Abstract: A method and system for processing signed data objects in a data processing system is presented. A signed data object utility allows a user to view and edit the contents of data objects embedded within a signed data object via a graphical user interface. Graphical objects represent the data objects embedded within a signed data object. A user may drag and drop objects onto other objects within the signed data object, and the signed data object utility automatically performs the necessary signing operations. Logical associations between data objects contained within the signed data object are determined, and the logical associations are displayed using visual indicators between graphical objects representing the associated data objects. As data objects are added or deleted, the visual indicators are updated to reflect any updates to the logical associations. The user may direct other operations on the signed data object through the graphical user interface.

Abstract: A method is provided for determining an identity of a browser in an Java environment in which an intermediary program masks the browser's identity. The method begins by querying an operating system process table for information identifying the browser. Thereafter, a Java properties table including the information from the process table is set. In response to a request from a calling program (e.g., an applet class) for the browser identity, a getProperty method is then called to retrieve the browser identity from the properties table. The browser identity is then returned to the calling program.

Abstract: A client-side mechanism that enables a web browser user to manipulate an animated graphic served from a web server. For example, the mechanism allows the user to view the frames of the animated graphic, to halt the animation on a selected frame, to add a new frame, to delete a frame, to edit/modify a given frame, to alter the sequence of frames, to modify a speed of the animation, or the like In addition, the mechanism enables the user to cache given frames of the animation and to save the changes across browser cache flushes.

Abstract: An architecture for extending the Java security model to allow a user or administrator to explicitly deny permissions. By itself, the Java 2 security model does not allow additions to the collections of policy permissions after they have been loaded from the Java policy file. The inventive architecture allows Java applets and applications to dynamically prompt the user to deny a permission that does not exist in the Java policy file. If the user denies the permission, the present invention denies the permission for the ProtectionDomain to which the class asking for the permission belongs. Attributes for the denied permission may be set during runtime and saved across browser sessions.

Abstract: The combination of haptic sensory-motor effects developed at two or more networked remote locations as well as the feedback between such remote locations of the effects resultant from such combinations. Within a communications network comprising a plurality of interconnected computer controlled terminals, a system for communicating haptic sensory-motor states which comprises, within a local or first network terminal, apparatus for receiving data representing an original haptic sensory-motor effect transmitted from a second or remote terminal, apparatus for converting the received data into the physical haptic sensory-motor effect represented by the data, and apparatus for juxtaposing upon the physical haptic sensory-motor effect, a direct physical haptic sensory-motor effect to thereby produce a combined resultant haptic sensory-motor effect at the local or first terminal.

Abstract: A method of enabling an HTTP server plug-in to pass an unmangled environment variable into a CGI process begins by configuring the HTTP server to initially override a CGI service method. When the server processes an HTTP request, the server plug-in, which is called prior to the CGI service method and is running in a process of the HTTP server, inserts a “name value” pair prepended with a marker in a request header parameter block of the HTTP server. Then, the CGI service override method executes the server's original (i.e. native) CGI service method, causing it to run an encapsulation program in the CGI process. This program scans the environment of the CGI process for any string prepended with a given HTTP code (e.g., the string “HTTP_”) and the marker. If it finds any such string, the program strips the given HTTP code and the marker from a remainder of the string and resets the environment variable into the CGI process in an “unmangled” form.

Abstract: A system and method for anonymous message forwarding architecture is presented. A voter sends a vote selection to a mail forwarding server that removes the identity of the voter. The mail forwarding server has administrative options given to it by the receiving server. Administrative options include the ability to manage who is authorized to vote, how often an individual is allowed to vote, and confirmation of accepting a vote from an authorized user, or confirmation of rejecting a vote from an unauthorized user. The mail forwarding server sends the anonymous vote selection to the receiving server for vote calculation. The mail forwarding server also has the ability to perform vote selection calculation and may send a single, compiled file to the receiving server.

Abstract: An architecture for extending the Java security model to allow a user or administrator to grant permissions dynamically. By itself, the Java 2 security model does not allow additions to the collections of policy permissions after they have been loaded from the Java policy file. The inventive architecture allows Java applets and applications to dynamically prompt the user to grant a permission that does not exist in the Java policy file. If the user grants the permission, the present invention grants the permission for the ProtectionDomain to which the class asking for the permission belongs. Attributes for the dynamic permission may be set during runtime and saved across browser sessions.

Abstract: An analysis of at least one authentication token for an application is provided. At least one login module within the application is identified. Responsive to a failure to access the application, principal information is retrieved associated with the at least one login module. A recovery action is then generated. The recovery action corresponds to the failure and the principal information.

Abstract: A test/run program receives as input a list of identifiers for source pages referencing applets to be tested or run. The test/run program creates an array of the identifiers, together with parameters for each identifier, web browser to run the test under, and a number of times the source page is to be reloaded and the applets re-run. For each source page, and for each reload of a given source page, the test/run program starts the specified web browser process, loads the designated source page, and starts a fresh runtime environment for the applet. Support for a test class within the test/run program allows the applets to write success, failure, or informational results to an output file and to exit the web browser process when complete. Where a native implementation of the test class is employed, special security permissions need not be specified and the test/run program need not necessarily be run locally.

