Abstract: A system and method for managing security meta-data in a reverse proxy server. The reverse proxy caches data served by an origin server, and also stores security meta-data for authenticating a user and/or authorizing access to cached data. The security meta-data may include an ACL (Access Control List), access control token or descriptor, other access control information, user credentials, user privileges or roles, group membership, user aliases, etc. The reverse proxy may automatically receive access control information from the origin server when a request for data is forwarded to the origin server, or may explicitly request the information from the origin server or a security server. The reverse proxy receives and applies invalidation messages to invalidate stored security meta-data. Also, the reverse proxy acts in a stateful manner, with knowledge of the correlation between a given user and that user's session with the origin server.

Abstract: In a multi-tier data server system, data from the first tier is cached in a mid-tier cache of the middle tier. Access control information from the first tier for the data is also cached within the mid-tier cache. Caching the security information in the middle tier allows the middle tier to make access control decisions regarding requests for data made by clients in the outer tier.

Abstract: A system and method for communicating a side effect of one data request, or other event, as part of a response to another data request or event. The side effect may include notification of the invalidation of cached data, from an upstream cache to a downstream cache. The upstream cache may store invalidation notifications as they are generated or received, and as responses to data requests are sent downstream, piggyback or merge one or more notifications with a response. This scheme avoids the need to open separate communication connections using specified invalidation accounts and passwords.

Abstract: A system and method for communicating a side effect of a data request, from a data server and through one or more caches, inline with a response to the request. Instead of sending a separate notification of the side effect (e.g., instructions to invalidate data cached in one or more caches), the notification is included in the response. As the response traverses caches on its way to the requestor, each cache applies the side effect with the proper timing. Thus, data invalidation may be performed prior to caching data included in the request and/or forwarding the response toward the requester. A final cache configured to serve the response to the requestor may remove the side effect notification before serving the response.

Abstract: A system and method for facilitating the invalidation of cached data, in which the data to be invalidated are identified using information other than a primary key. The primary key for a cached data object, such as a web page, may be a Uniform Resource Locator (URL). Instead of using an object's URL to identify to a cache the data to be invalidated, a secondary key is used, such as the object's data source or a template from which the object was created. An application communicates the secondary key to a cache, and the cache identifies cached objects that match the secondary key. Those data objects are then invalidated without having to issue multiple invalidation messages from the application.

Abstract: A system and method for detecting and managing user session meta-data at a reverse proxy server. The reverse proxy server is logically located between one or more origin servers and any number of users. The reverse proxy server detects the establishment and tearing down of a user session, and any expiration associated with the user session. The reverse proxy server identifies the creation of a session from the pattern and/or content of communications between a user and an origin server, and associates the user (e.g., by username or user ID) with the session (e.g., session ID or cookie). A user session table may be populated with an entry for each observed session. Tear down of a session may be detected by identifying an explicit user logout or a session termination by the origin server.

Abstract: A system and method for managing security meta-data in a reverse proxy server. The reverse proxy caches data served by an origin server, and also stores security meta-data for authenticating a user and/or authorizing access to cached data. The security meta-data may include an ACL (Access Control List), access control token or descriptor, other access control information, user credentials, user privileges or roles, group membership, user aliases, etc. The reverse proxy may automatically receive access control information from the origin server when a request for data is forwarded to the origin server, or may explicitly request the information from the origin server or a security server. The reverse proxy receives and applies invalidation messages to invalidate stored security meta-data. Also, the reverse proxy acts in a stateful manner, with knowledge of the correlation between a given user and that user's session with the origin server.

Abstract: A system and method for facilitating the invalidation of cached data, in which the data to be invalidated are identified using information other than a primary key. The primary key for a cached data object, such as a web page, may be a Uniform Resource Locator (URL). Instead of using an object's URL to identify to a cache the data to be invalidated, a secondary key is used, such as the object's data source or a template from which the object was created. An application communicates the secondary key to a cache, and the cache identifies cached objects that match the secondary key. Those data objects are then invalidated without having to issue multiple invalidation messages from the application.

Abstract: A system and method for communicating a side effect of a data request, from a data server and through one or more caches, inline with a response to the request. Instead of sending a separate notification of the side effect (e.g., instructions to invalidate data cached in one or more caches), the notification is included in the response. As the response traverses caches on its way to the requestor, each cache applies the side effect with the proper timing. Thus, data invalidation may be performed prior to caching data included in the request and/or forwarding the response toward the requester. A final cache configured to serve the response to the requestor may remove the side effect notification before serving the response.

Abstract: A system and method for communicating a side effect of one data request, or other event, as part of a response to another data request or event. The side effect may include notification of the invalidation of cached data, from an upstream cache to a downstream cache. The upstream cache may store invalidation notifications as they are generated or received, and as responses to data requests are sent downstream, piggyback or merge one or more notifications with a response. This scheme avoids the need to open separate communication connections using specified invalidation accounts and passwords.