CN101827110A - Application server access system in intranet - Google Patents

Info

Publication number: CN101827110A
Authority: CN (China)
Prior art keywords: server, information, user, authentication, password
Legal status: Granted
Application number: CN 201010176498
Other languages: Chinese (zh)
Other versions: CN101827110B (en)
Inventors: 侯志荣, 浦沅, 高嵩
Current Assignee: Industrial and Commercial Bank of China Ltd ICBC
Original Assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC
Priority to CN2010101764989A (CN101827110B)
Publication of CN101827110A
Application granted
Publication of CN101827110B
Current legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides an application server access system in an intranet, comprising an application server, a database server, a server access terminal, an identity authentication device and a policy control server. The database server, the identity authentication device and the policy control server are interconnected through the intranet; the identity authentication device is connected to the server access terminal through the intranet and is also connected to the application server. The identity authentication device authenticates the information in an access request step by step and assigns permissions to a user who passes the final authentication step. Because the invention adopts a step-by-step progressive authentication method, it increases security and flexibility and effectively overcomes the limitation of the one-time authentication commonly adopted in the prior art; an enterprise can flexibly define device groups, the number of business groups and their granularity according to its own requirements, thereby realizing more precise rights management.

Description

Application server access system in an intranet
Technical field
The invention relates to computer security management technology, in particular to computer access authentication techniques, and specifically to an application server access system in an intranet.
Background art
In industries with a high level of informatization, such as finance, telecommunications and taxation, there are often large server clusters, and a large number of management, maintenance and business personnel access these servers every day. To meet the requirements of secure internal control, users need to be authenticated and authorized.
Current computer equipment generally provides device accessors with a feature-rich, friendly human-machine interface through the operating system, supports multi-user access in complex business operating environments, and offers specific user authentication and authorization methods. The common way to authenticate and authorize users is to set up different user groups in the operating system, assign each device accessor a unique identity USER_ID and an authentication password, store the accessor's identity in the associated operating system user group, and build a user rights database locally on the operating system. The operating system authenticates according to the USER_ID and password entered by the accessor and searches the user rights database; if the USER_ID and password are verified as correct, it retrieves this user's rights from the user rights data and grants them to the user.
In the course of realizing the present invention, the inventors found that the prior art has at least the following deficiencies:
The types of user groups are generally defined by the operating system according to the resources accessed; the types are fixed and few in number (most operating systems provide only a few coarse-grained user group types, such as the system administrator group and the ordinary user group), and user group types cannot be customized according to the needs of business operations. When some business functions should be accessible only to certain users, current authentication and authorization cannot achieve this and can only grant accessors access to all business functions, making it difficult to guarantee the security of server information.
During user authentication, the visitor's identity is authenticated in a one-time mode using a single authentication algorithm, so authentication security is not high; in addition, the entire user rights database must be searched and compared, so resource consumption is high and execution efficiency is low.
The user rights data are kept locally on the computer equipment and must be managed and maintained in a decentralized manner, which is costly.
Summary of the invention
The embodiments of the invention provide an application server access system in an intranet that adopts a step-by-step progressive authentication method, in which each authentication step can use a different authentication method, so as to overcome the limitation of the one-time authentication generally adopted in the prior art.
To achieve these goals, in one embodiment an application server access system in an intranet is provided, the system comprising: an application server, a database server, a server access terminal, an identity authentication device and a policy control server;
The database server, the identity authentication device and the policy control server are interconnected through the intranet, the identity authentication device is connected to the server access terminal through the intranet, and the identity authentication device is connected to the application server; wherein,
The database server comprises:
a user ID storage device, for storing user IDs;
a server group identifier storage device, for storing server group identifiers;
a user password storage device, for storing user passwords; and
a service group identifier storage device, for storing service group identifiers;
The server access terminal comprises:
a request information input unit, for entering application server access request information comprising a user ID, user password, server group identifier, application server identifier and service group identifier; and
an application server access device, for accessing the application server;
The identity authentication device comprises:
an information receiver, for receiving the access request information sent by the server access terminal;
a user ID authentication device, for sending the user ID in the access request information to the database server for authentication;
an application server switch query information generating device, for generating server group authentication switch state query information according to the user identification information fed back by the database server;
an application server switch query information sending device, for sending the application server switch state query information to the policy control server;
a server group authentication device, for sending the server group identifier in the access request information to the database server for authentication, according to the server-group-authentication-switch-open information fed back by the policy control server;
an information transformation request unit, for sending the user password in the access request information to the policy control server for password information transformation, according to the server group information fed back by the database server;
a password authentication device, for sending the transformed password information fed back by the policy control server to the database server for authentication;
a service switch state query information generating device, for generating service group authentication switch state query information according to the user password information fed back by the database server;
a service switch state query information sending device, for sending the service switch state query information to the policy control server;
a service group identifier authentication device, for sending the service group identifier in the access request information to the database server for authentication, according to the service-group-authentication-switch-open information fed back by the policy control server; and
an authority information sending device, for sending application server access authority information to the server access terminal according to the service group authentication success information returned by the database server;
The policy control server comprises:
a switch state feedback device, for feeding back the application server group authentication switch state and the service group authentication switch state respectively, according to the server group authentication switch state query information and the service group authentication switch state query information sent by the identity authentication device;
a transformation device, for performing information transformation on the user password sent by the identity authentication device; and
a password sending device, for sending the transformed user password to the identity authentication device.
To achieve these goals, in another embodiment an application server access system in an intranet is provided, the system comprising: an application server, a database server, a server access terminal and a policy control server;
The database server comprises:
a user ID storage device, for storing user IDs;
a server group identifier storage device, for storing server group identifiers;
a user password storage device, for storing user passwords; and
a service group identifier storage device, for storing service group identifiers;
The server access terminal comprises:
a request information input unit, for entering application server access request information comprising a user ID, user password, server group identifier, application server identifier and service group identifier; and
an application server access device, for accessing the application server;
The application server comprises an identity authentication device, which is connected to the server access terminal through the intranet and comprises:
an information receiver, for receiving the access request information sent by the server access terminal;
a user ID authentication device, for sending the user ID in the access request information to the database server for authentication;
an application server switch query information generating device, for generating server group authentication switch state query information according to the user identification information fed back by the database server;
an application server switch query information sending device, for sending the application server switch state query information to the policy control server;
a server group authentication device, for sending the server group identifier in the access request information to the database server for authentication, according to the server-group-authentication-switch-open information fed back by the policy control server;
an information transformation request unit, for sending the user password in the access request information to the policy control server for password information transformation, according to the server group information fed back by the database server;
a password authentication device, for sending the transformed password information fed back by the policy control server to the database server for authentication;
a service switch state query information generating device, for generating service group authentication switch state query information according to the user password information fed back by the database server;
a service switch state query information sending device, for sending the service switch state query information to the policy control server;
a service group identifier authentication device, for sending the service group identifier in the access request information to the database server for authentication, according to the service-group-authentication-switch-open information fed back by the policy control server; and
an authority information sending device, for sending application server access authority information to the server access terminal according to the service group authentication success information returned by the database server;
The policy control server comprises:
a switch state feedback device, for feeding back the application server group authentication switch state and the service group authentication switch state respectively, according to the server group authentication switch state query information and the service group authentication switch state query information sent by the identity authentication device;
a transformation device, for performing information transformation on the user password sent by the identity authentication device; and
a password sending device, for sending the transformed user password to the identity authentication device.
Beneficial effects of the embodiments of the invention: the invention introduces device groups and service groups and adopts a step-by-step progressive authentication method in which each step can use a different authentication method; this strengthens security and flexibility and effectively overcomes the limitation of the one-time authentication generally adopted in the prior art. An enterprise can flexibly define the number and granularity of device groups and service groups according to its own needs, thereby realizing a more refined rights management function.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:
Fig. 1 is a structural diagram of the application server access system in an intranet according to an embodiment of the invention;
Fig. 2 is a structural diagram of the database server of an embodiment of the invention;
Fig. 3 is a structural diagram of the server access terminal of an embodiment of the invention;
Fig. 4 is a structural diagram of the identity authentication device of an embodiment of the invention;
Fig. 5 is a structural diagram of the policy control server of an embodiment of the invention;
Fig. 6 is an information interaction flow chart of an embodiment of the invention;
Fig. 7 is a structural diagram of the progressive security authentication system of an embodiment of the invention;
Fig. 8 is a data structure diagram of the user definition table of an embodiment of the invention;
Fig. 9 is a data structure diagram of the MG definition table of an embodiment of the invention;
Figure 10 is a data structure diagram of the password definition table of an embodiment of the invention;
Figure 11 is a data structure diagram of the SG definition table of an embodiment of the invention;
Figure 12 is a flow chart of the access authentication method of an embodiment of the invention based on banking;
Figure 13 is a flow chart of the progressive authentication method of another embodiment of the invention;
Figure 14 is a flow chart of the policy setting method of an embodiment of the invention;
Figure 15 is a schematic diagram of the interaction between the identity authentication device, the policy control device and the data storage device of an embodiment of the invention.
Embodiment
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the embodiments are described in further detail below with reference to the drawings. The illustrative embodiments and their explanation are used here to explain the invention, not to limit it.
The embodiments of the invention introduce device groups (Machine Group, MG) and business service groups (Service Group, SG); MG and SG are defined by the user as needed to build a fine-grained authority space. The authority Up of each visitor (user) in the authority space of the computer equipment can be expressed as Up = ({MG_ID}, {SG_ID}), where the former indicates whether the user can access this set of devices and the latter is the set of business operation permissions the visitor holds after entering the device; this provides greater flexibility and virtualization processing capability.
Specifically, the embodiments authenticate and authorize the user in a step-by-step progressive manner: first, the USER_ID received from the user is used to query whether this user exists; if the user exists, it is further verified whether the computer equipment the user is accessing belongs to the user's access scope; if the user is judged able to access this equipment, the user password is verified; if password authentication succeeds, the relevant business processing permissions are extracted according to the user's service group identifier (SG_ID) information and assigned to the device accessor, which finally completes user identity authentication and authorization and allows the user to enter the system.
As shown in Fig. 1, the invention provides an application server access system in an intranet, the system comprising: a policy control server 100, a database server 200, an identity authentication device 300, a server access terminal 400 and application servers 500.
The policy control server 100, the database server 200 and the identity authentication device 300 are interconnected through the intranet; the identity authentication device 300 is connected to the server access terminal 400 through the intranet, and the identity authentication device 300 is connected to the application servers 500.
As shown in Fig. 2, the database server 200 comprises: a user ID storage device 201 for storing user IDs; a server group identifier storage device 202 for storing server group identifiers; a user password storage device 203 for storing user passwords; and a service group identifier storage device 204 for storing service group identifiers.
As shown in Fig. 3, the server access terminal 400 comprises: a request information input unit 401 for entering application server access request information comprising a user ID, user password, server group identifier, application server identifier and service group identifier; and an application server access device 402 for accessing the application server.
As shown in Fig. 4, the identity authentication device 300 comprises: an information receiver 301 for receiving the access request information sent by the server access terminal; a user ID authentication device 302 for sending the user ID in the access request information to the database server for authentication; an application server switch query information generating device 303 for generating server group authentication switch state query information according to the user identification information fed back by the database server; an application server switch query information sending device 304 for sending the application server switch state query information to the policy control server; a server group authentication device 305 for sending the server group identifier in the access request information to the database server for authentication according to the server-group-authentication-switch-open information fed back by the policy control server; an information transformation request unit 306 for sending the user password in the access request information to the policy control server for password information transformation according to the server group information fed back by the database server; a password authentication device 307 for sending the transformed password information fed back by the policy control server to the database server for authentication; a service switch state query information generating device 308 for generating service group authentication switch state query information according to the user password information fed back by the database server; a service switch state query information sending device 309 for sending the service switch state query information to the policy control server; a service group identifier authentication device 310 for sending the service group identifier in the access request information to the database server for authentication according to the service-group-authentication-switch-open information fed back by the policy control server; and an authority information sending device 311 for sending application server access authority information to the server access terminal according to the service group authentication success information returned by the database server.
As shown in Fig. 5, the policy control server 100 comprises: a switch state feedback device 101 for feeding back the application server group authentication switch state and the service group authentication switch state respectively, according to the server group authentication switch state query information and the service group authentication switch state query information sent by the identity authentication device; a transformation device 102 for performing information transformation on the user password sent by the identity authentication device; and a password sending device 103 for sending the transformed user password to the identity authentication device.
There may be a plurality of application servers 500; Fig. 1 shows three groups, namely application server group 1, application server group 2 and application server group 3, and each group in turn comprises a plurality of application servers. The invention is not limited to this arrangement.
As shown in Fig. 4, the identity authentication device may further comprise: an information extraction device 312 for extracting the user ID, user password, server group identifier, application server identifier and service group identifier from the application server access request information.
The application server access request information further comprises an application server identifier.
The server group identifier storage device is also used to store the application server identifiers corresponding to the server group identifiers. The server group authentication device is also used to send the application server identifier in the access request information to the database server for authentication.
As shown in Fig. 5, the policy control server 100 further comprises: a switch state setting device 104 for setting the server group authentication switch state and the service group authentication switch state of the identity authentication device; and an information modification device 105 for modifying the information in the database server.
When the server group authentication switch is in the closed state, the identity authentication device skips the server group identifier authentication device and sends the service group identifier in the access request information directly to the database server for authentication.
When the service group authentication switch is in the closed state, the user is allowed to access all services in the application server authenticated by the server group identifier authentication device.
The policy control server 100, database server 200, identity authentication device 300, server access terminal 400 and application servers 500 realize access by the server access terminal 400 to the application servers 500 through information interaction. The information interaction between the policy control server 100, database server 200, identity authentication device 300, server access terminal 400 and application servers 500 is shown in Fig. 6 and comprises the following steps:
S1: each of the application servers 500 sends its device group identifier, device identifier and service group identifier to the database server 200 for storage.
S2: the database server 200 has stored the user IDs, user passwords, and the device group identifiers, device identifiers and service group identifiers corresponding to the application servers.
S3: the server access terminal sends an access request to the identity authentication device 300; the server access request contains information such as the user ID, device group identifier, device identifier, user password and service group identifier.
S4: the identity authentication device 300 receives the access request information sent by the server access terminal and sends the user ID to the database server 200 for user ID authentication; after the database server 200 finds that this user ID exists, it returns feedback information containing the user ID to the identity authentication device 300.
S5: the identity authentication device 300 generates server group authentication switch state query information according to the user identification information fed back by the database server 200.
S6: the server group switch state query information is sent to the policy control server 100 to query whether the server group switch is open.
S7: if the server group authentication switch is open, the policy control server 100 feeds back the application server group authentication switch state to the identity authentication device 300.
S8: according to the server-group-authentication-switch-open information fed back by the policy control server, the identity authentication device 300 sends the server group identifier in the access request information to the database server 200 for authentication; after the database server 200 finds that this server group identifier exists, it returns feedback information containing this server group identifier to the identity authentication device 300.
S9: the user password in the access request information is sent to the policy control server 100 for password information transformation.
S10: the policy control server 100 returns the transformed password information. The policy control server 100 can change the password complexity, the random password generation algorithm and the password encryption algorithm, and generates the corresponding transformed password information according to the specific password authentication algorithm.
S11: the identity authentication device 300 sends the transformed password information fed back by the policy control server 100 to the database server 200 for authentication; after the database server 200 finds that this user password exists, it returns feedback information containing the user password to the identity authentication device 300.
S12: the identity authentication device 300 generates service group authentication switch state query information according to the password information returned by the database server 200.
S13: the identity authentication device 300 sends the service group switch state query information to the policy control server 100 to query whether the service group switch is open.
S14: if the service group authentication switch is open, the policy control server 100 feeds back the service group authentication switch state to the identity authentication device 300.
S15: the identity authentication device 300 sends the service group identifier to the database server 200 for authentication; after the database server 200 finds that this service group identifier exists, it returns feedback information containing the service group identifier to the identity authentication device 300.
S16: the identity authentication device 300 sends application server access authority information to the server access terminal according to the service group information returned by the database server 200.
S17: the server access terminal accesses the services in the corresponding application server according to the access authority information.
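The S1-S17 exchange above, together with the authority space Up = ({MG_ID}, {SG_ID}) and the two authentication switches described earlier, as an added Python example that is not the patent's own code: the database server, policy control server and identity authentication device are plain classes over constructed sample data, and the page's unspecified "password information transformation" is modelled as a salted SHA-256 digest (an assumption, as are all identifiers used).

```python
import hashlib
from dataclasses import dataclass


# --- Database server (Fig. 2): identifiers and credentials ----------------
@dataclass
class DatabaseServer:
    users: dict            # USER_ID -> stored transformed password (constructed)
    machine_groups: dict   # MG_ID -> device identifiers in that device group
    user_mgs: dict         # USER_ID -> device groups the user may access ({MG_ID})
    user_sgs: dict         # USER_ID -> service groups the user holds ({SG_ID})
    device_sgs: dict       # device identifier -> service groups it offers (S1)

    def has_user(self, user_id):
        return user_id in self.users

    def mg_allows(self, user_id, mg_id, device_id):
        # The device must belong to the claimed MG, and the user to that MG.
        return (device_id in self.machine_groups.get(mg_id, set())
                and mg_id in self.user_mgs.get(user_id, set()))

    def password_matches(self, user_id, transformed):
        # The DB only ever sees the transformed value, never the raw password.
        return self.users.get(user_id) == transformed

    def sg_allows(self, user_id, device_id, sg_id):
        return (sg_id in self.user_sgs.get(user_id, set())
                and sg_id in self.device_sgs.get(device_id, set()))

    def authority_space(self, user_id):
        # Up = ({MG_ID}, {SG_ID}) as defined in the embodiment description.
        return (frozenset(self.user_mgs.get(user_id, set())),
                frozenset(self.user_sgs.get(user_id, set())))


# --- Policy control server (Fig. 5): switches and password transform ------
@dataclass
class PolicyControlServer:
    mg_switch: bool = True               # server-group authentication switch
    sg_switch: bool = True               # service-group authentication switch
    salt: bytes = b"constructed-salt"    # hypothetical policy parameter

    def transform(self, password):
        # Stand-in for the unspecified transformation: salted SHA-256 (assumption).
        return hashlib.sha256(self.salt + password.encode()).hexdigest()


@dataclass(frozen=True)
class AuthResult:
    granted: bool
    stage: str                       # the step that decided the outcome
    services: frozenset = frozenset()


# --- Identity authentication device (Fig. 4): the progressive pipeline ----
class IdentityAuthenticationDevice:
    def __init__(self, db, policy):
        self.db, self.policy = db, policy

    def authenticate(self, req):
        db, pol = self.db, self.policy
        uid, dev = req["user_id"], req["device_id"]
        # S4: does the USER_ID exist?  Nothing else is checked before this.
        if not db.has_user(uid):
            return AuthResult(False, "user_id")
        # S5-S8: the MG step runs only while the MG switch is open.
        if pol.mg_switch and not db.mg_allows(uid, req["mg_id"], dev):
            return AuthResult(False, "machine_group")
        # S9-S11: the policy server transforms the password; the DB compares.
        if not db.password_matches(uid, pol.transform(req["password"])):
            return AuthResult(False, "password")
        # S12-S15: SG step; with the switch closed, every device service is granted.
        if pol.sg_switch:
            if not db.sg_allows(uid, dev, req["sg_id"]):
                return AuthResult(False, "service_group")
            services = frozenset({req["sg_id"]})
        else:
            services = frozenset(db.device_sgs.get(dev, set()))
        # S16: authority information returned to the access terminal.
        return AuthResult(True, "granted", services)


def build_sample(mg_switch=True, sg_switch=True):
    # Constructed sample data, not taken from the patent.
    policy = PolicyControlServer(mg_switch, sg_switch)
    db = DatabaseServer(
        users={"alice": policy.transform("alice-pw")},
        machine_groups={"MG_CORE": {"srv-01"}, "MG_BRANCH": {"srv-02"}},
        user_mgs={"alice": {"MG_CORE"}},
        user_sgs={"alice": {"SG_QUERY"}},
        device_sgs={"srv-01": {"SG_QUERY", "SG_TRANSFER"}, "srv-02": {"SG_QUERY"}},
    )
    return IdentityAuthenticationDevice(db, policy)


if __name__ == "__main__":
    print(build_sample().authenticate({"user_id": "alice", "password": "alice-pw",
                                       "mg_id": "MG_CORE", "device_id": "srv-01",
                                       "sg_id": "SG_QUERY"}))
```

Each failing request stops at the first step that rejects it, so the `stage` field doubles as the audit record a defender would log; closing a switch removes that step entirely rather than weakening it.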
Fig. 7 is the go forward one by one structure chart of Verification System of embodiment of the invention safety, and the safety Verification System of going forward one by one comprises: policy control device 100, identification authentication system 300 and data storage device 200.Wherein policy control device 100 links to each other with identification authentication system 300, data storage device 200 respectively, and identification authentication system 300 links to each other with data storage device 200, computer device resources 400 respectively.Computer device resources 400 is equivalent to the application server 500 among Fig. 1.
In Fig. 7, the strategy that identification authentication system 300 regulative strategy control device 100 are provided with, the tables of data of data query storage device 200 storages, finish authenticating user identification and generate the service authority of access computer device resource 400, by special bottom communication interface, finish subscriber authorisation then and between the computer device resources 400.
Describe policy control device 100 in detail below in conjunction with Fig. 7, the function of each unit in identification authentication system 300 and the data storage device 200.
Policy control device 100 provides centralized storage and management of authentication and authorization policies. It is the entry point through which the authentication and authorization policies applied to accessing users are controlled; it provides the routine maintenance operations of user management and provides self-management functions such as password reset for device accessors. As shown in Fig. 7, policy control device 100 comprises main processing unit 101', authentication switch configuration unit 102', password policy configuration unit 103' and authentication data adjustment unit 104'. Authentication switch configuration unit 102' implements the functions of switch state setting device 104 and switch state feedback device 101 in Fig. 1; password policy configuration unit 103' implements the functions of the conversion device, password sending device 102 and so on in Fig. 5; authentication data adjustment unit 104' implements the function of the information modification device.
Main processing unit 101' is connected to authentication switch configuration unit 102', password policy configuration unit 103' and authentication data adjustment unit 104'. It receives a user's instruction, identifies the instruction, and invokes authentication switch configuration unit 102', password policy configuration unit 103' or authentication data adjustment unit 104' for the corresponding processing.
Authentication switch configuration unit 102' sets the switches of machine group (MG) authentication unit 302' and service authorization unit 304' in identity authentication device 300, giving the enterprise flexible security policy configuration. By default the authentication functions of MG authentication unit 302' and service authorization unit 304' are both on. The security administrator can change the setting by entering an instruction and switch an authentication function off. When MG authentication is switched off, identity authentication device 300 does not trigger MG authentication unit 302' during an accessor's authentication process and the MG authentication step is skipped; when service authorization is switched off, identity authentication device 300 does not trigger service authorization unit 304' during the authentication process, and the device accessor is allowed to use all services provided by the accessed device.
Password policy configuration unit 103' stores and modifies password security control policies such as the complexity requirements for user access passwords, the random password generation algorithm and the password encryption algorithm. The security administrator can adjust these security control policies in the password configuration file through password policy configuration unit 103' according to the enterprise's security requirements.
Authentication data adjustment unit 104' adds, deletes and modifies data in user definition table 201', MG definition table 202', password definition table 203' and SG definition table 204'. According to instructions sent by the security administrator it sets machine group information and service group information; according to instructions sent by a device accessor it carries out self-management functions such as modifying user information and changing the user password. When a user changes a password, authentication data adjustment unit 104' accesses password policy configuration unit 103', generates the corresponding password conversion information according to security control policies such as the password complexity requirement and the random password generation algorithm, and stores it in password definition table 203'. When password authentication unit 303' performs user password authentication it generally needs to invoke authentication data adjustment unit 104' to generate the corresponding password conversion information.
Identity authentication device 300 provides the access entry point for device accessors, receives and analyzes the authentication data entered by a device accessor, and performs the step-by-step authentication and authorization operations with reference to the control policies set by policy control device 100. As shown in Fig. 7, identity authentication device 300 comprises user information retrieval unit 301', MG authentication unit 302', password authentication unit 303' and service authorization unit 304'. User information retrieval unit 301' implements the functions of information receiving device 301, user identifier authentication device 302 and information extraction device 312 in Fig. 4; MG authentication unit 302' implements the functions of application server switch query information generating device 303, application server switch query information sending device 304 and the server group authentication device in Fig. 4; password authentication unit 303' implements the functions of information conversion request device 306 and password authentication device 307 in Fig. 4; service authorization unit 304' implements the functions of service switch query information generating device 308, service switch query information sending device 309, service group identifier authentication device 310 and authority information sending device 311 in Fig. 4.
User information retrieval unit 301' receives the authentication data entered by a device accessor. The authentication data comprises information such as USER_ID, MG_ID, device identifier (DEV_ID) and SG_ID. The unit queries whether this USER_ID exists in user definition table 201' of data storage device 200; if it does not, the user's access is refused.
If the USER_ID exists in user definition table 201', MG authentication unit 302' retrieves MG definition table 202' of data storage device 200 according to the MG_ID in the authentication data and judges whether this machine group exists in the machine group information. If the machine group is found, the MG_DEV field (the devices in the group) is obtained from MG definition table 202' and searched for the DEV_ID in the authentication data; if the DEV_ID is present, processing proceeds to password authentication unit 303'; if not, failure information is returned and the accessor is not allowed access.
Password authentication unit 303' checks the user password in the authentication data entered by the device accessor: it calls password policy configuration unit 103', uses the specified password authentication algorithm to generate the corresponding password conversion information, and on that basis accesses password definition table 203' of data storage device 200 to judge whether the user password has a matching record in the table. If so, processing proceeds to service authorization unit 304'; otherwise failure information is returned and the accessor is not allowed access.
Service authorization unit 304' retrieves SG definition table 204' of data storage device 200 according to the SG_ID in the authentication data entered by the device accessor and judges whether this service group exists in the service group information. If it exists, the service group authority SG_ROLE of the service group is returned and granted to the user; otherwise failure information is returned and the accessor is not allowed access.
Data storage device 200 centrally stores the accessor identity information required for accessor authentication and authorization together with the machine group information and service group information of the enterprise environment, and provides the authentication data for identity authentication device 300. As shown in Fig. 7, data storage device 200 comprises user definition table 201', MG definition table 202', password definition table 203' and SG definition table 204'. These respectively implement the functions of user identifier storage device 201, server group identifier storage device 202, user password storage device 203 and service group identifier storage device 204 in Fig. 2.
User definition table 201' stores the association between a device user identifier and the MGs and SGs the user may access; Fig. 8 is a preferred data structure table.
MG definition table 202' stores the grouping information of the devices a user needs to access and the device information within each group; Fig. 9 is a preferred data structure table.
Password definition table 203' stores users' password information; Fig. 10 is a preferred data structure table.
SG definition table 204' stores service group information and the authority corresponding to each service group; Fig. 11 is a preferred data structure table.
As shown in Fig. 12, an embodiment of the invention provides an access authentication method for banking, comprising:
Step S1201: receiving the access authentication information entered by a user;
Step S1202: obtaining the user identifier, machine group identifier and service group identifier from the access authentication information;
Step S1203: judging in turn whether the user identifier, machine group identifier and service group identifier exist in the stored authentication information;
Step S1204: if the user identifier, machine group identifier and service group identifier exist in the stored authentication information, granting the user the service group authority corresponding to the service group identifier.
The access authentication information further comprises a user access password and an access device identifier corresponding to the machine group identifier. After receiving the access authentication information entered by the user, the method further comprises obtaining the user access password and the access device identifier corresponding to the machine group identifier from the access authentication information.
Step S1203 specifically comprises: judging whether the user identifier exists in the stored authentication information; if so, judging whether the machine group identifier exists in the stored authentication information; if so, judging whether the service group identifier exists in the stored authentication information.
Before judging whether the machine group identifier exists in the stored authentication information, the method further comprises judging whether the user access password exists in the stored authentication information, and only if so judging whether the machine group identifier exists in the stored authentication information.
Alternatively, before judging whether the service group identifier exists in the stored authentication information, the method further comprises judging whether the user access password exists in the stored authentication information, and only if so judging whether the service group identifier exists in the stored authentication information.
Before judging whether the service group identifier exists in the stored authentication information, the method further comprises judging whether the access device identifier exists in the stored authentication information, and only if so judging whether the service group identifier exists in the stored authentication information.
A specific embodiment of the invention is described in detail below, taking user A as an example, with reference to Fig. 7, Fig. 8, Fig. 9, Fig. 10 and Fig. 11.
As shown in Fig. 13, another embodiment of the invention provides a progressive security authentication method. The specific steps of this progressive authentication method are as follows:
Step S1301: identity authentication device 300 receives the access authentication information entered by user A, and user information retrieval unit 301' in identity authentication device 300 parses the authentication information. The authentication information comprises the user identifier of user A, the group identifier of the device user A will access and the service group identifier of the service user A will access; it may further comprise user A's access password and the access device identifier corresponding to the machine group identifier.
Step S1302: user information retrieval unit 301' extracts the USER_ID from user A's access authentication information and queries whether it exists in user definition table 201' of data storage device 200 (Fig. 8). If the USER_ID is found, the corresponding data record set is returned and sent to MG authentication unit 302' for processing; otherwise user A's access is refused and step S1309 is executed.
Step S1303: MG authentication unit 302' invokes authentication switch configuration unit 102' to confirm whether the MG authentication switch is on. If it is not on, processing goes directly to step S1305; otherwise it proceeds to step S1304.
Step S1304: MG authentication unit 302' obtains the MG_ID from the access authentication information and queries whether it exists in MG definition table 202' (Fig. 9). If the MG_ID is found in MG definition table 202', the corresponding data record set is returned, the identifier DEV_ID of the computer device user A needs to log on to is extracted from the access authentication information, and the MG_DEV field value of the returned record set is searched for this DEV_ID. If it is present, authentication success information is returned and processing proceeds to step S1305; otherwise user A's access is refused and step S1309 is executed.
Step S1305: password authentication unit 303' extracts the user access password from the access authentication information, calls password policy configuration unit 103', uses the specified password authentication algorithm to generate the corresponding password conversion information, and on that basis searches password definition table 203' for this user access password. If the password is retrieved and matches successfully, a password authentication success message is returned and processing proceeds to step S1306; otherwise user A's access is refused and step S1309 is executed.
Step S1305 is not an essential step; it may also be executed directly after step S1302, and the invention is not limited in this respect.
Step S1306: service authorization unit 304' invokes authentication switch configuration unit 102' to confirm whether the service authorization switch is on. If it is not on, user A is granted access to all services of this device and processing goes to step S1308; otherwise it goes to step S1307.
Step S1307: service authorization unit 304' queries SG definition table 204' according to the SG_ID in the user authentication information. If the SG_ID is retrieved, the corresponding data record set is returned, the SG_ROLE field is extracted from the record set, and the field value, that is the subset of service operation processing authority, is granted to the user; processing goes to step S1308.
Step S1308: service authorization unit 304' allows user A to enter the requested computer device system and access the corresponding services.
Step S1309: authentication ends.
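The flow of steps S1201 to S1204 and S1301 to S1309 above, written out as an added Python example; this is not code from the patent or from ICBC. The table rows, the sample user, device and group identifiers, the password conversion scheme (PBKDF2-HMAC-SHA256, since the page names no algorithm), the ALL_SERVICES set and the check that the requested MG and SG are among those listed for the user in table 201' are assumptions of the example; the page only states that table 201' stores that association. The `step` field of the result records where the flow stopped, which makes the early-refusal property of the progressive design visible: a request for a device outside the user's machine group never reaches the key-derivation call.

```python
import hashlib
import hmac
from dataclasses import dataclass


def password_conversion(password: str, salt: bytes) -> bytes:
    """Password conversion information. The page names no algorithm; PBKDF2-HMAC-SHA256
    is assumed here in place of whatever policy unit 103' would select."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Data storage device 200: constructed sample rows, not data from the page.
SALT_A = b"constructed-salt-for-userA"
USER_TABLE = {  # 201' (Fig. 8): USER_ID -> MGs and SGs the user may access
    "userA": {"MG": {"MG1"}, "SG": {"SG1"}},
}
MG_TABLE = {  # 202' (Fig. 9): MG_ID -> MG_DEV, the devices in the group
    "MG1": {"MG_DEV": {"dev-01", "dev-02"}},
    "MG2": {"MG_DEV": {"dev-09"}},
}
PASSWORD_TABLE = {  # 203' (Fig. 10): USER_ID -> (salt, conversion information)
    "userA": (SALT_A, password_conversion("Tr0ub4dor&3", SALT_A)),
}
SG_TABLE = {  # 204' (Fig. 11): SG_ID -> SG_ROLE
    "SG1": {"SG_ROLE": frozenset({"query_balance", "transfer"})},
    "SG2": {"SG_ROLE": frozenset({"query_balance"})},
}
# Assumed full service set of the accessed device, granted when the service
# authorization switch is off (step S1306).
ALL_SERVICES = frozenset({"query_balance", "transfer", "admin"})


@dataclass
class PolicyControl:
    """Switches of authentication switch configuration unit 102'; both default to on."""
    mg_auth_on: bool = True
    service_auth_on: bool = True


@dataclass(frozen=True)
class Decision:
    granted: bool
    step: str                       # step of Fig. 13 at which the flow ended
    roles: frozenset = frozenset()  # SG_ROLE subset granted to the user


def authenticate(req: dict, policy: PolicyControl) -> Decision:
    """Run the Fig. 13 flow over one access authentication record."""
    # S1302: user information retrieval unit 301'
    user = USER_TABLE.get(req.get("USER_ID"))
    if user is None:
        return Decision(False, "S1302")

    # S1303/S1304: MG authentication unit 302', skipped when the switch is off.
    if policy.mg_auth_on:
        mg_id = req.get("MG_ID")
        group = MG_TABLE.get(mg_id)
        # The group must exist, be listed for the user in table 201' (assumed
        # use of that association) and contain the device being logged on to.
        if group is None or mg_id not in user["MG"] or req.get("DEV_ID") not in group["MG_DEV"]:
            return Decision(False, "S1304")

    # S1305: password authentication unit 303'. It runs only after the cheap
    # lookups succeeded, so a wrong user or device never costs a KDF call.
    record = PASSWORD_TABLE.get(req["USER_ID"])
    if record is None:
        return Decision(False, "S1305")
    salt, stored = record
    candidate = password_conversion(req.get("PASSWORD", ""), salt)
    if not hmac.compare_digest(candidate, stored):
        return Decision(False, "S1305")

    # S1306: service authorization switch off -> every service of the device
    if not policy.service_auth_on:
        return Decision(True, "S1308", ALL_SERVICES)

    # S1307: service authorization unit 304'
    sg_id = req.get("SG_ID")
    sg = SG_TABLE.get(sg_id)
    if sg is None or sg_id not in user["SG"]:
        return Decision(False, "S1307")
    return Decision(True, "S1308", sg["SG_ROLE"])


if __name__ == "__main__":
    request = {"USER_ID": "userA", "MG_ID": "MG1", "DEV_ID": "dev-01",
               "PASSWORD": "Tr0ub4dor&3", "SG_ID": "SG1"}
    print(authenticate(request, PolicyControl()))
    print(authenticate({**request, "DEV_ID": "dev-09"}, PolicyControl()))
```

The constant-time comparison of the conversion information and the ordering of the password step after the identifier and group lookups are the two points worth keeping in any real implementation; moving S1305 directly after S1302, which the page allows, trades the KDF savings for an earlier rejection of bad passwords.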
Before the progressive security authentication flow of Fig. 13 is executed, policy control device 100 needs to set the user authentication policy so that the progressive security authentication flow can run.
As shown in Fig. 14, an embodiment of the invention provides a policy setting method comprising:
Step S1401: main processing unit 101' of policy control device 100 receives the service request information entered by a user, parses the request message, extracts the specific control entries, and executes step S1402.
Step S1402: main processing unit 101' judges from the request information whether it is a self-management request; if so, step S1409 is executed; otherwise step S1403 is executed.
Step S1403: main processing unit 101' judges the content of the request information: if it adjusts an authentication unit switch, step S1404 is executed; if it adjusts the password algorithm, step S1405; if it adjusts user information, step S1406; if it adjusts machine group information, step S1407; if it adjusts service group information, step S1408.
Step S1404: authentication switch configuration unit 102' parses from the request data the authentication unit and switch flag to be adjusted, modifies the switch flag of the MG authentication function or the service authorization function, and executes step S1412.
Step S1405: password policy configuration unit 103' adjusts security control policies such as the complexity requirement for user access passwords, the random password generation algorithm and the password encryption algorithm, stores them, and executes step S1412.
Step S1406: authentication data adjustment unit 104' accesses user definition table 201' of data storage device 200 and, according to the specific instruction of the service request, adds, deletes or modifies the information of the corresponding user and stores it, for example changing a user's access from MG1 to MG2; then step S1412 is executed.
Step S1407: authentication data adjustment unit 104' accesses MG definition table 202' of data storage device 200 and, according to the specific instruction of the service request, adds, deletes or modifies the corresponding device information and stores it, for example deleting several computer devices from an existing MG group or adding several computer devices; then step S1412 is executed.
Step S1408: authentication data adjustment unit 104' accesses SG definition table 204' of data storage device 200 and, according to the specific instruction of the service request, adds, deletes or modifies the corresponding service group information and stores it, for example moving an authority from SG1 to SG2; then step S1412 is executed.
Step S1409: main processing unit 101' judges the content of the self-management request data: if it modifies personal information, processing goes to step S1410; if it changes the password, processing goes to step S1411.
Step S1410: authentication data adjustment unit 104' accesses user definition table 201' of data storage device 200 and, according to the specific instruction of the service request, modifies personal information such as email address and telephone number and stores it. Adding users is generally not allowed, nor is modifying information such as MG_ID and SG_ID. Processing proceeds to step S1412.
Step S1411: authentication data adjustment unit 104' parses the new password entered by the user and calls password policy configuration unit 103' to check whether the entered password meets the policy requirements. If it does, the password conversion information is generated and stored in password definition table 203' of data storage device 200; if it does not, the user's password change request is refused. Step S1412 is executed.
Step S1412: the process ends.
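The policy setting method of steps S1401 to S1412 above, written out as an added Python example; this is not code from the patent or from ICBC. The request vocabulary (`action`, `unit`, `fields`, and so on), the sample table rows, the password complexity thresholds and the KDF are assumptions of the example. One check goes beyond the page: the page says S1402 decides from the request information whether it is a self-management request, and here the administrative branch is additionally gated on the caller's role, so a device accessor cannot reach S1403 simply by phrasing a request as administrative. The self-management branch enforces the page's own restriction that only contact details, not MG_ID or SG_ID, may be changed by the user.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field


def sample_storage() -> dict:
    """Data storage device 200 with constructed sample rows (not data from the page)."""
    return {
        "users": {"userA": {"MG": {"MG1"}, "SG": {"SG1"},                 # 201'
                            "email": "a@example.test", "phone": ""}},
        "mg": {"MG1": {"MG_DEV": {"dev-01"}}, "MG2": {"MG_DEV": set()}},  # 202'
        "passwords": {},                                                  # 203'
        "sg": {"SG1": {"SG_ROLE": {"query_balance"}},                     # 204'
               "SG2": {"SG_ROLE": {"query_balance", "transfer"}}},
    }


@dataclass
class PasswordPolicy:
    """Password policy configuration unit 103' (thresholds and KDF are assumptions)."""
    min_length: int = 10
    classes_required: int = 3       # out of: lower, upper, digit, symbol
    kdf_iterations: int = 100_000

    def check(self, pw: str) -> bool:
        classes = sum(bool(re.search(p, pw))
                      for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
        return len(pw) >= self.min_length and classes >= self.classes_required

    def convert(self, pw: str, salt: bytes) -> bytes:
        """Password conversion information: PBKDF2-HMAC-SHA256 (assumed)."""
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, self.kdf_iterations)


SELF_ACTIONS = {"profile", "password"}                             # S1409 to S1411
ADMIN_ACTIONS = {"switch", "password_policy", "user", "mg", "sg"}  # S1403 to S1408


@dataclass
class PolicyControlDevice:
    storage: dict = field(default_factory=sample_storage)
    switches: dict = field(default_factory=lambda: {"MG": True, "SG": True})  # unit 102'
    password_policy: PasswordPolicy = field(default_factory=PasswordPolicy)   # unit 103'

    def handle(self, requester: str, is_admin: bool, req: dict) -> str:
        """Main processing unit 101': S1401 parse, S1402 dispatch, S1412 report."""
        action = req.get("action")
        # S1402. Added check: the administrative branch is gated on the caller's
        # role, not on a label inside the request body.
        if action in SELF_ACTIONS:
            return self._self_manage(requester, action, req)
        if action in ADMIN_ACTIONS and is_admin:
            return self._administer(action, req)
        return "refused"

    def _administer(self, action: str, req: dict) -> str:
        st = self.storage
        if action == "switch":                                   # S1404
            if req.get("unit") not in self.switches:
                return "refused"
            self.switches[req["unit"]] = bool(req["on"])
        elif action == "password_policy":                        # S1405
            self.password_policy = PasswordPolicy(**req["policy"])
        elif action == "user":                                   # S1406, e.g. MG1 -> MG2
            wanted = set(req["MG"])
            if req["user"] not in st["users"] or not wanted <= set(st["mg"]):
                return "refused"                                 # unknown user or MG
            st["users"][req["user"]]["MG"] = wanted
        elif action == "mg":                                     # S1407 add/remove devices
            devs = st["mg"].setdefault(req["mg"], {"MG_DEV": set()})["MG_DEV"]
            devs -= set(req.get("remove", ()))
            devs |= set(req.get("add", ()))
        elif action == "sg":                                     # S1408
            st["sg"][req["sg"]] = {"SG_ROLE": set(req["roles"])}
        return "ok"

    def _self_manage(self, requester: str, action: str, req: dict) -> str:
        user = self.storage["users"].get(requester)
        if user is None:
            return "refused"
        if action == "profile":                                  # S1410
            # Only contact details may change; MG/SG membership is not
            # self-serviceable, as the page states.
            if set(req["fields"]) - {"email", "phone"}:
                return "refused"
            user.update(req["fields"])
            return "ok"
        new_pw = req["new_password"]                             # S1411
        if not self.password_policy.check(new_pw):
            return "refused"
        salt = os.urandom(16)
        self.storage["passwords"][requester] = (salt, self.password_policy.convert(new_pw, salt))
        return "ok"
```

Because the policy object is replaced whole in S1405, a later S1411 password change is checked against the new thresholds while passwords already stored keep their old conversion information; a deployment that tightens the policy would also need to force re-enrolment of existing passwords, which the page does not discuss.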
In another embodiment, the invention also provides an application server access system in an intranet comprising application server 500, database server 200, server access terminal 400 and policy control server 100. The difference from the embodiment of Fig. 1 is that identity authentication device 300 is installed in each application server. Identity authentication device 300 is connected to the server access terminal through the intranet.
When the access authentication method of the embodiment is implemented, identity authentication device 300 needs to be installed on every computer device in the computer device cluster environment. Identity authentication device 300 takes over the original user authority management function of the computer device's operating system, and all device accessors' access requests are accepted by identity authentication device 300. Identity authentication device 300 communicates with the computer device's operating system through system calls. The interaction between identity authentication device 300, policy control device 100 and data storage device 200 is shown in Fig. 15, which takes as its example an identity authentication device (labelled 200 in Fig. 15) installed in each application server (computer device 1, computer device 2, ..., computer device n); this is not intended to limit the invention.
Identity authentication device 300 is responsible for parsing a computer device accessor's access authentication information; user information retrieval unit 301' judges whether the user exists. If the user is confirmed not to exist, the accessor is directly denied entry to the computer device and the identity authentication request ends. If user information retrieval unit 301' confirms that the user exists, the access authentication information is sent to MG authentication unit 302'.
MG authentication unit 302' queries policy control device 100 for whether the MG authentication switch is on. If it is not on, the access authentication information is sent to password authentication unit 303'; otherwise MG authentication unit 302' judges whether the computer device belongs to an MG the user may access. If it does not, the accessor is directly denied entry to the computer device and the identity authentication request ends; if it does, the authentication information is sent to password authentication unit 303'.
Password authentication unit 303' parses the password information in the user authentication information, invokes the password policy of policy control device 100 and queries the password definition table to perform password authentication. If password authentication fails, the accessor is directly denied entry to the computer device and the identity authentication request ends. Otherwise the user authentication request is sent to service authorization unit 304', which extracts the subset of service operation processing authority, grants it to the user and allows the user to enter the computer device; the progressive authentication process ends.
Policy control device 100 mainly processes users' policy control requests and completes the modification of the relevant authentication policy and management data according to the request content. During the progressive user identity authentication process, each processing unit of identity authentication device 300 takes the corresponding authentication step according to the specific content of the user authentication information and the policy control information set in policy control device 100.
Beneficial technical effects of the embodiments of the invention:
The invention introduces machine groups (MG) and service groups (SG) associated with the enterprise's business and services, and adopts a new method of authenticating user identity based on a two-dimensional grouping authority space. This breaks through the limitation of traditional approaches that can only use operating system user groups; an enterprise can flexibly define the number and granularity of machine groups and service groups according to its own needs, thereby achieving finer-grained rights management.
The invention adopts a step-by-step progressive authentication method in which each authentication step can use a different authentication method and the authentication units are configurable by parameters, which effectively overcomes the limitation of the one-time authentication commonly used in the prior art.
In the progressive method the difficulty and complexity of each step increase step by step, and failure of a preceding step leads directly to refusal; this reduces the number of subsequent authentication procedures and complex password authentication algorithm invocations and greatly improves authentication efficiency and targeting.
Through the centralized management of the authentication and authorization policy control component and the centralized storage of key authentication information, the invention avoids dispersed maintenance on every computer device, significantly reduces the maintenance workload, improves work efficiency and guarantees the consistency of authentication information across the enterprise computer cluster environment.
The specific embodiments described above further explain the objects, technical solutions and beneficial effects of the invention. It should be understood that the above are only specific embodiments of the invention and are not intended to limit its scope; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. An application server access system in an intranet, characterized in that the system comprises: an application server, a database server, a server access terminal, an identity authentication device and a policy control server;
the database server, the identity authentication device and the policy control server are interconnected through the intranet; the identity authentication device is connected to the server access terminal through the intranet; and the identity authentication device is connected to the application server; wherein
the database server comprises:
a user identifier storage device for storing user identifiers;
a server group identifier storage device for storing server group identifiers;
a user password storage device for storing user passwords; and
a service group identifier storage device for storing service group identifiers;
the server access terminal comprises:
a request information input device for entering application server access request information comprising a user identifier, a user password, a server group identifier, an application server identifier and a service group identifier; and
an application server access device for accessing the application server;
the identity authentication device comprises:
an information receiving device for receiving the access request information sent by the server access terminal;
a user identifier authentication device for sending the user identifier in the access request information to the database server for authentication;
an application server switch query information generating device for generating server group authentication switch query state information according to the user identifier information fed back by the database server;
an application server switch query information sending device for sending the application server switch state query information to the policy control server;
a server group authentication device for sending the server group identifier in the access request information to the database server for authentication according to the server group authentication switch-on information fed back by the policy control server;
an information conversion request device for sending the user password in the access request information to the policy control server for password information conversion according to the server group information fed back by the database server;
a password authentication device for sending the password conversion information fed back by the policy control server to the database server for authentication;
a service switch state query information generating device for generating service group authentication switch state query information according to the user password information fed back by the database server;
a service switch state query information sending device for sending the service switch state query information to the policy control server;
a service group identifier authentication device for sending the service group identifier in the access request information to the database server for authentication according to the service group authentication switch-on information fed back by the policy control server; and
an authority information sending device for sending application server access authority information to the server access terminal according to the service group authentication success information returned by the database server;
the policy control server comprises:
a switch state feedback device for feeding back the application server group authentication switch state and the service group authentication switch state respectively according to the server group authentication switch state information and the service group authentication switch state information sent by the identity authentication device;
a conversion device for performing information conversion on the user password sent by the identity authentication device; and
a password sending device for sending the user password after information conversion to the identity authentication device.
2. The system of claim 1, characterized in that the identity authentication device further comprises:
an information extraction device for extracting the user identifier, user password, server group identifier, application server identifier and service group identifier from the application server access request information.
3. The system of claim 1, characterized in that the application server access request information further comprises an application server identifier.
4. The system of claim 3, characterized in that the server group identifier storage device is further used to store application server identifiers corresponding to the server group identifiers.
5. The system of claim 4, characterized in that the server group authentication device is further used to send the application server identifier in the access request information to the database server for authentication.
6. The system of claim 1, characterized in that the policy control server further comprises:
a switch state setting device for setting the server group authentication switch state and the service group authentication switch state of the identity authentication device.
7. The system of claim 1, characterized in that the policy control server further comprises:
an information modification device for modifying the information in the database server.
8. The system of claim 1, characterized in that when the server group authentication switch is in the off state, the identity authentication device skips the server group identifier authentication device and sends the service group identifier in the access request information directly to the database server for authentication.
9. The system of claim 1, characterized in that when the service group authentication switch is in the off state, the user is allowed to access all services in the application server authenticated by the server group identifier authentication device.
10. the application server access system in the intranet is characterized in that described system comprises: application server, database server, server access terminal and policy control server;
Described database server, the policy control server interconnects by intranet; Wherein,
Described database server comprises:
The user ID storage device; Be used to store user ID;
Server packet sign storage device; Be used to store the server packet sign;
The user password storage device; Be used to store user password; And
Traffic packets sign storage device; Be used for the storage service group character;
Described server access terminal comprises:
The solicited message input unit; Be used to import the application server access solicited message that comprises user ID, user password, server packet sign, application server identifier, traffic packets sign; And
The application server access device; Be used for access application server;
Described application server comprises: identification authentication system, and described identification authentication system is connected with the server access terminal by intranet, and described identification authentication system comprises:
Information receiver; Be used to receive the accessing request information of sending of described server access terminal;
The user ID authenticate device; Being used for user ID with described accessing request information sends to described database server and authenticates;
Application server switch Query Information generating apparatus; Be used for generating server packet authentication switch query State information according to the user totem information of described database server feedback;
Application server switch Query Information dispensing device; Be used for described application server on off state Query Information is sent to described policy control server;
The server packet authenticate device; Being used for according to the server packet authentication switch of the described policy control server feedback information of opening the server packet sign of described accessing request information being sent to described database server authenticates;
The information translation request unit; Be used for the user password of described accessing request information being sent to described policy control server and carry out the password information conversion according to the server packet information of described database server feedback;
The password authentication device; Being used for password transitional information with described policy control server feedback sends to described database server and authenticates;
Professional on off state Query Information generating apparatus; Be used for generating identifying service block on off state Query Information according to the user password information of described database server feedback;
Professional on off state Query Information dispensing device; Be used for described professional on off state Query Information is sent to described policy control server;
Traffic packets ID authentication device; Being used for according to the identifying service block switch open information of described policy control server feedback the traffic packets sign of described accessing request information being sent to described database server authenticates; And
The authority information dispensing device; The identifying service block successful information that is used for returning according to described database server sends the application server access authority information to described server access terminal;
Described policy control server comprises:
The on off state feedback device; The server packet authentication switch state information and the identifying service block on off state information that are used for sending according to described identification authentication system are distinguished feedback application server packet authentication on off state and identifying service block on off state;
Transcriber; The user password that is used for described identification authentication system is sent carries out information translation; And
The password dispensing device; Be used for the user password after the information translation is sent to described identification authentication system.
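As an added illustration (not part of the patent or of the assignee's implementation), the following Python sketch walks one access request through the staged checks of claims 1 to 10 with the two policy-control switches, including the switch-closed behaviour of claims 8 and 9. The database contents are constructed, the password conversion is modelled as a salted SHA-256 (the patent does not specify a transform), and claim 8 is read as skipping only the server-group stage while password authentication still runs; all three are assumptions.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample contents standing in for the database server's four storage devices.
DB = {
    "user_ids": {"alice", "bob"},
    "server_groups": {"grp-core": {"app-01", "app-02"}},  # server group -> application servers (claims 4-5)
    "passwords": {("alice", "grp-core"): hashlib.sha256(b"grp-core:s3cret").hexdigest()},
    "business_groups": {"alice": {"biz-pay", "biz-query"}},
}

@dataclass
class PolicyControlServer:
    """Holds the two authentication switches (claim 6) and performs the password conversion (claim 10)."""
    server_group_switch: bool = True
    business_group_switch: bool = True

    def convert_password(self, server_group: str, password: str) -> str:
        # Assumed conversion (the patent does not specify one): salt with the server group, then hash.
        return hashlib.sha256(f"{server_group}:{password}".encode()).hexdigest()

@dataclass
class AccessRequest:
    user_id: str
    password: str
    server_group: str
    app_server: str
    business_group: str

def authenticate(req: AccessRequest, policy: PolicyControlServer):
    """Run the progressive checks; returns (granted, stage_reached, allowed_business_groups)."""
    if req.user_id not in DB["user_ids"]:
        return False, "user_id", set()
    if policy.server_group_switch:  # claim 8: a closed switch skips this stage entirely
        servers = DB["server_groups"].get(req.server_group)
        if servers is None or req.app_server not in servers:
            return False, "server_group", set()
    converted = policy.convert_password(req.server_group, req.password)
    if DB["passwords"].get((req.user_id, req.server_group)) != converted:
        return False, "password", set()
    if not policy.business_group_switch:  # claim 9: every business on the authenticated server is allowed
        return True, "granted", {"*"}
    if req.business_group not in DB["business_groups"].get(req.user_id, set()):
        return False, "business_group", set()
    return True, "granted", {req.business_group}

if __name__ == "__main__":
    req = AccessRequest("alice", "s3cret", "grp-core", "app-01", "biz-pay")
    print(authenticate(req, PolicyControlServer()))
```

The stage name returned on failure is for the authenticator's own audit log; the access terminal should only ever see a uniform denial.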

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101764989A CN101827110B (en) 2010-05-13 2010-05-13 Application server access system in intranet

Publications (2)

Publication Number Publication Date
CN101827110A true CN101827110A (en) 2010-09-08
CN101827110B CN101827110B (en) 2012-09-26

Family

ID=42690810

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2010101764989A Active CN101827110B (en) 2010-05-13 2010-05-13 Application server access system in intranet

Country Status (1)

Country Link
CN (1) CN101827110B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050044225A1 (en) * 2003-08-05 2005-02-24 Sanyo Electric Co., Ltd. Network system, appliance controlling household server, and intermediary server
CN101064717A (en) * 2006-04-26 2007-10-31 北京华科广通信息技术有限公司 Safety protection system of information system or equipment and its working method
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and certification server for realizing device access control

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036858B (en) * 2011-10-09 2018-10-26 南京中兴软件有限责任公司 System, implementation method, ACF and the PAG of user Internet access
CN103051598A (en) * 2011-10-17 2013-04-17 中兴通讯股份有限公司 Method, user equipment and packet access gateway for secure access to Internet services
CN103051598B (en) * 2011-10-17 2017-04-26 中兴通讯股份有限公司 Method, user equipment and packet access gateway for secure access to Internet services
CN103179126A (en) * 2013-03-26 2013-06-26 山东中创软件商用中间件股份有限公司 Access control method and device
CN107925877A (en) * 2015-06-23 2018-04-17 华睿泰科技有限责任公司 For centralized configuration and the system and method for certification
CN109872119A (en) * 2019-01-17 2019-06-11 平安科技(深圳)有限公司 Project information management method, apparatus, computer equipment and storage medium

Also Published As

Publication number Publication date
CN101827110B (en) 2012-09-26

Similar Documents

Publication Publication Date Title
CN113239344B (en) Access right control method and device
CN110401655A (en) Access control right management system based on user and role
CN201690475U (en) Application server access system in enterprise local area network
CN101310286B (en) Improved single sign on
CN102947797B (en) The online service using directory feature extending transversely accesses and controls
CN101582769B (en) Authority setting method of user access network and equipment
CN109670768A (en) Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain
CN105871914B (en) CRM system access control method
CN105378768A (en) Proximity and context aware mobile workspaces in enterprise systems
CN103400067A (en) Access control method, system and server
US9081982B2 (en) Authorized data access based on the rights of a user and a location
CN102984159A (en) Secure access logic control method based on terminal access behavior and platform server
CN101827110B (en) Application server access system in intranet
CN106101054A (en) The single-point logging method of a kind of multisystem and centralized management system
CN108234509A (en) FIDO authenticators, Verification System and method based on TEE and PKI certificates
CN107465650A (en) A kind of access control method and device
CN106559389A (en) A kind of Service Source issue, call method, device, system and cloud service platform
CN108966216A (en) A kind of method of mobile communication and device applied to power distribution network
CN108920919A (en) Control method, the device and system of interactive intelligence equipment
CN114866346B (en) Password service platform based on decentralization
CN111274569A (en) Research, development, operation and maintenance integrated system for unified login authentication and login authentication method thereof
CN110175439A (en) User management method, device, equipment and computer readable storage medium
CN106127888A (en) Smart lock operational approach and smart lock operating system
CN113111339A (en) Access control method, device, equipment and medium for application service
CN1601954B (en) Moving principals across security boundaries without service interruption

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant