Having thus described the invention in general terms, reference will now be made to the accompanying drawings, which are not necessarily drawn to scale, and wherein:
The present invention now will be described more fully hereinafter with reference to the accompanying drawings, in which preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Like numbers refer to like elements throughout.
Referring to
As shown, one or more terminals 10 may each include an antenna 12 for transmitting signals to and for receiving signals from a base site or base station (BS) 14. The base station is a part of one or more cellular or mobile networks each of which includes elements required to operate the network, such as a mobile switching center (MSC) 16. As is well known to those skilled in the art, the mobile network may also be referred to as a Base Station/MSC/Interworking function (BMI). In operation, the MSC is capable of routing calls to and from the terminal when the terminal is making and receiving calls. The MSC can also provide a connection to landline trunks when the terminal is involved in a call. In addition, the MSC can be capable of controlling the forwarding of messages to and from the terminal, and can also control the forwarding of messages for the terminal to and from a messaging center.
The MSC 16 can be coupled to a data network, such as a local area network (LAN), a metropolitan area network (MAN), and/or a wide area network (WAN). The MSC can be directly coupled to the data network. In one typical embodiment, however, the MSC is coupled to a GTW 18a within a WAN, such as the Internet 20. In turn, devices such as processing elements (e.g., personal computers, server computers or the like) can be coupled to the terminal 10 via the Internet. For example, as explained below, the processing elements can include one or more processing elements associated with a computing system configured for accessing the Internet using HTTP requests, referred to herein as a browser 22 (one shown in
The BS 14 can also be coupled to a signaling GPRS (General Packet Radio Service) support node (SGSN) 24. As known to those skilled in the art, the SGSN is typically capable of performing functions similar to the MSC 16 for packet switched services. The SGSN, like the MSC, can be coupled to a data network, such as the Internet 20. The SGSN can be directly coupled to the data network. In a more typical embodiment, however, the SGSN is coupled to a packet-switched core network, such as a GPRS core network (not shown). The packet-switched core network is then coupled to another GTW, such as a GTW GPRS support node (GGSN) 26, and the GGSN is coupled to the Internet, such as directly or via a further GTW 18c. Also, the GGSN can be coupled to a messaging center. In this regard, the GGSN and the SGSN, like the MSC, can be capable of controlling the forwarding of messages, such as MMS messages. The GGSN and SGSN can also be capable of controlling the forwarding of messages for the terminal to and from the messaging center.
In addition, by coupling the SGSN 24 to the GPRS core network, GGSN 26 and GTW 18c, devices such as a browser 22 can be coupled to the terminal 10 via the Internet 20, SGSN, GGSN and GTW. In this regard, devices such as a browser can communicate with the terminal across the SGSN, GPRS, GGSN and GTW. By directly or indirectly connecting the terminals and the other devices (e.g., browser, etc.) to the Internet, the terminals can communicate with the other devices and with one another, such as according to the Hypertext Transfer Protocol (HTTP), to thereby carry out various functions of the terminal, such as in the manner explained below.
Although not every element of every possible mobile network is shown and described herein, it should be appreciated that the terminal 10 can be coupled to one or more of any of a number of different networks through the BS 14. In this regard, the network(s) can be capable of supporting communication in accordance with any one or more of a number of first-generation (1G), second-generation (2G), 2.5G and/or third-generation (3G) mobile communication protocols or the like. For example, one or more of the network(s) can be capable of supporting communication in accordance with 2G wireless communication protocols IS-136 (TDMA), GSM, and IS-95 (CDMA). Also, for example, one or more of the network(s) can be capable of supporting communication in accordance with 2.5G wireless communication protocols GPRS, Enhanced Data GSM Environment (EDGE), or the like. Further, for example, one or more of the network(s) can be capable of supporting communication in accordance with 3G wireless communication protocols such as Universal Mobile Telephone System (UMTS) network employing Wideband Code Division Multiple Access (WCDMA) radio access technology. Some narrow-band AMPS (NAMPS), as well as TACS, network(s) may also benefit from embodiments of the present invention, as should dual or higher mode mobile stations (e.g., digital/analog or TDMA/CDMA/analog phones).
The terminal 10 can further be coupled to one or more wireless access points (APs) 28. The APs can comprise access points configured to communicate with the terminal in accordance with techniques such as, for example, RF, BT, IrDA or any of a number of different wireline or wireless communication techniques, including LAN, WLAN, WiMAX and/or UWB techniques. The APs may be coupled to the Internet 20. As with the MSC 16, the APs can be directly coupled to the Internet. In one embodiment, however, the APs are indirectly coupled to the Internet via a GTW 18d. As will be appreciated, by directly or indirectly connecting the terminals and the browser 22 and/or any of a number of other devices to the Internet, the terminals can communicate with one another, the browser, etc., to thereby carry out various functions of the terminal, such as to transmit data, content or the like to, and/or receive content, data or the like from, the browser. As used herein, the terms “data,” “content,” “information” and similar terms may be used interchangeably to refer to data capable of being transmitted, received and/or stored in accordance with embodiments of the present invention. Thus, use of any such terms should not be taken to limit the spirit and scope of the present invention.
Referring now to
The entity capable of operating as a terminal 10, GTW 18 and/or browser 22 includes various means for performing one or more functions in accordance with exemplary embodiments of the present invention, including those more particularly shown and described herein. It should be understood, however, that one or more of the entities may include alternative means for performing one or more like functions, without departing from the spirit and scope of the present invention. More particularly, for example, as shown in
As described herein, the client application(s) may each comprise software operated by the respective entity. It should be understood, however, that any one or more of the client applications described herein can alternatively comprise firmware or hardware, without departing from the spirit and scope of the present invention. Generally, then, the terminal 10, GTW 18 and/or browser 22 can include one or more logic elements for performing various functions of one or more client application(s). As will be appreciated, the logic elements can be embodied in any of a number of different manners. In this regard, the logic elements performing the functions of one or more client applications can be embodied in an integrated circuit assembly including one or more integrated circuits integral or otherwise in communication with a respective network entity (i.e., terminal, browser, etc.) or more particularly, for example, a processor 30 of the respective network entity. The design of integrated circuits is by and large a highly automated process. In this regard, complex and powerful software tools are available for converting a logic level design into a semiconductor circuit design ready to be etched and formed on a semiconductor substrate. These software tools automatically route conductors and locate components on a semiconductor chip using well established rules of design as well as huge libraries of pre-stored design modules. Once the design for a semiconductor circuit has been completed, the resultant design, in a standardized electronic format (e.g., Opus, GDSII, or the like) may be transmitted to a semiconductor fabrication facility or “fab” for fabrication.
In addition to the memory 32, the processor 30 can also be connected to at least one interface or other means for displaying, transmitting and/or receiving data, content or the like. In this regard, the interface(s) can include at least one communication interface 34 or other means for transmitting and/or receiving data, content or the like. For example, the communication interface(s) can include a first communication interface for connecting to a first network, and a second communication interface for connecting to a second network. In addition to the communication interface(s), the interface(s) can also include at least one user interface that can include one or more earphones and/or speakers, a display 36, and/or a user input interface 38. The user input interface, in turn, can comprise any of a number of devices allowing the entity to receive data from a user, such as a microphone, a keypad, a touch display, a joystick, image capture device (e.g., digital camera) or other input device.
In accordance with exemplary embodiments of the present invention, a terminal 10 may implement an information resource, such as a Web server or Web services provider (WSP). An example of a service provided by an exemplary WSP may comprise, but is not limited to, providing location information. A terminal configured to implement an information resource may be referred to as a web-server mobile terminal 40 for hosting an information resource, such as a Web server and/or a WSP (either or both being referred to herein as a HTTP server 42), as shown in
As also shown in
An exemplary HTTP request line using a “GET” tag indicating the method to be applied to the resource according to the prior art may be as follows:
In accordance with exemplary embodiments of the present invention, the proposed URI pathname used in an HTTP GET request from the client 44, for example, may take the form “http://www.domain-name/identifier” or “http: identifier.domain-name.” The “identifier” portion of the URI pathname may reflect the identity of the web-server mobile terminal 40 to the proxy GTW 46 (the identity being recognized by the proxy GTW outside of the Internet 20), and the “domain-name” portion of the URI pathname may reflect the domain name of the proxy GTW in the network. The domain name, in turn, reflects an address (e.g., IP address) of the proxy GTW within the Internet. Thus, instead of reflecting the domain name of the proxy, the “domain-name” portion of the URI may directly reflect the address of the proxy GTW within the Internet. The identifier portion of the URI, on the other hand, can be the mobile terminal owner's name, nickname, MSISDN or any other identifier which identifies the respective terminal to the proxy GTW.
After receiving the HTTP request, the proxy GTW 46 may proxy the request to the web-server mobile terminal 40 based upon the identity reflected by the identifier portion of the URI. Data access between the proxy GTW and the mobile terminal may be implemented in a number of different manners, particularly any of a number of different manners known to both the mobile terminal and proxy GTW. For example, data access may be implemented by tunneling the data between the mobile terminal and the proxy GTW using IP techniques, such as via the GPRS network. In other words, normal HTTP traffic may be tunneled between the mobile terminal and the proxy GTW. This tunneling may be effectuated by the mobile terminal registering with or informing the proxy GTW about itself, and setting up the tunneling in order to be available to external devices.
In various instances it may be desirable to provide confidentiality and integrity for the communication between the mobile terminal 40 and proxy GTW 46. In such instances, as part of a registration or setting-up process, the mobile terminal may receive a private key assigned thereto, as well as a public key of the proxy GTW. These keys may thereafter be used for encrypting and/or authenticating communications between the mobile terminal and proxy GTW. Additionally or alternatively, the keys may be used to encrypt the time of the particular communications, a running number or some other value that may tie the communications back to a particular time and/or proxy GTW/mobile terminal. The keys may be received in a number of different manners, such as in a package from the proxy GTW where the package may be received directly from the proxy GTW or via a link from the proxy GTW. In this regard, the mobile terminal may be required to supply its telephone number to the proxy GTW during registration/setting up of the mobile terminal, following which the proxy GTW may provide the package/link to the supplied telephone number, such as in a Short Messaging Service (SMS) message.
Mobile terminals 10 often store personal information of their owner (or user), and as such, it may be desirable for any HTTP server 42 implemented thereon (i.e., a web-server mobile terminal 40) to provide some manner of access control. However, providing access control to a HTTP server implemented by a mobile terminal may be difficult, and may not even be possible with conventional off-the-shelf techniques used on traditional servers. In this regard, a straightforward approach in which the HTTP server on the mobile terminal handles access control may lead to problems that can be categorized as “hard” problems involving cost, and “soft” problems involving usability, conceptual or other points of view. More particularly, providing access control at the HTTP server 42 may require transferring all HTTP requests to the mobile terminal 40 over a wireless connection, including those that are ultimately blocked, thereby possibly inducing undesirable cost to the terminal owner, particularly for those blocked requests. Also, requiring the HTTP server on the mobile terminal to resolve numerous HTTP requests may place an undesirable burden on the limited power resources of the mobile terminal.
In addition, providing access control at the HTTP server 42 may require the owner (or user) of the mobile terminal 40 to perform the functions of an administrator for the creation and management of accounts for those clients 44 authorized to access the HTTP server, and may also require the owner (as an administrator) to provide technical support to those clients. And while such functions may be acceptable to technologically-savvy owners, those functions may not be acceptable or may otherwise be undesirable for other owners. Further, from the standpoint of a client, providing access control at each HTTP server independent of other such servers may undesirably require the client to maintain access parameters (e.g., username/password) for each server, which may become unwieldy as the number of such servers increases.
In view of the foregoing issues with providing access control at the HTTP server 42, exemplary embodiments of the present invention present a framework for providing access control at the proxy GTW 46 in a manner at least partially transparent to the web-server mobile terminal 40, where the proxy GTW may be configured to implement an access control manager 48 for providing such access control. The framework may therefore relieve the mobile terminal from fielding ultimately blocked HTTP requests over a possibly costly wireless connection. The framework of exemplary embodiments of the present invention may also relieve the owner of the mobile terminal from the burden of functioning as an administrator, instead placing that burden on the proxy GTW. And from the perspective of a client, the framework of exemplary embodiments of the present invention may permit a proxy GTW to service a plurality of HTTP servers on one or more mobile terminals, thereby permitting the proxy GTW to manage access to that plurality of HTTP servers via a reduced number of (if not the same) access parameters maintained by the client.
More particularly as to the framework of exemplary embodiments of the present invention, the HTTP server 42 of the web-server mobile terminal 40 may be configured to set (e.g., under direction of the mobile terminal owner) access rights control rules for one or more clients 44. To set such access rights control rules, however, may require the HTTP server to know the identities of those clients for which access rights control rules are set. In this regard, consider that mobile terminals typically store a list or directory including a number of telephone numbers (e.g., Mobile Station International ISDN Numbers—MSISDNs) of contacts of the owner of the mobile terminal. Thus, the web-server mobile terminal of exemplary embodiments of the present invention may identify clients according to telephone numbers associated with respective clients. This manner of identifying a client may even be provided in instances in which the client does not have a telephone number. In such instances, the associated telephone number may comprise the telephone number of another device of the owner (or user) of the respective client. Thus, for example, the telephone number associated with a browser 22 (i.e., client) may comprise the telephone number of a mobile terminal 10 of the user of the respective browser.
Similar to the HTTP server 42 of the web-server mobile terminal 40, the access control manager 48 of the proxy GTW may likewise be required to know the identities of the clients 44 requesting access to the HTTP server. In principle, it may be possible to configure clients (e.g., mobile terminals 10) having telephone numbers to automatically provide those to the access control manager when requesting access to the HTTP server. In general, however, such a configuration may be problematic when the client does not have a telephone number (e.g., browser 22). Accordingly, in various exemplary embodiments of the present invention, a client desiring to access one or more HTTP servers serviced by a proxy GTW may register with the respective proxy GTW, such as in a manner transparent to the client user so that the registration appears as though it is originating with the HTTP proxy. During this registration process, the access control manager may request that the client (or client user registrant) provide a number of pieces of identifying information for setting up an account for the client user registrant. For example, the access control manager may be configured to send a selectable form or a form to be filled in, such as a HTML form, to the client for providing the requested information. This requested/provided information included in the user account may include, for example, a username (and password, if required) (access parameters) and the telephone number of the client or of another device of the respective client user registrant. Upon registering with the proxy GTW, the client may be required to activate the user registration/account. In such instances, for example, the proxy GTW may send a message (e.g., SMS message) to the provided telephone number. This message may include a personal identification number (PIN), which may then be provided by the client user (or owner) back to the proxy GTW to activate the user registration/account.
The requested/provided information of the user account for a client 44 may therefore be utilized to identify a client requesting access to a HTTP server 42 of a web-server mobile terminal 40. In this regard, before requesting access to a HTTP server, the client may be required to login to the proxy GTW 46 servicing the respective HTTP server. During this login procedure, the access control manager 48 may request that the client provide the username (and password, if required) for the client user's account at the access control manager. And upon receipt of the username/password, the access control manager may identify a corresponding user account, including an associated telephone number included therein. This telephone number may then be considered the telephone number associated with the respective client for providing access control to a HTTP server serviced by the proxy GTW. It should be realized, however, that in lieu of registering/logging-in to the proxy GTW as explained above, the client may provide one or more of the above pieces of information in a number of other manners before gaining access to the HTTP server.
In accordance with exemplary embodiments of the present invention, the HTTP server 42 of the web-server mobile terminal 40 may be configured to set (e.g., under direction of the mobile terminal owner—or user) access rights control rules for one or more clients 44, identifying those clients by their associated telephone numbers. In this regard, the telephone numbers identifying one or more clients may be stored by the mobile terminal, such as in a list or directory of contacts of the owner of the mobile terminal. The HTTP server may be configured to receive access rights control rules for one or more clients from the mobile terminal owner, and send those rules to the access control manager 48 of the proxy GTW 46. For example, to allow access to persons Bob and Alice but deny access to everyone else, the HTTP server could send the access control manager the following access rights control rules:
Deny All
Allow Bob, Alice
In the preceding example, in the access rights control rules sent to the access control manager, Bob and Alice may be identified by their respective telephone numbers, which may correspond to the telephone numbers in user accounts for Bob and Alice at the access control manager. Also in the preceding example, and in response to the access rights control rules, the access control manager may thereby be configured to first deny everybody access to the HTTP server, and then specifically permit access to Bob and Alice. That is, the access control manager may thereby be configured to filter out all traffic to the HTTP server except traffic from Bob and Alice, which have been specifically permitted.
Symmetrically, instead of filtering out all traffic except those specifically permitted access, the access control manager 48 could be configured to allow access to everybody, but specifically filter out certain clients 44. Consider, for example, the following access rights control rules:
Allow All
Deny Carol,
where again, Carol may be identified by her respective telephone number, which may correspond to the telephone number in a user account for Carol at the access control manager. In this example, the access control manager may be configured to allow all traffic to the HTTP server except from Carol, which may instead be filtered out.
It should further be noted that access rights control rules may permit more fine-tuned access control at the access control manager 48 of the proxy GTW 46. For example, in addition to filtering traffic by specific clients 44, traffic may be filtered by specific resources of the HTTP server 42, where those resources may be identified by Uniform Resource Locators (URLs). Consider, for example, the following access rights control rules:
Deny All
Allow Bob, Alice
Allow All/public
In this example, the access control manager is configured to deny access to everybody by default. The access control manager may permit Bob and Alice to access all resources of the respective HTTP server, however, and further permit everybody to access URLs including the path “/public.” In this example, it should also be noted that the access control manager need not know the identity of a client 44 to permit access to URLs including the path “/public,” and as such, exemplary embodiments of the present invention may further support anonymous access to resources of the HTTP server.
Reference is now made to
At some point before, after or as the client 44 provides its information to the access control manager 48 of the proxy GTW 46, the HTTP server 42 of the web-server mobile terminal 40 may set (e.g., under direction of the mobile terminal owner—or user) access rights control rules for one or more clients, identifying those clients by their associated telephone numbers. In this regard, the HTTP server may receive access rights control rules for one or more clients from the mobile terminal owner, and send those rules to the access control manager of the proxy GTW. The access control manager may thereafter configure access to the HTTP server based upon the access rights control rules and the telephone numbers associated therewith.
At one or more instances after providing its information to the access control manager 48 of the proxy GTW 46, and after the access control manager configures access to the HTTP server, the client may log in to the proxy GTW. As explained above, during this login procedure, the access control manager 48 may request that the client provide the username (and password, if required) for the client user's account at the access control manager. And upon receipt of the username/password, the access control manager may identify a corresponding user account, including an associated telephone number included therein. This telephone number may then be considered the telephone number associated with the respective client for providing access control to a HTTP server serviced by the proxy GTW.
As the client 44 is logged in to the proxy GTW 46, the client may request a resource of the HTTP server 42 of the web-server mobile terminal 40, such as by sending an HTTP GET request to the HTTP server. As explained above, the URI in such resource requests reflects the domain name of the proxy GTW in the network, and as such, the resource request from the client is forwarded through respective network(s) to the proxy GTW. Upon receipt of the resource request, the proxy GTW may identify the web-server mobile terminal, or more particularly the HTTP server of the web-server mobile terminal, also from the URI in the resource request. From the identity of the HTTP server, the access control manager 48 of the proxy GTW may recall or otherwise identify the access rights control rules of the respective HTTP server. And from the telephone number associated with the client and the access rights control rules (including one or more telephone numbers), the access control manager may determine if the client is authorized to access the HTTP server (or the requested resource of the HTTP server).
If the client 44 is not authorized to access the HTTP server 42 (or the requested resource of the HTTP server), the access control manager 48 may deny the client's resource request, and may further notify the client that it is not authorized to access the requested HTTP server (or resource). Otherwise, if the client is authorized to access the HTTP server (or resource), as shown, the proxy GTW 46 may proxy or otherwise send the resource request to the HTTP server, such as by tunneling the resource request to the web-server mobile terminal, and thus the HTTP server. In response to the request, the HTTP server may send a reply including the requested resource (if appropriate) to the proxy GTW, such as by tunneling the reply to the proxy GTW. In turn, the proxy GTW may forward the reply to the client to fulfill the resource request.
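The following is an added example, not code from the patent, that implements the access control manager as described in the rule examples above (“Deny All” / “Allow Bob, Alice” / “Allow All/public”, and “Allow All” / “Deny Carol”) and in the login-then-request flow just described: it parses both URI forms from the description, resolves a logged-in client to the telephone number in its account, and applies the rules in order. The proxy domain, usernames, passwords and telephone numbers are constructed for the demonstration, and treating a terminal that has sent no rules as unreachable is an assumption.

```python
"""Added example (not from the patent): proxy-side access control manager that
parses the page's URI forms, maps a logged-in client to its telephone number and
evaluates Allow/Deny rules sent by a terminal's HTTP server. All names, passwords,
telephone numbers and the proxy domain below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple, Union
from urllib.parse import urlsplit

ALL = "ALL"  # wildcard subject: the rule applies to every client, even anonymous ones


@dataclass(frozen=True)
class Rule:
    action: str                           # "allow" or "deny"
    subjects: Union[str, FrozenSet[str]]  # ALL, or telephone numbers of clients
    path_prefix: str                      # "/" covers every resource of the server


def parse_rule(line: str) -> Rule:
    """'Deny All', 'Allow +358401111111, +358402222222', 'Allow All/public'."""
    tokens = line.strip().split()
    if len(tokens) < 2 or tokens[0].lower() not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    action, path = tokens[0].lower(), "/"
    if tokens[-1].startswith("/"):        # 'Allow All /public' written with a space
        path = tokens.pop()
    subjects = " ".join(tokens[1:])
    if subjects.lower().startswith("all"):
        tail = subjects[3:]               # 'All/public' exactly as written on the page
        return Rule(action, ALL, tail if tail.startswith("/") else path)
    return Rule(action, frozenset(s.strip() for s in subjects.split(",") if s.strip()), path)


def path_under(path: str, prefix: str) -> bool:
    """True if path is prefix itself or below it ('/publicity' is not under '/public')."""
    prefix = prefix.rstrip("/")
    return prefix == "" or path == prefix or path.startswith(prefix + "/")


class AccessControlManager:
    """Client accounts plus per-terminal rules; the proxy consults it before tunnelling."""

    def __init__(self, proxy_domain: str, accounts: Dict[str, Tuple[str, str]]) -> None:
        self.proxy_domain = proxy_domain.lower()
        self.accounts = accounts                # username -> (password, telephone number)
        self.rules: Dict[str, List[Rule]] = {}  # terminal identifier -> ordered rules

    def login(self, username: str, password: str) -> Optional[str]:
        """Telephone number tied to the account, or None on failure.
        Demo simplification: a deployment would compare password hashes."""
        entry = self.accounts.get(username)
        return entry[1] if entry is not None and entry[0] == password else None

    def set_rules(self, terminal_id: str, lines: List[str]) -> None:
        self.rules[terminal_id] = [parse_rule(l) for l in lines if l.strip()]

    def parse_request_uri(self, uri: str) -> Tuple[str, str]:
        """(terminal id, resource path) from http://www.<domain>/<id>/... or http://<id>.<domain>/..."""
        parts = urlsplit(uri)
        host = (parts.hostname or "").lower()
        if host not in (self.proxy_domain, "www." + self.proxy_domain):
            suffix = "." + self.proxy_domain
            if not host.endswith(suffix):
                raise ValueError("request is not addressed to this proxy")
            return host[: -len(suffix)], parts.path or "/"
        segs = parts.path.lstrip("/").split("/", 1)
        if not segs[0]:
            raise ValueError("no terminal identifier in URI")
        return segs[0], ("/" + segs[1] if len(segs) == 2 else "/")

    def authorize(self, uri: str, phone: Optional[str]) -> bool:
        """Rules apply in order and the last match wins, so 'Deny All' then 'Allow ...'
        is default deny with exceptions; phone is None for anonymous clients."""
        terminal_id, resource = self.parse_request_uri(uri)
        decision = False  # assumption: a terminal that sent no rules is unreachable
        for rule in self.rules.get(terminal_id, []):
            if not path_under(resource, rule.path_prefix):
                continue
            if rule.subjects == ALL or (phone is not None and phone in rule.subjects):
                decision = rule.action == "allow"
        return decision


def demo_manager() -> AccessControlManager:
    """Constructed setup: the page's 'Deny All' style for 'dave', 'Allow All' style for 'erin'."""
    acm = AccessControlManager("gw.example", {
        "bob": ("bob-pw", "+358401111111"),
        "alice": ("alice-pw", "+358402222222"),
        "carol": ("carol-pw", "+358403333333"),
    })
    acm.set_rules("dave", ["Deny All", "Allow +358401111111, +358402222222", "Allow All/public"])
    acm.set_rules("erin", ["Allow All", "Deny +358403333333"])
    return acm
```

With this setup, Carol is denied Dave's private resources but reaches anything under “/public”, an anonymous client reaches only “/public”, and Carol alone is filtered out of Erin's server.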
According to one aspect of the present invention, the functions performed by one or more of the entities of the system, such as the web-server mobile terminal 40, proxy GTW 46 and/or client (e.g., terminal 10, browser 22, etc.) may be performed by various means, such as hardware and/or firmware, including those described above, alone and/or under control of a computer program product (e.g., HTTP server 42, access control manager 48, etc.). The computer program product for performing one or more functions of embodiments of the present invention includes a computer-readable storage medium, such as the non-volatile storage medium, and software including computer-readable program code portions, such as a series of computer instructions, embodied in the computer-readable storage medium.
In this regard,
Accordingly, blocks or steps of the control flow diagram support combinations of means for performing the specified functions, combinations of steps for performing the specified functions and program instruction means for performing the specified functions. It will also be understood that one or more blocks or steps of the control flow diagram, and combinations of blocks or steps in the control flow diagram, can be implemented by special purpose hardware-based computer systems which perform the specified functions or steps, or combinations of special purpose hardware and computer instructions.
Many modifications and other embodiments of the invention will come to mind to one skilled in the art to which this invention pertains having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.