the actions as the login session data by the session recording module (330); reaching a destination page of the web application performing the delegated task; discontinuing recording login session data by the session recording module (330); configuring web controls of the web application by the client device (200) through the delegation server (300); selecting a delegatee to be delegated with the task and specifying an active duration for the delegatee to access the web application; logging out from the delegation server (300) by the client device (200); extracting the recorded login credential by a login module (320); encoding the login credential into two portions; encrypting both portions of the login credential; storing a first portion of the login credential; and sending a message from a user notification module (370) to a delegatee, wherein the message includes a second portion of the login credential and an address of the delegation server (300).
Preferably, encrypting both portions of the login credential includes hashing a first portion of the login credential and encrypting a second portion of the login credential into an image by using a digital watermarking technique.
The present invention also provides a method for performing a delegated task in a web application by using a delegation system. The method is characterised by the steps of: (a) accessing a delegation server (300) by using a client device (200); (b) determining whether an active duration defined to perform the delegated task has expired; (c) uploading an image of an encrypted second portion of a delegator's login credential by the client device (200); (d) decrypting the second portion of the login credential from the uploaded image by a login module (320) of the delegation server (300); (e) retrieving and de-hashing a corresponding hashed first portion of the login credential by a login module (320) of the delegation server (300); (f) concatenating the first portion of the login credential with the second portion of the login credential to form the login credential; (g) initiating communication with an application server (100) of the web application by the delegation server (300); (h) sending the login credential to the web application from the delegation server (300); (i) playing a recorded login session data by a session playback module (340); (j) retrieving a webpage of the web application from the application server (100) and extracting all stored configurations for the web controls of the retrieved webpage by an application server listener and forwarder module (360); (k) modifying HTML tag properties based on the stored configurations by a session filtering and rendering module (350); (I) sending the retrieved webpage with modified HTML tag properties to the client device (200); and (m) repeating steps Q) to (I) for each webpage of the web application requested by the client device (200). BRIEF DESCRIPTION OF THE DRAWINGS
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. FIG. 1 shows a block diagram of a delegation system according to an embodiment of the present invention.
FIG. 2 shows a block diagram of a delegation server (300) according to an embodiment of the present invention.
FIG. 3 shows a flowchart of a method for delegating a task in a web application by using the delegation system of FIG. 1.
FIG. 4 shows a flowchart of a method for performing a delegated task in a web application by using the delegation system of FIG. 1.
FIG. 5 shows an exemplary image of an encrypted second portion of a login credential. DESCRIPTION OF THE PREFFERED EMBODIMENT
A preferred embodiment of the present invention will be described herein below with reference to the accompanying drawings. In the following description, well known functions or constructions are not described in detail since they would obscure the description with unnecessary detail.
FIG. 1 shows a block diagram of a delegation system according to an embodiment of the present invention. The delegation system comprises of at least one application server (100), at least one client device (200), and a delegation server (300). The application server (100), the client device (200) and the delegation server (300) are connected to a network such as Internet or intranet.
The application server (100) is used for hosting at least one web application such as financial management application, human resource management application, customer relationship management application and etc. The web application is a software application that is accessible by users through a web browser. The users securely access the web application by using login credentials to authenticate their identity. The at least one client device (200) can either be used as a delegator or a delegatee, wherein a delegator refers to a user of the client device (200) having a login credential to access the web application while a delegatee refers to a user of the client device (200) that is delegated with a task in the web application by the delegator. Examples of such computing device (200) may include but not limited to laptop, mobile phone, a computer, handheld communication device, and handheld computing device.
The delegation server (300) is used to allow the delegator to delegate a task to the delegatee. Moreover, the delegation server (300) hides or disables certain functions and information in the web application when the delegatee is accessing the web application to perform the delegated task. Referring to FIG. 2, the delegation server (300) comprises of a user authentication module (310), a login module (320), a session recording module (330), a session playback module (340), a session filtering and rendering module (350), an application server listener and forwarder module (360), and a user notification module (370). The user authentication module (310) is used to authenticate users of the delegation server (300). The user authentication module (310) is connected to the login module (320).
The login module (320) is used to divide a login credential of the delegator into two portions, wherein a first portion is encrypted and stored in the delegation server (300), while a second portion is encrypted and embedded into an image using digital watermarking technique. The second portion is sent to the delegatee to access the web application. The login module (320) is also used to join and decrypt both portions of the login credential for the delegatee to access the web application by using the delegator's login credential.
The session recording module (330) is used to record login session data. The session recording module (330) records the login session data by capturing all HTTP actions which include GET and POST actions performed by the delegator and storing those HTTP actions.
The session playback module (340) is used to simulate web-based interaction activities defined by delegator. The session playback module (340) is connected to the session filtering and rendering module (350).
The session filtering and rendering module (350) is used to render HTML controls according to permissions and restrictions as defined by delegator.
The application server listener and forwarder module (360) is used to communicate with the application server (100) hosting the web application.
The user notification module (370) is used to send the image of the second portion of the delegator's login credential to the delegatee, wherein the image is used by the delegatee to access the web application to perform the delegated task. Preferably, the image is sent in an email to the delegatee.
