CN107862198A - Access verification method, system and client - Google Patents

Access verification method, system and client

Info

Publication number
CN107862198A
Application number
CN201711144444.2A
Authority
CN (China)
Prior art keywords
system end, user, application system, authentication token, access request
Legal status
Pending
Other languages
Chinese (zh)
Inventors
刘宝祥, 王为选, 房爱印, 王勇强
Current assignee
Inspur Software Co Ltd
Original assignee
Inspur Software Co Ltd
Application filed by Inspur Software Co Ltd; priority to CN201711144444.2A; published as CN107862198A (legal status: pending)

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30: Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31: User authentication
    • G06F 21/41: User authentication where a single sign-on provides access to a plurality of computers
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/321: ... involving a third party or a trusted authority
    • H04L 9/3213: ... using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides an access verification method, system and client. The method includes: receiving an access request from a user to access any one application system, the application system having been registered with the authentication system; when the access request needs to be intercepted, judging whether the user has logged in at the application system; if so, sending the access request to the application system; if not, obtaining the authentication token corresponding to the user from the authentication system, sending the authentication token to the application system so that the user is logged in at the application system, and then sending the access request to the application system. This scheme can improve the user's experience.

Description

Access verification method, system and client
Technical field
The present invention relates to the field of computer technology, and in particular to an access verification method, system and client.
Background
With the continuous development of computer technology, computers are widely used in every aspect of life and production; using computers makes life more convenient and production more efficient. To make office work easier, enterprises and institutions develop various application systems that run on computers and use them to complete data processing, workflow circulation, form generation and other operations. To ensure the security of data resources, a user must log in when accessing an application system; only a user who has logged in successfully can access the application system normally.
At present, when a user accesses an application system, the user has to enter a login account and a login password to log in; only after the application system has verified them can the user access the application system.
With this way of accessing application systems, a user who frequently switches between multiple application systems has to enter the login account and login password for each application system separately in order to log in to each of them. Because the number of application systems is large, entering the login account and password of each application system separately costs the user considerable effort and time, which makes the user's experience poor.
Summary of the invention
Embodiments of the invention provide an access verification method, system and client that can improve the user's experience.
In a first aspect, an embodiment of the invention provides an access verification method applied to a client, including:
receiving an access request from a user to access any one application system, where the application system is registered with the authentication system;
when the access request needs to be intercepted, judging whether the user has logged in at the application system;
if so, sending the access request to the application system;
if not, obtaining the authentication token corresponding to the user from the authentication system, sending the authentication token to the application system so that the user logs in at the application system, and sending the access request to the application system.
Optionally,
after receiving the access request from the user to access any one application system, the method further includes:
determining, according to the access request, the resource to be accessed that the user needs to access, where the resource to be accessed is stored at the application system;
judging whether the resource to be accessed is recorded in a pre-created whitelist, where the whitelist records at least one data resource;
if so, determining that the access request does not need to be intercepted and sending the access request to the application system;
if not, determining that the access request needs to be intercepted and performing the step of judging whether the user has logged in at the application system.
Optionally,
judging whether the user has logged in at the application system includes:
detecting whether the application system stores the authentication token corresponding to the user and whether that authentication token is valid;
if so, determining that the user has logged in at the application system;
if not, determining that the user has not logged in at the application system.
Optionally,
obtaining the authentication token corresponding to the user from the authentication system includes:
judging whether the user has logged in at the authentication system;
if so, obtaining the authentication token corresponding to the user that is stored by the authentication system, where the authentication token was generated and stored by the authentication system when the user previously logged in at the authentication system;
if not, sending the login information entered by the user to the authentication system, and obtaining the authentication token generated by the authentication system according to that login information.
In a second aspect, an embodiment of the invention further provides a client, including a receiving unit, a judging unit and a processing unit;
the receiving unit is configured to receive an access request from a user to access any one application system, where the application system is registered with the authentication system;
the judging unit is configured to judge, when the access request received by the receiving unit needs to be intercepted, whether the user has logged in at the application system;
the processing unit is configured to act on the judgement result of the judging unit: if the user has logged in, send the access request to the application system; otherwise obtain the authentication token corresponding to the user from the authentication system, send the authentication token to the application system so that the user is logged in at the application system, and send the access request to the application system.
Optionally,
the judging unit is further configured to determine, according to the access request, the resource to be accessed that the user needs to access, and to judge whether the resource to be accessed is recorded in a pre-created whitelist; if so, it determines that the access request does not need to be intercepted and sends the access request to the application system, otherwise it determines that the access request needs to be intercepted and performs the judging of whether the user has logged in at the application system.
Optionally,
the judging unit is configured to detect whether the application system stores the authentication token corresponding to the user and whether that authentication token is valid; if so, it determines that the user has logged in at the application system, otherwise it determines that the user has not logged in at the application system.
Optionally,
the processing unit is configured to judge whether the user has logged in at the authentication system; if so, it obtains the authentication token corresponding to the user that is stored by the authentication system, where the authentication token was generated and stored by the authentication system when the user previously logged in at the authentication system; otherwise it sends the login information entered by the user to the authentication system and obtains the authentication token generated by the authentication system according to that login information.
In a third aspect, an embodiment of the invention further provides an access verification system, including an authentication system, at least one application system and at least one client as provided in any embodiment of the second aspect;
each application system is registered with the authentication system;
each application system is configured to receive access requests sent by the client;
the authentication system is configured to send the client, according to the client's request, the authentication token of the user corresponding to that client.
Optionally,
the authentication system includes a first identity authentication unit;
each application system includes an application session management unit;
the first identity authentication unit is configured to generate and store, according to the login information sent by any one client, the authentication token of the user corresponding to that client, and to invalidate the authentication token when the duration for which the user has not accessed any application system exceeds a preset session expiry period;
the application session management unit is configured to receive the authentication tokens sent by each client and, for each authentication token, periodically send an authentication request to the first identity authentication unit; if the authentication token has expired, it further determines whether the authentication token stored by the first identity authentication unit has expired, and if the token stored by the first identity authentication unit has not expired, it re-obtains the authentication token from the first identity authentication unit by a simulated login.
Optionally,
the authentication system includes a load balancer, an authentication session management unit and at least two second identity authentication units;
the load balancer is connected to each second identity authentication unit;
the authentication session management unit is connected to each second identity authentication unit;
the load balancer is configured to receive the login information sent by each client and distribute it to a second identity authentication unit with lower load, and to receive the authentication requests from each application system and distribute them to a second identity authentication unit with lower load;
each second identity authentication unit is configured to form the authentication token of the corresponding user from the received login information and store that authentication token in the authentication session management unit, and, according to a received authentication request, to obtain the corresponding authentication token from the authentication session management unit and send it to the corresponding application system.
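The shared-session layout just listed (a load balancer in front of several second identity authentication units that all read and write one authentication session management unit) is modelled below as an added example; it is not the patent's own code. The unit names, the "requests in flight" load metric, the sample accounts and the random opaque token format are assumptions made for the demonstration. The point it shows is why the shared store matters: a token formed by one unit can be resolved by any other unit the balancer happens to pick.

```python
# Added example (not the patent's own code): shared-session layout of the
# authentication system side. Names, load metric and accounts are assumptions.
import secrets

CREDENTIALS = {"alice": "pw-alice", "bob": "pw-bob"}   # constructed sample accounts


class AuthSessionManager:
    """Authentication session management unit: the single token store shared
    by every second identity authentication unit."""

    def __init__(self):
        self._tokens = {}                    # user -> token

    def store(self, user, token):
        self._tokens[user] = token

    def lookup(self, user):
        return self._tokens.get(user)


class IdentityAuthUnit:
    """Second identity authentication unit: forms tokens from login information
    and answers authentication requests coming from application systems."""

    def __init__(self, name, sessions, credentials):
        self.name = name
        self.sessions = sessions
        self._credentials = credentials
        self.in_flight = 0                   # load metric read by the balancer (assumption)
        self.handled = []                    # audit trail of what this unit did

    def login(self, login_info):
        account = login_info["account"]
        if self._credentials.get(account) != login_info["password"]:
            raise PermissionError("login information rejected")
        self.handled.append(("login", account))
        token = secrets.token_urlsafe(16)    # opaque random token, nothing secret inside
        self.sessions.store(account, token)  # stored centrally, not in this unit
        return token

    def authenticate(self, request):
        self.handled.append(("auth", request["user"]))
        return self.sessions.lookup(request["user"])   # any unit can resolve it


class LoadBalancer:
    """Hands each login and authentication request to the unit with the
    fewest requests currently in flight."""

    def __init__(self, units):
        self.units = list(units)

    def begin(self, kind, payload):
        unit = min(self.units, key=lambda u: u.in_flight)
        unit.in_flight += 1
        result = unit.login(payload) if kind == "login" else unit.authenticate(payload)
        return unit, result

    @staticmethod
    def finish(unit):
        unit.in_flight -= 1


def run_demo():
    sessions = AuthSessionManager()
    units = [IdentityAuthUnit("auth-1", sessions, CREDENTIALS),
             IdentityAuthUnit("auth-2", sessions, CREDENTIALS)]
    lb = LoadBalancer(units)

    # two clients log in concurrently: the second request lands on the other unit
    u_alice, _ = lb.begin("login", {"account": "alice", "password": "pw-alice"})
    u_bob, bob_token = lb.begin("login", {"account": "bob", "password": "pw-bob"})
    lb.finish(u_alice)
    lb.finish(u_bob)

    # an application system later asks for bob's token; the balancer picks the
    # least-loaded unit, which is not the one that logged bob in
    u_check, token_seen = lb.begin("auth", {"user": "bob", "app": "erp"})
    lb.finish(u_check)
    return {
        "login_units": [u_alice.name, u_bob.name],
        "auth_unit": u_check.name,
        "token_matches": token_seen == bob_token,
        "loads_after": [u.in_flight for u in units],
    }


if __name__ == "__main__":
    print(run_demo())
```

Because every unit is stateless apart from the shared store, adding a third unit behind the balancer needs no token migration; the trade-off is that the authentication session management unit becomes the component whose integrity and availability the whole login path depends on.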
With the access verification method, system and client provided by the embodiments of the invention, when the client receives an access request from a user to access an application system and determines that the access request needs to be intercepted, it judges whether the user has already logged in at the application system to be accessed. If so, the received access request is sent to that application system; if not, the authentication token corresponding to the user is obtained from the authentication system and sent to the application system to be accessed so that the user is logged in there, and after the login is completed the access request is sent to that application system. Since each application system is registered with the authentication system, the user only needs to log in at the authentication system; whenever the user needs to access an application system connected to the authentication system, the authentication token obtained from the authentication system completes the login at that application system, without the user entering the login account and login password of each application system separately, which improves the user's experience.
Brief description of the drawings
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings required in the description of the embodiments or the prior art are introduced briefly below. Obviously, the drawings described below show only some embodiments of the invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of an access verification method provided by an embodiment of the invention;
Fig. 2 is a schematic diagram of the device in which a client provided by an embodiment of the invention is located;
Fig. 3 is a schematic diagram of a client provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of an access verification system provided by an embodiment of the invention;
Fig. 5 is a schematic diagram of another access verification system provided by an embodiment of the invention;
Fig. 6 is a schematic diagram of yet another access verification system provided by an embodiment of the invention;
Fig. 7 is a flow chart of another access verification method provided by an embodiment of the invention.
Embodiments
To make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the invention without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides an access verification method applied to a client; the method may include the following steps:
Step 101: receive an access request from a user to access any one application system, where the application system is registered with the authentication system;
Step 102: when the access request needs to be intercepted, judge whether the user has logged in at the application system; if so, perform step 103, otherwise perform step 104;
Step 103: send the access request to the application system and end the current process;
Step 104: obtain the authentication token corresponding to the user from the authentication system, send the authentication token to the application system so that the user logs in at the application system, and perform step 103.
The access verification method provided by this embodiment receives an access request from a user to access an application system and, when it determines that the access request needs to be intercepted, judges whether the user has already logged in at the application system to be accessed. If so, the received access request is sent to that application system; if not, the authentication token corresponding to the user is obtained from the authentication system and sent to the application system to be accessed so that the user logs in there, and after the login is completed the access request is sent to that application system. Since each application system is registered with the authentication system, the user only needs to log in at the authentication system; whenever the user needs to access an application system connected to the authentication system, the authentication token obtained from the authentication system completes the login at that application system, without the user entering the login account and login password of each application system separately, which improves the user's experience.
Optionally, as shown in Fig. 1, after the access request is received in step 101 it is necessary to determine whether the received access request needs to be intercepted. The detailed process is as follows:
determine, according to the access request, the resource to be accessed that the user needs to access, where the resource to be accessed is stored at the application system the user wants to access;
judge whether the resource to be accessed is recorded in a pre-created whitelist, where the whitelist records one or more data resources;
if so, determine that the received access request does not need to be intercepted, and send the access request directly to the application system the user wants to access;
if not, determine that the received access request needs to be intercepted, and perform step 102.
By creating a whitelist, data resources that do not need to be kept confidential or have a low degree of privacy are recorded in the whitelist, and when a user accesses a data resource recorded in the whitelist there is no need to authenticate the user's identity. Therefore, after an access request sent by a user is received, if the data resource the user wants to access is recorded in the whitelist, the user's identity is not authenticated and the access request is sent directly to the application system, which shows the user the data resource to be accessed; if the data resource the user wants to access is not recorded in the whitelist, the data resource has a higher confidentiality requirement and the user's identity needs to be verified.
With a whitelist in place, the user's identity need not be authenticated when the user accesses any data resource recorded in the whitelist. On the one hand this keeps access to public resources convenient for the user, and on the other hand it reduces the computation load of the authentication system, which lowers the hardware requirements of the authentication system.
Optionally, as shown in Fig. 1, when step 102 judges whether the user has logged in at the application system, it first detects whether the application system to be accessed stores an authentication token that corresponds to the user and is valid; if so, it determines that the user has logged in at the application system to be accessed, otherwise it determines that the user has not logged in at the application system to be accessed.
After the user has logged in at the authentication system, the authentication system can form an authentication token corresponding to the user's identity, and the application system can store that authentication token. When the user accesses an application system, if the application system stores the authentication token corresponding to the user and that authentication token is valid, the authentication token can authenticate the user's identity, and the user's access request is handled on the basis that the user has logged in at the application system; if the application system does not store the authentication token corresponding to the user, or the stored authentication token corresponding to the user has expired, the user's identity cannot be authenticated, and the user's access request is handled on the basis that the user has not logged in at the application system.
Of course, the above method of judging whether the user has logged in at the application system applies where the application system is able to store authentication tokens. If the application system has no function for storing authentication tokens, another method is needed to judge whether the user has logged in at the application system. For example, judge whether the duration from the time the application system to be accessed last received the authentication token corresponding to the same user until the current time exceeds a preset login-free duration; if so, judge that the user has not logged in at the application system to be accessed, otherwise judge that the user has logged in at the application system to be accessed.
Optionally, as shown in Fig. 1, when step 104 obtains the authentication token corresponding to the user from the authentication system, it judges whether the user has logged in at the authentication system; if so, it directly obtains the authentication token corresponding to the user that is stored by the authentication system; otherwise it sends the login information entered by the user to the authentication system so that the user logs in at the authentication system, and obtains the authentication token generated by the authentication system according to the login information.
After the user has logged in at the authentication system, the authentication system can form the corresponding authentication token according to the user's identity information and store the formed authentication token for a predetermined duration. While the authentication token is stored it is in a valid state, and the user is taken to be logged in at the authentication system. To log in at an application system, the user needs to obtain the authentication token from the authentication system. If the authentication system has stored the authentication token corresponding to the user, that is, the user has logged in at the authentication system, the authentication token stored by the authentication system is obtained directly; if the authentication system has not stored an authentication token corresponding to the user, the user has not logged in at the authentication system, so the user is prompted to enter login information, the login information is sent to the authentication system, the authentication system generates the authentication token corresponding to the user according to the login information and stores the generated authentication token for the predetermined duration, and the newly generated authentication token is then obtained from the authentication system.
After each application system has registered with the authentication system, once the user has logged in at the authentication system the authentication system can form the authentication token corresponding to the user; after the authentication token is sent to an application system, the application system can complete the user's login according to the information carried by the authentication token and allow the user to access it. In this way, after logging in at the authentication system once, the user can access every application system without entering login information again, which improves the user's experience.
It should be noted that in the above embodiments the login information may include the user's login account and login password, and the authentication token may carry standard user information, the name of the application system being accessed, the user name at the application system being accessed, the user password at the application system being accessed, the cookie for accessing the application system, and so on.
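The complete client-side flow, covering steps 101 to 104, the optional whitelist check and the "token stored and still valid" login test described in the first aspect and in the embodiment above, is worked through below as an added example; it is not the patent's own code. The class and method names, the token lifetime, the sample accounts and resources, and the choice to have an application system confirm a token with the authentication system before accepting it are all assumptions made for the demonstration. The token is an opaque random string rather than a structure carrying the user's credentials, which is one way to implement the token the text describes without exposing the login password to each application system.

```python
# Added example (not the patent's own code): client-side interception flow of
# steps 101-104 with whitelist and token-validity checks. Names, TTLs and
# accounts are assumptions constructed for the demo.
import secrets


class AuthSystem:
    """Authentication system side: verifies login information and keeps one
    token per user for a fixed lifetime (assumed 3600 s)."""

    def __init__(self, credentials, token_ttl=3600):
        self._credentials = credentials      # constructed sample accounts
        self._tokens = {}                    # user -> (token, expires_at)
        self.token_ttl = token_ttl
        self.registered_apps = set()

    def register(self, app_name):
        self.registered_apps.add(app_name)

    def stored_token(self, user, now):
        """Token from an earlier login at the authentication system, or None
        when the user has no unexpired token here (i.e. is not logged in)."""
        entry = self._tokens.get(user)
        return entry[0] if entry and entry[1] > now else None

    def login(self, account, password, now):
        if self._credentials.get(account) != password:
            raise PermissionError("login information rejected")
        token = secrets.token_urlsafe(16)    # opaque random token, no credentials inside
        self._tokens[account] = (token, now + self.token_ttl)
        return token


class AppSystem:
    """Application system side: one session per user, backed by a token."""

    def __init__(self, name, auth):
        self.name, self.auth = name, auth
        self._sessions = {}                  # user -> token
        self.served = []
        auth.register(name)                  # every application system registers

    def has_valid_session(self, user, now):
        token = self._sessions.get(user)
        # "stored and valid": valid means the issuer still recognises the
        # token (assumption: validity is checked back with the auth system)
        return token is not None and self.auth.stored_token(user, now) == token

    def accept_token(self, user, token, now):
        if self.auth.stored_token(user, now) != token:
            raise PermissionError("token not recognised by authentication system")
        self._sessions[user] = token         # user is now logged in here

    def serve(self, resource):
        self.served.append(resource)
        return f"{self.name}:{resource}"


class Client:
    def __init__(self, auth, whitelist, prompt_login):
        self.auth = auth
        self.whitelist = set(whitelist)      # data resources needing no authentication
        self.prompt_login = prompt_login     # callback returning (account, password)

    def access(self, user, app, resource, now):
        # step 101: request received; the whitelist decides whether to intercept
        if resource in self.whitelist:
            return app.serve(resource)
        # step 102: already logged in at this application system?
        if app.has_valid_session(user, now):
            return app.serve(resource)       # step 103
        # step 104: get the user's token from the authentication system
        token = self.auth.stored_token(user, now)
        if token is None:                    # not logged in there either: ask for login info
            account, password = self.prompt_login(user)
            token = self.auth.login(account, password, now)
        app.accept_token(user, token, now)
        return app.serve(resource)           # then step 103


def run_demo():
    now = 1_700_000_000
    auth = AuthSystem({"alice": "pw-alice"}, token_ttl=3600)
    crm, erp = AppSystem("crm", auth), AppSystem("erp", auth)
    prompts = []

    def prompt(user):
        prompts.append(user)
        return user, "pw-alice"

    client = Client(auth, whitelist={"/public/notice"}, prompt_login=prompt)
    trace = [client.access("alice", crm, "/public/notice", now)]        # whitelisted
    token_after_whitelist = auth.stored_token("alice", now)             # still None
    trace.append(client.access("alice", crm, "/orders/42", now))         # one login prompt
    trace.append(client.access("alice", erp, "/ledger", now + 10))       # token reused
    trace.append(client.access("alice", crm, "/orders/43", now + 20))    # session reused
    trace.append(client.access("alice", erp, "/ledger", now + 4000))     # token expired
    return {"trace": trace, "login_prompts": len(prompts),
            "token_after_whitelist": token_after_whitelist,
            "crm_served": list(crm.served)}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows the behaviour the text claims: the whitelisted resource is served without touching the authentication system, the user is prompted for login information exactly once for two different application systems, and a second prompt appears only once the token's lifetime at the authentication system has passed.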
As shown in Fig. 2 and Fig. 3, an embodiment of the invention provides a client. The apparatus embodiment may be implemented in software, in hardware, or in a combination of hardware and software. At the hardware level, Fig. 2 is a hardware structure diagram of the device in which the client provided by the embodiment is located; besides the processor, memory, network interface and non-volatile memory shown in Fig. 2, the device in which the apparatus is located may generally include other hardware, such as a forwarding chip responsible for processing packets. Taking software implementation as an example, as shown in Fig. 3, the apparatus in the logical sense is formed by the CPU of the device reading the corresponding computer program instructions from the non-volatile memory into memory and running them. The client provided by this embodiment includes: a receiving unit 301, a judging unit 302 and a processing unit 303;
the receiving unit 301 is configured to receive an access request from a user to access any one application system, where the application system is registered with the authentication system;
the judging unit 302 is configured to judge, when the access request received by the receiving unit 301 needs to be intercepted, whether the user has logged in at the application system;
the processing unit 303 is configured to act on the judgement result of the judging unit 302: if the user has logged in, send the access request to the application system; otherwise obtain the authentication token corresponding to the user from the authentication system, send the authentication token to the application system so that the user is logged in at the application system, and send the access request to the application system.
Optionally, on the basis of the client shown in Fig. 3, the judging unit 302 is further configured to determine, according to the access request, the resource to be accessed that the user needs to access, and to judge whether the resource to be accessed is recorded in a pre-created whitelist; if so, it determines that the access request does not need to be intercepted and sends the access request to the application system, otherwise it determines that the access request needs to be intercepted and performs the judging of whether the user has logged in at the application system.
Optionally, on the basis of the client shown in Fig. 3, the judging unit 302 is configured to detect whether the application system stores the authentication token corresponding to the user and whether that authentication token is valid; if so, it determines that the user has logged in at the application system, otherwise it determines that the user has not logged in at the application system.
Optionally, on the basis of the client shown in Fig. 3, the processing unit 303 is configured to judge whether the user has logged in at the authentication system; if so, it obtains the authentication token corresponding to the user that is stored by the authentication system, where the authentication token was generated and stored by the authentication system when the user previously logged in at the authentication system; otherwise it sends the login information entered by the user to the authentication system and obtains the authentication token generated by the authentication system according to that login information.
It should be noted that the information exchange and execution processes between the units of the above apparatus are based on the same concept as the method embodiments of the invention; for details, see the description of the method embodiments, which is not repeated here.
As shown in Fig. 4, an embodiment of the invention provides an access verification system, including an authentication system 401, at least one application system 402 and at least one client 403 as provided by any of the above embodiments;
each application system 402 is registered with the authentication system 401;
each application system 402 is configured to receive access requests sent by each client 403;
the authentication system 401 is configured to send a client 403, according to that client's request, the authentication token of the user corresponding to that client 403.
In the access verification system provided by this embodiment, when a client receives an access request from a user to access one of the application systems, the client first determines whether the user has logged in at that application system. If so, the access request is sent directly to the application system so that the user can access it; if not, the authentication token corresponding to the user is obtained from the authentication system and sent to the application system so that the user logs in there, after which the access request is sent to the application system. Each application system is registered with the authentication system, so after the user has logged in at the authentication system, whenever the user needs to access an application system the authentication token generated by the authentication system can be sent to that application system to log the user in automatically. The user does not have to enter a login account and login password by hand and is spared the tedious work of entering them repeatedly, which improves the user's experience.
Alternatively, according to the difference of user concurrent pressure, the session management at Verification System end and application system end can be adopted With independent sessions and shared session two ways, illustrated respectively below for independent sessions and shared session.
For independent sessions, as shown in FIG. 5, the verification system end 401 includes a first identity authentication unit 4011, and each application system end 402 includes an application session management unit 4021;
The first identity authentication unit 4011 is configured to generate and store, according to the login information sent by any one client 403, the authentication token corresponding to the user of that client 403, and to invalidate the generated authentication token once the interval during which the same user has not accessed any application system end 402 exceeds a preset session expiry period;
The application session management unit 4021 is configured to receive the authentication tokens sent by the clients 403 and, for each received authentication token, to periodically send an authentication request to the first identity authentication unit 4011; if the authentication token it holds has expired, to further determine whether the authentication token stored by the first identity authentication unit 4011 has expired, and, if the token stored by the first identity authentication unit 4011 has not expired, to re-obtain the authentication token through a simulated login performed by the first identity authentication unit 4011.
Specifically, after a client sends a user's login information to the first identity authentication unit, the first identity authentication unit logs the user in at the verification system end according to the received login information, generates an authentication token corresponding to that user, and stores the generated token. Each time the user subsequently accesses any application system end, the first identity authentication unit determines the interval between this access and the user's previous access to any application system end; if the interval exceeds the preset session expiry period, the user's authentication token is invalidated. After the user's authentication token has expired, the user must re-enter login information through the client in order to log in again at the verification system end, which produces a new authentication token.
When the user has logged in at the verification system end and accesses an application system end through the client, that application system end checks whether it has stored an authentication token corresponding to the user. If it has and the token is valid, it accepts the access request sent by the client and processes the user's access; if not, it obtains the user's authentication token from the first identity authentication unit, then accepts the client's access request, processes the access, and stores the obtained token. The application session management unit stores each authentication token for a limited validity period; once the storage time exceeds that period, the stored token expires automatically. After the application session management unit stores an authentication token, it periodically sends an authentication request to the first identity authentication unit in the form of a heartbeat signal. If the token stored by the application session management unit is valid, it simply continues sending these periodic heartbeat requests. If the token stored by the application session management unit has expired but the token stored by the first identity authentication unit is still valid, the first identity authentication unit sends a simulated-login signal to the application session management unit through the client and issues the authentication token to it again; the application session management unit stores the received token and resumes the periodic heartbeat authentication requests to the first identity authentication unit. Only after the authentication token stored on the first identity authentication unit has fully expired does the application session management unit delete the token it stores.
The independent-session mode suits scenarios with a low level of user concurrency, i.e., where the number of users accessing the application system ends at the same moment is small. Besides the first identity authentication unit at the verification system end, the application session management unit at each application system end also stores the authentication token, so when a user accesses an application system end through the client, the application system end does not need to fetch an authentication token from the verification system end for every access, which reduces the computational load on the verification system end.
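The independent-session behaviour described above (a token at the verification end that expires after an idle period, a shorter-lived copy at the application end, a heartbeat that re-obtains a still-valid token through a simulated login and deletes the copy once the verification end has expired it) is modelled below as an added example. This is not code from the patent; all class, method and account names are the example's own, the user table is constructed, and the clock is injected so the expiry timeline can be driven deterministically.

```python
"""Independent-session mode: first identity authentication unit (verification
end) plus one application session management unit (application end).
Added example, not code from the patent; names and sample data are constructed."""
import secrets
from typing import Callable, Dict, List, Optional, Tuple, Union


class FirstIdentityAuthUnit:
    """Verification end: one token per logged-in user, invalidated once the user
    has been idle (no access to any application end) longer than session_timeout."""

    def __init__(self, credentials: Dict[str, str], session_timeout: float,
                 clock: Callable[[], float]) -> None:
        self._creds = credentials          # constructed sample user table
        self._timeout = session_timeout
        self._clock = clock
        self._tokens: Dict[str, Tuple[str, float]] = {}   # account -> (token, last access)

    def login(self, account: str, password: str) -> Optional[str]:
        if self._creds.get(account) != password:
            return None
        token = secrets.token_urlsafe(16)
        self._tokens[account] = (token, self._clock())
        return token

    def is_valid(self, account: str) -> bool:
        entry = self._tokens.get(account)
        if entry is None:
            return False
        if self._clock() - entry[1] > self._timeout:
            del self._tokens[account]      # session expiry period exceeded: invalidate
            return False
        return True

    def token_for_access(self, account: str) -> Optional[str]:
        """Called when an application end needs the user's token for a new
        access; this counts as an access and refreshes the idle timer."""
        if not self.is_valid(account):
            return None
        token, _ = self._tokens[account]
        self._tokens[account] = (token, self._clock())
        return token

    def simulated_login(self, account: str) -> Optional[str]:
        """Re-issue a still-valid token to an application end whose own copy
        expired (the 'simulated login' of the text); the idle timer is untouched."""
        return self._tokens[account][0] if self.is_valid(account) else None


class ApplicationSessionUnit:
    """Application end cache of tokens with its own shorter validity period and
    a heartbeat that re-validates against the verification end."""

    def __init__(self, auth: FirstIdentityAuthUnit, local_ttl: float,
                 clock: Callable[[], float]) -> None:
        self._auth = auth
        self._ttl = local_ttl
        self._clock = clock
        self._cache: Dict[str, Tuple[str, float]] = {}   # account -> (token, stored at)

    def store(self, account: str, token: str) -> None:
        self._cache[account] = (token, self._clock())

    def has_valid(self, account: str) -> bool:
        entry = self._cache.get(account)
        return entry is not None and self._clock() - entry[1] <= self._ttl

    def heartbeat(self, account: str) -> str:
        """One periodic check; returns what happened to the cached token."""
        if account not in self._cache:
            return "absent"
        if self.has_valid(account):
            return "kept"
        token = self._auth.simulated_login(account)
        if token is None:                  # verification end expired it too
            del self._cache[account]
            return "deleted"
        self.store(account, token)
        return "reissued"

    def handle_access(self, account: str) -> bool:
        """Serve a request without consulting the verification end while the
        local copy is valid; otherwise fetch the token, or refuse."""
        if not self.has_valid(account):
            token = self._auth.token_for_access(account)
            if token is None:
                self._cache.pop(account, None)
                return False               # user must log in again
            self.store(account, token)
        return True


def run_scenario() -> List[Union[str, bool]]:
    """Constructed timeline: the local copy expires first, then the verification end's."""
    now = [0.0]
    clock = lambda: now[0]
    auth = FirstIdentityAuthUnit({"alice": "correct horse"}, session_timeout=100, clock=clock)
    app = ApplicationSessionUnit(auth, local_ttl=30, clock=clock)
    events: List[Union[str, bool]] = []
    events.append(auth.login("alice", "wrong password") is None)   # True: rejected
    app.store("alice", auth.login("alice", "correct horse"))
    events.append(app.heartbeat("alice"))          # t=0: local copy fresh -> "kept"
    now[0] = 40                                    # local copy stale, auth copy idle 40 < 100
    events.append(app.heartbeat("alice"))          # "reissued" via simulated login
    now[0] = 200                                   # auth copy idle 200 > 100
    events.append(app.heartbeat("alice"))          # "deleted"
    events.append(app.handle_access("alice"))      # False: must log in again
    return events
```

Running `run_scenario()` walks the token through the three heartbeat outcomes in order; the point worth noticing is that `simulated_login` deliberately does not refresh the idle timer, so an application end that keeps re-obtaining a token cannot keep a session alive at the verification end on behalf of a user who has stopped accessing anything.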
For a shared session, as shown in FIG. 6, the verification system end 401 includes: a load balancer 4012, an authentication session management unit 4013, and at least two second identity authentication units 4014;
The load balancer 4012 is connected to each second identity authentication unit 4014, and the authentication session management unit 4013 is likewise connected to each second identity authentication unit 4014;
The load balancer 4012 is configured to receive the login information sent by each client 403 and forward it to the second identity authentication unit 4014 with the lowest load, and to receive the authentication requests from each application system end 402 and distribute them to the second identity authentication unit 4014 with the lowest load;
The second identity authentication unit 4014 is configured to generate the authentication token of the corresponding user according to the received login information and store it in the authentication session management unit 4013, and, according to a received authentication request, to retrieve the corresponding authentication token from the authentication session management unit 4013 and send it to the corresponding application system end 402.
Specifically, when a user needs to log in at the verification system end, each client sends the login information entered by the user to the load balancer. The load balancer handles each piece of login information in turn and distributes it to the second identity authentication unit that currently has the lowest load. On receiving login information from the load balancer, that second identity authentication unit generates the corresponding authentication token and stores it in the authentication session management unit. When a user accesses an application system end through a client, the application system end sends an authentication request to the load balancer via that client in order to obtain the user's authentication token; the load balancer distributes the received request to the second identity authentication unit with the lowest load, which retrieves the authentication token corresponding to the user from the authentication session management unit and sends it, via the client, to the application system end the user wants to access.
The shared-session mode suits scenarios with a high level of user concurrency, i.e., where many users access the application system ends at the same moment. The verification system end contains multiple second identity authentication units, and the load balancer forwards login information and authentication requests among them, which ensures that every user's access is verified and shortens the user's waiting time. In addition, so that every second identity authentication unit can store and retrieve authentication tokens, a separate authentication session management unit is provided to store them; it may be backed by Redis, Memcache, a database, a remote JVM and the like, clustered across multiple servers so that the session is shared.
The session management mode of the verification system end and the application system ends is thus deployed according to the level of user concurrency: independent sessions when concurrency is low, a shared session when concurrency is high. The access verification system is therefore applicable both to scenarios with high user concurrency and to scenarios with low user concurrency, which improves its applicability.
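The shared-session arrangement (a load balancer routing logins and authentication requests to the least-loaded of several second identity authentication units, all of which read and write one authentication session management unit) is shown below as an added example. It is not code from the patent: the in-memory `SharedSessionStore` stands in for the Redis/Memcache/database backend the text mentions, "load" is modelled simply as the number of requests a unit has served, and the unit names and user table are constructed.

```python
"""Shared-session mode: load balancer, several stateless second identity
authentication units, one shared authentication session management unit.
Added example, not code from the patent; names and sample data are constructed."""
import secrets
from typing import Dict, List, Optional


class SharedSessionStore:
    """Authentication session management unit: the only place tokens live,
    so any authentication unit can serve any user."""
    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def put(self, account: str, token: str) -> None:
        self._tokens[account] = token

    def get(self, account: str) -> Optional[str]:
        return self._tokens.get(account)


class SecondIdentityAuthUnit:
    """Stateless worker: checks logins and answers authentication requests
    using the shared store only."""
    def __init__(self, name: str, store: SharedSessionStore, credentials: Dict[str, str]) -> None:
        self.name = name
        self.load = 0                      # requests served so far (constructed load metric)
        self._store = store
        self._creds = credentials          # constructed sample user table

    def handle_login(self, account: str, password: str) -> Optional[str]:
        self.load += 1
        if self._creds.get(account) != password:
            return None
        token = secrets.token_urlsafe(16)
        self._store.put(account, token)
        return token

    def handle_auth_request(self, account: str) -> Optional[str]:
        self.load += 1
        return self._store.get(account)


class LoadBalancer:
    """Sends each login or authentication request to the least-loaded unit."""
    def __init__(self, units: List[SecondIdentityAuthUnit]) -> None:
        self._units = units
        self.routes: List[str] = []        # which unit handled each request, in order

    def _least_loaded(self) -> SecondIdentityAuthUnit:
        unit = min(self._units, key=lambda u: u.load)   # ties go to the first in the list
        self.routes.append(unit.name)
        return unit

    def login(self, account: str, password: str) -> Optional[str]:
        return self._least_loaded().handle_login(account, password)

    def auth_request(self, account: str) -> Optional[str]:
        return self._least_loaded().handle_auth_request(account)


def run_scenario() -> dict:
    """Constructed run: a token issued by one unit is served back by another."""
    store = SharedSessionStore()
    creds = {"alice": "pw-alice", "bob": "pw-bob"}
    units = [SecondIdentityAuthUnit(f"auth-{i}", store, creds) for i in (1, 2, 3)]
    lb = LoadBalancer(units)
    tok_alice = lb.login("alice", "pw-alice")
    tok_bob = lb.login("bob", "pw-bob")
    looked_up = lb.auth_request("alice")     # handled by a unit other than the issuer
    missing = lb.auth_request("carol")       # never logged in: no token
    return {
        "routes": lb.routes,
        "loads": [u.load for u in units],
        "alice_token_shared": tok_alice is not None and looked_up == tok_alice,
        "bob_logged_in": tok_bob is not None,
        "unknown_user": missing,
    }
```

The design point is that the authentication units hold no session state of their own; if they cached tokens locally, a request routed to a different unit would fail to find the user's token, which is exactly why the text places a separate shared store behind the load balancer.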
It should be noted that when the client obtains an authentication token from the verification system end, the verification system end may encrypt the token to protect it during transmission. After receiving the authentication token, the application system end decrypts it, obtains the user information it carries, and completes the user's login. The verification system end may encrypt the authentication token using the MD5 algorithm. The information carried by the authentication token may include the user's login account, the user's login password, the name of the application system end being accessed, the user name and user password at that application system end, the cookie for accessing the application system end, and the like.
With reference to the access verification system provided by the above embodiments, and taking independent sessions as an example, the access verification method provided by the embodiment of the present invention is now described in more detail. As shown in FIG. 7, the method may include the following steps:
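The paragraph above has the application end trusting user information carried inside the token it receives, so the token needs protection in transit. MD5, which the text names, is an unkeyed one-way digest: it cannot be decrypted to recover a payload, and a tag anyone can recompute does not let the receiver detect tampering. The added example below, which is not code from the patent, therefore attaches a keyed HMAC-SHA256 tag that the application end verifies before using the carried fields; `SHARED_KEY` is an assumed pre-shared secret per application end, and confidentiality of the payload is left to the transport (TLS or an authenticated cipher, neither of which is shown).

```python
"""Keyed integrity protection for the authentication token in transit.
Added example, not code from the patent; the key and sample fields are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SHARED_KEY = b"constructed-demo-key-replace-in-deployment"   # assumption: per-application-end secret


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _canonical(user_info: dict) -> bytes:
    # Fixed key order and separators so the same fields always give the same bytes.
    return json.dumps(user_info, separators=(",", ":"), sort_keys=True).encode("utf-8")


def issue_token(user_info: dict, key: bytes = SHARED_KEY) -> str:
    """Verification end: token = base64(body) '.' base64(HMAC-SHA256(key, body))."""
    body = _canonical(user_info)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_token(token: str, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Application end: returns the carried user information only if the tag
    matches; a malformed, altered or foreign-key token yields None."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:                     # wrong shape or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


def run_checks() -> dict:
    # Constructed sample of the kind of fields the text says a token may carry.
    info = {"account": "alice", "app": "erp", "app_user": "alice.w"}
    token = issue_token(info)
    _, tag_b64 = token.split(".")
    # Same tag, altered body: must be rejected by the application end.
    forged = _b64(_canonical({**info, "account": "bob"})) + "." + tag_b64
    return {
        "roundtrip": verify_token(token) == info,
        "forged_body_rejected": verify_token(forged) is None,
        "wrong_key_rejected": verify_token(token, b"other-key") is None,
        "garbage_rejected": verify_token("not a token") is None,
    }
```

Only the application end that shares the key can produce a matching tag, so a token that arrives with an altered `account` field is discarded instead of logging the wrong user in; the check is done with `hmac.compare_digest` so that comparison time does not leak how much of the tag matched.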
Step 701: The client receives an access request from a user to access an application system end.
In an embodiment of the present invention, the client obtains, from the user's operation, the access request for accessing an application system end.
Step 702: The client judges whether the access request needs to be intercepted; if so, step 703 is performed, otherwise step 707 is performed.
In an embodiment of the present invention, on receiving the access request the client determines the data resource that the access request is to access and checks whether that data resource is recorded in a pre-created whitelist. If so, the access request does not need to be intercepted and step 707 is performed accordingly; otherwise the access request needs to be intercepted and step 703 is performed accordingly.
The whitelist records data resources of multiple application system ends, and the recorded data resources are those the user is allowed to access without identity authentication.
Step 703: Judge whether the user has logged in at the application system end to be accessed; if so, step 707 is performed, otherwise step 704 is performed.
In an embodiment of the present invention, the client sends a query request to the application system end the user wants to access, asking whether that application system end stores a valid authentication token corresponding to the user. If so, the user has already logged in at that application system end and step 707 is performed accordingly; otherwise the user has not yet logged in at the application system end to be accessed and step 704 is performed accordingly.
Step 704: The client judges whether the user has logged in at the verification system end; if so, step 706 is performed, otherwise step 705 is performed.
In an embodiment of the present invention, the client sends a query to the verification system end asking whether it stores a valid authentication token corresponding to the user. If so, the user has logged in at the verification system end and step 706 is performed accordingly; otherwise the user has not yet logged in at the verification system end and step 705 is performed accordingly.
Step 705: The client sends the login information entered by the user to the verification system end, and the verification system end generates an authentication token corresponding to the user according to the login information.
In an embodiment of the present invention, after determining that the user has not logged in at the verification system end, the client prompts the user to enter login information such as a login account and login password, and sends the entered login information to the verification system end. On receiving the login information from the client, the verification system end completes the user's login at the verification system end according to the login information, and generates and stores the corresponding authentication token.
Step 706: The client obtains the authentication token corresponding to the user from the verification system end and sends the obtained authentication token to the application system end to be accessed in order to complete the login.
In an embodiment of the present invention, the client obtains the authentication token corresponding to the user from the verification system end and sends it to the application system end the user wants to access. On receiving the authentication token from the client, the application system end completes the user's login automatically.
Step 707: The client sends the access request to the application system end the user wants to access.
In an embodiment of the present invention, once the user is logged in at the application system end, the client sends the user's access request to the application system end the user wants to access, and the application system end processes the user's access according to the received access request.
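Steps 701 to 707 form one client-side procedure, shown below end to end as an added example; it is not code from the patent. The verification end and application ends are minimal in-memory stand-ins, the whitelist is a constructed set of (application, resource) pairs, the credential prompt is a callable standing in for the user typing a password, and `access()` returns the sequence of step numbers it took so each branch of FIG. 7 can be checked.

```python
"""Client flow of steps 701-707 with minimal stand-in ends.
Added example, not code from the patent; names and sample data are constructed."""
import secrets
from typing import Callable, Dict, List, Optional, Set, Tuple


class VerificationEnd:
    def __init__(self, credentials: Dict[str, str]) -> None:
        self._creds = credentials          # constructed sample user table
        self._tokens: Dict[str, str] = {}

    def has_valid_token(self, account: str) -> bool:      # answers the step 704 query
        return account in self._tokens

    def login(self, account: str, password: str) -> Optional[str]:   # step 705
        if self._creds.get(account) != password:
            return None
        self._tokens[account] = secrets.token_urlsafe(16)
        return self._tokens[account]

    def get_token(self, account: str) -> Optional[str]:   # step 706
        return self._tokens.get(account)


class ApplicationEnd:
    def __init__(self, name: str) -> None:
        self.name = name
        self._sessions: Dict[str, str] = {}
        self.served: List[Tuple[str, str]] = []            # requests actually processed

    def has_valid_token(self, account: str) -> bool:      # answers the step 703 query
        return account in self._sessions

    def login_with_token(self, account: str, token: str) -> None:
        self._sessions[account] = token                   # automatic login from the token

    def handle(self, account: str, resource: str) -> None:  # step 707 processing
        self.served.append((account, resource))


class Client:
    def __init__(self, auth: VerificationEnd, apps: Dict[str, ApplicationEnd],
                 whitelist: Set[Tuple[str, str]],
                 prompt: Callable[[str], str]) -> None:
        self._auth, self._apps, self._whitelist, self._prompt = auth, apps, whitelist, prompt

    def access(self, account: str, app_name: str, resource: str) -> List[int]:
        """Runs one access request and returns the step numbers taken."""
        app = self._apps[app_name]
        steps = [701, 702]
        if (app_name, resource) in self._whitelist:      # step 702: no interception needed
            steps.append(707)
            app.handle(account, resource)
            return steps
        steps.append(703)
        if app.has_valid_token(account):                  # already logged in at the app end
            steps.append(707)
            app.handle(account, resource)
            return steps
        steps.append(704)
        if not self._auth.has_valid_token(account):       # not logged in at verification end
            steps.append(705)
            if self._auth.login(account, self._prompt(account)) is None:
                return steps                              # login failed: nothing forwarded
        steps.append(706)
        app.login_with_token(account, self._auth.get_token(account))
        steps.append(707)
        app.handle(account, resource)
        return steps


def run_scenario() -> dict:
    """Constructed walk through every branch of FIG. 7."""
    auth = VerificationEnd({"alice": "pw-alice"})
    apps = {name: ApplicationEnd(name) for name in ("portal", "erp", "crm")}
    whitelist = {("portal", "/public/notice")}
    typed = {"alice": "pw-alice", "eve": "guess"}         # what the prompt would return
    client = Client(auth, apps, whitelist, prompt=lambda account: typed[account])
    trace = {
        "public": client.access("alice", "portal", "/public/notice"),
        "first_erp": client.access("alice", "erp", "/orders"),
        "second_erp": client.access("alice", "erp", "/orders"),
        "crm_after_sso": client.access("alice", "crm", "/leads"),
        "bad_login": client.access("eve", "erp", "/orders"),
    }
    trace["erp_served"] = apps["erp"].served
    return trace
```

The `crm_after_sso` trace is the single-sign-on case the text is after: a second application end is entered through steps 704 and 706 without step 705, because the verification end already holds a token for the user. The `bad_login` trace shows the other side: when step 705 fails, the request is never forwarded and the application end's `served` list is unchanged.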
An embodiment of the present invention further provides a computer-readable storage medium storing execution instructions; when a processor of a storage controller executes the execution instructions, the storage controller performs the access verification method of any of the above embodiments.
An embodiment of the present invention further provides a storage controller, including: a processor, a memory and a bus;
The memory is configured to store execution instructions, and the processor is connected to the memory through the bus; when the storage controller runs, the processor executes the execution instructions stored in the memory, so that the storage controller performs the access verification method of any of the above embodiments.
In summary, the access verification method, system and client provided by the embodiments of the present invention have at least the following beneficial effects:
1. In the embodiments of the present invention, on receiving an access request from a user to access an application system end, and having determined that the access request needs to be intercepted, the client judges whether the user has logged in at the application system end to be accessed. If so, it forwards the received access request to that application system end; if not, it obtains the user's authentication token from the verification system end and sends it to the application system end to be accessed so that the user is logged in there, and after the login completes it sends the access request to that application system end. Since every application system end is registered with the verification system end, the user only needs to log in at the verification system end; when the user needs to access an application system end connected to the verification system end, the authentication token obtained from the verification system end completes the login at that application system end, and the user does not have to enter a separate login account and login password for each application system end, which improves the user experience.
2. In the embodiments of the present invention, by setting a whitelist, the user's identity need not be authenticated when the user accesses a data resource recorded in the whitelist. This ensures convenience when the user accesses public resources and also reduces the computational load of the verification system end, lowering the hardware requirements on the verification system end.
3. In the embodiments of the present invention, after every application system end is connected to the verification system end, and once the user has logged in at the verification system end, the verification system end can generate an authentication token corresponding to the user; after the token is sent to an application system end, the application system end can complete the user's login from the information carried by the token and allow the user's access. Thus, after logging in at the verification system end, the user can access every application system end without entering login information again, which improves the user experience.
4. In the embodiments of the present invention, the session management mode of the verification system end and the application system ends is deployed according to the level of user concurrency: independent sessions when concurrency is low, a shared session when concurrency is high. The access verification system is therefore applicable both to scenarios with high user concurrency and to scenarios with low user concurrency, which improves its applicability.
It should be noted that, herein, relational terms such as "first" and "second" are used merely to distinguish one entity or operation from another, and do not necessarily require or imply any actual relation or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be implemented by hardware instructed by a program; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments; and the storage medium includes ROM, RAM, magnetic disks, optical disks and various other media that can store program code.
Finally, it should be noted that the foregoing are merely preferred embodiments of the present invention, intended only to illustrate its technical solution and not to limit its scope. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention fall within the protection scope of the present invention.

Claims (10)

1. An access verification method, applied to a client, characterised by comprising:
receiving an access request from a user to access any one application system end, wherein the application system end is registered with a verification system end;
when the access request needs to be intercepted, judging whether the user has logged in at the application system end;
if so, sending the access request to the application system end;
if not, obtaining an authentication token corresponding to the user from the verification system end, sending the authentication token to the application system end so that the user logs in at the application system end, and sending the access request to the application system end.
2. The method according to claim 1, characterised in that, after receiving the access request from the user to access any one application system end, the method further comprises:
determining, according to the access request, the resource to be accessed that the user needs to access, wherein the resource to be accessed is stored in the application system end;
judging whether the resource to be accessed is recorded in a pre-created whitelist, wherein the whitelist records at least one data resource;
if so, determining that the access request does not need to be intercepted, and sending the access request to the application system end;
if not, determining that the access request needs to be intercepted, and performing the step of judging whether the user has logged in at the application system end.
3. The method according to claim 1, characterised in that judging whether the user has logged in at the application system end comprises:
detecting whether the application system end stores the authentication token corresponding to the user and whether the authentication token is valid;
if so, determining that the user has logged in at the application system end;
if not, determining that the user has not logged in at the application system end.
4. The method according to any one of claims 1 to 3, characterised in that obtaining the authentication token corresponding to the user from the verification system end comprises:
judging whether the user has logged in at the verification system end;
if so, obtaining the authentication token corresponding to the user stored by the verification system end, wherein the authentication token was generated and stored by the verification system end when the user previously logged in at the verification system end;
if not, sending the login information entered by the user to the verification system end, and obtaining the authentication token generated by the verification system end according to the login information.
5. A client, characterised by comprising: a receiving unit, a judging unit and a processing unit;
the receiving unit is configured to receive an access request from a user to access any one application system end, wherein the application system end is registered with a verification system end;
the judging unit is configured to judge, when the access request received by the receiving unit needs to be intercepted, whether the user has logged in at the application system end;
the processing unit is configured to, according to the judgement result of the judging unit, send the access request to the application system end if so, and otherwise obtain the authentication token corresponding to the user from the verification system end, send the authentication token to the application system end so that the user logs in at the application system end, and send the access request to the application system end.
6. The client according to claim 5, characterised in that
the judging unit is further configured to determine, according to the access request, the resource to be accessed that the user needs to access, and to judge whether the resource to be accessed is recorded in a pre-created whitelist; if so, to determine that the access request does not need to be intercepted and send the access request to the application system end; otherwise, to determine that the access request needs to be intercepted and perform the judging of whether the user has logged in at the application system end;
and/or
the judging unit is configured to detect whether the application system end stores the authentication token corresponding to the user and whether the authentication token is valid; if so, to determine that the user has logged in at the application system end, and otherwise to determine that the user has not logged in at the application system end.
7. The client according to claim 5 or 6, characterised in that
the processing unit is configured to judge whether the user has logged in at the verification system end; if so, to obtain the authentication token corresponding to the user stored by the verification system end, wherein the authentication token was generated and stored by the verification system end when the user previously logged in at the verification system end; otherwise, to send the login information entered by the user to the verification system end and obtain the authentication token generated by the verification system end according to the login information.
8. An access verification system, characterised by comprising: a verification system end, at least one application system end, and at least one client according to any one of claims 5 to 7;
each application system end is registered with the verification system end;
each application system end is configured to receive the access request sent by the client;
the verification system end is configured to send, according to a request from the client, the authentication token corresponding to the user of the client to the client.
9. The system according to claim 8, characterised in that
the verification system end includes: a first identity authentication unit;
each application system end includes: an application session management unit;
the first identity authentication unit is configured to generate and store, according to the login information sent by any one of the clients, the authentication token corresponding to the user of that client, and to invalidate the authentication token when the duration for which the user has not accessed any one of the application system ends exceeds a preset session expiry period;
the application session management unit is configured to receive the authentication token sent by each client and, for each authentication token, to periodically send an authentication request to the first identity authentication unit; if the authentication token has expired, to further determine whether the authentication token stored by the first identity authentication unit has expired, and, if the authentication token stored by the first identity authentication unit has not expired, to re-obtain the authentication token through a simulated login by the first identity authentication unit.
10. The system according to claim 8, characterised in that
the verification system end includes: a load balancer, an authentication session management unit, and at least two second identity authentication units;
the load balancer is connected to each second identity authentication unit;
the authentication session management unit is connected to each second identity authentication unit;
the load balancer is configured to receive the login information sent by each client and distribute the login information to the second identity authentication unit with the lowest load, and to receive the authentication requests from each application system end and distribute the authentication requests to the second identity authentication unit with the lowest load;
the second identity authentication unit is configured to generate the authentication token of the corresponding user according to the received login information and store the authentication token in the authentication session management unit, and, according to the received authentication request, to obtain the corresponding authentication token from the authentication session management unit and send the obtained authentication token to the corresponding application system end.
CN201711144444.2A 2017-11-17 2017-11-17 One kind accesses verification method, system and client Pending CN107862198A (en)

Publications (1)

Publication Number Publication Date
CN107862198A true CN107862198A (en) 2018-03-30


Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109167802A (en) * 2018-11-08 2019-01-08 金蝶软件(中国)有限公司 Prevent method, server and the terminal of Session Hijack
CN109617926A (en) * 2019-01-28 2019-04-12 广东淘家科技有限公司 Control method, device and the storage medium of service authority
CN111343636A (en) * 2020-02-14 2020-06-26 卓望数码技术(深圳)有限公司 Unified authentication method, authentication system, terminal and storage medium
CN113746673A (en) * 2021-08-24 2021-12-03 济南浪潮数据技术有限公司 Method, device, equipment and medium for deploying bare metal server ipxe
CN115086003A (en) * 2022-06-10 2022-09-20 上海弘积信息科技有限公司 Login-free method after webpage skipping of load balancing centralized management and control system
CN115277210A (en) * 2022-07-28 2022-11-01 中国工商银行股份有限公司 Token obtaining method and device, electronic equipment and storage medium

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101207485A (en) * 2007-08-15 2008-06-25 深圳市同洲电子股份有限公司 System and method of unification identification safety authentication for users
CN103051631A (en) * 2012-12-21 2013-04-17 国云科技股份有限公司 Unified security authentication method for PaaS (Platform as a Service) platform and SaaS (Software as a Service) application system
CN103078932A (en) * 2012-12-31 2013-05-01 中国移动通信集团江苏有限公司 Method, device and system for realizing universal single sign-on
CN103179115A (en) * 2013-03-18 2013-06-26 中国科学院信息工程研究所 Cloud service accessing control method of cross-cloud application facing to cloud television terminal
CN103188248A (en) * 2011-12-31 2013-07-03 卓望数码技术(深圳)有限公司 Identity authentication system and method based on single sign-on
CN104301316A (en) * 2014-10-13 2015-01-21 中国电子科技集团公司第二十八研究所 Single sign-on system and implementation method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵昱栋: "Research and Implementation of a Unified Authentication System Based on CAS and OAuth", China Master's Theses Full-text Database (Information Science and Technology) *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109167802A (en) * 2018-11-08 2019-01-08 金蝶软件(中国)有限公司 Prevent method, server and the terminal of Session Hijack
CN109167802B (en) * 2018-11-08 2021-07-13 金蝶软件(中国)有限公司 Method, server and terminal for preventing session hijacking
CN109617926A (en) * 2019-01-28 2019-04-12 广东淘家科技有限公司 Control method, device and the storage medium of service authority
CN111343636A (en) * 2020-02-14 2020-06-26 卓望数码技术(深圳)有限公司 Unified authentication method, authentication system, terminal and storage medium
CN111343636B (en) * 2020-02-14 2023-06-27 卓望数码技术(深圳)有限公司 Unified authentication method, authentication system, terminal and storage medium
CN113746673A (en) * 2021-08-24 2021-12-03 济南浪潮数据技术有限公司 Method, device, equipment and medium for deploying bare metal server ipxe
CN113746673B (en) * 2021-08-24 2023-03-24 济南浪潮数据技术有限公司 Method, device, equipment and medium for deploying bare metal server ipxe
CN115086003A (en) * 2022-06-10 2022-09-20 上海弘积信息科技有限公司 Login-free method after webpage skipping of load balancing centralized management and control system
CN115086003B (en) * 2022-06-10 2024-03-29 上海弘积信息科技有限公司 Login-free method after webpage skipping of load balancing centralized management and control system
CN115277210A (en) * 2022-07-28 2022-11-01 中国工商银行股份有限公司 Token obtaining method and device, electronic equipment and storage medium
CN115277210B (en) * 2022-07-28 2024-02-27 中国工商银行股份有限公司 Token acquisition method, device, electronic equipment and storage medium

Similar Documents

Publication Publication Date Title
US11411730B2 (en) Cryptoasset custodial system with different rules governing access to logically separated cryptoassets and proof-of-stake blockchain support
US11757627B2 (en) Cryptoasset custodial system with proof-of-stake blockchain support
CN107862198A (en) One kind accesses verification method, system and client
CN108292331B (en) Method and system for creating, verifying and managing identities
US8332637B2 (en) Methods and systems for nonce generation in a token
US20180336554A1 (en) Secure electronic transaction authentication
US8099765B2 (en) Methods and systems for remote password reset using an authentication credential managed by a third party
WO2017000829A1 (en) Method for checking security based on biological features, client and server
CN111931144B (en) Unified safe login authentication method and device for operating system and service application
CN109257209A (en) A kind of data center server centralized management system and method
CN109815656A (en) Login authentication method, device, equipment and computer readable storage medium
CN109413032A (en) A kind of single-point logging method, computer readable storage medium and gateway
CN104320389B (en) A kind of fusion identity protection system and method based on cloud computing
CN110149328A (en) Interface method for authenticating, device, equipment and computer readable storage medium
CN109587126A (en) User anthority identifying method and system
CN106936772A (en) A kind of access method, the apparatus and system of cloud platform resource
CN106656514A (en) Kerberos authentication cluster access method, Spark Standalone cluster, and driving node of Spark Standalone cluster
CN110661800A (en) Multi-factor identity authentication method supporting guarantee level
CN109981680A (en) A kind of access control implementation method, device, computer equipment and storage medium
CN109495486A (en) A method of the single page Web application integration CAS based on JWT
Karie et al. Hardening SAML by integrating SSO and multi-factor authentication (MFA) in the cloud
CN102571874A (en) On-line audit method and device in distributed system
CN110301127B (en) Apparatus and method for predictive token validation
CN109684802A (en) A kind of method and system providing a user artificial intelligence platform
CN106603567B (en) A kind of login management method and device of WEB administrator

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20180330)