Abstract: A method, apparatus, and computer implemented instructions for managing access to data in a keystore in a data processing system. A request for access to an item of data is received from a requestor, wherein the item of data is encrypted using a key. A determination of whether the requestor is a trusted requestor is made. The key and the item of data are sent to the requestor in response to a determination that the requestor is a trusted requestor.

Abstract: A method, program and system for mapping ASN.1 data to an object model are provided. The invention consists of identifying the start of a data stream and then generating a new object name for the data. Next, the data is parsed to get the identifier and the data length. Then the data's tag type is analyzed. If the tag type is simple, a class diagram is generated for the data and then the source code for the data is generated. If the tag type is not simple, a subroutine is called to further parse the data before generating the class diagram and source code.

Abstract: The present invention allows multiple stops in a complete transmission and retains the history and integrity of the stops, as well as any modifications made by the stop point along the way. The invention works whether the transmission consists of synchronous or asynchronous protocols. The invention is specifically designed to operate when both protocols are present in the same transmission. The invention keeps a history of the stop by chaining SignedData objects together and using the related message digest signed attribute for the linkages. This ability to blend two different protocols is not available in other transmission techniques involving only one hop between entities. The technique of the invention retains the original identity and signature of the original sender, as well as the integrity of the original message.

Abstract: An apparatus and method for managing keystores is implemented. A distributed keystore is established by aggregating individual. The distributed keystore may, be organized in a multi-level structure, which may be associated with an organizational structure of an enterprise, or other predetermined partitioning. Additionally, a centralized management of certificates may be provided, whereby the expiration or revocation of the certificates may be tracked, and expired or revoked certificates may be refreshed. The keystore may be updated in response to one or more update events.

Abstract: The present invention provides a method, apparatus, and computer implemented instructions for executing cryptographic operations. Responsive to a request to perform a cryptographic operation, one (or more) of a software process and a hardware process is selected for performing the cryptographic operation based on a policy which process results in a available resources to perform the cryptographic operation to form a selected process. The cryptographic operation is performed using the selected process. Necessary object conversions, which is transparent to the application, is carried out in order to convert objects to usable forms of the selected process (es).

Abstract: The present invention discloses an architecture that enables anonymous electronic voting over the Internet using public key technologies. This invention provides a simple yet robust architecture for electronic voting over the unsecured network that is the Internet, using the public and private key pair belonging to the voting entity, not a separate userid and password for each election. In the voting method of the present invention, a voting entity requests a ballot using a public key and a private key belonging to the voting entity. The request is made to a voting mediator. Using a separate public key/private key pair, the voting mediator validates the voting ballot request. After validation of the request, the voting mediator generates an election ballot. The voting mediator sends this ballot to the voting entity. The voting entity casts a vote and sends the ballot to the voting tabulator. The voting tabulator authenticates the ballot and counts the vote.

Abstract: A method of enabling a Web browser user to interact with a given application running on a Web server begins by constructing and returning a cookie to the Web browser upon a given occurrence, e.g., user login to the application. Without additional user input, the routine then forces the Web browser to check with the Web server that the cookie was set on the Web browser. Preferably, this is accomplished by sending the cookie from the Web server in a refresh page that redirects the HTTP flow back to itself with a parameter to check if the cookie was set. At the Web server, a test is then done to determine whether the cookie is valid. If so, the user is allowed to interact with the given server application (e.g., to take a given action or to log off from the application without closing the Web browser). A novel cookie construction and validation mechanism is also described.

Abstract: A method for changing a user password is preferably operative as a Web server impersonates a Web client to obtain access to files stored in a distributed file system space of a distributed computing environment. The method begins in response to receipt of a Web transaction request from the Web client to determine whether the user's password has expired. If so, the method suspends processing of the Web transaction request and then enters a password change subprogram to enable the user to define a new password. Typically, the password change subprogram displays a password change dialog that interacts with the user. Upon definition of the new password by the user, the mechanism resumes processing of the original Web transaction request. Alternatively, the user may be prompted to terminate the original transaction request and select a new URL and/or document.

Abstract: A method of authenticating a Web client to a Web server connectable to a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. The method preferably operates within the context of a native operating system environment such as “Windows NT”. Upon initialization of the Web server, a session manager creates a pool of temporary Windows NT user identities. In response to a Web client browser request, a temporary NT user identity is associated with proper DCE credentials. A server process then impersonates the returned NT user identity on a thread which is attempting to access the requested resource.

Abstract: A method for recognizing and acting upon dynamic data in a computer network such as the Internet. The method begins by having the user (at a machine connected to the computer network) define at least one data source that he or she is interested in monitoring. The data source includes information identifying a location (i.e. a URL) of the data object to be monitored, together with recognition criteria which determines whether the data source is valid. For each data source, the user may then define a set of one or more action criteria, wherein each action criteria has a given polling interval and includes information identifying a sensitivity criteria and an action to be taken if the sensitivity criteria for the data source is met. The inventive process retrieves one or more data sources from the Internet, examines the data sources according to the sensitivity criteria, and triggers actions if any of the sensitivity criteria are met.