The present invention relates generally to a method, system, and computer program product for controlling accumulation of undesirable data in HyperText Transfer Protocol (HTTP, http). More particularly, the present invention relates to a method, system, and computer program product for http header licensing in proxy systems.
Unless expressly distinguished where used, a “client system” (hereinafter interchangeably referred to as “client,” “client system,” or “client application”) is a sender of an http request.
An http request is a request for data where the request message is constructed in compliance with http specification. An http request can include a section where the needed data is requested, and one or more optional sections called http request headers. An http request header seeks to perform certain operations, transmit optional information, request optional information, or some combination thereof, as desired by the client.
Unless expressly distinguished where used, a “server system” (hereinafter interchangeably referred to as “server,” “server system,” or “server application”) is a sender of an http response.
An http response is a response to an http request where the response message is constructed in compliance with http specification. An http response may or may not include the needed data. An http response can include a section where the needed data is included, and one or more optional sections called http response headers. An http response header seeks to perform certain operations, transmit optional information, request optional information, or some combination thereof, as desired by the server.
A proxy system (hereinafter referred to as “proxy”) is a data processing system that acts (i) on behalf of a server, as a receiver of an http request from a client or another proxy, (ii) on behalf of a server, as a sender of an http response to a client or another proxy, (iii) on behalf of a client, as a sender of an http request to a server or another proxy, (iv) on behalf of a client, as a receiver of an http response from a server or another proxy, or (v) some combination of (i)-(iv).
A proxy configured in a server-side data processing environment is called a server-side proxy and masquerades as the server. A proxy configured in a client-side data processing environment is called a client-side proxy and masquerades as the client. An intermediate proxy is simply a proxy that is neither in a server-side environment nor in a client-side environment but can be configured to behave as a server-side proxy, a client-side proxy, both as a server-side proxy and a client-side proxy, or as simply a pass-through system for http request-response traffic.
Cookies are data that a server stores on a client for use in the present and subsequent data communications with the client. Typically, a server issues a cookie to the client by including a “set-cookie” http response header in an http response, with instructions for the client to “return” the cookie value back to the server when requesting further transactions with the server for a given amount of time. Correspondingly, when a cookie is set at a client, the client includes the cookie data in an http request header called a “cookie” header in a subsequent transaction with the server.
Many such operations and data communications are presently accomplished by a large set of http request headers and http response headers presently recognized in the http specification. The setting of a cookie causes subsequent action(s) on the part of the client, and possibly—depending on the scope of applicability of a given cookie—also on the part of other servers. The action of returning a specific cookie to the server may not be desirable in many cases, regardless of what a server's operator may wish.
The illustrative embodiments provide a method, system, and computer program product. An embodiment includes a method that modifies a proxy, to form an enhanced proxy, wherein the proxy is configured to inspect only a payload of a HyperText Transfer Protocol (http) message, the modifying enabling the enhanced proxy to identify, at the enhanced proxy, a set of http header types in the http message received from a system. The embodiment sends a license verification request to an external licensing authority (LA) to verify an allowability of each header type in the set of header types. The embodiment receives, from the LA at the enhanced proxy, license information corresponding to the system. The embodiment modifies the http message by suppressing from transmission an http header of a disallowed header type in the http message, the disallowed header type being identified in the license information. The embodiment transmits the modified http message.
An embodiment includes a computer usable program product. The computer usable program product includes a computer-readable storage device, and program instructions stored on the storage device.
An embodiment includes a computer system. The computer system includes a processor, a computer-readable memory, a computer-readable storage device, and program instructions stored on the storage device for execution by the processor via the memory.
Certain novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, however, as well as a preferred mode of use, further objectives and advantages thereof, will best be understood by reference to the following detailed description of the illustrative embodiments when read in conjunction with the accompanying drawings, wherein:
The setting of cookies using http headers is used as a non-limiting example use-case to highlight some drawbacks of the present state of the art and to illustrate some operations of the illustrative embodiments that improve the present technological field of endeavor of internet data communications using http.
The illustrative embodiments recognize that applications running on servers can control many aspects of behavior when communicating with a client. Among such behaviors is the sending and setting of HTTP response headers, for example, Access-Control-Allow-Origin, Cache-Control, Set-Cookie, and others. Sending of http response headers by one server application can also affect other applications running on the same server, in the same domain, or in the same sub-domain as the sender server application.
As a non-limiting example, cookies set by one server application can also affect other domains or subdomains. For example, a server application on sub.example.tld can also set cookies for example.tld as per RFC 2109, which provides that a Set-Cookie from request-host x.foo.com is also acceptable for Domain=.foo.com.
The illustrative embodiments recognize that multiple server applications running on the same domain also present this problem. One server application performing operations via http response headers can interfere with and set cookies for another server application, or even overwrite another server application's cookies, causing an unintentional or malicious session hijacking.
Behavior like this can cause many issues. Again, using cookies as a non-limiting example, if one server application has to support most browsers, then the cookie usage of that server application should not exceed 50 cookies per domain and 4093 bytes per domain. However, another application on the same server, domain, or sub-domain may be restricted to only a certain type of client. Accordingly, the other application can easily ignore the 50 cookies and 4093 bytes limitation, and store or overwrite a cookie in a non-compliant manner such that the operation of the first application on certain browsers causes errors or other issues. For example, in one example domain, upwards of 12,000 bytes of cookie data has been observed at a given time, with a single cookie taking up to 2000 bytes of space. The illustrative embodiments expect that the Content-Security-Policy header will grow to these levels as well in the coming years.
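The cross-subdomain cookie behavior and the per-domain budget described above, as an added example that is not part of the patent text: the RFC 2109 rules under which a client accepts a Set-Cookie Domain attribute (which is what lets sub.example.tld set a cookie for .example.tld), and a cookie store that enforces the 50-cookie and 4093-byte per-domain limits the text cites. The byte count (name=value per cookie) and the CookieJar class are assumptions of this example.

```python
# Added example, not from the patent: RFC 2109 Domain acceptance rules and a cookie
# store enforcing the per-domain budget the text cites (50 cookies, 4093 bytes).
from typing import Dict, Optional, Tuple

MAX_COOKIES_PER_DOMAIN = 50     # limits stated in the text for broad browser support
MAX_BYTES_PER_DOMAIN = 4093


def domain_match(host: str, domain: str) -> bool:
    """RFC 2109 domain-match: equal strings, or `domain` starts with a dot and is a
    proper suffix of `host` (x.y.com matches .y.com, but y.com does not)."""
    host, domain = host.lower(), domain.lower()
    if host == domain:
        return True
    return domain.startswith(".") and host.endswith(domain) and len(host) > len(domain)


def accept_domain(request_host: str, domain: Optional[str]) -> Tuple[bool, str]:
    """Apply the RFC 2109 section 4.3.2 rejection rules to a Set-Cookie Domain
    attribute. Returns (accepted, effective domain); with no Domain attribute the
    cookie is bound to the request-host only."""
    if domain is None:
        return True, request_host.lower()
    d = domain.lower()
    if not d.startswith(".") or "." not in d[1:]:
        return False, d         # must start with a dot and contain an embedded dot
    if not domain_match(request_host, d):
        return False, d         # request-host must domain-match the Domain value
    if "." in request_host.lower()[: -len(d)]:
        return False, d         # extra label levels between host and Domain: rejected
    return True, d


class CookieJar:
    """Client-side cookie store (assumed here) grouped by effective domain."""

    def __init__(self) -> None:
        self._jar: Dict[str, Dict[str, str]] = {}

    def store(self, request_host: str, name: str, value: str,
              domain: Optional[str] = None) -> Tuple[bool, str]:
        """Accept or reject one Set-Cookie from `request_host`; budget is counted as
        the total length of name=value over the cookies held for that domain."""
        ok, eff = accept_domain(request_host, domain)
        if not ok:
            return False, f"rejected Domain={domain} from {request_host}"
        bucket = self._jar.setdefault(eff, {})
        candidate = dict(bucket)
        candidate[name] = value
        total = sum(len(n) + len(v) + 1 for n, v in candidate.items())
        if len(candidate) > MAX_COOKIES_PER_DOMAIN or total > MAX_BYTES_PER_DOMAIN:
            return False, f"over budget for {eff}: {len(candidate)} cookies, {total} bytes"
        bucket[name] = value
        return True, eff

    def cookies_for(self, host: str) -> Dict[str, str]:
        """Cookies the client would return to `host`: every bucket it domain-matches,
        which is why a cookie set for .example.tld reaches every sub-domain."""
        out: Dict[str, str] = {}
        for eff, bucket in self._jar.items():
            if domain_match(host, eff):
                out.update(bucket)
        return out


def demo() -> Tuple[Tuple[bool, str], ...]:
    """Constructed walk-through of the cases discussed in the text."""
    jar = CookieJar()
    return (
        jar.store("sub.example.tld", "sid", "abc", ".example.tld"),      # accepted
        jar.store("sub.example.tld", "t", "1", ".tld"),                   # no embedded dot
        jar.store("sub.example.tld", "big", "x" * 2000, ".example.tld"),  # 2000-byte cookie, fits
        jar.store("sub.example.tld", "big2", "x" * 2100, ".example.tld"), # would exceed 4093 bytes
    )
```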
Consider that there are some http response headers which enable behavior on the client that has consequence beyond the transaction, i.e., the configured behavior is persistent. One such header is the Set-Cookie header, which causes the client to return data on subsequent transactions to the server that sets the cookie and possibly more servers. The Strict-Transport-Security http response header is another example of persistence in an http header, as it instructs the client to potentially require SSL for all hosts in the given domain. The Content-Security-Policy http response header causes the client to change its behavior while processing the HTML/CSS/JS content for potentially more than the server application that sent the header. The related Content-Security-Policy-Report-Only http response header causes the client to make a POST to a location in case of a violation, which may be the intended operation for one server application but may be undesirable for another server application that is also affected by the persistent operation, e.g., due to the potential of creating opportunities for information leaks, DDoS, and other malicious operations.
Presently, some proxies can be configured with proxy-specific policies. These policies are configured for a specific proxy and are either local within the proxy or resident within the local network in which the proxy operates. There does not exist a per-request or per-response third-party verification of the http headers that the proxy can allow to pass, dependent on the specific sender and/or receiver of the request/response.
The present state of the technological field of endeavor of internet data communication using http presently does not include a mechanism, other than self-policing by the server applications and proxy-specific policies, to avoid such data communication issues. A need exists for verification of http headers by an entity independent of the header sender and any proxy. A need exists that such verification be performed on a per-request or per-response basis. A need exists that such verification be further specific to the header sender, the intended header recipient, or both. A need exists that the verification be dynamically configurable according to a variety of aspects of the data communication in question.
The illustrative embodiments recognize that the presently available tools or solutions do not address these needs/problems or provide adequate solutions for these needs/problems. The illustrative embodiments used to describe the invention generally address and solve the above-described problems and other related problems by http header licensing in proxy systems.
An embodiment can be implemented as a software application. The application implementing an embodiment, or one or more components thereof, can be configured as a modification of an existing proxy—i.e., a native application in the proxy, as an application executing in a data processing system communicating with an existing proxy over a short-range radio network such as Bluetooth, over a wired or wireline local area network (LAN)—i.e., a local application on the LAN, as an application executing in a data processing system communicating with an existing proxy over a wide area network (WAN)—i.e., a remote application on the WAN, as a separate application that operates in conjunction with an existing proxy in other ways, a standalone application, or some combination thereof.
An embodiment implements a licensing authority (LA). The LA can be instantiated within a local network of a server, a local network of a client, or outside the local networks of the server and the client. Any number of LA instances can be created.
An LA manages license information per sender/originator of an http communication. For example, the LA manages separate licenses for server application 1, server application 2, . . . and server application n. Each server application is a sender or originator of an http response and can potentially attach any number of http response headers in its responses. Similarly, the same LA or a different instance thereof can manage separate licenses for client application 1, client application 2, . . . and client application m. Each client application is a sender or originator of an http request and can potentially attach any number of http request headers in its requests.
A license is a collection of tokens. A token is a single tag-value pair, consisting of an identifier called a tag and one or more values corresponding to the tag. The tag and the values are each alphanumeric and can be encoded in any suitable manner. Each license has at least one token in which the tag is a suitable manner of indicating that the tag is an identifier associated with a particular originator. For example, the tag may be “LicenseID” and the value may be “bfd9b4f683b1b959577352bbdd93c53b8d1585342e6762cabcb2988404cd41cf” where the value is uniquely associated with a particular originator, e.g., server application x (which operates in server data processing system y, in sub-domain a.b.c).
Additional tokens in a license can include one or more tags indicating allowance of certain header types and having as value one or more allowed http header types, one or more tags indicating disallowance of certain header types and having as value one or more disallowed http header types, one or more tags indicating a period of validity of allowance/disallowance of a specific respective allowed/disallowed header type or all allowed/disallowed header types, or some combination of these and other tokens.
These examples of tokens and tag-values are not intended to be limiting. From this disclosure, those of ordinary skill in the art will be able to conceive many other tokens and tag-values and the same are contemplated within the scope of the illustrative embodiments.
A server application is configured for http communications with one or more client applications. At initiation of a server application, or at some point during the operation of the server application, the server application gets/requests/initiates a license at an LA instance. For clarity, assume that the LA instance executes outside the control of the local network of the server application and the client application. The LA instance is independent of any proxy and can be queried by any proxy in a manner described herein.
As a consequence of initiating a license at the LA, the server application becomes associated with a unique value of a license identifier token in the license. The LA populates the license with allowance tokens, disallowance tokens, validity period tokens, or some combination thereof. This populating is independent of any proxies, i.e., is not proxy-specific. The license is not locally resident in the proxy, is not managed by the proxy, and is not a proxy policy. In some cases, a proxy can cache a license for improving license verification efficiency, but the license remains non-proxy-specific. Furthermore, only the temporarily cached copy of the license, not the license itself, is managed by the proxy in such cases, such as to determine when the cached copy should be discarded.
The populating of the license is also dynamic, i.e., can be different according to different conditions. For example, the dynamic populating includes but is not limited to populating the license differently for the same request or client at different times, differently for the same response or server at different times, differently for the same header in different requests from the same client, differently for the same header in different responses from the same server, an allowance or disallowance having different validity for the same header at different times from the same client, an allowance or disallowance having different validity for the same header at different times from the same server, and/or differently for the same header from different clients or servers.
An embodiment enables a proxy to perform certain operations described herein. For example, when a server application sends a response, the embodiment causes the proxy to examine the response and extract the server's license identifier and the set of http response headers included in the response, and optionally the response type if applicable in the license implementation.
The embodiment causes the proxy to construct a license verification message for the LA. The license verification message includes the server's license identifier and the set of http response headers included in the response, and optionally the response type if applicable in the license implementation. The embodiment causes the proxy to transmit the license verification message to the LA.
Depending on the contents of the license corresponding to the server's license identifier, the LA sends a license verification response to the proxy. The embodiment causes the proxy to modify the server application's response according to the license verification response. For example, if the license verification response indicates that a certain http response header is disallowed, the embodiment causes the proxy to suppress (not pass through) that http response header from the server's response. The embodiment causes the proxy to pass through that http response header in the server's response which is either not indicated in the disallowed values or is indicated as an allowed value.
If license caching is implemented in the proxy, a current copy of the server's license may be available in the cache of the proxy. In such a case, an embodiment allows the proxy to omit configuring and transmitting the license verification message to the LA and instead direct the message at the local cached copy of the license corresponding to the server's license identifier. The embodiment causes the proxy to perform an evaluation of the allowed and disallowed tokens in the license. The embodiment causes the proxy to suppress those headers that are found in the disallowed token values in a manner similar to the suppression according to the license verification response from the LA.
Only as a non-limiting example, the above operations are described with respect to a server application, http response message, http response headers, and a server-side proxy. An embodiment can similarly enable a client-side proxy to analyze an http request from a client application and suppress certain http request headers. The suppression in the http request can also result from a license verification response from an LA or a cached local copy of a client's license at the client-side proxy.
According to one embodiment, multiple proxies can be enabled for http header suppression in a similar manner. For example, in one embodiment, a server-side proxy is enabled to suppress disallowed http response headers and a client-side proxy is enabled to suppress disallowed http request headers. An intermediate proxy—i.e., a proxy not on the server-side or the client-side—can also be enabled to similarly selectively suppress certain http headers in either the request or the response or both. Any number of proxies, in any combination of any number of server-side/client-side/intermediate proxies, can be similarly enabled using an embodiment to selectively suppress different http headers at different points along the communication pathway of an http communication between a client and a server.
The manner of http header licensing in proxy systems described herein is unavailable in the presently available methods in the technological field of endeavor pertaining to internet data communications using http. A method of an embodiment described herein, when implemented to execute on a device or data processing system, comprises substantial advancement of the functionality of that device or data processing system in preventing undesirable persistence and use of data or operations on either side of the http communication.
The illustrative embodiments are described with respect to certain types of locations of embodiments, proxies, messages, headers, licenses, tokens, tag-values, suppression or inclusion, devices, data processing systems, environments, components, and applications only as examples. Any specific manifestations of these and other similar artifacts are not intended to be limiting to the invention. Any suitable manifestation of these and other similar artifacts can be selected within the scope of the illustrative embodiments.
Furthermore, the illustrative embodiments may be implemented with respect to any type of data, data source, or access to a data source over a data network. Any type of data storage device may provide the data to an embodiment of the invention, either locally at a data processing system or over a data network, within the scope of the invention. Where an embodiment is described using a mobile device, any type of data storage device suitable for use with the mobile device may provide the data to such embodiment, either locally at the mobile device or over a data network, within the scope of the illustrative embodiments.
The illustrative embodiments are described using specific code, designs, architectures, protocols, layouts, schematics, and tools only as examples and are not limiting to the illustrative embodiments. Furthermore, the illustrative embodiments are described in some instances using particular software, tools, and data processing environments only as an example for the clarity of the description. The illustrative embodiments may be used in conjunction with other comparable or similarly purposed structures, systems, applications, or architectures. For example, other comparable mobile devices, structures, systems, applications, or architectures therefor, may be used in conjunction with such embodiment of the invention within the scope of the invention. An illustrative embodiment may be implemented in hardware, software, or a combination thereof.
The examples in this disclosure are used only for the clarity of the description and are not limiting to the illustrative embodiments. Additional data, operations, actions, tasks, activities, and manipulations will be conceivable from this disclosure and the same are contemplated within the scope of the illustrative embodiments.
Any advantages listed herein are only examples and are not intended to be limiting to the illustrative embodiments. Additional or different advantages may be realized by specific illustrative embodiments. Furthermore, a particular illustrative embodiment may have some, all, or none of the advantages listed above.
With reference to the figures and in particular with reference to
Clients or servers are only example roles of certain data processing systems connected to network 102 and are not intended to exclude other configurations or roles for these data processing systems. Server 104 and server 106 couple to network 102 along with storage unit 108. Software applications may execute on any computer in data processing environment 100. Clients 110, 112, and 114 are also coupled to network 102. A data processing system, such as server 104 or 106, or client 110, 112, or 114 may contain data and may have software applications or software tools executing thereon.
Only as an example, and without implying any limitation to such architecture,
Device 132 is an example of a device described herein. For example, device 132 can take the form of a smartphone, a tablet computer, a laptop computer, client 110 in a stationary or a portable form, a wearable computing device, or any other suitable device. Any software application described as executing in another data processing system in
Application 105 implements an embodiment to enable proxy 103 with certain operations relative to http messaging between server application 107 and client application 111 as described herein. Licensing authority 142 is not located in network 102 in the manner of server system 104 or server system 107 (which are connected to network 102 by solid lines) but is reachable from network 102 (as represented by the dashed line connection with network 102) for license verification requests and responses, or optionally for caching of licenses at proxy 103, as described herein.
Servers 104 and 106, storage unit 108, and clients 110, 112, and 114, and device 132 may couple to network 102 using wired connections, wireless communication protocols, or other suitable data connectivity. Clients 110, 112, and 114 may be, for example, personal computers or network computers.
In the depicted example, server 104 may provide data, such as boot files, operating system images, and applications to clients 110, 112, and 114. Clients 110, 112, and 114 may be clients to server 104 in this example. Clients 110, 112, 114, or some combination thereof, may include their own data, boot files, operating system images, and applications. Data processing environment 100 may include additional servers, clients, and other devices that are not shown.
In the depicted example, data processing environment 100 may be the Internet. Network 102 may represent a collection of networks and gateways that use the Transmission Control Protocol/Internet Protocol (TCP/IP) and other protocols to communicate with one another. At the heart of the Internet is a backbone of data communication links between major nodes or host computers, including thousands of commercial, governmental, educational, and other computer systems that route data and messages. Of course, data processing environment 100 also may be implemented as a number of different types of networks, such as for example, an intranet, a local area network (LAN), or a wide area network (WAN).
Among other uses, data processing environment 100 may be used for implementing a client-server environment in which the illustrative embodiments may be implemented. A client-server environment enables software applications and data to be distributed across a network such that an application functions by using the interactivity between a client data processing system and a server data processing system. Data processing environment 100 may also employ a service oriented architecture where interoperable software components distributed across a network may be packaged together as coherent business applications. Data processing environment 100 may also take the form of a cloud, and employ a cloud computing model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g. networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service.
With reference to
Data processing system 200 is also representative of a data processing system or a configuration therein, such as data processing system 132 in
In the depicted example, data processing system 200 employs a hub architecture including North Bridge and memory controller hub (NB/MCH) 202 and South Bridge and input/output (I/O) controller hub (SB/ICH) 204. Processing unit 206, main memory 208, and graphics processor 210 are coupled to North Bridge and memory controller hub (NB/MCH) 202. Processing unit 206 may contain one or more processors and may be implemented using one or more heterogeneous processor systems. Processing unit 206 may be a multi-core processor. Graphics processor 210 may be coupled to NB/MCH 202 through an accelerated graphics port (AGP) in certain implementations.
In the depicted example, local area network (LAN) adapter 212 is coupled to South Bridge and I/O controller hub (SB/ICH) 204. Audio adapter 216, keyboard and mouse adapter 220, modem 222, read only memory (ROM) 224, universal serial bus (USB) and other ports 232, and PCI/PCIe devices 234 are coupled to South Bridge and I/O controller hub 204 through bus 238. Hard disk drive (HDD) or solid-state drive (SSD) 226 and CD-ROM 230 are coupled to South Bridge and I/O controller hub 204 through bus 240. PCI/PCIe devices 234 may include, for example, Ethernet adapters, add-in cards, and PC cards for notebook computers. PCI uses a card bus controller, while PCIe does not. ROM 224 may be, for example, a flash binary input/output system (BIOS). Hard disk drive 226 and CD-ROM 230 may use, for example, an integrated drive electronics (IDE), serial advanced technology attachment (SATA) interface, or variants such as external-SATA (eSATA) and micro-SATA (mSATA). A super I/O (SIO) device 236 may be coupled to South Bridge and I/O controller hub (SB/ICH) 204 through bus 238.
Memories, such as main memory 208, ROM 224, or flash memory (not shown), are some examples of computer usable storage devices. Hard disk drive or solid state drive 226, CD-ROM 230, and other similarly usable devices are some examples of computer usable storage devices including a computer usable storage medium.
An operating system runs on processing unit 206. The operating system coordinates and provides control of various components within data processing system 200 in
Instructions for the operating system, the object-oriented programming system, and applications or programs, such as application 105 in
Furthermore, in one case, code 226A may be downloaded over network 201A from remote system 201B, where similar code 201C is stored on a storage device 201D. In another case, code 226A may be downloaded over network 201A to remote system 201B, where downloaded code 201C is stored on a storage device 201D.
The hardware in
In some illustrative examples, data processing system 200 may be a personal digital assistant (PDA), which is generally configured with flash memory to provide non-volatile memory for storing operating system files and/or user-generated data. A bus system may comprise one or more buses, such as a system bus, an I/O bus, and a PCI bus. Of course, the bus system may be implemented using any type of communications fabric or architecture that provides for a transfer of data between different components or devices attached to the fabric or architecture.
A communications unit may include one or more devices used to transmit and receive data, such as a modem or a network adapter. A memory may be, for example, main memory 208 or a cache, such as the cache found in North Bridge and memory controller hub 202. A processing unit may include one or more processors or CPUs.
The depicted examples in
Where a computer or data processing system is described as a virtual machine, a virtual device, or a virtual component, the virtual machine, virtual device, or the virtual component operates in the manner of data processing system 200 using virtualized manifestation of some or all components depicted in data processing system 200. For example, in a virtual machine, virtual device, or virtual component, processing unit 206 is manifested as a virtualized instance of all or some number of hardware processing units 206 available in a host data processing system, main memory 208 is manifested as a virtualized instance of all or some portion of main memory 208 that may be available in the host data processing system, and disk 226 is manifested as a virtualized instance of all or some portion of disk 226 that may be available in the host data processing system. The host data processing system in such cases is represented by data processing system 200.
With reference to
LA 310 is an example of LA 142 in
Additional proxies are possible and contemplated in the illustrative embodiments, such as any number of intermediate proxies 316, one or more client-side proxy 318, additional server-side proxies, or some combination thereof. Only proxy 304 is used in configuration 300 for the clarity of the description and not to imply any limitation to the number or placement of proxies within the scope of the illustrative embodiments.
Client application 308 sends http request 320. Proxy 304 is normally configured to cache some data that can be used to respond to some http requests without forwarding the http request to server application 306. Assume, only for the clarity of the description, that http request 320 cannot be responded to by proxy 304 based on the cached data. Accordingly, proxy 304 forwards http request 320 to server application 305.
Server application 306 prepares http response 322. Http response 322 includes a license identifier associated with server application 306, assuming that server application 306 has already initiated a license with LA 310. Http response 322 also includes a set of http response headers.
Application 302 operates in conjunction with proxy 304 and enables proxy 304 to perform certain operations described herein. Proxy 304 enabled by application 302 (referred to interchangeably hereinafter as “enhanced proxy”) receives http response 322 and extracts the license identifier. Enhanced proxy 302-304 further determines the header types associated with the http response headers in response 322. Enhanced proxy 302-304 constructs and transmits license verification request 324 to LA 310. LA 310 uses the license associated with the license identifier of server application 306 to determine the allow/disallow permissions indicated in the license. LA 310 optionally also determines the validity periods associated with (i) one or more subsets of one or more individual header types identified in the verification request, (ii) the entire set of header types identified in the verification request, or (iii) the license as a whole. Depending on the permissions found in the license and the validity of the header types and/or the license, LA 310 sends license verification response 326 to enhanced proxy 302-304.
Using license verification response 326, enhanced proxy 302-304 performs suppression operation 328 on http response 322. Suppression operation 328 suppresses those headers from response 322 that are either included in a disallowed list of header types in license verification response 326 or are not included in an allowed list of header types in license verification response 326. Suppression operation 328 results in modified http response 330. Enhanced proxy 302-304 transmits modified http response 330 on a data path towards client application 308.
With reference to
In step 412, client 408 sends an example “GET” http request to server 406. Proxy 402 receives the http request and forwards to server 406 in step 414. In step 416, server 406 sends client 408 an example http response including http response headers and server's license identifier “X-Transport-License”.
Proxy 402 receives the http response and determines the license identifier and http response header types carried in the http response. In step 418, proxy 402 sends an example “POST” license verification request to LA 410. The POST request includes the license identifier and the http response header types as a query in the payload section of the request.
In step 420, LA 410 sends a license verification response to proxy 402. The license verification response includes the response to the license verification query from step 418. In step 422, proxy 402 transmits a modified http response to client 408. The modified http response may exclude all such http response headers that have been disallowed according to the response in step 420.
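The proxy side of the exchange in steps 416 to 422 (and of suppression operation 328), as an added example that is not code from the page: the server's http response is parsed, the license reference is extracted, the payload of the POST verification request is built from the header types found, and the allow/disallow lists returned by the LA are applied to produce the modified response. The header syntax "X-Transport-License: licenseID=<id>; authority=<url>", the JSON payload, the function names, and the sample response are assumptions; the page fixes none of them. Header names are compared case-insensitively, as HTTP field names are.

```python
"""Enhanced-proxy handling of steps 416 to 422. Added example; not from the page.
Assumed: the X-Transport-License syntax, the JSON payload, and SAMPLE_RESPONSE.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

Header = Tuple[str, str]
LICENSE_HEADER = "x-transport-license"
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 tchar

# Constructed sample, modelled on the header types of http response 504.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 13\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"P3P: CP=\"This is not a P3P policy\"\r\n"
    b"Server: example\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Cache-Control: no-store\r\n"
    b"X-XSS-Protection: 0\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Referrer-Policy: no-referrer\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Pragma: no-cache\r\n"
    b"Set-Cookie: sid=abc; Secure; HttpOnly\r\n"
    b"Set-Cookie: lang=en; Path=/\r\n"
    b"X-Transport-License: licenseID=srv-0001; "
    b"authority=https://license.example.org/check_license.jsp\r\n"
    b"\r\n"
    b"<html></html>"
)

def parse_http_response(raw: bytes) -> Tuple[str, List[Header], bytes]:
    """Split status line, header fields (order and duplicates kept) and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header section")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not _TOKEN.match(name):   # rejects "Name : v" and obs-fold
            raise ValueError(f"malformed header field: {line!r}")
        headers.append((name, value.strip()))
    return lines[0], headers, body

def extract_license(headers: List[Header]) -> Optional[Dict[str, str]]:
    """Return {'licenseID': ..., 'authority': ...} from the license header, or None."""
    for name, value in headers:
        if name.lower() != LICENSE_HEADER:
            continue
        params: Dict[str, str] = {}
        for part in value.split(";"):
            key, eq, val = part.strip().partition("=")
            if eq:
                params[key.strip()] = val.strip()
        if "licenseID" in params and "authority" in params:
            return params
    return None

def header_types(headers: List[Header]) -> List[str]:
    """Distinct header types carried by the response, lower-cased, first-seen order."""
    seen: List[str] = []
    for name, _ in headers:
        if name.lower() not in seen:
            seen.append(name.lower())
    return seen

def build_verification_request(license_id: str, types: List[str]) -> bytes:
    """Payload of the POST license verification request of step 418."""
    return json.dumps({"licenseID": license_id, "headerTypes": types}).encode()

def suppress_headers(headers: List[Header], allowed: Optional[List[str]],
                     disallowed: List[str]) -> List[Header]:
    """Suppression operation 328: drop a header if its type is in the disallowed
    list, or if an explicit allowed list exists and does not name it.
    allowed=None means every type is allowed (token 584 of the depicted license)."""
    allow = None if allowed is None else {t.lower() for t in allowed}
    deny = {t.lower() for t in disallowed}
    return [(n, v) for n, v in headers
            if n.lower() not in deny and (allow is None or n.lower() in allow)]

def serialize_response(status_line: str, headers: List[Header], body: bytes) -> bytes:
    head = status_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
    return head.encode("iso-8859-1") + body

def handle_response(raw: bytes, verification_response: Dict) -> bytes:
    """Steps 416 -> 418 (request built) -> 420 (assertion applied) -> 422."""
    status, headers, body = parse_http_response(raw)
    lic = extract_license(headers)
    if lic is None:
        raise LookupError("no license identifier in response")  # 'no license' action applies
    _request_payload = build_verification_request(lic["licenseID"], header_types(headers))
    kept = suppress_headers(headers, verification_response.get("allowed"),
                            verification_response.get("disallowed", []))
    return serialize_response(status, kept, body)
```

The parser keeps duplicate fields (the two Set-Cookie headers) in order, because the suppression decision is per header type while the forwarded response must still carry every instance of a permitted type; it also rejects a field name with trailing whitespace or a folded continuation line rather than guessing, so a malformed upstream response cannot slip a header past the type check.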
With reference to
http response 504 includes http response headers 506 (content-length), 508 (content-type), 510 (p3p), 512 (server), 514 (x-content-type-options), 516 (cache-control), 518 (x-xss-protection), 520 (content-security-policy), 522 (referrer-policy), 524 (strict-transport-security), 526 (pragma), 528 (set-cookie), and 530 (set-cookie). Header 532 provides a reference to a license authority to use (https://license.example.org/check_license.jsp), and license identifier (licenseID) 534 has the value of the license identifier to use for the server application that sent http response 504.
With reference to
With reference to
With reference to
Response 560 further provides that the valid header types are valid for a maximum period of 600 seconds from the time of response 560. This specifying of the validity time period allows the enhanced proxy to cache the assertion of response 560 so that for subsequent license verifications of additional http responses from the same server application, the enhanced proxy does not have to request license verifications from the LA and can perform such validation using the cached assertion. The cached assertion is used as the cached license for licenseID 536 at the enhanced proxy.
With reference to
With reference to
Token 584 is an allowed list of header types. According to the depicted example, all http header types are allowed except those that are disallowed according to token 586. Token 586 includes a list of disallowed header types. Tokens 588 and 590 together specify a time window during which license 580 is valid and usable.
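How the LA can evaluate a verification query against the four tokens of license 580, and how the enhanced proxy can cache the resulting assertion under the 600-second maximum age of response 560, as an added example that is not code from the page. The record and dictionary field names are assumptions. Two details are design choices rather than anything the page states: the assertion's max_age is capped at the remaining life of the license, and a cached assertion is only reused for header types it has already ruled on, so a response carrying a type the LA never saw goes back to the LA.

```python
"""LA evaluation over tokens 584-590 and the proxy's assertion cache.
Added example; not from the page. Field names and the two design choices
noted in the comments are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

ASSERTION_MAX_AGE = 600   # seconds, as in response 560

@dataclass(frozen=True)
class License:
    license_id: str
    allowed: Optional[FrozenSet[str]]   # token 584; None means every header type
    disallowed: FrozenSet[str]          # token 586
    not_before: int                     # token 588, epoch seconds
    not_after: int                      # token 590, epoch seconds

def make_license(license_id: str, allowed: Optional[List[str]], disallowed: List[str],
                 not_before: int, not_after: int) -> License:
    return License(license_id,
                   None if allowed is None else frozenset(t.lower() for t in allowed),
                   frozenset(t.lower() for t in disallowed), not_before, not_after)

def evaluate(lic: Optional[License], header_types: List[str], now: int) -> Dict:
    """Build the license verification response (step 420 / block 754)."""
    if lic is None:
        return {"status": "no-license"}
    if not (lic.not_before <= now < lic.not_after):    # outside tokens 588-590
        return {"status": "expired", "licenseID": lic.license_id}
    valid: List[str] = []
    invalid: List[str] = []
    for t in (x.lower() for x in header_types):
        permitted = t not in lic.disallowed and (lic.allowed is None or t in lic.allowed)
        (valid if permitted else invalid).append(t)
    # Design choice: the assertion must not outlive the license it was derived from.
    max_age = max(0, min(ASSERTION_MAX_AGE, lic.not_after - now))
    return {"status": "ok", "licenseID": lic.license_id, "valid": valid,
            "invalid": invalid, "max_age": max_age, "issued_at": now}

class AssertionCache:
    """Enhanced-proxy cache of assertions keyed by licenseID (blocks 746 and 762)."""
    def __init__(self) -> None:
        self._entries: Dict[str, Dict] = {}

    def put(self, assertion: Dict) -> None:
        if assertion.get("status") == "ok" and assertion["max_age"] > 0:
            self._entries[assertion["licenseID"]] = assertion

    def lookup(self, license_id: str, header_types: List[str], now: int) -> Optional[Dict]:
        a = self._entries.get(license_id)
        if a is None:
            return None
        if now - a["issued_at"] >= a["max_age"]:
            del self._entries[license_id]     # stale: the proxy must ask the LA again
            return None
        decided = set(a["valid"]) | set(a["invalid"])
        if not {t.lower() for t in header_types} <= decided:
            return None   # design choice: an undecided header type is not a cache hit
        return a
```

Because the max_age is measured from issued_at as recorded by the LA, proxy and LA clocks need to agree reasonably well; a proxy that trusts a skewed issued_at could keep an assertion past the license's end of validity.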
With reference to
In one prong of process 600, the server sends a request to the LA to register (initiate) a license (step 606). The LA receives the request to register the license (step 608). The LA checks rules (step 610) configured in the LA to determine whether the requested license can be granted (step 612). If the requested license can be granted (“Yes” path of step 612), the LA adds a license entry to the licensing database of the LA (step 614). The LA constructs and sends a reply to the server (step 616). When the license can be granted, the reply of step 616 is affirmative. When the license cannot be granted (“No” path of step 612), the reply of step 616 is negative. The server receives the reply (step 618) and ends process 600.
In another prong of process 600, the server sends a request to the LA to update a license (step 620). The server can update the types of headers it expects to send and many other aspects of the license depending upon the specific implementation of the license. The LA receives the request to update the license (step 622). The LA checks rules (step 624) configured in the LA to determine whether the requested license can be updated (step 626). If the requested license can be updated (“Yes” path of step 626), the LA looks up the licensing database of the LA (step 628) to determine whether the license sought to be updated is found in the database (step 630). If the license is found (“Yes” path of step 630), the LA updates the license in the database (step 632). The LA constructs and sends a reply to the server (step 616). When the license can be updated, the reply of step 616 is affirmative. When the license cannot be updated (“No” path of step 626) or when the license is not found (“No” path of step 630), the reply of step 616 is negative. The server receives the reply (step 618) and ends process 600.
In another prong of process 600, the server sends a request to the LA to delete (remove or deactivate) a license (step 634). The LA receives the request to delete the license (step 636). The LA looks up the licensing database of the LA (step 628) to determine whether the license sought to be deleted is found in the database (step 630). If the license is found (“Yes” path of step 630), the LA deletes, removes, or deactivates the license, or otherwise updates the license in the database as removed, deleted, or deactivated (step 632). The LA constructs and sends a reply to the server (step 616). When the license can be deleted, the reply of step 616 is affirmative. When the license is not found (“No” path of step 630), the reply of step 616 is negative. The server receives the reply (step 618) and ends process 600.
With reference to
With reference to
With reference to
The client application is an example of client 408 in
The process begins in the request phase, when the client receives a signal to prepare an http request, such as when a uniform resource identifier (URI) is requested by a user (block 702). The client constructs the http request (block 704). The client transmits the http request (block 706) to a server (block 705), or to a proxy for the server (block 707).
Suppose that block 707 operates and the proxy receives the http request from the client (block 708). The proxy deconstructs the request according to the http specification (block 710). The proxy looks up a local data cache (block 712) to determine whether the data requested in the http request is available locally (block 714). If the data is found in the cache (“Yes” path of block 714), the proxy constructs the http response from the local cache (block 716) and outputs the proxy cached response (block 720).
If the data is not found or is stale in the proxy's cache (“No” path of block 714), the proxy decides to send the http request from the proxy to the server (block 722). The proxy forwards the request from the proxy to the server (block 724).
The server either receives the http request directly from the client via block 705 or from the proxy via block 724. Regardless, the server receives the http request (block 726). The server deconstructs the request according to the http specification (block 728). The server processes the request (block 730).
The process exits the request phase of
In the response phase, the server constructs an http response, including http response headers (block 732). Block 732 may also be reached via block 720 when the proxy determines to construct a response from the local cached data at block 716. The server or the proxy, as the case may be, transmits the http response (block 734). If block 732 was reached via block 720, then the proxy will have already consulted the server application's license (either from a cached copy or through the LA) and the http response will be compliant with the license. In such a case, block 734 transmits the http response to the client via block 736.
If block 732 is reached via entry point A and the server constructs the http response at block 732, block 734 transmits the http response to the proxy (block 738).
Back in the request phase of
In the licensing phase of
If the answer at block 746 is negative (“No” path of block 746), the proxy sends a license verification request to the LA (block 748).
The LA receives the license verification request from the proxy (block 750). The LA consults the license database to find the server's license (block 752). The LA returns the license information along with the validity (maximum age) of the license (block 754).
The proxy receives the license information from the LA (block 756). The proxy determines whether the license information indicates that a license exists for the server (block 758). If no license was active or found for the server (“No” path of block 758), the proxy performs a configured “no license” action (block 760). The “no license” actions can include, but are not limited to, suppressing all or certain optional http response headers from the http response of the server, rejecting the http response of the server altogether, or forming a default http response on behalf of the server.
If a license was active or found for the server (“Yes” path of block 758), the proxy optionally updates the local license cache with the copy of the license information (block 762). The proxy modifies the http response of the server by suppressing the disallowed headers according to the license information (block 764). After block 760 or 764, the process exits the licensing phase at exit D to enter the response phase at entry D.
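The licensing phase of blocks 744 to 764 as one decision tree, as an added example that is not code from the page: the proxy consults its local license cache, falls back to the LA on a miss, applies the configured "no license" action of block 760 when no active license comes back (or when the response carried no license identifier at all), and otherwise suppresses the disallowed headers. The assertion shape, the set of framing headers kept by the "suppress optional headers" action, the 502 and 503 replies used for the "reject" and "default response" actions, and the in-memory cache and stub LA that let this run offline are all assumptions.

```python
"""Proxy licensing phase, blocks 744-764. Added example; not from the page.
Assumed: assertion shape, FRAMING_HEADERS, the 502/503 replies, the test doubles."""
from typing import Callable, Dict, List, Optional, Tuple

Header = Tuple[str, str]
Assertion = Dict[str, object]
FRAMING_HEADERS = {"content-length", "content-type"}   # assumed non-optional headers
DEFAULT_BODY = b"upstream response withheld\n"
NO_LICENSE_ACTIONS = ("suppress-optional", "reject", "default-response")

def licensing_phase(status_line: str, headers: List[Header], body: bytes,
                    license_id: Optional[str],
                    lookup_cache: Callable[[str, List[str]], Optional[Assertion]],
                    ask_la: Callable[[str, List[str]], Assertion],
                    store_cache: Callable[[Assertion], None],
                    no_license_action: str) -> Tuple[str, List[Header], bytes]:
    types = sorted({n.lower() for n, _ in headers})
    assertion: Optional[Assertion] = None
    if license_id is not None:
        assertion = lookup_cache(license_id, types)           # blocks 744/746
        if assertion is None:
            assertion = ask_la(license_id, types)             # blocks 748-756
            if assertion.get("status") == "ok":
                store_cache(assertion)                        # block 762
    if assertion is None or assertion.get("status") != "ok":  # "No" path of block 758
        return no_license(status_line, headers, body, no_license_action)
    invalid = {str(t).lower() for t in assertion["invalid"]}  # type: ignore[union-attr]
    kept = [(n, v) for n, v in headers if n.lower() not in invalid]   # block 764
    return status_line, kept, body

def no_license(status_line: str, headers: List[Header], body: bytes,
               action: str) -> Tuple[str, List[Header], bytes]:
    """Configured 'no license' action (block 760)."""
    if action == "suppress-optional":
        return status_line, [(n, v) for n, v in headers if n.lower() in FRAMING_HEADERS], body
    if action == "reject":
        return "HTTP/1.1 502 Bad Gateway", [("Content-Length", "0")], b""
    if action == "default-response":
        return ("HTTP/1.1 503 Service Unavailable",
                [("Content-Type", "text/plain"), ("Content-Length", str(len(DEFAULT_BODY)))],
                DEFAULT_BODY)
    raise ValueError(f"unknown no-license action {action!r}")

# Test doubles so the phase runs offline: a coverage-aware cache and a stub LA.
def memory_cache():
    store: Dict[str, Assertion] = {}
    def lookup(license_id: str, types: List[str]) -> Optional[Assertion]:
        a = store.get(license_id)
        if a is None or not set(types) <= set(a["valid"]) | set(a["invalid"]):  # type: ignore[arg-type]
            return None   # miss, or a header type the cached assertion never ruled on
        return a
    def put(a: Assertion) -> None:
        store[str(a["licenseID"])] = a
    return lookup, put

def stub_la(disallowed_by_license: Dict[str, List[str]], calls: List[str]):
    """Stand-in for LA 410: a disallowed list per licenseID; records each query."""
    def ask(license_id: str, types: List[str]) -> Assertion:
        calls.append(license_id)
        if license_id not in disallowed_by_license:
            return {"status": "no-license"}
        deny = {t.lower() for t in disallowed_by_license[license_id]}
        return {"status": "ok", "licenseID": license_id,
                "valid": [t for t in types if t not in deny],
                "invalid": [t for t in types if t in deny]}
    return ask
```

The "reject" and "default response" actions return a response the proxy composed itself, with its own Content-Length, so nothing from the unlicensed upstream response reaches the client; "suppress optional headers" forwards the body but only the framing headers, which is the least disruptive of the three and the one most likely to hide a misconfigured license behind a working page.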
In the response phase of
Thus, a computer implemented method, system or apparatus, and computer program product are provided in the illustrative embodiments for http header licensing in proxy systems and other related features, functions, or operations. Where an embodiment or a portion thereof is described with respect to a type of device, the computer implemented method, system or apparatus, the computer program product, or a portion thereof, are adapted or configured for use with a suitable and comparable manifestation of that type of device.
Where an embodiment is described as implemented in an application, the delivery of the application in a Software as a Service (SaaS) model is contemplated within the scope of the illustrative embodiments. In a SaaS model, the capability of the application implementing an embodiment is provided to a user by executing the application in a cloud infrastructure. The user can access the application using a variety of client devices through a thin client interface such as a web browser (e.g., web-based e-mail), or other light-weight client-applications. The user does not manage or control the underlying cloud infrastructure including the network, servers, operating systems, or the storage of the cloud infrastructure. In some cases, the user may not even manage or control the capabilities of the SaaS application. In some other cases, the SaaS implementation of the application may permit a possible exception of limited user-specific application configuration settings.
The present invention may be a system, a method, and/or a computer program product at any possible technical detail level of integration. The computer program product may include a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present invention.
The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a static random access memory (SRAM), a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, including but not limited to computer-readable storage devices as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.
Computer readable program instructions for carrying out operations of the present invention may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, configuration data for integrated circuitry, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++, or the like, and procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present invention.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the blocks may occur out of the order noted in the Figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.