Referring now to FIG. 3, there is shown a flowchart of a method for delegating a task in a web application by using the delegation system of FIG. 1. Initially, as in step 401 , a delegator accesses the delegation server (300) by using a web browser of the client device (200) and thereon, logs into the delegation server (300) by providing a username and a password. In decision 402, the user authentication module (310) determines the validity of the username and password provided by the delegator. If the username and password are invalid, the delegator is denied access to the delegation server (300) as in step 403. Thus, the delegator is unable to perform the delegation process. If the username and password are valid, the delegation server (300) requests for the delegator to provide a URL address of the application server (100) hosting the web application as in step 404. Moreover, the delegation server (300) requests for the delegator to initiate recording the delegator's login session data as in step 405. Once the delegator has initiated the recording of login session data, the application server listener and forwarder module (360) initiates communication with the application server (100) and the session recording module (330) starts to record the delegator's login session data while accessing the web application. Thus, the delegator accesses the web application through the delegation server (300), wherein the delegation server (300) acts as a proxy for the application server (100). In step 306, the delegator logs into the web application by providing a login credential. The login credential provided by the delegator is recorded by the session recording module (330). If the login credential is invalid, the delegator is denied access to the web application of the application server and thereon, the delegator is required to stop the recording of the login session data.
Thereon, the delegator performs any action in the web application as required to reach a destination page of the web application, wherein the destination page is a webpage for the delegatee to start performing the delegated task. While the delegator performs those actions, the session recording module (330) records those actions until the delegator reaches the destination page and/or stops recording the login session data (decision 407, steps 408 and 409). The login session data includes a series of navigation to be replayed by the delegation server (300) to redirect the delegatee to the destination page as determined by the delegator. For example, assuming that the web application includes page A as login page, page B as landing page after login and page C as the destination page for the delegatee that is linked from page B, the login session data includes redirecting from page A to page B and thereon, to page C. In step 410, the delegator defines the configuration for each web controls of the web application to either enable, disable, hide, or show, wherein the configuration is the HTML tag property defined for a web control of the web application. By defining the HTML tag property, a web control such as a button, text, table and etc. can be enabled, disabled, hidden or shown to the delegatee when accessing the web application. The configurations of the web controls and its corresponding page name and uniform resource locator (URL) are stored in the delegation server (300) as in step 411.
In step 412, the delegator selects a delegatee to be delegated with the task in the web application by providing an email address of the delegatee. Moreover, the delegator specifies an active duration for the delegatee to access the web application and perform the delegated task, wherein the delegatee will not be able to access the web application and perform the delegated task after the expiration of the active duration. Once the delegator has selected the delegatee, the delegator logs out from the delegation server (300).
In step 413, the login module (320) extracts the recorded login credential and encodes it into two portions, wherein a first portion of the login credential is hashed and stored by the login module, and a second portion of the login credential is encrypted into an image by using a digital watermarking technique which is a process for embedding and hiding the login credential in an image. For example, a login credential of '12345678' is divided into two portions, wherein the first portion is '1234' and the second portion is '5678'. The first portion is hashed to 'ab23bae0@#3$' while the second portion is encrypted into an image as shown in FIG. 5. The delegation server (300) does not store a copy of the second portion of the image.
In step 414, the user notification module (370) sends a message to the delegatee, wherein the message includes URL address of the delegation server (300) and the image of the encrypted second portion of delegator's login credential. Referring now to FIG. 4, there is shown a flowchart of a method for performing a delegated task in a web application by using a delegation system of FIG. 1. Initially, as in step 501, a delegatee accesses the delegation server (300) by using a web browser of the client device (200) upon receiving the message sent from the delegation server (300). The delegatee logs into the delegation server (300) by providing a username and a password.
Thereon, the user authentication module (310) determines the validity of the username and password provided by the delegatee. If the username and password are invalid, the delegatee is denied access to the delegation server (300) as in decision 502 and step 503. Thus, the deiegator is unable to perform the delegated task in the web application.
If the username and password are valid, the delegation server (300) checks whether the active duration defined for the delegatee has expired. If the active duration has expired, the delegatee is denied access to the delegation server (300) as in decision 504 and step 503. Otherwise, the delegation server request for the delegatee uploads the image of the encrypted second portion of the delegator's login credential as in decision 504 and step 505.
Once the image has been uploaded to the delegation server (300), the login module (320) decrypts the second portion of delegator's login credential from the uploaded image as in step 506. Thereon, the login module (320) retrieves the hashed first portion of the delegator's login credential as in step 507. The hashed first portion is de-hashed and concatenated with the second portion to form the delegator's login credential as in step 508.
In step 509, the delegation server (300) initiates communication with the application server (100) of the web application and sends the login credential to the web application. If the login credential is invalid, the delegatee is denied access to the web application to perform the delegated task as in decision 510 and step 511.
If the login credential is valid, the session playback module (340) plays back the login session data as in decision 510 and step 512, wherein the login session data is a series of HTTP commands as recorded by the deiegator and the series of HTTP commands are re-played by the session playback module (340) to the delegatee if the login credential is valid. For example, if the recorded actions include redirecting from page A to page B and thereon, to page C as the destination page; the delegatee is automatically redirected to page C once the login credential is valid.
Once the playback ends, the application server listener and forwarder module (360) retrieves a webpage of the web application from the application server (100) and extract all stored configurations for the web controls of the retrieved webpage as defined by the delegator as in step 513. Based on each configuration, the session filtering and rendering module (350) finds the corresponding HTML tag from the HTML source obtained from the web application server (100), and the session filtering and rendering module (350) modifies the HTML tag property to hide the web control if the configuration defines that the web control should be hidden, or modifies the HTML tag property to disable the web control if the configuration defines that the web control should be disabled as in step 514. Once all configurations have been applied to the webpage, the modified webpage is delivered to the delegatee to perform the delegated task as in step 515.
In decision 516, if the delegatee requires to proceed to another webpage, steps 513 to 515 are repeated.
Once the delegated task has been completed, the delegatee logs out from the web application and the delegation server (300) as in decision 517 and step 518. While embodiments of the invention have been illustrated and described, it is not intended that these embodiments illustrate and describe all possible forms of the invention. Rather, the words used in the specifications are words of description rather than limitation and various changes may be made without departing from the scope of the invention.

Claims

1. A delegation system comprising:
a) at least one application server (100),
b) at least one client device (200), and
c) a delegation server (300);
wherein said delegation system is characterised in that the delegation server (300) includes:
a) a user authentication module (310), wherein said user authentication module (310) is used to authenticate users of said delegation server (300), and wherein said user authentication module (310) is connected to the login module (320);
b) a login module (320), wherein said login module (320) is configured to divide a login credential of a delegator into two portions, encrypting and decrypting both portions of the login credential, concatenating the two portions of the login credential;
c) a session recording module (330), wherein said session recording module (330) is used to record login session data;
d) a session playback module (340); wherein said session playback module (340) is used to playback the recorded session data, and wherein said session playback module (340) is connected to the session filtering and rendering module (350);
e) a session filtering and rendering module (350), wherein said session filtering and rendering module (350) is used to render HTML controls as defined by the delegator;
f) an application server listener and forwarder module (360), wherein said application server listener and forwarder module (360) is used to communicate with the application server (100); and
g) a user notification module (370), wherein said user notification module (370) is used to send an encrypted second portion of the delegator's login credential to a delegatee.
2. A method for delegating a task in a web application by using a delegation system as claimed in claim 1 is characterised by the steps of:
a) accessing a delegation server (300) by using a client device (200); b) requesting for a URL address of an application server (100) hosting the web application by the delegation server (300);
c) providing the URL address of the application server (100) by the client device (200);
d) initiating recording login session data by a session recording module (330) of the delegation server (300);
e) communicating with the application server (100) by an application server listener and forwarder module (360) of the delegation server (300);
f) logging into the web application by providing a login credential;
g) performing any actions in the web application by the client device (200) and recording the actions as the login session data by the session recording module (330);
h) reaching a destination page of the web application for performing the delegated task;
i) discontinuing recording login session data by the session recording module (330);
j) configuring web controls of the web application by the client device
(200) through the delegation server (300);
k) selecting a delegatee to be delegated with the task and specifying an active duration for the delegatee to access the web application;
I) logging out from the delegation server (300) by the client device (200); m) extracting the recorded login credential by a login module (320);
n) encoding the login credential into two portions;
o) encrypting both portions of the login credential;
p) storing a first portion of the login credential; and
q) sending a message from a user notification module (370) to a delegatee, wherein the message includes a second portion of the login credential and an address of the delegation server (300).
The method as claimed in claim 2, wherein encrypting both portions of the login credential includes hashing a first portion of the login credential and encrypting a second portion of the login credential into an image by using a digital watermarking technique.
4. A method for performing a delegated task in a web application by using a delegation system as claimed in claim 1 is characterised by the steps of: a) accessing a delegation server (300) by using a client device (200); b) determining whether an active duration defined to perform the delegated task has expired;
c) uploading an image of an encrypted second portion of a delegator's login credential by the client device (200);
d) decrypting the second portion of the login credential from the uploaded image by a login module (320) of the delegation server (300);
e) retrieving and de-hashing a corresponding hashed first portion of the login credential by a login module (320) of the delegation server (300); f) concatenating the first portion of the login credential with the second portion of the login credential to form the login credential; g) initiating communication with an application server (100) of the web application by the delegation server (300);
h) sending the login credential to the web application from the delegation server (300);
i) playing a recorded login session data by a session playback module (340);
j) retrieving a webpage of the web application from the application server (100) and extracting all stored configurations for the web controls of the retrieved webpage by an application server listener and forwarder module (360);
k) modifying HTML tag properties based on the stored configurations by a session filtering and rendering module (350);
I) sending the retrieved webpage with modified HTML tag properties to the client device (200); and
m) repeating steps (j) to (I) for each webpage of the web application requested by the client device (200).
PCT/MY2013/000220 2012-12-07 2013-12-03 A delegation system WO2014088400A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2012701115A MY154224A (en) 2012-12-07 2012-12-07 A delegation system
MYPI2012701115 2012-12-07

Publications (1)

Publication Number Publication Date
WO2014088400A1 true WO2014088400A1 (en) 2014-06-12

Family

ID=50029184

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2013/000220 WO2014088400A1 (en) 2012-12-07 2013-12-03 A delegation system

Country Status (2)

Country Link
MY (1) MY154224A (en)
WO (1) WO2014088400A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447041A (en) * 2014-09-02 2016-03-30 阿里巴巴集团控股有限公司 Webpage processing method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020046352A1 (en) 2000-10-05 2002-04-18 Ludwig George Stone Method of authorization by proxy within a computer network
US20020083014A1 (en) * 2000-06-30 2002-06-27 Brickell Ernie F. Delegating digital credentials
EP1383265A1 (en) * 2002-07-16 2004-01-21 Nokia Corporation Method for generating proxy signatures

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020083014A1 (en) * 2000-06-30 2002-06-27 Brickell Ernie F. Delegating digital credentials
US20020046352A1 (en) 2000-10-05 2002-04-18 Ludwig George Stone Method of authorization by proxy within a computer network
EP1383265A1 (en) * 2002-07-16 2004-01-21 Nokia Corporation Method for generating proxy signatures

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
VRANCKEN Z ZELTSAN ALCATEL-LUCENT B: "Using OAuth for Recursive Delegation; draft-vrancken-oauth-redelegation-00.txt", USING OAUTH FOR RECURSIVE DELEGATION; DRAFT-VRANCKEN-OAUTH-REDELEGATION-00.TXT, INTERNET ENGINEERING TASK FORCE, IETF; STANDARDWORKINGDRAFT, INTERNET SOCIETY (ISOC) 4, RUE DES FALAISES CH- 1205 GENEVA, SWITZERLAND, 1 September 2009 (2009-09-01), XP015064118 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105447041A (en) * 2014-09-02 2016-03-30 阿里巴巴集团控股有限公司 Webpage processing method and device

Also Published As

Publication number Publication date
MY154224A (en) 2015-05-15

Similar Documents

Publication Publication Date Title
JP7007985B2 (en) Resource locator with key
JP6389895B2 (en) Data security using keys supplied by request
US9038138B2 (en) Device token protocol for authorization and persistent authentication shared across applications
Erdos et al. Shibboleth architecture draft v05
US8719912B2 (en) Enabling private data feed
CN107534667A (en) Key exports technology
TW201141176A (en) Method and apparatus for providing trusted single sing-on access to applications and internet-based services
US20120311331A1 (en) Logon verification apparatus, system and method for performing logon verification
CA3034665A1 (en) Methods and systems for controlling access to a protected resource
JP2011176435A (en) Secret key sharing system, method, data processor, management server, and program
JP2011145754A (en) Single sign-on system and method, authentication server, user terminal, service server, and program
WO2014088400A1 (en) A delegation system
CN114762291A (en) Method, computer program and data sharing system for sharing user specific data of a user
RU2805668C1 (en) Providing and receiving one or more set of data over a digital communication network
JP2023506500A (en) Provision and acquisition of one or more datasets via a digital communications network
Ayhan et al. Federated multi-agency credentialing

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13824675

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13824675

Country of ref document: EP

Kind code of ref document: A1