Abstract: A method for replicating data in a distributed computer environment wherein a plurality of servers are configured about one or more central hubs in a hub and spoke arrangement. In each of a plurality of originating nodes, updates and associated origination sequence numbers are sent to the central hub. The hub sends updates and associated distribution sequence numbers to the plurality of originating nodes. The hub tracks acknowledgments sent by nodes for a destination sequence number acknowledged by all nodes. Thereafter, a highest origination sequence number is sent from the central hub back to each originating node.

Abstract: A scanning tool executing on a host computer may be used to scan a server only if the server (or a proxy) first exposes to the host a certificate that, upon processing by the host, indicates that the server may be scanned. The certificate preferably encrypts a scan permission and is made available from a given port on the server (or the proxy). Whenever the host desires to perform a scan of the server, the host searches the port for the certificate. The certificate is then decrypted to determine whether the scan permission exists. If so, the scan then proceeds, in accordance with any conditions set forth in the decrypted scan permission.

Abstract: An architecture for extending the Java security model to allow a user or administrator to grant permissions dynamically. By itself, the Java 2 security model does not allow additions to the collections of policy permissions after they have been loaded from the Java policy file. The inventive architecture allows Java applets and applications to dynamically prompt the user to grant a permission that does not exist in the Java policy file. If the user grants the permission, the present invention grants the permission for the ProtectionDomain to which the class asking for the permission belongs. Attributes for the dynamic permission may be set during runtime and saved across browser sessions.

Abstract: An authentication framework for authenticating clients, each of which is coupled to an authentication device of one of a plurality of permitted authentication device types. An authentication method begins by having a client pass to an application server a request for authentication. The request includes a user id and device id identifying a client and an authentication device coupled thereto. The application server determines which device authentication server the request is intended for, and then forwards authentication data in the request to that server. If the device authentication server verifies that the authentication data is acceptable, an authorization token is returned to the client.

Abstract: A method, system, apparatus, and computer program product is presented for a location-based legal information service. A subscriber to the service is assumed to have a data device, such as a mobile handheld device, and the location of the data device is determined through a positioning system, such as GPS or E911. Based on the determined location of the data device, legal information is then retrieved, such as a law or a regulation that is applicable to regulating or restricting activities at or near the determined location. The legal information can be displayed on the data device; the position of the data device can be continually monitored so that the legal information can be continually updated. Alternatively, the legal information can be used to restrict the operation of the data device, e.g., if the legal information is related to a privacy law or regulation.

Abstract: An event management service (EMS) of a distributed computing environment includes a filter mechanism for determining whether events generated by one or more event suppliers are communicated to one or more event consumers. Each event consumer that registers for the service also defines an event filter group that determines whether particular events generated by the one or more event suppliers are communicated to that event consumer. The event filter group is derived from one or more predefined event type schemas and/or event header information. Events supplied to the service are applied through a parser of the filter mechanism to control whether and where a particular event is routed.

Abstract: A persistent object service (POS) that interfaces to a set of one or more relational database management systems. A persistent object is mapped to one or more tables in a relational database based on the object's attribute types and the object's relationships with other objects. If the object inherits from another object, the mapping creates multiple tables, a top level table for base attributes, and a set of one or more child tables that contain extended attributes of the inherited objects. A routine for storing an object converts persistent object operations to a sequence of SQL statements for storing the object in the relational database.

Abstract: A method of determining Internet delays associated with requests from a Web client connectable to a Web server. The method begins at the Web server in response to a first HTTP request. In particular, the Web server serves a response to the first HTTP request and logs a server processing time associated with serving that response. After the response is delivered back to the Web client that initiated the request, an end user response time associated with the first HTTP request is calculated at the Web client. Upon a new HTTP request (typically the next one), the end user response time associated with the first HTTP request is then passed from the Web client to the Web server in a cookie. The Internet delay associated with the first HTTP request is then calculated by subtracting the server processing time from the end user response time.

Abstract: A method for deploying an application to client computers across a computer network is operative in a server environment in which given conditions, such as network load and actual or relative time-of-day, are being monitored. The method begins by establishing at least one rule for determining which of a given set of application versions are to be served to a client computer, and by establishing at least one user profile for determining which of a given set of users have a given priority. In response to a request from a client computer to serve the application, the rule is resolved against the monitored conditions and the user profile to select an application version to serve to the client computer. The application version is then served to the client computer.

Abstract: A method for transcoding an input stream to a desired output format using a transcoder framework. In response to a given transcoder of the framework recognizing an external reference that it cannot transcode, the method calls a subseries of specialized transcoders to transcode the external reference. After the subseries of specialized transcoders generates a transcoded external reference, that reference is returned back to the given transcoder, where it is incorporated into the transcoder's output. Transcoder sub-chains are used in this manner as modular, building blocks in the transcoder framework.

Abstract: A method of enabling a Web browser user to interact with a given application running on a Web server begins by constructing and returning a cookie to the Web browser upon a given occurrence, e.g., user login to the application. Without additional user input, the routine then forces the Web browser to check with the Web server that the cookie was set on the Web browser. Preferably, this is accomplished by sending the cookie from the Web server in a refresh page that redirects the HTTP flow back to itself with a parameter to check if the cookie was set. At the Web server, a test is then done to determine whether the cookie is valid. If so, the user is allowed to interact with the given server application (e.g., to take a given action or to log off from the application without closing the Web browser). A novel cookie construction and validation mechanism is also described.

Abstract: A DCE RPC mechanism normally uses a TCP/IP-based transport service to enable client machines to make remote procedure calls to server machines in a distributed computing environment. NETBIOS protocol support for the RPC mechanism is provided by using NETBIOS application names similar to TCP/IP conventions and through use of connection-oriented or connection-less NETBIOS protocol sequences. In particular, NETBIOS names are used as though they include a fixed portion representing a machine, and a dynamic portion representing an application on that machine. New functions are provided to use NETBIOS names in place of TCP/IP addresses and these NETBIOS names are then used via the sockets API, leaving RPC's use of the sockets API unchanged.

Abstract: A method of routing in a computer network having a pool of servers capable of servicing requests for access to a set of server resource objects. The set of server resource objects are distributed in a non-homogeneous manner across the server pool. According to the method, each incoming client request for access to a specified server resource object is targeted to a router having an associated port space identifying a plurality of ports. Based on the port on which an incoming client request is received, the request is mapped to one of the server resource objects. The router then selects the “best provider” and redirects or forwards the request to that server. The routing and redirection is based upon the port for the incoming request.

Abstract: A method for changing a user password is preferably operative as a Web server impersonates a Web client to obtain access to files stored in a distributed file system space of a distributed computing environment. The method begins in response to receipt of a Web transaction request from the Web client to determine whether the user's password has expired. If so, the method suspends processing of the Web transaction request and then enters a password change subprogram to enable the user to define a new password. Typically, the password change subprogram displays a password change dialog that interacts with the user. Upon definition of the new password by the user, the mechanism resumes processing of the original Web transaction request. Alternatively, the user may be prompted to terminate the original transaction request and select a new URL and/or document.

Abstract: The lightweight directory access protocol (LDAP) is extended to include client- and server-based controls for securing sensitive data in the directory service. The set of controls include a client control implemented on a client machine, and/or a server control implemented on a server machine. It is not required that both controls be implemented together, and a client machine may implement the client control irrespective of whether a server involved in the directory operation is running the server control.

Abstract: A method of authenticating a Web client to a Web server connectable to a distributed file system of a distributed computing environment. The distributed computing environment includes a security service for returning a credential to a user authenticated to access the distributed file system. The method preferably operates within the context of a native operating system environment such as “Windows NT”. Upon initialization of the Web server, a session manager creates a pool of temporary Windows NT user identities. In response to a Web client browser request, a temporary NT user identity is associated with proper DCE credentials. A server process then impersonates the returned NT user identity on a thread which is attempting to access the requested resource.

Abstract: A method for replicating data in a distributed computer environment wherein a plurality of servers are configured about one or more central hubs in a hub and spoke arrangement. In each of a plurality of originating nodes, updates and associated origination sequence numbers are sent to the central hub. The hub sends updates and associated distribution sequence numbers to the plurality of originating nodes. The hub tracks acknowledgments sent by nodes for a destination sequence number acknowledged by all nodes. Thereafter, a highest origination sequence number is sent from the central hub back to each originating node.

Abstract: A routing apparatus is located at an outbound “edge” of an administrative domain or at an inbound “edge” of an ISP or other network facility. The apparatus, which is preferably implemented in software, includes a “dispatcher.” The dispatcher has a database associated therewith in which information about a “current state” of the network or some resource therein is collected and maintained. The “current state” information is generally of two types: quality-of-service (Q-o-S) information associated with transactions involving a particular Web server, or more general network resource availability information. According to the invention, a routing “policy” is defined at the dispatcher using at least one routing rule having a condition and an action. As service requests arrive at the dispatcher, each of the requests is routed to a destination by testing the current state information against the condition.

Abstract: A monitor located between a Web browser and a server upon which a server application is running. The monitor is useful for recording a set of URLs (sometimes referred to as a “request list”) that issue from the Web browser during a sample interactive session between the user of the client machine and the server application. The URL request list trace or session “workload” may then be used to benchmark the server application by supplying the information as an input to a set of HTTP submitter routines. Each HTTP submitter routine simulates a particular user of a client machine connected to the server application. Each routine then “replays” the interactive session recorded by the monitor so that the overall performance of the server application against “multiple” simulated users may be evaluated.

Abstract: A method, system and computer program product to facilitate royalty collection with respect to online distribution of electronically published material over a computer network. In one embodiment, a method for managing use of a digital file (that includes content subject to copyright protection on behalf of some content provider) begins by establishing a count of a number of permitted copies of the digital file. In response to a given protocol, a copy of the digital file is then selectively transferred from a source to a target. Thus, for example, the source and target may be located on the same computer with the source being a disk storage device and the target being a rendering device (e.g., a printer, a display, a sound card or the like). The method logs an indication each time the digital file is transferred from the source to a target rendering device, and the count is decremented upon each transfer. When the count reaches a given value (e.g.