CN101827110B - Application server access system in intranet - Google Patents

Application server access system in intranet

Publication number: CN101827110B (application number CN2010101764989A; other version: CN101827110A)
Authority: CN (China)
Original language: Chinese (zh)
Prior art keywords: server, information, authentication, application server, password
Legal status: Active (status as listed by Google Patents, not a legal conclusion)
Inventors: 侯志荣, 浦沅, 高嵩
Original and current assignee: Industrial and Commercial Bank of China Ltd (ICBC)

Abstract

The invention provides an application server access system for an intranet. The system comprises an application server, a database server, a server access terminal, an identity authentication device and a policy control server. The database server, the identity authentication device and the policy control server are interconnected through the intranet; the identity authentication device is connected to the server access terminal through the intranet and is also connected to the application server. The identity authentication device authenticates the access request information step by step and assigns permissions to a user who passes the final authentication step. Because the authentication is progressive, security and flexibility are increased and the limitation of the one-time authentication commonly adopted in the prior art is effectively overcome; an enterprise can define the number and granularity of device groups and service groups according to its own requirements, giving finer-grained permission management.

Description

Application server access system in an intranet
Technical field
The invention relates to computer security management technology, in particular to computer access authentication technology, and specifically to an application server access system in an intranet.
Background technology
In industries with a high level of informatization, such as finance, telecommunications and taxation, servers are often deployed in large clusters, and a large number of administrators, maintenance staff and business staff access these servers every day. To meet internal security control requirements, users must be authenticated and authorized.
Present-day computer equipment generally provides device users with a feature-rich, friendly man-machine interface through the operating system, supports multi-user access under complex business operating environments, and provides specific user authentication and authorization methods. The common method of authenticating and authorizing users is to establish different user groups in the operating system; to assign each device user a unique identity USER_ID and an authentication password; to store the device user's identity in the associated operating system user group; and to build a user rights database locally in the operating system. The operating system authenticates according to the USER_ID and password entered by the device user, searches the user rights database and, if the user's USER_ID and password verify correctly, retrieves that user's rights from the user rights data and grants them to the user.
In the course of realizing the present invention, the inventors found at least the following deficiencies in the prior art:
The types of user group are generally defined by the operating system according to the resources accessed; they are fixed and few in number (most operating systems provide only a few coarse-grained user group types, such as the system administrator group and the ordinary user group), and cannot be customized according to business operation needs. When some business functions should be accessible only to certain users, the present authentication and authorization cannot achieve this; all business functions can only be granted to a visitor as a whole, which makes it difficult to guarantee the security of server information.
During user authentication, a one-time authentication mode with a single authentication algorithm is used to verify the visitor's identity, so authentication security is not high; furthermore, the whole user rights database must be searched and compared, which consumes more resources and executes less efficiently.
User rights data are stored locally on each computer device, so they must be managed and maintained in a decentralized way, at higher cost.
Summary of the invention
The embodiments of the invention provide an application server access system in an intranet that adopts a progressive, step-by-step authentication method in which each step may use a different authentication method, so as to overcome the limitation of the one-time authentication generally adopted in the prior art.
To achieve these goals, in one embodiment an application server access system in an intranet is provided. The system comprises: an application server, a database server, a server access terminal, an identity authentication device and a policy control server;
The database server, the identity authentication device and the policy control server are interconnected through the intranet; the identity authentication device is connected to the server access terminal through the intranet, and the identity authentication device is connected to the application server; wherein,
The database server comprises:
User ID storage device: stores user IDs;
Server group ID storage device: stores server group IDs;
User password storage device: stores user passwords; and
Service group ID storage device: stores service group IDs;
The server access terminal comprises:
Request information input unit: enters the application server access request information, which comprises the user ID, user password, server group ID, application server ID and service group ID; and
Application server access device: accesses the application server;
The identity authentication device comprises:
Information receiver: receives the access request information sent by the server access terminal;
User ID authentication device: sends the user ID in the access request information to the database server for authentication;
Application server switch query information generating device: generates server group authentication switch state query information according to the user ID information fed back by the database server;
Application server switch query information sending device: sends the application server switch state query information to the policy control server;
Server group authentication device: according to the server group authentication switch open information fed back by the policy control server, sends the server group ID in the access request information to the database server for authentication;
Information conversion request unit: according to the server group information fed back by the database server, sends the user password in the access request information to the policy control server for password information conversion;
Password authentication device: sends the password conversion information fed back by the policy control server to the database server for authentication;
Service switch state query information generating device: generates service group authentication switch state query information according to the user password information fed back by the database server;
Service switch state query information sending device: sends the service switch state query information to the policy control server;
Service group ID authentication device: according to the service group authentication switch open information fed back by the policy control server, sends the service group ID in the access request information to the database server for authentication; and
Authority information sending device: according to the service group authentication success information returned by the database server, sends application server access authority information to the server access terminal;
The policy control server comprises:
Switch state feedback device: according to the server group authentication switch state query information and the service group authentication switch state query information sent by the identity authentication device, feeds back the application server group authentication switch state and the service group authentication switch state respectively;
Conversion device: performs information conversion on the user password sent by the identity authentication device; and
Password sending device: sends the converted user password to the identity authentication device.
To achieve these goals, in another embodiment an application server access system in an intranet is provided. The system comprises: an application server, a database server, a server access terminal and a policy control server.
The database server, the server access terminal and the policy control server comprise the same devices as in the embodiment above (the four storage devices; the request information input unit and the application server access device; the switch state feedback device, the conversion device and the password sending device).
The difference is that the application server comprises the identity authentication device. The identity authentication device is connected to the server access terminal through the intranet and comprises the same devices as listed above: the information receiver, the user ID authentication device, the application server switch query information generating and sending devices, the server group authentication device, the information conversion request unit, the password authentication device, the service switch state query information generating and sending devices, the service group ID authentication device, and the authority information sending device.
Beneficial effects of the embodiments of the invention: the invention introduces device groups and service groups and adopts a progressive, step-by-step authentication method in which each step may use a different authentication method. This strengthens security and flexibility and effectively overcomes the limitation of the one-time authentication generally adopted in the prior art. An enterprise can flexibly define the number and granularity of device groups and service groups according to its own needs, achieving more refined rights management.
Description of drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort. In the drawings:
Fig. 1 is a structural diagram of the application server access system in the intranet according to an embodiment of the invention;
Fig. 2 is a structural diagram of the database server of the embodiment;
Fig. 3 is a structural diagram of the server access terminal of the embodiment;
Fig. 4 is a structural diagram of the identity authentication device of the embodiment;
Fig. 5 is a structural diagram of the policy control server of the embodiment;
Fig. 6 is the information interaction flow chart of the embodiment;
Fig. 7 is a structural diagram of the progressive security authentication system of the embodiment;
Fig. 8 is the data structure diagram of the user definition table of the embodiment;
Fig. 9 is the data structure diagram of the MG definition table of the embodiment;
Fig. 10 is the data structure diagram of the password definition table of the embodiment;
Fig. 11 is the data structure diagram of the SG definition table of the embodiment;
Fig. 12 is the flow chart of the access authentication method of the embodiment based on banking business;
Fig. 13 is the flow chart of the progressive authentication method of another embodiment of the invention;
Fig. 14 is the flow chart of the policy setting method of the embodiment;
Fig. 15 is the interaction diagram of the identity authentication device, the policy control device and the data storage device of the embodiment.
Embodiments
To make the purpose, technical solution and advantages of the embodiments of the invention clearer, the embodiments are described in further detail below with reference to the drawings. The illustrative embodiments and their explanations are used to explain the invention and are not a limitation of it.
The embodiments of the invention introduce device groups (Machine Group, MG) and business service groups (Service Group, SG). MG and SG are defined by the user, so as to build a fine-grained authority space. The authority Up of each visitor (user) in the authority space of a computer device can be represented as Up = ({MGID}, {SGID}); the former set represents which device groups the user may access, and the latter represents the set of business operation permissions the visitor holds after entering the device, thereby providing greater flexibility and virtualization capability.
Specifically, the embodiments authenticate and authorize the user in a progressive, step-by-step manner: first, the USER_ID received from the user is queried to check whether the user exists; if the user exists, it is verified whether the computer device the user is accessing belongs to that user's access scope; if the user may access this computer device, the user password is verified; if the password verification succeeds, the relevant business processing permissions are extracted from the user's service group identifier (SG_ID) information and assigned to the device user, finally completing user identity authentication and authorization and allowing the user to enter the system.
As shown in Fig. 1, the invention provides an application server access system in an intranet. The system comprises: policy control server 100, database server 200, identity authentication device 300, server access terminal 400 and application server 500.
Policy control server 100, database server 200 and identity authentication device 300 are interconnected through the intranet; identity authentication device 300 is connected to server access terminal 400 through the intranet, and identity authentication device 300 is connected to application server 500.
As shown in Fig. 2, database server 200 comprises: user ID storage device 201 for storing user IDs; server group ID storage device 202 for storing server group IDs; user password storage device 203 for storing user passwords; and service group ID storage device 204 for storing service group IDs.
As shown in Fig. 3, server access terminal 400 comprises: request information input unit 401 for entering the application server access request information, which comprises the user ID, user password, server group ID, application server ID and service group ID; and application server access device 402 for accessing the application server.
As shown in Fig. 4, identity authentication device 300 comprises: information receiver 301 for receiving the access request information sent by the server access terminal; user ID authentication device 302 for sending the user ID in the access request information to the database server for authentication; application server switch query information generating device 303 for generating server group authentication switch state query information according to the user ID information fed back by the database server; application server switch query information sending device 304 for sending the application server switch state query information to the policy control server; server group authentication device 305 for sending the server group ID in the access request information to the database server for authentication according to the server group authentication switch open information fed back by the policy control server; information conversion request unit 306 for sending the user password in the access request information to the policy control server for password information conversion according to the server group information fed back by the database server; password authentication device 307 for sending the password conversion information fed back by the policy control server to the database server for authentication; service switch state query information generating device 308 for generating service group authentication switch state query information according to the user password information fed back by the database server; service switch state query information sending device 309 for sending the service switch state query information to the policy control server; service group ID authentication device 310 for sending the service group ID in the access request information to the database server for authentication according to the service group authentication switch open information fed back by the policy control server; and authority information sending device 311 for sending application server access authority information to the server access terminal according to the service group authentication success information returned by the database server.
As shown in Fig. 5, policy control server 100 comprises: switch state feedback device 101 for feeding back the application server group authentication switch state and the service group authentication switch state respectively, according to the server group authentication switch state query information and the service group authentication switch state query information sent by the identity authentication device; conversion device 102 for performing information conversion on the user password sent by the identity authentication device; and password sending device 103 for sending the converted user password to the identity authentication device.
There may be a plurality of application servers 500. Fig. 1 shows three groups, namely application server group 1, application server group 2 and application server group 3, and each group in turn comprises a plurality of application servers; the invention is not limited to this.
As shown in Fig. 4, the identity authentication device may further comprise: information extracting device 312 for extracting the user ID, user password, server group ID, application server ID and service group ID from the application server access request information.
The application server access request information also comprises an application server ID.
The server group ID storage device also stores the application server ID corresponding to the server group ID. The server group authentication device also sends the application server ID in the access request information to the database server for authentication.
As shown in Fig. 5, policy control server 100 further comprises: switch state setting device 104 for setting the server group authentication switch state and the service group authentication switch state of the identity authentication device; and information modification device 105 for modifying the information in the database server.
When the server group authentication switch is closed, the identity authentication device skips the server group ID authentication device and sends the service group ID in the access request information directly to the database server for authentication.
When the service group authentication switch is closed, the user is allowed to access all services in the application server that passed the server group ID authentication.
Policy control server 100, database server 200, identity authentication device 300, server access terminal 400 and application server 500 realize the access of server access terminal 400 to application server 500 through information interaction. The information interaction among policy control server 100, database server 200, identity authentication device 300, server access terminal 400 and application server 500 is shown in Fig. 6 and comprises the following steps:
S1. Each application server in application server 500 sends its device group ID, device ID and service group ID to database server 200 for storage.
S2. Database server 200 stores the user IDs, the user passwords, and the device group IDs, device IDs and service group IDs corresponding to the application servers.
S3. The server access terminal sends an access request to identity authentication device 300; the server access request comprises the user ID, device group ID, device ID, user password and service group ID.
S4. Identity authentication device 300 receives the access request information sent by the server access terminal and sends the user ID to database server 200 for user ID authentication; after the user ID is found in database server 200, feedback information containing the user ID is returned to identity authentication device 300.
S5. Identity authentication device 300 generates server group authentication switch state query information according to the user ID information fed back by database server 200.
S6. The server group switch state query information is sent to policy control server 100 to query whether the server group switch is open.
S7. If the server group authentication switch is open, policy control server 100 feeds back the application server group authentication switch state to identity authentication device 300.
S8. According to the server group authentication switch open information fed back by the policy control server, identity authentication device 300 sends the server group ID in the access request information to database server 200 for authentication; after the server group ID is found in database server 200, feedback information containing the server group ID is returned to identity authentication device 300.
S9. The user password in the access request information is sent to policy control server 100 for password information conversion.
S10. Policy control server 100 returns the converted password information. Policy control server 100 can change the password complexity, the random password generation algorithm and the password encryption algorithm, and generates the corresponding password conversion information according to the specific password authentication algorithm.
S11. Identity authentication device 300 sends the password conversion information fed back by policy control server 100 to database server 200 for authentication; after the user password is found in database server 200, feedback information containing the user password is returned to identity authentication device 300.
S12. Identity authentication device 300 generates service group authentication switch state query information according to the password information returned by database server 200.
S13. Identity authentication device 300 sends the service group switch state query information to policy control server 100 to query whether the service group switch is open.
S14. If the service group authentication switch is open, policy control server 100 feeds back the service group authentication switch state to identity authentication device 300.
S15. Identity authentication device 300 sends the service group ID to database server 200 for authentication; after the service group ID is found in database server 200, feedback information containing the service group ID is returned to identity authentication device 300.
S16. Identity authentication device 300 sends application server access authority information to the server access terminal according to the service group information returned by database server 200.
S17. The server access terminal accesses the services in the corresponding application server according to the access authority information.
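The following Python simulation is an added illustration, not code from the patent or from ICBC: it walks one access request through steps S4 to S16, with the identity authentication device stopping at the first failed step and the two authentication switches (server group and service group) held by the policy control server. The password transform, the table layout, the class and field names and the sample user, server group and service group are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class AccessRequest:
    """What the server access terminal submits in step S3."""
    user_id: str
    password: str
    mg_id: str       # server (machine) group identifier
    server_id: str   # application server identifier
    sg_id: str       # service (business) group identifier


@dataclass
class AuthResult:
    granted: bool
    failed_step: Optional[str] = None
    permissions: dict = field(default_factory=dict)  # Up = ({MGID}, {SGID})


class PolicyControlServer:
    """Holds the MG/SG authentication switches and the password transform."""
    def __init__(self, mg_switch=True, sg_switch=True, salt=b"constructed-salt"):
        self.mg_switch = mg_switch  # server group authentication switch
        self.sg_switch = sg_switch  # service group authentication switch
        self._salt = salt

    def transform_password(self, user_id: str, password: str) -> str:
        # Assumed transform for step S10: the patent only says the policy server
        # converts the password with a configurable algorithm. Here SHA-256 over
        # a server-side salt and the credential pair; the database stores the
        # same transformed value and never compares the cleartext.
        data = self._salt + user_id.encode() + b"\0" + password.encode()
        return hashlib.sha256(data).hexdigest()


class DatabaseServer:
    """The user, server group, password and service group tables."""
    def __init__(self):
        self.passwords = {}   # USER_ID -> transformed password
        self.user_mgs = {}    # USER_ID -> MG ids the user may enter
        self.user_sgs = {}    # USER_ID -> SG ids the user holds
        self.mg_servers = {}  # MG id -> application server ids (step S1)

    def register_server(self, mg_id, server_id):
        self.mg_servers.setdefault(mg_id, set()).add(server_id)

    def add_user(self, user_id, transformed_password, mg_ids, sg_ids):
        self.passwords[user_id] = transformed_password
        self.user_mgs[user_id] = set(mg_ids)
        self.user_sgs[user_id] = set(sg_ids)

    def has_user(self, user_id):
        return user_id in self.passwords

    def server_in_user_group(self, user_id, mg_id, server_id):
        return (mg_id in self.user_mgs.get(user_id, set())
                and server_id in self.mg_servers.get(mg_id, set()))

    def verify_password(self, user_id, transformed):
        return hmac.compare_digest(self.passwords[user_id], transformed)

    def user_has_sg(self, user_id, sg_id):
        return sg_id in self.user_sgs.get(user_id, set())


class IdentityAuthenticationSystem:
    """Steps S4-S16: each check starts only after the previous one passed."""
    def __init__(self, db: DatabaseServer, policy: PolicyControlServer):
        self.db, self.policy = db, policy

    def authenticate(self, req: AccessRequest) -> AuthResult:
        granted_mg, granted_sg = set(), set()
        # S4: the USER_ID must exist before anything else is examined.
        if not self.db.has_user(req.user_id):
            return AuthResult(False, "user_id")
        # S5-S8: server group check, skipped when the policy switch is closed.
        if self.policy.mg_switch:
            if not self.db.server_in_user_group(req.user_id, req.mg_id, req.server_id):
                return AuthResult(False, "server_group")
            granted_mg.add(req.mg_id)
        # S9-S11: the policy server transforms the password, the database compares.
        transformed = self.policy.transform_password(req.user_id, req.password)
        if not self.db.verify_password(req.user_id, transformed):
            return AuthResult(False, "password")
        # S12-S15: service group check; with the switch closed every service on
        # the server is allowed, shown here by the wildcard "*".
        if self.policy.sg_switch:
            if not self.db.user_has_sg(req.user_id, req.sg_id):
                return AuthResult(False, "service_group")
            granted_sg.add(req.sg_id)
        else:
            granted_sg.add("*")
        # S16: the terminal receives its authority Up = ({MGID}, {SGID}).
        return AuthResult(True, None, {"MG_ID": granted_mg, "SG_ID": granted_sg})


def constructed_database(policy: PolicyControlServer) -> DatabaseServer:
    """Constructed sample data, not from the patent: one user, one MG, one SG."""
    db = DatabaseServer()
    db.register_server("MG_DB_CLUSTER", "db-01")
    db.add_user("alice", policy.transform_password("alice", "correct horse"),
                mg_ids={"MG_DB_CLUSTER"}, sg_ids={"SG_PAYMENT"})
    return db
```

Because each step only runs after the previous one succeeds, a wrong server group ID is rejected before the password is ever transformed, and closing a switch removes that step rather than weakening the others.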
Fig. 7 is the go forward one by one structure chart of Verification System of embodiment of the invention safety, and the safety Verification System of going forward one by one comprises: policy control device 100, identification authentication system 300 and data storage device 200.Wherein policy control device 100 links to each other with identification authentication system 300, data storage device 200 respectively, and identification authentication system 300 links to each other with data storage device 200, computer device resources 400 respectively.Computer device resources 400 is equivalent to the application server 500 among Fig. 1.
In Fig. 7; The strategy that identification authentication system 300 regulative strategy control device 100 are provided with; The tables of data of data query storage device 200 storages; Accomplish authenticating user identification and generate the service authority of access computer device resource 400, through special bottom communication interface, accomplish subscriber authorisation then and between the computer device resources 400.
Specify policy control device 100 below in conjunction with Fig. 7, the function of each unit in identification authentication system 300 and the data storage device 200.
The policy control device 100 is used for the centralized storage and management of authentication and authorization policies. It is the entry point for authentication and authorization policy control of accessing users, provides the functions of routine user-management maintenance operations, and provides self-management functions such as password reset for device accessors. As shown in Fig. 7, the policy control device 100 comprises a main processing unit 101′, an authentication switch configuration unit 102′, a password policy configuration unit 103′ and an authentication data adjustment unit 104′. The authentication switch configuration unit 102′ implements the functions of the switch state setting device 104 and the switch state feedback device 101 of Fig. 1; the password policy configuration unit 103′ implements the functions of the conversion device, the password sending device 102 and the like of Fig. 5; the authentication data adjustment unit 104′ implements the function of the information modification device.
The main processing unit 101′ is connected to the authentication switch configuration unit 102′, the password policy configuration unit 103′ and the authentication data adjustment unit 104′. It receives and identifies the user's instruction and invokes the authentication switch configuration unit 102′, the password policy configuration unit 103′ or the authentication data adjustment unit 104′ to handle it accordingly.
The authentication switch configuration unit 102′ sets switches for the machine group (MG) authentication unit 302′ and the service authorization unit 304′ of the identity authentication system 300, giving the enterprise flexible security-policy configuration. By default the authentication functions of the MG authentication unit 302′ and the service authorization unit 304′ are both set to open. The security administrator can change this setting by entering an instruction and close an authentication function. After the MG authentication function is closed, the identity authentication system 300 no longer triggers the MG authentication unit 302′ during visitor authentication and skips the MG authentication step; after the service authorization function is closed, the identity authentication system 2 no longer triggers the service authorization unit 304′ during authentication and allows the device accessor to use all services provided by the accessed device.
The password policy configuration unit 103′ stores and modifies password security control policies such as the complexity requirements for user access passwords, the random password generation algorithm and the password encryption algorithm. The security administrator can adjust these security control policies in the password configuration file through the password policy configuration unit 103′ according to the enterprise's security requirements.
The authentication data adjustment unit 104′ adds, deletes and modifies the data in the user definition table 201′, the MG definition table 202′, the password definition table 203′ and the SG definition table 204′. According to instructions sent by the security administrator, the authentication data adjustment unit 104′ sets machine group information and service group information; according to instructions sent by the device accessor, it carries out self-management functions such as modifying user information and user passwords. When a user modifies a password, the authentication data adjustment unit 104′ accesses the password policy configuration unit 103′, generates the corresponding password conversion information according to security control policies such as password complexity and the random password generation algorithm, and stores it in the password definition table 203′. When the password authentication unit 303′ authenticates a user password, it generally needs to invoke the authentication data adjustment unit 104′ to generate the corresponding password conversion information.
The identity authentication system 300 provides the access entry for the device accessor, receives and analyzes the authentication data entered by the device accessor, and performs the step-by-step authentication and authorization operations with reference to the control policy set by the policy control device 100. As shown in Fig. 7, the identity authentication system 300 comprises a user information retrieval unit 301′, an MG authentication unit 302′, a password authentication unit 303′ and a service authorization unit 304′. The user information retrieval unit 301′ implements the functions of the information receiving device 301, the user ID authentication device 302 and the information extraction device 312 of Fig. 4; the MG authentication unit 302′ implements the functions of the application server switch query information generating device 303, the application server switch query information sending device 304 and the server group authentication device of Fig. 4; the password authentication unit 303′ implements the functions of the information conversion request device 306 and the password authentication device 307 of Fig. 4; the service authorization unit 304′ implements the functions of the service switch query information generating device 308, the service switch query information sending device 309, the service group identifier authentication device 310 and the authority information sending device 311 of Fig. 4.
The user information retrieval unit 301′ receives the authentication data entered by the device accessor; the authentication data comprises information such as USER_ID, MG_ID, the device identifier (DEV_ID) and SG_ID. It queries whether this USER_ID exists in the user definition table 201′ of the data storage device 200; if it does not, the user's access is refused.
If the USER_ID exists in the user definition table 201′, the MG authentication unit 302′ retrieves the MG definition table 202′ of the data storage device 200 according to the MG_ID in the authentication data and judges whether this machine group exists in the machine group information. If the group can be found, the MG_DEV field (the devices in the group) is obtained from the MG definition table 202′ and searched for the DEV_ID in the authentication data; if it is present, processing enters the password authentication unit 303′; if it is not, failure information is returned and the visitor is not allowed access.
The password authentication unit 303′ checks the user password in the authentication data entered by the device accessor: it calls the password policy configuration unit 103, uses the specified password authentication algorithm to generate the corresponding password conversion information, accesses the password definition table 203′ of the data storage device 200 accordingly, and judges whether the user password has a matching record in the table. If so, processing enters the service authorization unit 304′; otherwise failure information is returned and the visitor is not allowed access.
The service authorization unit 304′ retrieves the SG definition table 204′ of the data storage device 200 according to the SG_ID in the authentication data entered by the device accessor and judges whether this service group exists in the service group information. If so, it returns the service group authority SG_ROLE of that service group and grants this authority to the user; otherwise it returns failure information and the visitor is not allowed access.
The data storage device 200 centrally stores the visitor identity information, machine group information and service group information of the enterprise environment that are required for visitor authentication and authorization, and provides authentication data to the identity authentication system 300. As shown in Fig. 7, the data storage device 200 comprises a user definition table 201′, an MG definition table 202′, a password definition table 203′ and an SG definition table 204′, which respectively implement the functions of the user ID storage device 201, the server group identifier storage device 202, the user password storage device 203 and the service group identifier storage device 204 of Fig. 2.
The user definition table 201′ stores the association between a user ID and the MGs and SGs it may access; Fig. 8 shows a preferred data structure.
The MG definition table 202′ stores the group information of the devices the user needs to access and the device information within each group; Fig. 9 shows a preferred data structure.
The password definition table 203′ stores the user's password information; Fig. 10 shows a preferred data structure.
The SG definition table 204′ stores service group information and the authority corresponding to each service group; Fig. 11 shows a preferred data structure.
As shown in Fig. 12, an embodiment of the invention provides an access authentication method for a banking service; the method comprises:
Step S1201: receiving the access authentication information entered by the user;
Step S1202: obtaining the user ID, the machine group identifier and the service group identifier from the access authentication information;
Step S1203: judging in turn whether the user ID, the machine group identifier and the service group identifier exist in the stored authentication information;
Step S1204: if the user ID, the machine group identifier and the service group identifier exist in the stored authentication information, granting the user the service group authority corresponding to the service group identifier.
The access authentication information further comprises a user access password and an access device identifier corresponding to the machine group identifier. After receiving the access authentication information entered by the user, the method further comprises obtaining the user access password and the access device identifier corresponding to the machine group identifier from the access authentication information.
Step S1203 specifically comprises: judging whether the user ID exists in the stored authentication information; if it does, judging whether the machine group identifier exists in the stored authentication information; if it does, judging whether the service group identifier exists in the stored authentication information.
Before judging whether the machine group identifier exists in the stored authentication information, the method further comprises: judging whether the user access password exists in the stored authentication information; if so, judging whether the machine group identifier exists in the stored authentication information.
Alternatively, before judging whether the service group identifier exists in the stored authentication information, the method further comprises: judging whether the user access password exists in the stored authentication information; if so, judging whether the service group identifier exists in the stored authentication information.
Before judging whether the service group identifier exists in the stored authentication information, the method further comprises: judging whether the access device identifier exists in the stored authentication information; if so, judging whether the service group identifier exists in the stored authentication information.
A specific embodiment of the invention is described below with reference to Fig. 7, Fig. 8, Fig. 9, Fig. 10 and Fig. 11, taking user A as an example.
As shown in Fig. 13, another embodiment of the invention provides a progressive security authentication method. The specific steps of this progressive authentication method are as follows:
Step S1301: the identity authentication system 300 receives the access authentication information entered by user A, and the user information retrieval unit 301′ in the identity authentication system 300 parses this authentication information. The authentication information comprises the user ID of user A, the group identifier of the device that user A will access and the service group identifier of the service that user A will access; it may also comprise the user access password of user A and information such as the access device identifier corresponding to the machine group identifier.
Step S1302: the user information retrieval unit 301′ extracts the USER_ID of the user authentication information from user A's access authentication information and queries whether it exists in the user information table 301 (Fig. 8) of the data storage device 200. If this USER_ID can be found, the corresponding data record set is returned and sent to the MG authentication unit 302′ for processing; otherwise user A's access is refused and step S1309 is executed.
Step S1303: the MG authentication unit 302′ invokes the authentication switch configuration unit 102 to confirm whether the MG authentication switch is open. If the MG authentication switch is not open, processing goes directly to step S1305; otherwise it goes to step S1304.
Step S1304: the MG authentication unit 302′ obtains the MG_ID from the access authentication information and queries whether this MG_ID exists in the MG definition table 202′ (Fig. 3). If this MG_ID can be found in the MG definition table 202′, the corresponding data record set is returned, the identity identifier DEV_ID of the computer device that user A needs to log on to is extracted from the access authentication information, and this DEV_ID is searched for in the MG_DEV field value of the returned data record set; if it exists, authentication success information is returned and processing enters step S1705; otherwise user A's access is refused and step S1709 is executed.
Step S1305: the password authentication unit 303′ extracts the user access password from the access authentication information, calls the password policy configuration unit 103, uses the specified password authentication algorithm to generate the corresponding password conversion information, and searches the password definition table 203′ accordingly for this user access password. If the user access password can be retrieved and matched successfully, a password authentication success message is returned and processing enters step S1306; otherwise user A's access is refused and step S1309 is executed.
Step S1305 is not an essential step; it may also be performed after step S1302, and the invention is not limited in this respect.
Step S1306: the service authorization unit 304′ invokes the authentication switch configuration unit 102 to confirm whether the service authorization switch is open. If it is not open, user A is granted access authority to all services of this device and processing goes to step S1308; otherwise it goes to step S1307.
Step S1307: the service authorization unit 304′ queries the SG definition table 303 according to the SG_ID in the user authentication information. If this SG_ID can be retrieved, the corresponding data record set is returned, the SG_ROLE field is extracted from the record set, and its field value, namely the subset of service operation processing authorities, is granted to the user; processing goes to step S1308.
Step S1308: the service authorization unit 304′ allows user A to enter the requested computer device system and access the corresponding service.
Step S1309: authentication ends.
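The progressive flow of steps S1301 to S1309, together with the MG and service authorization switches it consults and the policy-checked password change of step S1411, as an added Python example that is not the patent's own code. The table layouts, the salted PBKDF2 used as the "password conversion", the password complexity rule, and the reading that the requested MG and SG must also appear in the user's own definition-table entry are assumptions.

```python
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set


@dataclass
class PolicyControl:
    """Policy control device (100'): authentication switches and password policy."""
    mg_auth_enabled: bool = True   # MG (machine group) authentication switch, open by default
    sg_auth_enabled: bool = True   # service authorization (SG) switch, open by default
    min_password_len: int = 8      # constructed complexity requirement

    def convert_password(self, password: str, salt: bytes) -> bytes:
        # "password conversion information"; salted PBKDF2 is an assumed choice of algorithm
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def meets_policy(self, password: str) -> bool:
        # constructed rule: minimum length plus at least one letter and one digit
        return (len(password) >= self.min_password_len
                and any(c.isdigit() for c in password)
                and any(c.isalpha() for c in password))


@dataclass
class DataStore:
    """Data storage device (200'): the four definition tables, with constructed layouts."""
    users: Dict[str, Dict[str, Set[str]]]   # USER_ID -> {"MG": accessible MG_IDs, "SG": accessible SG_IDs}
    mg_dev: Dict[str, Set[str]]             # MG_ID -> MG_DEV field (DEV_IDs in the group)
    passwords: Dict[str, tuple] = field(default_factory=dict)  # USER_ID -> (salt, conversion)
    sg_role: Dict[str, str] = field(default_factory=dict)      # SG_ID -> SG_ROLE


@dataclass
class AuthRequest:
    """Access authentication information entered by the device accessor (S1301)."""
    user_id: str
    mg_id: str
    dev_id: str
    sg_id: str
    password: str


@dataclass
class AuthResult:
    ok: bool
    step: str                   # the step at which the decision was made
    role: Optional[str] = None  # SG_ROLE granted on success


class IdentityAuthSystem:
    """Identity authentication system (300'): progressive checks, earliest failure refuses."""

    def __init__(self, policy: PolicyControl, store: DataStore):
        self.policy, self.store = policy, store

    def set_password(self, user_id: str, password: str) -> bool:
        """Self-management path (S1411): reject a new password that violates the policy."""
        if not self.policy.meets_policy(password):
            return False
        salt = secrets.token_bytes(16)
        self.store.passwords[user_id] = (salt, self.policy.convert_password(password, salt))
        return True

    def authenticate(self, req: AuthRequest) -> AuthResult:
        # S1302: USER_ID lookup; an unknown user is refused before any later step runs
        user = self.store.users.get(req.user_id)
        if user is None:
            return AuthResult(False, "USER_ID")
        # S1303/S1304: MG authentication, skipped entirely when the MG switch is closed
        if self.policy.mg_auth_enabled:
            devices = self.store.mg_dev.get(req.mg_id)
            if (devices is None or req.mg_id not in user["MG"]
                    or req.dev_id not in devices):
                return AuthResult(False, "MG")
        # S1305: password check against the password definition table (constant-time compare)
        rec = self.store.passwords.get(req.user_id)
        if rec is None:
            return AuthResult(False, "PASSWORD")
        salt, stored = rec
        if not hmac.compare_digest(stored, self.policy.convert_password(req.password, salt)):
            return AuthResult(False, "PASSWORD")
        # S1306/S1307: service authorization; a closed switch grants all services of the device
        if not self.policy.sg_auth_enabled:
            return AuthResult(True, "SG", role="ALL")
        if req.sg_id not in user["SG"] or req.sg_id not in self.store.sg_role:
            return AuthResult(False, "SG")
        return AuthResult(True, "SG", role=self.store.sg_role[req.sg_id])


def build_demo() -> IdentityAuthSystem:
    """Constructed sample data: one user, one machine group of two devices, one service group."""
    store = DataStore(
        users={"alice": {"MG": {"MG1"}, "SG": {"SG1"}}},
        mg_dev={"MG1": {"srv01", "srv02"}},
        sg_role={"SG1": "ROLE_READ"},
    )
    ias = IdentityAuthSystem(PolicyControl(), store)
    if not ias.set_password("alice", "Correct1Horse"):
        raise ValueError("sample password rejected by policy")
    return ias
```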
Before the progressive security authentication flow of Fig. 13 is executed, the policy control device 100 needs to set the user authentication policy so that the progressive security authentication flow can proceed.
As shown in Fig. 14, an embodiment of the invention provides a policy setting method, which comprises:
Step S1401: the main processing unit 101 of the policy control device 100 receives the service request information entered by the user, parses the request message, extracts the specific control entries and executes step S1402.
Step S1402: the main processing unit 101 judges from the request information whether it is a self-management request; if so, step S1409 is executed; otherwise step S1403 is executed.
Step S1403: the main processing unit 101 judges the content of the request information: if it adjusts an authentication unit switch, step S1404 is executed; if it adjusts the password algorithm, step S1405 is executed; if it adjusts user information, step S1406 is executed; if it adjusts machine group information, step S1407 is executed; if it adjusts service group information, step S1408 is executed.
Step S1404: the authentication switch configuration unit 102 parses the authentication unit and the switch flag to be adjusted from the request data, modifies the switch flag of the MG authentication function or the service authorization function, and executes step S1412.
Step S1405: the password policy configuration unit 103 adjusts security control policies such as the complexity requirement for user access passwords, the random password generation algorithm and the password encryption algorithm, stores them, and executes step S1412.
Step S1406: the authentication data adjustment unit 104 accesses the user definition table 201′ of the data storage device 200 and, according to the specific instruction of the service request, adds, deletes or modifies the information of the corresponding user and stores it, for example adjusting a user from being able to access MG1 to being able to access MG2; step S1412 is executed.
Step S1407: the authentication data adjustment unit 104 accesses the MG definition table 202′ of the data storage device 200 and, according to the specific instruction of the service request, adds, deletes or modifies the corresponding device information and stores it, for example deleting a few computer devices from an existing MG group or adding several computer devices; step S1412 is executed.
Step S1408: the authentication data adjustment unit 104 accesses the SG definition table 204′ of the data storage device 200 and, according to the specific instruction of the service request, adds, deletes or modifies the corresponding service group information and stores it, for example adjusting an authority from SG1 to SG2; step S1412 is executed.
Step S1409: the main processing unit 101 judges the content of the self-management request data: if it modifies personal information, processing goes to step S1410; if it modifies the password, processing goes to step S1411.
Step S1410: the authentication data adjustment unit 104 accesses the user definition table 201′ of the data storage device 200 and, according to the specific instruction of the service request, modifies personal information such as the e-mail address and telephone number; adding users is generally not allowed, nor is modifying information such as MG_ID and SG_ID. The information is stored and processing proceeds to step S1412.
Step S1411: the authentication data adjustment unit 103 parses the new password entered by the user and calls the password policy configuration unit 102 to check whether the entered password meets the policy requirements. If it does, password conversion information is generated and stored in the password definition table 203′ of the data storage device 200; if it does not, the user's password modification request is refused. Step S1412 is executed.
Step S1412: the process ends.
In another embodiment, the invention also provides an application server access system in an intranet, which comprises an application server 500, a database server 200, a server access terminal 400 and a policy control server 100. The difference from the embodiment of Fig. 1 is that the identity authentication system 200 is contained in each application server. The identity authentication system 200 is connected to the server access terminal through the intranet.
When the access authentication method of the embodiment of the invention is implemented, the identity authentication system 300 needs to be installed on every computer device in the computer device cluster environment. The identity authentication system 300 takes over the original user authority management function of the computer device's operating system, and all access requests from device accessors are accepted uniformly by the identity authentication system 300. The identity authentication system 300 communicates with the computer device's operating system through system calls; the interaction process among the identity authentication system 300, the policy control device 100 and the data storage device 200 is shown in Fig. 15. Fig. 15 takes the case in which the identity authentication system 200 is contained in each application server (computer device 1, computer device 2, ..., computer device n) as an example; this is not intended to limit the invention.
The identity authentication system 300 is responsible for parsing the computer device visitor's access authentication information, and the user information retrieval unit 301′ judges whether this user exists. If it is determined that the user does not exist, the visitor is directly denied entry to the computer device and the identity authentication request ends. If the user information retrieval unit determines that the user exists, the access authentication information is sent to the MG authentication unit 302′.
The MG authentication unit 302′ queries the policy control device 100 as to whether the MG authentication switch is open. If the MG authentication switch is not open, the access authentication information is sent to the password authentication unit 303′; otherwise the MG authentication unit judges whether the computer device belongs to an MG that this user may access. If it does not, the visitor is directly denied entry to the computer device and the identity authentication request ends; if it does, the authentication information is sent to the password authentication unit 303′.
The password authentication unit 303′ parses the password information in the user authentication information, consults the password policy of the policy control device 100, and queries the password definition table to perform password authentication. If password authentication fails, the visitor is directly denied entry to the computer device and the identity authentication request ends. Otherwise the user authentication request is sent to the service authorization unit 304′, which extracts the subset of service operation processing authorities, grants it to the user and allows the user to enter the computer device; the progressive authentication process then ends.
The policy control device 100 mainly processes the user's policy control requests and completes the modification of authentication policies and management data according to the request content. During the progressive user identity authentication process, each processing unit of the identity authentication system 300 takes the corresponding authentication step according to the specific content of the user authentication information and the policy control information set by the policy control device 100.
Beneficial technical effects of the embodiments of the invention:
The invention introduces the machine group MG and the service group SG, which are associated with enterprise operation and services, and adopts a new method of authenticating user identity based on a two-dimensional grouped authority space. This breaks through the limitation of traditionally relying on operating-system user groups: the enterprise can flexibly define the number and granularity of machine groups and service groups according to its own needs, and can thereby achieve a more fine-grained authority management function.
The invention adopts a step-by-step progressive authentication method; each step can use a different authentication method, the authentication units are parameterizable and configurable, and so on, which effectively overcomes the limitation of the one-time authentication commonly adopted in the prior art.
The invention adopts a step-by-step progressive authentication method in which the difficulty and complexity of authentication increase progressively from step to step. Failure at an earlier step leads directly to refusal, which reduces the number of invocations of subsequent authentication procedures and of complex password authentication algorithms, and greatly improves authentication efficiency and precision.
Through the centralized management of the authentication and authorization policy control component, the invention stores key authentication information centrally and does not need to maintain it separately on every computer device. This can significantly reduce maintenance workload, improve work efficiency and ensure the consistency of authentication information across the computer cluster environment of the enterprise.
The specific embodiments described above further explain the object, technical solution and beneficial effects of the invention. It should be understood that the above are merely specific embodiments of the invention and are not intended to limit its scope of protection; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. An application server access system in an intranet, characterized in that the system comprises: an application server, a database server, a server access terminal, an identity authentication system and a policy control server;
the database server, the identity authentication system and the policy control server are interconnected through the intranet, the identity authentication system is connected to the server access terminal through the intranet, and the identity authentication system is connected to the application server; wherein,
the database server comprises:
a user ID storage device for storing user IDs;
a server group identifier storage device for storing server group identifiers;
a user password storage device for storing user passwords; and
a service group identifier storage device for storing service group identifiers;
the server access terminal comprises:
a request information input device for entering application server access request information comprising a user ID, a user password, a server group identifier, an application server identifier and a service group identifier; and
an application server access device for accessing the application server;
the identity authentication system comprises:
an information receiving device for receiving the access request information sent by the server access terminal;
a user ID authentication device for sending the user ID in the access request information to the database server for authentication;
an application server switch query information generating device for generating server group authentication switch query state information according to the user identification information fed back by the database server;
an application server switch query information sending device for sending the application server switch state query information to the policy control server;
a server group authentication device for sending the server group identifier in the access request information to the database server for authentication according to the server group authentication switch open information fed back by the policy control server;
an information conversion request device for sending the user password in the access request information to the policy control server for password information conversion according to the server group information fed back by the database server;
a password authentication device for sending the password conversion information fed back by the policy control server to the database server for authentication;
a service switch state query information generating device for generating service group authentication switch state query information according to the user password information fed back by the database server;
a service switch state query information sending device for sending the service switch state query information to the policy control server;
a service group identifier authentication device for sending the service group identifier in the access request information to the database server for authentication according to the service group authentication switch open information fed back by the policy control server; and
an authority information sending device for sending application server access authority information to the server access terminal according to the service group authentication success information returned by the database server;
the policy control server comprises:
a switch state feedback device for feeding back the application server group authentication switch state and the service group authentication switch state, respectively, according to the server group authentication switch state information and the service group authentication switch state information sent by the identity authentication system;
a conversion device for performing information conversion on the user password sent by the identity authentication system; and
a password sending device for sending the converted user password to the identity authentication system.
2. The system of claim 1, characterized in that the identity authentication system further comprises:
an information extraction device for extracting the user ID, user password, server group identifier, application server identifier and service group identifier from the application server access request information.
3. The system of claim 1, characterized in that the application server access request information further comprises an application server identifier.
4. The system of claim 3, characterized in that the server group identifier storage device is further used for storing the application server identifier corresponding to the server group identifier.
5. The system of claim 4, characterized in that the server group authentication device is further used for sending the application server identifier in the access request information to the database server for authentication.
6. The system of claim 1, characterized in that the policy control server further comprises:
a switch state setting device for setting the server group authentication switch state and the service group authentication switch state of the identity authentication system.
7. The system of claim 1, characterized in that the policy control server further comprises:
an information modification device for modifying the information in the database server.
8. The system of claim 1, characterized in that, when the server group authentication switch is in the closed state, the identity authentication system skips the server group identifier authentication device and sends the service group identifier in the access request information directly to the database server for authentication.
9. The system of claim 1, characterized in that, when the service group authentication switch is in the closed state, the user is allowed to access all services in the application server authenticated by the server group identifier authentication device.
10. An application server access system in an intranet, characterized in that the system comprises: an application server, a database server, a server access terminal and a policy control server;
The database server and the policy control server are interconnected through the intranet; wherein,
The database server comprises:
User identifier storage device: for storing user identifiers;
Server group identifier storage device: for storing server group identifiers;
User password storage device: for storing user passwords; and
Business group identifier storage device: for storing business group identifiers;
The server access terminal comprises:
Request information input device: for inputting application server access request information comprising the user identifier, user password, server group identifier, application server identifier and business group identifier; and
Application server access device: for accessing the application server;
The application server comprises an identity authentication device, which is connected with the server access terminal through the intranet, and the identity authentication device comprises:
Information receiving device: for receiving the access request information sent by the server access terminal;
User identifier authentication device: for sending the user identifier in the access request information to the database server for authentication;
Application server switch query information generating device: for generating server group authentication switch query state information according to the user identifier information fed back by the database server;
Application server switch query information sending device: for sending the application server switch state query information to the policy control server;
Server group authentication device: for sending the server group identifier in the access request information to the database server for authentication, according to the server-group-authentication-switch-open information fed back by the policy control server;
Information conversion request device: for sending the user password in the access request information to the policy control server for password information conversion, according to the server group information fed back by the database server;
Password authentication device: for sending the password conversion information fed back by the policy control server to the database server for authentication;
Business switch state query information generating device: for generating business group authentication switch state query information according to the user password information fed back by the database server;
Business switch state query information sending device: for sending the business switch state query information to the policy control server;
Business group identifier authentication device: for sending the business group identifier in the access request information to the database server for authentication, according to the business-group-authentication-switch-open information fed back by the policy control server; and
Authority information sending device: for sending application server access authority information to the server access terminal according to the business group authentication success information returned by the database server;
The policy control server comprises:
Switch state feedback device: for feeding back the server group authentication switch state and the business group authentication switch state, respectively, according to the server group authentication switch state query information and the business group authentication switch state query information sent by the identity authentication device;
Conversion device: for performing information conversion on the user password sent by the identity authentication device; and
Password sending device: for sending the converted user password to the identity authentication device.
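The stepwise flow of claim 10, with the two policy switches of claims 8 and 9, can be made concrete in a small simulation. The following is an added illustration written for this page, not code from the patent or its assignee. It assumes three things the claims leave open: that the "information conversion" of the password is a keyed hash so the database server never stores the clear-text password, that the password step still runs when the server group switch is off, and that the sample users, groups and identifiers (all constructed) are the only data in the database server.

```python
"""Added illustration of the step-by-step authentication in claim 10.
Every identifier, key and credential below is constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class DatabaseServer:
    """Holds the four stores of claim 10 plus the group mappings of claims 4 and 9."""
    user_ids: Set[str]
    server_groups: Dict[str, Set[str]]          # server group id -> application server ids
    passwords: Dict[str, str]                   # user id -> converted (hashed) password
    business_groups: Dict[str, Set[str]]        # application server id -> business group ids
    user_business_groups: Dict[str, Set[str]]   # user id -> business group ids the user may use

    def authenticate_user_id(self, user_id: str) -> bool:
        return user_id in self.user_ids

    def authenticate_server_group(self, group_id: str, app_server_id: str) -> bool:
        # Claims 4/5: the application server identifier must belong to the named group.
        return app_server_id in self.server_groups.get(group_id, set())

    def authenticate_password(self, user_id: str, converted: str) -> bool:
        # Constant-time comparison of the converted password against the stored value.
        return hmac.compare_digest(self.passwords.get(user_id, ""), converted)

    def authenticate_business_group(self, user_id: str, app_server_id: str, bg: str) -> bool:
        return (bg in self.business_groups.get(app_server_id, set())
                and bg in self.user_business_groups.get(user_id, set()))


@dataclass
class PolicyControlServer:
    """Feeds back the two switch states (claim 6) and converts passwords (conversion device)."""
    server_group_switch: bool = True
    business_group_switch: bool = True
    conversion_key: bytes = b"constructed-example-key"   # assumption: keyed hash conversion

    def convert_password(self, user_id: str, password: str) -> str:
        msg = f"{user_id}:{password}".encode()
        return hmac.new(self.conversion_key, msg, hashlib.sha256).hexdigest()


@dataclass
class AccessDecision:
    granted: bool
    failed_step: Optional[str] = None
    business_groups: Set[str] = field(default_factory=set)


def authenticate(request: dict, db: DatabaseServer, policy: PolicyControlServer) -> AccessDecision:
    """Identity authentication device: each step runs only if the previous one passed."""
    uid, pwd = request["user_id"], request["password"]
    sg, app, bg = request["server_group_id"], request["app_server_id"], request["business_group_id"]

    if not db.authenticate_user_id(uid):                       # step 1: user identifier
        return AccessDecision(False, "user_id")
    if policy.server_group_switch:                             # step 2: query switch, claim 8 skips when off
        if not db.authenticate_server_group(sg, app):
            return AccessDecision(False, "server_group")
    converted = policy.convert_password(uid, pwd)              # step 3: conversion request
    if not db.authenticate_password(uid, converted):           # step 4: password authentication
        return AccessDecision(False, "password")
    if policy.business_group_switch:                           # step 5: query switch, claim 9 when off
        if not db.authenticate_business_group(uid, app, bg):
            return AccessDecision(False, "business_group")
        allowed = {bg}
    else:
        allowed = set(db.business_groups.get(app, set()))      # all businesses on the authenticated server
    return AccessDecision(True, None, allowed)                 # authority information sent to terminal


def build_demo():
    """Constructed sample data; returns (database server, policy control server)."""
    policy = PolicyControlServer()
    db = DatabaseServer(
        user_ids={"alice", "bob"},
        server_groups={"SG-TRADE": {"APP-01", "APP-02"}, "SG-HR": {"APP-09"}},
        passwords={"alice": policy.convert_password("alice", "correct horse"),
                   "bob": policy.convert_password("bob", "hunter2")},
        business_groups={"APP-01": {"BG-PAY", "BG-QUERY"}, "APP-02": {"BG-REPORT"}},
        user_business_groups={"alice": {"BG-PAY"}, "bob": {"BG-QUERY"}},
    )
    return db, policy


def demo_request(**overrides) -> dict:
    """A constructed access request from the server access terminal, with optional field overrides."""
    req = dict(user_id="alice", password="correct horse", server_group_id="SG-TRADE",
               app_server_id="APP-01", business_group_id="BG-PAY")
    req.update(overrides)
    return req


if __name__ == "__main__":
    db, policy = build_demo()
    print(authenticate(demo_request(), db, policy))
    policy.business_group_switch = False
    print(authenticate(demo_request(), db, policy))
```

The `failed_step` field is kept so a reader can see which stage of the progressive check rejected a request; a deployed authentication device would log that detail internally and return one uniform failure to the terminal, so the response does not reveal which of the identifiers was valid.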
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010101764989A CN101827110B (en) 2010-05-13 2010-05-13 Application server access system in intranet

Publications (2)

Publication Number Publication Date
CN101827110A CN101827110A (en) 2010-09-08
CN101827110B true CN101827110B (en) 2012-09-26

Family

ID=42690810

Country Status (1)

Country Link
CN (1) CN101827110B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103036858B (en) * 2011-10-09 2018-10-26 南京中兴软件有限责任公司 System, implementation method, ACF and the PAG of user Internet access
CN103051598B (en) * 2011-10-17 2017-04-26 中兴通讯股份有限公司 Method, user equipment and packet access gateway for secure access to Internet services
CN103179126A (en) * 2013-03-26 2013-06-26 山东中创软件商用中间件股份有限公司 Access control method and device
US9887978B2 (en) * 2015-06-23 2018-02-06 Veritas Technologies Llc System and method for centralized configuration and authentication
CN109872119A (en) * 2019-01-17 2019-06-11 平安科技(深圳)有限公司 Project information management method, apparatus, computer equipment and storage medium

Citations (2)

Publication number Priority date Publication date Assignee Title
CN101064717A (en) * 2006-04-26 2007-10-31 北京华科广通信息技术有限公司 Safety protection system of information system or equipment and its working method
CN101170409A (en) * 2006-10-24 2008-04-30 华为技术有限公司 Method, system, service device and certification server for realizing device access control

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
JP2005056207A (en) * 2003-08-05 2005-03-03 Sanyo Electric Co Ltd Network system, home equipment control server and intermediation server

Also Published As

Publication number Publication date
CN101827110A (en) 2010-09-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant