Abstract: A method of grouping content requests by one or more behaviors is provided. Each content request is labeled. Sessions for various user and service types are defined. The sessions are then modeled to create representative sessions. Each session is then matched with one or more representative sessions.

Abstract: A method is provided for defining a required information delivery system capacity as a function of a user's service quality objectives. An information delivery system behavior is modeled to understand under what conditions the user's service quality objectives are met or not met. Conditions are captured in which the user's service quality objectives are met or not met. Statistical techniques are applied to the conditions captured. A model is induced that describes the conditions in which the user's service quality objectives are met or not met.

Abstract: A method of determining behavior of an information system application is provided. The information system application's behavior for user content requests and load conditions is determined as is a user's quality of service objectives. The information system application's capacity allocation is then prioritized. Changes in the information system application's behavior are detected. The behavior of the information system applications is then updated in response to detecting changes that affect the user's quality of service objectives.

Abstract: A method and apparatus is provided for securely executing access control functions that may be customized by or on behalf of administrators of information access systems. Examples of such functions include changing a password of a user, determining whether or not data specifying a user and a password identifies an authentic user, and displaying a message indicating whether a login attempt was successful. An access control function is mapped to a digital signature. The digital signature is used to verify that an executable element retrieved for executing the access control function is the proper executable element. The access control functions may be invoked upon the occurrence of access control events, such as a user successfully logging onto an information access system or the modification of a user's password. A mapping contains data used to determine what events are tied to what access control functions, and whether the access control function should be executed.

Abstract: A method and apparatus for controlling use of a network resource. A network administrator accesses and navigates one or more network resources. A navigation capture server captures each request that is generated by the administrator's browser and each response that is received, and stores information about the requests and responses. The navigation capture server analyzes the captured information and generates an access/navigation script that represents the navigation actions taken by the administrator in the session. The script is edited and generalized in a manner such that upon playback of the script, the user may input actual useful information and the system may capture specific response data. When the client accesses and navigates the Web applications, context-specific information, relating to the client's then-current request, is passed from the User View Server to the navigation capture server.

Abstract: A method and apparatus are provided for selectively authenticating and authorizing a client seeking access to one or more protected computer systems over a network. A request of a client to access one of the computer systems is received. A proxy security server is requested to authenticate the client using information identifying the client. An authorization of the client from the proxy security server is received, based on authentication results received from a remote security server that is coupled to the proxy security server. In response, access rights of the client are established, based on one or more access information records received from remote security server through the proxy security server. As a result, one or more legacy security servers may be easily integrated into an application access system without complicated modifications to the application access system.

Abstract: In a system that controls access to information resources, a session manager in cooperation with a topology mechanism enables a client to securely interact with a plurality of access servers and associated runtime elements using a plurality of sessions that are coordinated and tracked. The information resources are stored on protected servers. Access to each of the protected servers is controlled by one of the access servers. Client session information is stored in a session manager that is bound to and associated with the runtime of the access server, and the topology mechanism. In operation, a user of a client or browser logs in to an access server and then submits a request for a resource of a protected server associated with a different access server. A runtime module on the access server receives the request and asks the session manager to validate the session. The session manager determines whether the client is involved in an authenticated session with any access server in the system.

Abstract: A single secure sign-on gives a user access to authorized Web resources, based on the user's role in the organization that controls the Web resources. The information resources are stored on a protected Web server. A user of a client or browser logs in to the system. A runtime module on the protected server receives the login request and intercepts all other request by the client to use a resource. The runtime module connects to an access server that can determine whether a particular user is authentic and which resources the user is authorized to access. User information is associated with roles and functional groups of an organization to which the user belongs; the roles are associated with access privileges. The access server connects to a registry server that stores information about users, roles, functional groups, resources, and associations among them. The access server and registry server exchange encrypted information that authorized the user to use the resource.

Abstract: A multi-domain resource access control mechanism uses a single access control system to manage access by users to resources that belong to multiple domains. A server is associated with each domain in a set of domains. Access to resources in the domains is governed by an access control system. A first server for a first domain transmits a data token to a client seeking access to a resource in a second domain. The client transmits the data token to a second server in the other domain. The second server uses the data token to verify that the user is authentic, that is, authorized to access resources protected by the access control system. Once determining that the user is authorized to access resources, access control cookies are transmitted to client. When the client requests access to a resource in the second domain, and the request did not include access control cookies for the second domain, data is transmitted to the browser causing it to generate another request to the first server.