CN109495486A - A method of the single page Web application integration CAS based on JWT - Google Patents
- Publication number: CN109495486A
- Authority: CN (China)
- Prior art keywords: cas, jwt, single page, page web, web application
- Legal status: Granted
Classifications
- H04L63/0807—Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The present invention proposes a method for integrating a single-page Web application with CAS based on JWT. The login page of the single-page Web application redirects to the login page of the CAS system, and the URL carries a Service parameter identifying the service that currently needs to be logged in. After the user enters authentication information on the CAS login page and logs in successfully, the CAS server automatically redirects to the single-page Web application according to the Service parameter, and the redirect link carries the Ticket parameter generated by CAS. The single-page Web application then requests the API server with Service and Ticket as parameters to obtain a JWT. The API server, with Service and Ticket as parameters, requests the ProxyValidate interface of the CAS server to verify them and determine whether the user has logged in to the CAS system. The present invention does not require the API server to save the user's login state: the API service requests CAS to validate the Ticket and then generates a JWT to implement authentication, which reduces the coupling of the system, solves the cross-domain problem, improves user experience, and ensures the security of the user's sensitive information.
Description
Technical field
The present invention relates to the field of CAS integration technology, and specifically to a method for integrating a single-page Web application with CAS based on JWT.
Background technique
As an enterprise develops, multiple application systems are built for different lines of business. To improve user experience and user retention, the authentication service of every business application is integrated into the CAS system: a user logs in and authenticates once through the CAS system and can then access multiple systems, which greatly improves working efficiency and security. With the development of front-end technology, many application systems adopt an architecture in which the front end and back end are separated: the client is a single-page Web application, the server only needs to provide an API, and the client exchanges data by calling that API. The pages and data of the client may only be accessed after the user has passed authentication, and likewise the server-side API also requires user authentication.
The traditional CAS integration mode mainly has the following steps:
1) The user accesses a resource of the application system; when login is required, the CAS client redirects the user, and the redirect link carries the Service parameter (the URL of the application system that is currently requesting the CAS system);
2) The user authenticates at the CAS client;
3) After authentication passes, the CAS server generates a random Ticket and, with the Ticket as a parameter, redirects to the Service from step 1);
4) The application system requests the CAS server API with the Ticket as a parameter to verify the legitimacy of the Ticket;
5) After the CAS server verifies that the Ticket is legitimate, it returns the user information to the application system, which saves the user's login state locally; the pages of the application system thereby implement user authentication.
Under the traditional CAS integration mode, the authentication service of every current business system product is integrated into CAS, and every business product must save the user's login state locally. For a system with separated front end and back end, this means that both the single-page Web application and the API server must save the user's login state, which greatly increases the coupling of the system. Moreover, because the single-page Web application and the API server may not be in the same domain, the traditional CAS integration mode can also lead to cross-domain problems.
Summary of the invention
In view of the above problems, the purpose of the present invention is to provide a method for integrating a single-page Web application with CAS based on JWT that can reduce the coupling of the system, solve the cross-domain problem, improve user experience, and ensure the security of the user's sensitive information.
The technical solution is as follows:
Step A: The login page of the single-page Web application redirects to the login page of the CAS system, and the URL carries a Service parameter identifying the service that currently needs to be logged in;
Step B: After the user enters authentication information on the CAS login page and logs in successfully, the CAS server automatically redirects to the single-page Web application according to the Service parameter of step A, and the redirect link carries the Ticket parameter generated by CAS;
Step C: The single-page Web application requests the authorization interface of the API server with Ticket and Service as parameters and obtains a JWT;
Step D: After the API server interface receives the request, it calls the ProxyValidate verification interface of CAS with Ticket and Service as parameters;
Step E: If the verification passes, the CAS server returns the user information, and the API server generates a JWT with the HS256 algorithm from the user information and an expiry time and returns it to the single-page Web application, which saves the JWT in localStorage or a Cookie; if the verification does not pass, "Ticket invalid" is returned;
Step F: Subsequent requests from the single-page Web application to the API server interface carry the JWT in the request header and are authenticated; if authentication fails or the JWT has expired, an error is returned; otherwise the information requested by the single-page Web application is returned;
Step G: When the user logs out of the single-page Web application, the JWT stored locally in step E is deleted first, and the user is then redirected to the logout link of the CAS client; at this point both the client and CAS are in the logged-out state.
Further, the HS256 algorithm in step E is replaced with the RS256 algorithm.
Further, when the single-page Web application subsequently requests the API server interface, the data is encrypted and signed.
The beneficial effects of the present invention are: when a user logs in to the single-page Web application, it only needs to carry the Service parameter and redirect to the CAS server to log in, so the user's sensitive information (such as account and password) does not pass through the API server; the API server does not need to save the user's login state; the API server designs its API in the RESTful architectural style and uses JWT authentication, which solves the cross-domain problem; the JWT carries a validity period, and after it expires the single-page Web application must log in again to obtain a new JWT, which enhances the security of the system.
Detailed description of the invention
Fig. 1 is the flow chart of the method of the present invention for integrating a single-page Web application with CAS based on JWT.
Specific embodiment
The present invention is described in further detail below with reference to the drawings and specific embodiments. The invention proposes a method for integrating a single-page Web application with CAS based on JWT. Normally a single-page Web application authenticates by requesting a token from the API service; however, because sensitive information such as the passwords of the current business system's users is stored separately in the database of the CAS service, the API service cannot implement user authentication on its own, and under the traditional CAS integration method the API service can only save the user's login state locally, which greatly increases the coupling of the system. At the same time, if the single-page application and the API service are not under the same domain name, the API server being designed in the RESTful style, the traditional CAS integration mode also leads to cross-domain problems. The present invention proposes a method for integrating a single-page application with CAS based on JWT in which the API server does not need to save the user's login state: the API service requests CAS to validate the Ticket and generates a JWT to implement authentication, which reduces the coupling of the system, solves the cross-domain problem, improves user experience, and ensures the security of the user's sensitive information. The flow chart of the method of the present invention for integrating CAS is shown in Fig. 1, and the specific steps are as follows:
Step A: The login page of the single-page Web application redirects to the login page of the CAS system, and the URL carries a Service parameter identifying the service that currently needs to be logged in.
When a user logs in to the single-page Web application, it only needs to carry the Service parameter and redirect to the CAS server to log in, so the user's sensitive information (such as account and password) does not pass through the API server, and the API server naturally does not need to save the user's login state either.
Step B: After the user enters authentication information on the CAS login page and logs in successfully, CAS automatically redirects to the single-page Web application according to the Service parameter of step A, and the redirect link carries the Ticket parameter generated by CAS.
Step C: The single-page application requests the API authorization interface with Ticket and Service as parameters and obtains a JWT.
Step D: After the API server interface receives the request, it calls the ProxyValidate verification interface of CAS with Ticket and Service as parameters.
Step E: If the verification passes, the CAS server returns the user information, and the API service generates a JWT with the HS256 algorithm from the user information and an expiry time and returns it to the single-page Web application, which saves the JWT in localStorage or a Cookie; if the verification does not pass, "Ticket invalid" is returned.
Here, the HS256 algorithm may also be replaced with the RS256 algorithm.
Step F: Subsequent requests from the single-page Web application to the API server interface carry the JWT in the request header and are authenticated; if authentication fails or the JWT has expired, an error is returned; otherwise the information requested by the single-page Web application is returned.
The API server designs its API in the RESTful architectural style and uses JWT authentication, which solves the cross-domain problem.
When the single-page Web application subsequently requests the API server interface, the data may be encrypted and signed. The JWT carries a validity period, and after it expires the single-page Web application must log in again to obtain a new JWT, which enhances the security of the system.
Step G: When the user logs out of the single-page Web application, the JWT stored locally in step E is deleted first, and the user is then redirected to the logout link of the CAS client; at this point both the client and CAS are in the logged-out state.
The method of the present invention for integrating a single-page application with CAS based on JWT solves the problem of integrating a single-page application with the CAS system. The API server does not need to save the user's login state; the user's login state is saved centrally by the CAS server. When a user needs to log in to the single-page Web application, the application jumps to the CAS client to log in; the single-page Web application then requests the API server with Service and Ticket as parameters to obtain a JWT; the API server requests the ProxyValidate interface of the CAS server with Service and Ticket as parameters to verify them and determine whether the user has logged in to the CAS system; the API server holds its own independent key SECRET_KEY; after the API server has determined that the user is logged in to the CAS system, it takes SECRET_KEY, the user information and the expiry time as parameters and generates the JWT with the HS256 algorithm.
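The API-server side of steps D to F (Ticket validation through ProxyValidate, HS256 JWT issuance with an expiry, and JWT verification on later requests), as an added example that is not from the patent or any product it describes. It assumes CAS answers ProxyValidate with the CAS 2.0 XML response (cas:authenticationSuccess / cas:authenticationFailure), which the patent does not show; the CAS call is injected so a constructed stand-in runs offline, and the key, ticket and URLs are made-up values.

```python
import base64
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET

# Constructed values: the API server's own signing key (step E) and the JWT
# validity period; real deployments load these from configuration.
CAS_NS = "{http://www.yale.edu/tp/cas}"
SECRET_KEY = b"constructed-demo-secret-not-for-production"
JWT_TTL = 3600  # seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_proxy_validate(xml_text: str):
    """Step D: the CAS user name on cas:authenticationSuccess, else None."""
    success = ET.fromstring(xml_text).find(CAS_NS + "authenticationSuccess")
    return None if success is None else success.findtext(CAS_NS + "user")


def issue_jwt(user: str, now: int, key: bytes = SECRET_KEY, ttl: int = JWT_TTL) -> str:
    """Step E: HS256-sign {sub, iat, exp} with the API server's SECRET_KEY."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now: int, key: bytes = SECRET_KEY):
    """Step F: the payload if signature and expiry check out, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":  # accept only the algorithm we issue
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None  # expired: the SPA must log in through CAS again
    return payload


def authorize(ticket: str, service: str, cas_proxy_validate, now: int):
    """Steps D and E: validate the Ticket with CAS; a JWT on success, else None."""
    user = parse_proxy_validate(cas_proxy_validate(ticket=ticket, service=service))
    return None if user is None else issue_jwt(user, now)


# Constructed stand-in for the CAS server's ProxyValidate interface: one
# (Ticket, Service) pair is valid, and the Ticket is bound to its Service.
def fake_cas_proxy_validate(ticket: str, service: str) -> str:
    if ticket == "ST-1-constructed" and service == "https://spa.example/":
        return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
                "<cas:authenticationSuccess><cas:user>alice</cas:user>"
                "</cas:authenticationSuccess></cas:serviceResponse>")
    return ("<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>"
            "<cas:authenticationFailure code='INVALID_TICKET'>Ticket not "
            "recognized</cas:authenticationFailure></cas:serviceResponse>")
```

Because the Service is sent along with the Ticket, a Ticket issued for one application cannot be redeemed for a JWT by another, and expiry is enforced at the API server without any stored login state.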
Claims (3)
1. A method for integrating a single-page Web application with CAS based on JWT, characterized in that it comprises the following steps:
Step A: The login page of the single-page Web application redirects to the login page of the CAS system, and the URL carries a Service parameter identifying the service that currently needs to be logged in;
Step B: After the user enters authentication information on the CAS login page and logs in successfully, the CAS server automatically redirects to the single-page Web application according to the Service parameter of step A, and the redirect link carries the Ticket parameter generated by CAS;
Step C: The single-page Web application requests the authorization interface of the API server with Ticket and Service as parameters and obtains a JWT;
Step D: After the API server interface receives the request, it calls the ProxyValidate verification interface of CAS with Ticket and Service as parameters;
Step E: If the verification passes, the CAS server returns the user information, and the API server generates a JWT with the HS256 algorithm from SECRET_KEY, the user information and an expiry time and returns it to the single-page Web application, which saves the JWT in localStorage or a Cookie; if the verification does not pass, "Ticket invalid" is returned;
Step F: Subsequent requests from the single-page Web application to the API server interface carry the JWT in the request header and are authenticated; if authentication fails or the JWT has expired, an error is returned; otherwise the information requested by the single-page Web application is returned;
Step G: When the user logs out of the single-page Web application, the JWT stored locally in step E is deleted first, and the user is then redirected to the logout link of the CAS client; at this point both the client and CAS are in the logged-out state.
2. The method for integrating a single-page Web application with CAS based on JWT according to claim 1, characterized in that the HS256 algorithm in step E is replaced with the RS256 algorithm.
3. The method for integrating a single-page Web application with CAS based on JWT according to claim 1, characterized in that when the single-page Web application subsequently requests the API server interface, the data is encrypted and signed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811452511.1A CN109495486B (en) | 2018-11-30 | 2018-11-30 | Single-page Web application integration CAS method based on JWT |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109495486A true CN109495486A (en) | 2019-03-19 |
CN109495486B CN109495486B (en) | 2020-12-22 |
Family
ID=65698960
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811452511.1A Active CN109495486B (en) | 2018-11-30 | 2018-11-30 | Single-page Web application integration CAS method based on JWT |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109495486B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1331441A (en) * | 2000-06-24 | 2002-01-16 | 王以成 | Chinese-character input system 'three-digit code' |
US20130268755A1 (en) * | 2012-04-06 | 2013-10-10 | Microsoft Corporation | Cross-provider cross-certification content protection |
CN104052746A (en) * | 2014-06-18 | 2014-09-17 | 华为技术有限公司 | Heterogeneous application single sign-on system and method |
CN104539615A (en) * | 2014-12-29 | 2015-04-22 | 中国南方电网有限责任公司 | Cascading authentication method based on CAS |
CN107707570A (en) * | 2017-11-13 | 2018-02-16 | 山东省农村信用社联合社 | Cross-domain single logs in integrated approach and system |
Non-Patent Citations (1)
Title |
---|
RION DOOLEY: "The MyProxy Gateway", 《2014 6TH INTERNATIONAL WORKSHOP ON SCIENCE GATEWAYS》 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110276197A (en) * | 2019-06-25 | 2019-09-24 | 四川长虹电器股份有限公司 | The method to be come into force in real time based on shared blacklist revocation JWT token |
CN111200596A (en) * | 2019-12-25 | 2020-05-26 | 曙光信息产业(北京)有限公司 | File service system based on Web technology and design method thereof |
CN111931157A (en) * | 2020-08-12 | 2020-11-13 | 广东电力信息科技有限公司 | Access method, device, storage medium and computer equipment of single sign-on system |
CN112422528A (en) * | 2020-11-03 | 2021-02-26 | 北京锐安科技有限公司 | Client login method, device, system, electronic equipment and storage medium |
CN112422528B (en) * | 2020-11-03 | 2022-10-14 | 北京锐安科技有限公司 | Client login method, device, system, electronic equipment and storage medium |
CN114422182A (en) * | 2021-12-13 | 2022-04-29 | 以萨技术股份有限公司 | Unified identity management platform |
CN114422182B (en) * | 2021-12-13 | 2024-01-16 | 以萨技术股份有限公司 | Unified identity management platform |
Also Published As
Publication number | Publication date |
---|---|
CN109495486B (en) | 2020-12-22 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109309683B (en) | Token-based client identity authentication method and system | |
US7747856B2 (en) | Session ticket authentication scheme | |
CN109495486A (en) | A method of the single page Web application integration CAS based on JWT | |
EP1771782B1 (en) | Single sign-on with common access card | |
US7788711B1 (en) | Method and system for transferring identity assertion information between trusted partner sites in a network using artifacts | |
CN112468481B (en) | Single-page and multi-page web application identity integrated authentication method based on CAS | |
US8015301B2 (en) | Policy and attribute based access to a resource | |
US8955082B2 (en) | Authenticating using cloud authentication | |
CN103023918B (en) | The mthods, systems and devices logged in are provided for multiple network services are unified | |
US6668322B1 (en) | Access management system and method employing secure credentials | |
US7568098B2 (en) | Systems and methods for enhancing security of communication over a public network | |
CN102265255B (en) | Method and system for providing a federated authentication service with gradual expiration of credentials | |
CN104320423B (en) | Single-sign-on lightweight implementation method based on Cookie | |
US9825938B2 (en) | System and method for managing certificate based secure network access with a certificate having a buffer period prior to expiration | |
CN107172054A (en) | A kind of purview certification method based on CAS, apparatus and system | |
JP2008524751A (en) | Consumer Internet authentication service | |
US20120278863A1 (en) | Ad-hoc user account creation | |
CN111062023B (en) | Method and device for realizing single sign-on of multi-application system | |
US20020038426A1 (en) | Method and a system for improving logon security in network applications | |
US7895644B1 (en) | Method and apparatus for accessing computers in a distributed computing environment | |
US10601809B2 (en) | System and method for providing a certificate by way of a browser extension | |
CN107872455A (en) | A kind of cross-domain single login system and its method | |
CN105162775A (en) | Logging method and device of virtual machine | |
US20170104748A1 (en) | System and method for managing network access with a certificate having soft expiration | |
CN107911379A (en) | A kind of CAS Server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP02 | Change in the address of a patent holder | Address after: 9/F, Block C, No. 28 Tianfu Avenue North Section, Chengdu High tech Zone, China (Sichuan) Pilot Free Trade Zone, Chengdu City, Sichuan Province, 610000. Patentee after: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd. Address before: 610000, 11th floor, building 2, No. 219, Tianfu Third Street, hi tech Zone, Chengdu, Sichuan Province. Patentee before: CHENGDU KNOWNSEC INFORMATION TECHNOLOGY Co.,Ltd. |