Method and apparatus for controlling server access to a resource in a client/server system

Abstract

In a client/server system, a method and apparatus for handing requests for access to a host resource purportedly on behalf of a client from an untrusted application server that may be capable of operating as a “rogue” server. Upon receiving a service request from a client, an untrusted application server creates a new thread within its address space for the client and obtains from the security server a client security context, which is anchored to the task control block (TCB) for that thread. The client security context specifies the client and indicates whether the client is an authenticated client or an unauthenticated client. When the application server makes a request for access to a host resource purportedly on behalf of the client, the security server examines the security context created for the requesting thread. If the client security context indicates that the client is an authenticated client, the security server grants access to the host resource if the client specified in the client security context is authorized to make the requested access to the host resource. If the client security context indicates that the client is an authenticated client, the security server grants access to the host resource only if both the client specified in the client security context and the application server are authorized to make the requested access to the host resource.