Abstract: A mechanism for running interactive applications with a minimal set of privileges is disclosed. The privileges form a subset of the privileges afforded to the user requesting the application and are allocated consistent with the principle of least privilege. The application runs with the minimal amount of permissions necessary to accomplish its assigned tasks. A new user account is created and provisioned or identified for each application to which a user requests access. The accounts have a subset or superset of the access rights and operating system privileges that the user who is logged on to the system and requesting access to the application ordinarily enjoys. The subset/superset of the user's privileges is determined by a policy-based decision system.
Abstract: A system for displaying at a user device output produced by an application program executing on a server includes an application server executing an application program. A proxy server receives data from the application server that represents a screen of graphical display output produced by the application program. A user device executes a client application. The client application receives from the proxy server static image data representing the screen of graphical display output produced by the application program.
Abstract: A bandwidth-adaptive method for synchronizing a consumer node representation of a dynamic data set and the source node representation of the dynamic data includes the step of receiving, from a source node, metadata information identifying a plurality of data packets that represent a state of at least a portion of a changing data set at a point in time. At least one of the identified data packets is received from the source node and at least one of the received data packets is selected responsive to the received metadata information. The metadata information and the selected at least one data packet are transmitted to a consumer node.
Type: Application
Filed: April 15, 2004
Publication date: October 20, 2005
Applicant: CITRIX SYSTEMS, INC.
Inventors: Klaus Schauser, Bernd Christiansen, Thorsten Von Eicken, Albert Alexandrov, Rafael Saavedra
Abstract: An apparatus and method for determining a program neighborhood of a client node in a client-server network is described. The program neighborhood of the client node includes application programs hosted by application servers on the network. The present invention enables a user of a client node to learn of these application programs. The user is not required to know where to find such applications or to manually establish links to such applications. To make the client node aware of its program neighborhood, a host server collects application-related information corresponding to application programs hosted by the servers in the network. The application-related information can include the application name, the server location of the application, minimum capabilities required of client nodes for executing the application, and those users who are authorized to use that application. User credentials are received from the client system. The user credentials are used to filter the application-related information.
Type: Application
Filed: May 2, 2005
Publication date: September 8, 2005
Applicant: CITRIX SYSTEMS, INC.
Inventors: Martin DUURSMA, Anatoliy PANASYUK, Robert CIRALDO, Anthony UNGERMAN, Bradley PEDERSEN, Tom DAVIS, Marc BLOOMFIELD
Abstract: Methods and apparatus for arbitrarily extendible information aggregation and display. This functionality is achieved by abstracting the components of the system into individual modules which communicate using a platform-independent, extendible markup language such as Extensible Markup Language (XML). A designer adds support for new information sources or client devices by abstracting and encapsulating messages to and from the information source or client device in a wrapper using a platform-independent, extendible markup language such as XML.
Type: Application
Filed: January 7, 2005
Publication date: September 8, 2005
Applicant: CITRIX SYSTEMS, INC.
Inventors: William Stutz, Arulnambi Kaliappan, Ronald Capwell, Paul Martin, Todd Ogrin
Abstract: The invention relates to systems and methods for reestablishing client communications by securely traversing network components using an encapsulating communication protocol to provide session persistence and reliability. A first protocol that encapsulates a plurality of secondary protocols is used to communicate over a network to provide session persistence and a reliable connection between a client and a host service via a first protocol service. A ticket authority generates a first ticket and a second ticket associated with the client. The first ticket is provided to the client and the client uses the first ticket to establish a communication session with the first protocol service. The second ticket is provided to the first protocol service and the first protocol service uses the second ticket to establish a communication session with the host service.
Type: Application
Filed: September 30, 2004
Publication date: September 8, 2005
Applicant: CITRIX SYSTEMS, INC.
Inventors: Anatoliy Panasyuk, Andre Kramer, Bradley Pedersen, David Stone, Terry Treder
Abstract: The invention relates to methods and systems for reconnecting a client and providing user authentication across a reliable and persistent communication session. A first protocol that encapsulates a plurality of secondary protocols is used to communicate over a network. A first protocol service, using the first protocol, provides session persistence and a reliable connection between a client and a host service.
Type: Application
Filed: September 29, 2004
Publication date: September 8, 2005
Applicant: CITRIX SYSTEMS, INC.
Inventors: Anatoliy Panasyuk, Andre Kramer, Bradley Pedersen, David Stone, Terry Treder