CN111510461B - System and method for managing WEB application centralized release authority - Google Patents

System and method for managing WEB application centralized release authority

Info

Publication number: CN111510461B
Authority: CN (China)
Prior art keywords: application, authentication, module, password, access
Legal status: Active
Application number: CN202010338875.8A
Other languages: Chinese (zh)
Other versions: CN111510461A (en)
Inventors: 姜毅, 范渊, 吴永越, 郑学新, 刘韬
Current assignee: Chengdu DBAPPSecurity Co Ltd
Original assignee: Chengdu DBAPPSecurity Co Ltd
Events: application filed by Chengdu DBAPPSecurity Co Ltd; priority to CN202010338875.8A; publication of CN111510461A; application granted; publication of CN111510461B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Power Engineering (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a WEB application centralized release authority management system and method. The system comprises an access gateway module, a release management module, an authentication learning module, an authorization management module, an authentication agent module and a protocol agent module. Multiple WEB application access addresses are published as second-level domain names; the authentication information of multiple WEB applications is stored centrally and the relationship between that authentication information and users is managed; for multiple application HTML login pages, authentication by application user name and password is replaced by identity-recognition cookies; and an HTTP proxy substitutes the cookie identifiers of the user side and the application side and forwards the protocol data. The invention can effectively transfer and convert the identification of application authority, and can effectively manage the release, access and authority of WEB applications in a centralized way.

Description

System and method for managing WEB application centralized release authority
Technical Field
The invention relates to the technical field of WEB applications, in particular to a method for managing the centralized release authority of WEB applications.
Background
With the rapid development of cloud computing, SaaS services have become the mainstream of enterprise applications, and a large number of dispersed WEB application services of all kinds exist in enterprise management, bringing with them the security risk that WEB operation and maintenance are difficult to manage and control.
In recent years zero trust architecture has matured: by default no person, device or system inside or outside the network is trusted, and the basis of trust for access control has to be rebuilt on authentication and authorization. Zero trust changes the access-control paradigm, steering the security architecture from network-centric to identity-centric, and in essence requires that access control be carried out with identity at the center.
Disclosure of Invention
The invention aims to provide a method that solves centralized access control and authority management for WEB applications.
The invention is realized by the following technical scheme:
a WEB application centralized release authority management system is characterized in that: the system comprises an access gateway module, a release management module, an authentication learning module, an authorization management module, an authentication agent module and a protocol agent module;
the access gateway module is respectively connected with the release management module, the authentication learning module, the authorization management module, the authentication module and the protocol agent module;
the authentication learning module and the authentication module are respectively connected with the authentication agent module;
the authorization management module is connected with the authentication module and the protocol agent module in sequence.
Furthermore, in order to better realize the invention, multiple WEB application access addresses are published as second-level domain names; the authentication information of multiple WEB applications is stored centrally and the relationship between that authentication information and users is managed; for multiple application HTML login pages, authentication by application user name and password is replaced by identity-recognition cookies; and an HTTP proxy substitutes the cookie identifiers of the user side and the application side and forwards the protocol data.
Further, in order to better implement the invention, the method specifically comprises the following steps:
step S1: adding application information and providing a release address; the step specifically comprises:
step S11: the administrator points a browser at the root address of the access gateway module, accesses the release management module and adds a piece of web application release information; the web application release information comprises an application name, an application authentication address, an application user name and an application password;
step S12: the release management module establishes a one-to-one mapping relationship between the application authentication address and the application release link address, and the application user name and the application password form an application account;
step S2: simulating the login process to construct a flow template; the step specifically comprises:
step S21: the administrator starts a browser and accesses the application authentication address through the authentication learning module;
step S22: the authentication learning module identifies, from the page DOM tree, the confirmation element that marks the completion of page loading; in an interactive process the authentication learning module selects the frame positions of the user name, the password, the short message (SMS) password and the OTP password in the page DOM tree and inputs verification test information;
step S23: the authentication learning module sets the verification code picture or verification region DOM (captcha) and sets the login submission button DOM <submit>;
step S24: after login succeeds, identifying whether the DOM <status> corresponding to the login indicates success or failure; and generating, from this information and the waiting intervals, template information describing the page authentication login process.
Step S3: authorizing a web application to be accessed; the step specifically comprises: the administrator accesses the authorization management module through the browser and creates a common user, authorizes the application account established in step S1 to the common user and establishes a mapping authorization relationship between the person and the application resource; the common user never actually holds the application password of the application login account.
Step S4: selecting an application triggers access, and the server parses the access request;
step S41: the common user logs in at the root address of the access gateway module through the browser and obtains the list of applications accessible to the user, which consists of the application names authorized in step S3;
step S42: the common user clicks the login button to access the application release link address; the common user browser waits for the return from the access gateway module;
step S43: after receiving an application access request for an application release link address, the access gateway module parses out the application name and the source user information and transmits them to the authentication module;
step S6: judging access authentication; after receiving the parsed information transmitted by the access gateway module, the authentication module checks with the authorization management module whether the access is authorized, verifying against the authorization information established in step S3:
if the check fails, an unauthorized response is returned and execution does not continue;
if authentication succeeds, a one-time authentication password is generated and recorded and transmitted to the authentication agent module, and the authentication module waits for the authentication agent module to finish the simulated login and obtain the login information of the real application server;
step S7: simulating login, substituting identity information and filling in the secondary verification information, so as to complete the simulated login and record the identity identifier; the step specifically comprises:
step S71: the authentication agent module receives the request of the authentication module and obtains the recorded context state through the one-time authentication password; the context state comprises the application name, the application user name, the application password and the application template;
step S72: the authentication agent module creates a headless browser task to access the real application authentication address;
step S73: waiting for the loading time according to the process described by the application template in the context state, and checking whether the confirmation element exists after the page has loaded; filling the application user name and the application password into the corresponding positions in the page DOM tree according to the description of the application template in the context state;
if the application template includes the SMS password or the OTP password, two-factor authentication is performed: an SMS password acquisition request is triggered, the graphic verification code is obtained and cached as a picture, a response is returned to the common user browser, and execution proceeds to step S741;
if the application template can directly complete submission and authentication on the actual application page, execution proceeds to step S742;
step S741: the common user browser displays the cached verification code picture, and the common user recognizes and fills in the correct picture verification code;
the SMS verification code or OTP verification code obtained by the user is filled in at the common user browser;
according to the description of the application template, the verification code recognition step may be carried out several times during the simulated login authentication interaction and may be inserted into the authentication submission process, after which the authentication-related information is submitted again; steps S6, S71, S72 and S73 are executed repeatedly to handle the querying of the SMS password, the OTP password and the region DOM in the page DOM tree, and after the query step S742 continues;
step S742: the headless browser submits the complete authentication information on the real application page and waits for the application response to complete; after the application returns, the result is judged according to the application template;
if authentication fails, a failure state and the intermediate reason are returned to the authentication agent module, and the state is finally synchronized to the common user browser through the access gateway module;
if the application template judges success, the real application's real_cookie and other identity identification information are obtained and recorded according to the application template, a success state is returned to the authentication agent module, a 302 jump address to the application page is generated through the access gateway module, the address containing the one-time authentication password, and the jump content is returned to the common user browser; the logincheck path under the one-time authentication password ensures that no path conflict arises between the logincheck path and the real application's real_cookie at the release management module.
Step S8: setting the identity identifier from the user to the server using the application's second-level domain name address, and using that second-level domain name address as a path proxy for the real application;
Step S9: identity conversion at the front end and the back end of the application protocol agent, and proxied transmission of the application protocol content.
Further, in order to better implement the present invention, step S2 specifically includes the following steps:
step S21: the administrator starts a browser and accesses the application authentication address through the authentication learning module;
step S22: the authentication learning module identifies, from the page DOM tree, the confirmation element that marks the completion of page loading; in an interactive process the authentication learning module selects the frame positions of the user name, the password, the SMS password and the OTP password in the page DOM tree and inputs verification test information;
step S23: the authentication learning module sets the verification code picture or verification region DOM (captcha) and sets the login submission button DOM <submit>;
step S24: after login succeeds, identifying whether the DOM <status> corresponding to the login indicates success or failure; and generating, from this information and the waiting intervals, template information describing the page authentication login process.
Further, in order to better implement the present invention, step S3 specifically includes: the administrator accesses the authorization management module through the browser and creates a common user, authorizes the application account established in step S1 to the common user and establishes a mapping authorization relationship between the person and the application resource; the common user never actually holds the application password of the application login account.
Further, in order to better implement the present invention, step S7 specifically refers to:
step S71: the authentication agent module receives the request of the authentication module and obtains the recorded context state through the one-time authentication password; the context state comprises the application name, the application user name, the application password and the application template;
step S72: the authentication agent module creates a headless browser task to access the real application authentication address;
step S73: waiting for the loading time according to the process described by the application template in the context state, and checking whether the confirmation element exists after the page has loaded; filling the application user name and the application password into the corresponding positions in the page DOM tree according to the description of the application template in the context state;
if the application template includes the SMS password or the OTP password, two-factor authentication is performed: an SMS password acquisition request is triggered, the graphic verification code is obtained and cached as a picture, a response is returned to the common user browser, and execution proceeds to step S741;
if the application template can directly complete submission and authentication on the actual application page, execution proceeds to step S742;
step S741: the common user browser displays the cached verification code picture, and the common user recognizes and fills in the correct picture verification code;
the SMS verification code or OTP verification code obtained by the user is filled in at the common user browser;
according to the description of the application template, the verification code recognition step may be carried out several times during the simulated login authentication interaction and may be inserted into the authentication submission process, after which the authentication-related information is submitted again; steps S6, S71, S72 and S73 are executed repeatedly to handle the querying of the SMS password, the OTP password and the region DOM in the page DOM tree, and after the query step S742 continues;
step S742: the headless browser submits the complete authentication information on the real application page and waits for the application response to complete; after the application returns, the result is judged according to the application template;
if authentication fails, a failure state and the intermediate reason are returned to the authentication agent module, and the state is finally synchronized to the common user browser through the access gateway module;
if the application template judges success, the real application's real_cookie and other identity identification information are obtained and recorded according to the application template, a success state is returned to the authentication agent module, a 302 jump address to the application page is generated through the access gateway module, the address containing the one-time authentication password, and the jump content is returned to the common user browser; the login path under the one-time authentication password ensures that no path conflict arises between the login path and the real application's real_cookie in the release management module;
further, in order to better implement the present invention, step S8 specifically refers to:
step S81: the common user browser responds to the request carrying the one-time authentication password and accesses the access gateway module again;
step S82: the access gateway module parses the second-level domain name in the request address and the logincheck path under the one-time authentication password, and points the request to the authentication module again;
step S83: the authentication module checks the correctness of the recorded token and the identity of the common user, determines the effective access time and the number of accesses, generates the setting and sets the user-side cookie in the response;
the mapping relationship between the user-side cookie and the cookie generated by the application authentication is judged, and whether that mapping is one-to-one;
if not, a failure state and the intermediate reason are returned to the common user browser through the access gateway module to synchronize the state;
if so, a 302 jump address pointing to the correct post-login application page is generated through the access gateway module, and the jump content is returned to the common user browser;
step S84: the access request of the common user browser is sent to the access gateway module, which parses the second-level domain name and diverts the request to the protocol agent module path; the common user browser accesses the second-level domain name address of the proxied application, with a path identical to that of the application; the second-level domain name contains no special path;
further, in order to better implement the present invention, step S9 specifically refers to: the protocol agent module obtains the user-side cookie records, looks up the cookie generated by the application through authentication and substitutes it, sets the identity identification information and forwards the request to the real application address; after waiting for the application response, it converts the cookie in the reply response in the same way before returning it to the common user browser, completing the proxying of the HTTP-protocol application.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) the invention can effectively transfer and convert the identification of application authority;
(2) the invention can effectively manage the release, access and authority of WEB application in a centralized way.
Drawings
FIG. 1 is a schematic diagram of a connection relationship of a rights management system according to the present invention;
FIG. 2 is a schematic diagram of the operation of the present invention;
FIG. 3 is a flow chart of the operation of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
the invention is realized by the following technical scheme: as shown in FIG. 1, a WEB application centralized release authority management system comprises an access gateway module, a release management module, an authentication learning module, an authorization management module, an authentication agent module and a protocol agent module;
the access gateway module is respectively connected with the release management module, the authentication learning module, the authorization management module, the authentication module and the protocol agent module;
the authentication learning module and the authentication module are respectively connected with the authentication agent module;
the authorization management module is connected with the authentication module and the protocol agent module in sequence.
Access gateway module: provides the application selection and application access portals, and returns the application jump after the authentication agent has completed.
Release management module: responsible for adding and managing application addresses and setting application access names, together with the application's corresponding authentication account information such as user names and passwords; one application can correspond to multiple pieces of authentication account information;
Authentication learning module: learns the positions of the application's login authentication elements and the sequence of the authentication process, and extracts the post-authentication identity identification information to form a template;
Authorization management module: responsible for establishing the many-to-one authorization relationship between published applications and users;
Authentication module: receives the access request for the application and single authentication account name selected via the access gateway module, checks with the authorization management module, generates a one-time authentication password and transmits it to the authentication agent module;
Authentication agent module: receives the request of the authentication module, obtains the application login information and application template information through the one-time authentication password, creates a new headless browser task to simulate login and submit authentication, completes the login and records the cookie-related information;
Protocol agent module: the user browser accesses the protocol proxy address, which returns after checking the one-time authentication password and jumps to the application path; the browser's normal application data requests for the corresponding path are sent to the protocol agent module, and the protocol agent front end, after parsing the request, replaces or adds the formal cookie-related information and sends the request on to the back-end real application.
Example 2:
in this embodiment, further optimization is performed on the basis of the above embodiments, as shown in FIG. 1 to FIG. 3: multiple WEB application access addresses are published as second-level domain names; the authentication information of multiple WEB applications is stored centrally and the relationship between that authentication information and users is managed; for multiple application HTML login pages, authentication by application user name and password is replaced by identity-recognition cookies; and an HTTP proxy substitutes the cookie identifiers of the user side and the application side and forwards the protocol data.
It should be noted that, through the above improvement, the present invention publishes WEB applications on the basis of second-level domain names and HTTP protocol forwarding, performs permission authentication through browser behaviour simulation, and carries out authentication transfer and conversion of application permissions. The invention aims to provide a method that solves centralized access control and authority management for WEB applications, which is an innovative use under the zero trust requirement.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 3:
the present embodiment is further optimized based on the above embodiments, as shown in fig. 1 to fig. 3, and specifically includes the following steps:
step S1: adding application information and providing a release address; the method specifically comprises the following steps:
step S11: the browser sets a root address of an access gateway module, accesses the release management module and adds a piece of web application release information; the web application release information protector comprises an application name, an application authentication address, an application user name and an application password;
step S12: the release management module establishes a one-to-one mapping relation between the application authentication address and the application release link address, and the application username and the application password form an application account;
step S2: simulating a login process to construct a flow template; the method specifically comprises the following steps:
step S21: the administrator starts a browser to access the application authentication address through the authentication learning module;
step S22: the authentication learning module judges a confirmation element of the completion of page loading from a page DOM tree; the authentication learning module selects frame positions of a user name, a password, a short message password and an OTP password in a DOM tree of a page in an interactive process and inputs verification test information;
step S23: the authentication learning module sets a verification code picture or a verification region DOM (captcha); the authentication learning module sets a login submission button DOM < submit >;
step S24: after login succeeds, identifying whether the DOM < status > corresponding to the login is successful or failed; and generating template information describing the page authentication login process by using the information and the time waiting interval.
Step S3: authorizing a web application to be accessed; the method specifically comprises the following steps: the administrator accesses the authorization management module through the browser and creates a common user, authorizes the application account established in the step S1 to the common user, establishes a mapping authorization relationship between the person and the application resource, and the common user does not really hold the application password of the application login account.
Step S4: the application selects to trigger access, and the server analyzes the access;
step S41, the common user logs in the access gateway module root address through the browser to obtain an access user application list, wherein the obtained access user application list is the authorized application name in step S3;
step S42: a common user clicks a login button to access an application release link address; the common user browser waits for the return of the access gateway module;
step S43: after receiving an application access request for an application release link address, the access gateway module analyzes an application name and source user information and transmits the application name and the source user information to the authentication module;
step S6: judging access authentication; after receiving the analysis information transmitted by the access gateway module, the authentication module checks whether the authorization management module is authorized, and verifies through the authorization information established in step S3:
if the failure occurs, returning the unauthorized execution is not continued;
if the authentication is successful, generating and creating and recording a one-time authentication password, transmitting the one-time authentication password to the authentication agent module, and waiting for the authentication agent module to finish the simulated login to acquire login information of the real application server; the authentication password is transmitted to the authentication agent module, information such as a user name and a password corresponding to a real application server is inquired and obtained through the one-time authentication password, all login information is not transmitted directly, the password is transmitted, the state of a life cycle corresponding to the password is convenient to update in the design of a system table, and a consistent state updating point exists globally.
Step S7: simulating login and replacing identity information and replacing and filling secondary verification information to finish the simulation login record identity identification; 7 specifically means:
step S71: the authentication agent module receives the request of the authentication module, and obtains the context state in the record through the one-time authentication password; the context state comprises an application name, an application user name, an application password and an application template;
step S72: the authentication agent module creates a headless browser task to access a real application authentication address;
step S73: waiting for loading time according to the description process of the application template in the context state, and checking whether a confirmation element exists after the page is loaded; filling an application user name and an application password into a corresponding position in a page DOM tree according to the description of the application template in the context state;
if the application template comprises the short message password and the OTP password, two-factor authentication is performed: a short message password acquisition request is triggered, the graphic verification code is acquired and a cached picture is generated, a response is returned to the common user browser, and execution proceeds to step S741; this step is provided because many applications do not allow direct login by submitting only a user name and password but, for security reasons, exchange information with the user several times, so the system must also authenticate interactively with the user and may return a request repeatedly.
If the application template can directly complete submission and authentication on the actual application page, proceed to step S742;
step S741: the common user browser displays the verification code picture cache, and the common user identifies and fills in the correct picture verification code;
the obtained short message verification code or OTP verification code is filled in through the common user browser;
the authentication interaction process can be carried out multiple times according to the description of the application template and the simulated login authentication, and the verification code identification step can be inserted into the authentication submission process so that the authentication-related information is submitted again; this arrangement is adopted to enhance the adaptability of the entire system.
Steps S6, S71, S72 and S73 are repeatedly executed to query the short message password, OTP password and region DOM in the page DOM tree, and after filling, execution continues to step S742;
step S742: the headless browser controls to submit complete authentication information on a real application page to wait for the completion of application response; judging the result according to the application template after the application returns;
if the authentication fails, returning a failure state and an intermediate reason to the authentication agent module, and finally synchronizing the state to a common user browser through the access gateway module;
if the login succeeds, the real application's real_cookie and other identity identification information are acquired and recorded according to the application template, a success state is returned to the authentication agent module, a 302 application page jump address containing the one-time authentication password is generated through the access gateway module, and the jump content is returned to the common user browser; the logincheck path under the one-time authentication password ensures that no path conflict arises with the real application in the release management module; if a collision with the logincheck path occurred, the real path of the application could not be accessed.
Step S8: setting the user-to-server identity identifier under the application's second-level domain name address, and applying the second-level domain name address to the path proxy of the real application; the method specifically comprises the following steps:
step S81: the common user browser responds to the request of the one-time authentication password and accesses the access gateway module again;
step S82: the access gateway module parses the second-level domain name in the request address and the logincheck path under the one-time authentication password, and points to the authentication module again;
step S83: the authentication module checks the correctness of the recorded token and the identity of the common user, determines the effective access time and the number of accesses, and generates and sets the user-side cookie in the response;
the mapping relation between the user-side cookie and the cookie generated by application authentication is checked, and it is judged whether the mapping relation is one-to-one;
if not, a failure state and an intermediate reason are returned to the common user browser through the access gateway module to synchronize the state;
if so, a 302 application page jump address pointing to the correct post-login address of the application is generated through the access gateway module, and the jump content is returned to the common user browser;
step S84: the access request of the common user browser is sent to the access gateway module, and the access gateway module parses the secondary domain name and forwards the request to the protocol agent module path; the common user browser accesses the second-level domain name address of the proxied application, and the path is consistent with that of the application; the secondary domain name does not contain a special path.
Step S9: identity conversion between the front end and the back end of the application protocol agent, and proxy forwarding of the application protocol content. The method specifically comprises the following steps: the protocol agent module acquires the user-side cookie record, queries the cookie generated by the application through authentication and substitutes it, sets the identity identification information, forwards the request to the real application address, waits for the application response, converts the cookie reply in the response in the same way before returning it to the common user browser, and so completes the proxy process for an HTTP application.
The above steps are illustrated with the following concrete instance:
step S1: adding application information, providing a release address:
the administrator admin sets the access gateway module root address as follows through the browser: gateway.domain.com;
the administrator admin accesses the release management module and adds a piece of web application release information:
1. application name: app;
2. application authentication address: www.app.com/login;
3. application user name: guest;
4. application password: 123456;
the release management module establishes a one-to-one mapping relationship between www.app.com/login and gateway.domain.com/app; the application user name and application password form the application account;
step S2, simulating a login process to construct a flow template:
the administrator admin starts the browser to access the application authentication address through the authentication learning module: www.app.com/login;
the authentication learning module judges a confirmation element < loaded > of the page loading completion from a page DOM tree;
the authentication learning module selects, in an interactive process, the input box positions of the user name < username >, the password < password >, the short message password < message >, the OTP password < onetimepassword > and the like in the DOM tree, and inputs verification test information;
the authentication learning module sets a verification code picture or a verification region DOM (captcha);
the authentication learning module sets a login submission button DOM < submit >;
after login succeeds, the DOM < status > identifying whether the login succeeded or failed is identified;
Template information Template describing the page authentication login process is generated from this information and the waiting time intervals.
Step S3: authorizing the web application to be accessed:
the administrator admin accesses the authorization management module through the browser to create a common user, authorizes the application login account guest established in step S1 to the common user, and establishes a mapping authorization relationship between the person and the application resource; the common user does not actually hold the application password of the application login account guest;
step S4: an application is selected to trigger access, and the server parses the access:
a common user logs in to the access gateway module gateway.domain.com through a browser and obtains the list of applications accessible to the user, which here is the application name app authorized in step S3; the common user clicks a login button to access the application release link address gateway.domain.com/app/; the common user browser waits for the return of the access gateway module;
after receiving the request to access the resource gateway.domain.com/app/, the access gateway module parses the application name as app and the source user information as user, and transmits the parsed information to the authentication module;
step S6 judges access authentication:
the authentication module receives the parsed information app and user transmitted by the access gateway module, checks with the authorization management module whether the user is authorized, and verifies against the authorization information established in step S3:
if the check fails, an unauthorized response is returned and execution does not continue;
if the check succeeds, a one-time authentication password token is generated, created and recorded, and transmitted to the authentication agent module, which the authentication module waits for to finish;
step S7: simulating the login, filling in the identity information and the secondary verification information on the user's behalf, and recording the identity identifier obtained by the simulated login:
step S71: the authentication agent module receives the request of the authentication module and, through the one-time authentication password token, obtains the recorded context state: application name app, application user name guest, application password 123456, application Template, and so on;
step S72: a headless browser task is newly established, and a real application address www.app.com/login is accessed;
the headless browser task specifically includes: a web browser without a Graphical User Interface (GUI), typically controlled by a programming or command line;
step S73: waiting for a certain loading time according to the process described by the Template, and checking whether the confirmation element < loaded > exists after the page is loaded; filling the application user name guest and application password 123456 into the positions of < username > and < password > in the DOM tree;
if the Template contains short message, OTP or other two-factor authentication, the Template also contains the graphic verification code; a short message acquisition request is triggered, the verification code picture is acquired and cached, a response is returned to the common user browser, and execution returns to step S741;
if the application Template can directly complete submission and authentication on the actual application page, proceed to step S742;
step S741: the common user browser displays the verification code picture cache, and the common user identifies and fills in the correct picture verification code;
filling the obtained short message verification code or OTP verification code in a common user browser;
the verification code identification step can be carried out multiple times according to the description of the Template and the interaction process of the simulated login authentication; it can be inserted into the process of submitting authentication so that the authentication-related information is submitted again; steps S6, S71, S72 and S73 are repeatedly executed to query authentication information such as < message >, < onetimepassword > and < captcha > in the DOM tree, and execution continues to step S742 after the authentication information is filled in;
step S742: the headless browser controls to submit complete authentication information on a real application page to wait for the completion of application response;
after the application returns, judging the result < status > according to the Template;
if the authentication fails, returning a failure state and an intermediate reason to the authentication agent module, and finally synchronizing the state to a common user browser through the access gateway module;
if the login succeeds, the real_cookie and other identity identification information are acquired and recorded according to the application Template, a success state is returned to the authentication agent module, and a 302 application page jump address containing the one-time authentication password token is generated, of the form HTTP 302 app.domain.com/login/token; the jump content is returned to the common user browser; the logincheck path under the one-time authentication password token ensures that no path conflict with the real application occurs in the release management module;
step S8: setting the user-to-server identity identifier under the application's second-level domain name address, and applying the second-level domain name address to the path proxy of the real application;
the common user browser follows the HTTP 302 app.domain.com/login/token redirect and accesses the access gateway module again;
the access gateway module parses the secondary domain name app in the request address and, through the specified particular path logincheck, points to the authentication module again;
the authentication module checks the correctness of the recorded token and the identity of the common user, determines control factors such as the effective access time and the number of accesses, and generates an agent_cookie which it sets for app.domain.com;
a one-to-one mapping relation is created between the agent_cookie and the real_cookie generated by application authentication;
if this fails, a failure state and an intermediate reason are returned to the common user browser through the access gateway module to synchronize the state;
if it succeeds, a 302 application page jump address pointing to the correct post-login address of the application is generated through the access gateway module, namely HTTP 302 app.domain.com/index, and the jump content is returned to the common user browser;
the common user browser follows the jump request of step 10 and sends it to the access gateway module, and the access gateway module parses the secondary domain name and forwards the request to the protocol agent module path;
the original application address www.app.com/index/ corresponds to the post-proxy address app.domain.com/index/; the second-level domain name address of the proxied application keeps a path consistent with that of the application;
step S9: identity conversion between the front end and the back end of the application protocol agent, and proxy forwarding of the application protocol content;
the protocol agent module acquires the agent_cookie record for app.domain.com in the request, queries the real_cookie generated by the application after authentication and substitutes it, sets the other identity identification information, forwards the request to the real application address, waits for the application response, converts the cookie reply in the same way before returning it to the common user browser, and so completes the proxy process for an HTTP application.
Example 6:
this embodiment is another description of the present invention, as shown in fig. 1 to fig. 3, and specifically includes the following steps:
1. an administrator accesses the release management module through a browser and adds a web application abbreviated name, a corresponding authentication login link address and a login account (a group of user names and passwords); generating a secondary domain name corresponding to the root domain name based on the access gateway;
2. the administrator starts a browser through the authentication learning module to access the added web application authentication login link address, interactively inputs the user name and password, performs short message, OTP or other two-factor authentication, and clicks the login button to complete the whole login process; the authentication learning module determines the confirmation element of page loading completion from the page DOM tree, finds and identifies the DOM of the user name and password boxes in the DOM tree, checks whether two-factor authentication is needed and identifies its DOM position in the same way as the user name and password boxes, checks whether verification code identification is needed and extracts the verification code picture position DOM and the address identification mode; it confirms the order in which boxes are filled and buttons clicked, and for complex or multi-step pages records the changes on a time basis; after login succeeds, it identifies the DOM element used to tell whether the login succeeded or failed and extracts the other necessary identity identification items besides the browser cookie; it then generates template information describing the page authentication login process, and the generated template is loaded and bound to the application added by the release management module.
This step is not at the heart of this patent, and similar implementations exist in a large number of crawler engines.
3. Authorizing the established application account to a common user through an authorization management module, establishing a mapping relation between a person and resources, wherein the common user does not hold real application login account information;
4. a common user first logs in to the access gateway module through a browser; the access gateway holds the root domain name resolution in DNS, and the common user does not directly access the authentication login page of the application; the user acquires the list of accessible applications and selects one application-associated account to initiate an application access request to the application release link address, which is the path of the application name under the access gateway domain name; the user browser waits for the return of the access gateway;
5. after receiving the application access request, the access gateway module analyzes the application name and the source common user information and transmits the analyzed information to the authentication module;
6. the authentication module receives the parsed information transmitted by the access gateway module and checks with the authorization management module whether the user is authorized;
if the check fails, an unauthorized response is returned and execution does not continue; if the check succeeds, a one-time authentication password is generated and temporarily recorded, transmitted to the authentication agent module, and the authentication module waits for the authentication agent module to complete;
7. the authentication agent module receives the request of the authentication module and, through the one-time authentication password, obtains from the real-time record context states such as the application name, application login information and application template information; a headless browser task is newly created to access the real application link address, and the real application user name, password, short message OTP and other two-factor authentication information are filled in, in the time and position order given by the application template description; if the verification code requires secondary verification, the verification code picture cache is obtained and a response stream is returned to the common user browser, and the submission step is repeated after the common user identifies and fills in the correct verification code information; the verification code identification step can be inserted at any point before the authentication is submitted, as determined by the template description process;
finally, the headless browser controls to submit the authentication on the actual application page; completing login, acquiring and recording cookie and other identity identification information;
8. returning 302 an application page jump address through the access gateway module, wherein the address comprises a one-time authentication password and a specific check path, and ensuring that the specific check path does not conflict with the application self in the release management module;
9. the common user browser follows the 302 application page jump address request and automatically accesses the access gateway module again; the access gateway module parses the secondary domain name app and the specific check path and points to the authentication module again; the authentication module checks the correctness of the token and the identity of the common user, the effective access time and the number of accesses, generates and sets a user-side cookie in the response, and records the correspondence between that cookie and the cookie generated by the application authentication;
10. and the ordinary user browser accesses the second-level domain name address after the application is proxied, and the path is consistent with the application. Sending an access request of a common user browser to an access gateway module, analyzing that the secondary domain name app does not contain a special path by the access gateway module, and turning the request to a protocol agent module path;
11. the protocol agent module acquires cookie records of the user side in the request, inquires the cookies generated by the authentication of the application for replacement, sets other identity identification information, forwards the request to the original application address, and converts cookie reply responses to the common user browser in the same way after the application responds.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
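The token-to-cookie handling of steps S6, S8 and S9 (and items 6 to 11 of Example 6) as an added, self-contained illustration; this is not code from the patent or its applicant. It keeps the embodiment's names (gateway root domain.com, app.domain.com, logincheck, agent_cookie, real_cookie) but the token TTL, the access limit, the cookie attributes and the exact redirect path shape are assumptions.

```python
import secrets
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional

# Names follow the embodiment; TTL, access limit and cookie names are assumptions.
GATEWAY_DOMAIN = "domain.com"
LOGINCHECK_PATH = "logincheck"   # reserved check path, must not collide with application paths
AGENT_COOKIE = "agent_cookie"    # user-side cookie the gateway sets for app.domain.com
REAL_COOKIE = "real_cookie"      # cookie name the real application issues (assumed)


@dataclass
class TokenRecord:
    app: str
    user: str
    issued_at: float
    real_cookie: Optional[str] = None   # recorded by the authentication agent in step S742
    consumed: bool = False              # a one-time password is accepted exactly once


class AuthenticationModule:
    """One-time authentication password (S6), logincheck (S83) and cookie mapping (S9)."""

    def __init__(self, token_ttl: float = 60.0, max_accesses: int = 100):
        self.token_ttl = token_ttl
        self.max_accesses = max_accesses
        self.tokens: dict[str, TokenRecord] = {}
        self.agent_to_real: dict[str, str] = {}   # kept strictly one-to-one
        self.real_to_agent: dict[str, str] = {}
        self.accesses_left: dict[str, int] = {}

    # Step S6: authorization check, then issue a one-time authentication password.
    # Only the token travels to the agent; the vaulted credentials never leave the table.
    def issue_token(self, app: str, user: str, grants: set, now: float) -> Optional[str]:
        if (user, app) not in grants:
            return None                         # unauthorized: execution does not continue
        token = secrets.token_urlsafe(32)
        self.tokens[token] = TokenRecord(app, user, now)
        return token

    # Step S742: the agent reports the real application's cookie; the gateway answers the
    # user with a 302 to the logincheck path under the token.
    def agent_login_done(self, token: str, real_cookie: str) -> Optional[str]:
        rec = self.tokens.get(token)
        if rec is None:
            return None
        rec.real_cookie = real_cookie
        return f"https://{rec.app}.{GATEWAY_DOMAIN}/{LOGINCHECK_PATH}/{token}"

    # Step S83: validate the token exactly once, set agent_cookie, map it 1:1 to real_cookie.
    def logincheck(self, app: str, token: str, now: float):
        rec = self.tokens.get(token)
        if rec is None or rec.consumed or rec.app != app or rec.real_cookie is None:
            return None, "invalid or already used token"
        if now - rec.issued_at > self.token_ttl:
            return None, "token expired"
        if rec.real_cookie in self.real_to_agent:
            return None, "real cookie already mapped"   # mapping must stay one-to-one
        rec.consumed = True
        agent = secrets.token_urlsafe(32)
        self.agent_to_real[agent] = rec.real_cookie
        self.real_to_agent[rec.real_cookie] = agent
        self.accesses_left[agent] = self.max_accesses
        set_cookie = (f"{AGENT_COOKIE}={agent}; Domain={app}.{GATEWAY_DOMAIN}; "
                      f"Path=/; Secure; HttpOnly")
        return f"https://{app}.{GATEWAY_DOMAIN}/index", set_cookie

    # Step S9, request side: swap the user-side cookie for the real application cookie.
    # Returns the Cookie header to forward upstream, or None when the request must be refused.
    def rewrite_request_cookie(self, cookie_header: str) -> Optional[str]:
        jar = SimpleCookie()
        jar.load(cookie_header)
        morsel = jar.get(AGENT_COOKIE)
        if morsel is None or morsel.value not in self.agent_to_real:
            return None
        if self.accesses_left[morsel.value] <= 0:
            return None                         # access count exhausted
        self.accesses_left[morsel.value] -= 1
        return f"{REAL_COOKIE}={self.agent_to_real[morsel.value]}"

    # Step S9, response side: the real cookie must never reach the user's browser.
    def rewrite_response_set_cookie(self, set_cookie: str, app: str) -> str:
        jar = SimpleCookie()
        jar.load(set_cookie)
        morsel = jar.get(REAL_COOKIE)
        if morsel is None or morsel.value not in self.real_to_agent:
            return set_cookie
        agent = self.real_to_agent[morsel.value]
        return f"{AGENT_COOKIE}={agent}; Domain={app}.{GATEWAY_DOMAIN}; Path=/; Secure; HttpOnly"
```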
The above description is only a preferred embodiment of the present invention, and is not intended to limit the present invention in any way, and all simple modifications and equivalent variations of the above embodiments according to the technical spirit of the present invention are included in the scope of the present invention.

Claims (6)

1. A method for managing WEB application centralized release authority is characterized in that:
carrying out flow forwarding on a plurality of WEB application access addresses in a secondary domain name mode;
the method comprises the steps of storing a plurality of WEB application authentication information in a centralized manner, and managing the relationship between the authentication information and a user;
filling the application authentication user name and password into the HTML of a plurality of applications on the user's behalf, and substituting the identity-recognition cookies;
the cookie identity of the user side and the application side is replaced by the HTTP proxy, and the protocol data is forwarded;
the method specifically comprises the following steps:
step S1: adding application information and providing a release address;
step S11: the browser sets the root address of the access gateway module, accesses the release management module and adds a piece of web application release information; the web application release information comprises an application name, an application authentication address, an application user name and an application password;
step S12: the release management module establishes a one-to-one mapping relation between the application authentication address and the application release link address, and the application username and the application password form an application account;
step S2: simulating a login process to construct a flow template;
step S3: authorizing a web application to be accessed;
step S4: an application is selected to trigger access, and the server parses the access;
step S41, the common user logs in the access gateway module root address through the browser to obtain an access user application list, wherein the obtained access user application list is the authorized application name in step S3;
step S42: a common user clicks a login button to access an application release link address; the common user browser waits for the return of the access gateway module;
step S43: after receiving an application access request for an application release link address, the access gateway module parses the application name and the source user information and transmits them to the authentication module;
step S6: judging access authentication; after receiving the parsed information transmitted by the access gateway module, the authentication module checks with the authorization management module whether the user is authorized, verifying against the authorization information established in step S3:
if the check fails, an unauthorized response is returned and execution does not continue;
if the check succeeds, a one-time authentication password is generated, created and recorded, transmitted to the authentication agent module, and the authentication module waits for the authentication agent module to finish the simulated login and acquire the login information of the real application server;
step S7: simulating the login, filling in the identity information and the secondary verification information on the user's behalf, and recording the identity identifier obtained by the simulated login;
step S8: setting the identity mark from the user to the server by applying the second-level domain name address, and applying the second-level domain name address to a path agent of real application;
step S9: the identity conversion of the front end and the back end of the application protocol agent and the transmission of the application protocol content agent.
2. The method for managing the centralized release authority of the WEB application according to claim 1, wherein: the step S2 specifically includes the following steps:
step S21: the administrator starts a browser to access the application authentication address through the authentication learning module;
step S22: the authentication learning module judges a confirmation element of the completion of page loading from a page DOM tree; the authentication learning module selects frame positions of a user name, a password, a short message password and an OTP password in a DOM tree of a page in an interactive process and inputs verification test information;
step S23: the authentication learning module sets a verification code picture or a verification region DOM (captcha); the authentication learning module sets a login submission button DOM < submit >;
step S24: after login succeeds, identifying whether the DOM < status > corresponding to the login is successful or failed; and generating template information describing the page authentication login process by using the information and the time waiting interval.
3. The method for managing the centralized release authority of the WEB application according to claim 2, wherein: the step S3 specifically includes: the administrator accesses the authorization management module through the browser and creates a common user, authorizes the application account established in the step S1 to the common user, establishes a mapping authorization relationship between the person and the application resource, and the common user does not really hold the application password of the application login account.
4. The method for managing the centralized release authority of the WEB application according to claim 3, wherein: the step S7 specifically includes:
step S71: the authentication agent module receives the request of the authentication module, and obtains the context state in the record through the one-time authentication password; the context state comprises an application name, an application user name, an application password and an application template;
step S72: the authentication agent module creates a headless browser task to access a real application authentication address;
step S73: waiting for loading time according to the description process of the application template in the context state, and checking whether a confirmation element exists after the page is loaded; filling an application user name and an application password into a corresponding position in a page DOM tree according to the description of the application template in the context state;
if the application template comprises the short message password and the OTP password, two-factor authentication is performed: a short message password acquisition request is triggered, the graphic verification code is acquired and a cached picture is generated, a response is returned to the common user browser, and execution proceeds to step S741;
if the application template can directly complete submission and authentication on the actual application page, proceed to step S742;
step S741: the common user browser displays the verification code picture cache, and the common user identifies and fills in the correct picture verification code;
filling the obtained short message verification code or OTP verification code in a common user browser;
the verification code identification step can be carried out multiple times according to the description of the application template during the simulated login authentication interaction; it can be inserted into the process of submitting authentication so that the authentication-related information is submitted again; steps S6, S71, S72 and S73 are repeatedly executed to query the short message password, OTP password and region DOM in the page DOM tree, and execution continues to step S742 after they are filled in;
step S742: the headless browser controls to submit complete authentication information on a real application page to wait for the completion of application response; judging the result according to the application template after the application returns;
if the authentication fails, returning a failure state and an intermediate reason to the authentication agent module, and finally synchronizing the state to a common user browser through the access gateway module;
if the login succeeds, the real application's real_cookie and other identity identification information are acquired and recorded according to the application template, a success state is returned to the authentication agent module, a 302 application page jump address containing the one-time authentication password is generated through the access gateway module, and the jump content is returned to the common user browser; the logincheck path under the one-time authentication password ensures that no path conflict arises between the logincheck path and the real application in the release management module.
5. The method for managing the centralized release authority of the WEB application according to claim 4, wherein: the step S8 specifically includes:
step S81: the common user browser responds to the request of the one-time authentication password and accesses the access gateway module again;
step S82: the access gateway module analyzes the second-level domain name in the request address and the logincheck path under the one-time authentication password and points to the authentication module again;
step S83: the authentication module checks the correctness of the recorded token and the identity of the common user, determines the effective access time and the access times, generates the setting and sets the cookie corresponding to the user side in the response;
judging the mapping relation between the cookie on the user side and the cookie generated by the application authentication; judging whether the mapping relation is one-to-one;
if not, returning a failure state and an intermediate reason to the ordinary user browser through the access gateway module to synchronize the state;
if so, generating 302 an application page jump address pointing to the correct address after application login through the access gateway module, and returning jump content to a common user browser;
step S84: the access request of the common user browser is sent to the access gateway module, and the access gateway module analyzes the secondary domain name and turns the request to a protocol agent module path; the ordinary user browser accesses the second-level domain name address after the application is proxied, and the path is consistent with the application; the secondary domain name does not contain a special path.
6. The method for managing the centralized release authority of the WEB application according to claim 5, wherein: the step S9 specifically includes: the protocol agent module acquires cookie records of the user side, inquires cookies generated by the application through authentication for replacement, sets identity identification information, forwards the request to a real application address, converts cookie reply responses to a common user browser in the same mode after application response is waited, and completes the agent process of the application of the HTTP protocol.
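Steps S742, S8 and S9 above come down to three checks: a one-time password under the dedicated logincheck path with a validity window and a use count, a one-to-one mapping between the user-side cookie and the application's real_cookie, and cookie substitution by the protocol agent. The following Python sketch is an added example, not the patent's or the assignee's code; the class, method names and the in-memory tables are assumptions.

```python
import secrets
import time

LOGINCHECK = "/logincheck/"   # dedicated path so tokens never collide with real application paths


class AuthModule:
    """One-time login tokens plus the user-side cookie <-> application cookie mapping.
    Added example with assumed names; not the patent's own implementation."""

    def __init__(self, ttl_seconds=60, max_uses=1):
        self.ttl, self.max_uses = ttl_seconds, max_uses
        self.tokens = {}       # otp -> [user_id, app_cookie, expires_at, uses_left]
        self.user_to_app = {}  # user-side cookie -> real application cookie
        self.app_to_user = {}  # reverse index used for the one-to-one check

    def issue(self, user_id, app_cookie, now=None):
        """Step S742: record real_cookie and return the 302 target carrying the one-time password."""
        now = time.time() if now is None else now
        otp = secrets.token_urlsafe(32)
        self.tokens[otp] = [user_id, app_cookie, now + self.ttl, self.max_uses]
        return LOGINCHECK + otp

    def redeem(self, path, user_id, now=None):
        """Step S83: check token and user, enforce validity window and use count,
        then bind a fresh user-side cookie only if the mapping stays one-to-one."""
        now = time.time() if now is None else now
        if not path.startswith(LOGINCHECK):
            return None, "not a logincheck path"
        rec = self.tokens.get(path[len(LOGINCHECK):])
        if rec is None or rec[0] != user_id:
            return None, "unknown token or user mismatch"
        if now > rec[2]:
            return None, "token expired"
        if rec[3] <= 0:
            return None, "token use count exhausted"
        rec[3] -= 1
        app_cookie = rec[1]
        if app_cookie in self.app_to_user:  # application session already bound to another user cookie
            return None, "mapping is not one-to-one"
        user_cookie = secrets.token_urlsafe(32)
        self.user_to_app[user_cookie] = app_cookie
        self.app_to_user[app_cookie] = user_cookie
        return user_cookie, "ok"

    def proxy_cookie(self, user_cookie):
        """Step S9: the protocol agent swaps the user-side cookie for the application's real
        cookie before forwarding; an unknown user-side cookie is never forwarded."""
        return self.user_to_app.get(user_cookie)
```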
CN202010338875.8A 2020-04-26 2020-04-26 System and method for managing WEB application centralized release authority Active CN111510461B (en)

Publications (2)

Publication Number Publication Date
CN111510461A (en) 2020-08-07
CN111510461B (en) 2022-02-22


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant