Abstract: One embodiment of the present invention provides a system that facilitates security-enabled content caching. The system operates by first receiving a request from a user at a cache server for restricted content, wherein the cache server stores content for an application server. Next, the system determines if the restricted content is located on the cache server. If so, the system determines if the user is authorized to access the restricted content. If the user is authorized to access the restricted content, the system provides the restricted content to the user from the cache server. Providing the restricted content from the cache server eliminates the time consuming operations involved in requesting and receiving the restricted content from the application server.

Abstract: A system and method for managing security meta-data in a reverse proxy server. The reverse proxy caches data served by an origin server, and also stores security meta-data for authenticating a user and/or authorizing access to cached data. The security meta-data may include an ACL (Access Control List), access control token or descriptor, other access control information, user credentials, user privileges or roles, group membership, user aliases, etc. The reverse proxy may automatically receive access control information from the origin server when a request for data is forwarded to the origin server, or may explicitly request the information from the origin server or a security server. The reverse proxy receives and applies invalidation messages to invalidate stored security meta-data. Also, the reverse proxy acts in a stateful manner, with knowledge of the correlation between a given user and that user's session with the origin server.

Abstract: In a multi-tier data server system, data from the first tier is cached in a mid-tier cache of the middle tier. Access control information from the first tier for the data is also cached within the mid-tier cache. Caching the security information in the middle tier allows the middle tier to make access control decisions regarding requests for data made by clients in the outer tier.

Abstract: A system and method for detecting and managing user session meta-data at a reverse proxy server. The reverse proxy server is logically located between one or more origin servers and any number of users. The reverse proxy server detects the establishment and tearing down of a user session, and any expiration associated with the user session. The reverse proxy server identifies the creation of a session from the pattern and/or content of communications between a user and an origin server, and associates the user (e.g., by username or user ID) with the session (e.g., session ID or cookie). A user session table may be populated with an entry for each observed session. Tear down of a session may be detected by identifying an explicit user logout or a session termination by the origin server.

Abstract: A system and method for managing security meta-data in a reverse proxy server. The reverse proxy caches data served by an origin server, and also stores security meta-data for authenticating a user and/or authorizing access to cached data. The security meta-data may include an ACL (Access Control List), access control token or descriptor, other access control information, user credentials, user privileges or roles, group membership, user aliases, etc. The reverse proxy may automatically receive access control information from the origin server when a request for data is forwarded to the origin server, or may explicitly request the information from the origin server or a security server. The reverse proxy receives and applies invalidation messages to invalidate stored security meta-data. Also, the reverse proxy acts in a stateful manner, with knowledge of the correlation between a given user and that user's session with the origin server.

Abstract: One embodiment of the present invention provides a system that facilitates serving data from a cache server. The system operates upon receiving a request for the data at the cache server. The system first determines if the request requires access control, and also if the data is available in the cache. If the request requires access control and if the data is available in the cache, the system sends an authorization request to an origin server. Upon receiving a response from the origin server, the system determines if the response is an authorization. If so, the system sends the data to the requester.

Abstract: One embodiment of the present invention provides a system that facilitates security-enabled content caching. The system operates by first receiving a request from a user at a cache server for restricted content, wherein the cache server stores content for an application server. Next, the system determines if the restricted content is located on the cache server. If so, the system determines if the user is authorized to access the restricted content. If the user is authorized to access the restricted content, the system provides the restricted content to the user from the cache server. Providing the restricted content from the cache server eliminates the time consuming operations involved in requesting and receiving the restricted content from the application server.

Abstract: A high-speed parallel pattern searching system is disclosed. The high-speed parallel pattern searching system allows the body of a data packet to be searched for one or more patterns such as a string or a series of strings. These string patterns can be defined by the grammar of regular expressions. In the invention, one or more patterns are loaded into one or more nanocomputers that operate in parallel. A control system then feeds a packet body into the participating nanocomputers such that each participating nanocomputer tests for a match. The various tests performed by the nanocomputers may be combined to perform complex searches. These nanocomputer searches are performed in parallel. Furthermore, several different searches may be combined together using control statements. A combination of these searches engines can be supported such that data is also looked at in parallel.

Abstract: A control system for high-speed rule processors used in a gateway system is disclosed. The gateway system employing the current invention can process packets at wire speed by using massive parallel processors, each of the processors operating concurrently and independently. Further, the processing capacities in the gateway system employing the current invention are expandable. The number of packet inspector engines may be increased and all of the engines are connected in a cascade manner. Under the control system, all of the engines operate concurrently and independently and results from each of the engines are collected sequentially through a common data bus. As such the processing speed of packets becomes relatively independent of the complexities and numbers of rules that may be applied to the packets.

Abstract: A high-speed rule processing apparatus is disclosed that may be used to implement a wide variety of rule processing tasks such as network address translation, firewall protection, quality of service, IP routing, and/or load balancing. The high-speed rule processor uses an array of compare engines that operate in parallel. Each compare engine includes memory for storing instructions and operands, an arithmetic-logic for performing comparisons, and control circuitry for interpreting the instructions and operands. The results from the array of compare engines is prioritized using a priority encoding system.