CN112765583A - Single sign-on method, device, equipment and medium - Google Patents


Info

Publication number: CN112765583A
Authority: CN (China)
Prior art keywords: target, browser, jwt, cas, session
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202110112602.6A
Other languages: Chinese (zh)
Inventors: 陈善德, 邓剑锋, 盛国军, 吕大鹏
Current assignees (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list): Haier Digital Technology Qingdao Co Ltd; Haier Caos IoT Ecological Technology Co Ltd; Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Original assignees: Haier Digital Technology Qingdao Co Ltd; Haier Caos IoT Ecological Technology Co Ltd; Qingdao Haier Industrial Intelligence Research Institute Co Ltd
Application filed by Haier Digital Technology Qingdao Co Ltd, Haier Caos IoT Ecological Technology Co Ltd and Qingdao Haier Industrial Intelligence Research Institute Co Ltd; priority to CN202110112602.6A (the priority date is an assumption and is not a legal conclusion).

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/41 User authentication where a single sign-on provides access to a plurality of computers
    • G06F 21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F 21/107 License processing; Key processing
    • G06F 21/1078 Logging; Metering


Abstract

The embodiment of the invention discloses a single sign-on method, a single sign-on device, single sign-on equipment and a single sign-on medium. The single sign-on method comprises the following steps: responding to a login authentication request initiated by a target website for a target browser, and acquiring the login state of the target browser in the CAS; if the target browser is in the non-login state in the CAS, returning a login page to the target browser, and performing identity authentication on the target login information fed back by the target browser for the login page; if the identity authentication is passed, establishing a target session for the target browser, generating a JWT (JSON Web Token) containing the target login information, and setting the JWT into the target session; and generating a target cookie corresponding to the target session, and feeding back a redirection instruction containing the target cookie to the target browser. According to the technical scheme of the embodiment of the invention, the login state of the browser in each system is uniformly controlled at the CAS by reading the cookie of the browser, so that access efficiency is improved.

Description

Single sign-on method, device, equipment and medium
Technical Field
Embodiments of the present invention relate to computer technologies, and in particular, to a method, an apparatus, a device, and a medium for single sign-on.
Background
Single Sign On (SSO) means that a user can freely switch among multiple applications only by logging in once, and does not need to repeatedly input a user name and a password to confirm the identity.
In the single sign-on schemes of the prior art, the sign-on states are controlled separately by each service system and are not centralized. On the one hand this makes integrating the service systems difficult; on the other hand, separately controlled sign-on states easily lead to account cross-talk (a browser being served another user's login state) and to inconsistent sign-on states.
Disclosure of Invention
Embodiments of the present invention provide a single sign-on method, apparatus, device, and medium in which a CAS, by reading a cookie of a browser, uniformly controls the sign-on state of the browser in each system; this improves access efficiency and avoids account cross-talk and inconsistent sign-on states.
In a first aspect, an embodiment of the present invention provides a single sign-on method, where the method is applied to a CAS, and includes:
responding to a login authentication request initiated by a target website for a target browser, and acquiring the login state of the target browser in a CAS (Central Authentication Service);
if the target browser is not logged in the CAS, returning a login page to the target browser, and performing identity verification on target login information fed back by the target browser aiming at the login page;
if the identity authentication is passed, establishing a target session for the target browser, generating a JWT (JSON Web Token) containing the target login information, and setting the JWT into the target session;
and generating a target cookie corresponding to the target session, and feeding back a redirection indication containing the target cookie to the target browser, wherein the target cookie contains the identification of the target session and JWT.
In a second aspect, an embodiment of the present invention provides a single sign-on method, where the method is applied to a target website, and includes:
initiating a login authentication request to the CAS in response to an access request initiated by the target browser;
receiving an access request which is initiated by a target browser and contains a JWT (JSON Web Token), and judging whether the JWT corresponding to the target browser is stored or not;
if the JWT corresponding to the target browser is not stored, judging whether the received JWT is valid; and if so, establishing a session aiming at the target browser, generating a cookie corresponding to the session, setting the JWT in the cookie, and sending a redirection instruction to the browser.
In a third aspect, an embodiment of the present invention provides a single sign-on apparatus, where the apparatus includes:
a login state acquisition module, configured to respond to a login authentication request initiated by a target website for a target browser and acquire the login state of the target browser in the CAS (Central Authentication Service);
the identity authentication module is used for returning a login page to the target browser and authenticating the identity of target login information fed back by the target browser aiming at the login page if the target browser is in a non-login state in the CAS;
a target session generation module, configured to establish a target session for the target browser if the identity authentication is passed, generate a JWT including the target login information, and set the JWT in the target session;
and a redirection instruction sending module, configured to generate a target cookie corresponding to the target session, and feed back a redirection instruction including the target cookie to the target browser, where the target cookie includes an identifier of the target session and JWT.
In a fourth aspect, an embodiment of the present invention provides a single sign-on apparatus, where the apparatus includes:
the authentication request initiating module is used for responding to an access request initiated by a target browser and initiating a login authentication request to the CAS;
an access request receiving module, configured to receive an access request including a JWT initiated by a target browser, and determine whether a JWT corresponding to the target browser is stored;
a session establishing module, configured to determine whether a received JWT is valid if the JWT corresponding to the target browser is not stored, and if so, establish a session for the target browser, generate a cookie corresponding to the session, set the JWT in the cookie, and send a redirection instruction to the browser.
In a fifth aspect, an embodiment of the present invention provides an electronic device, including one or more processors; a storage device, configured to store one or more programs, which when executed by the one or more processors, cause the one or more processors to implement the single sign-on method provided by any embodiment of the present invention.
In a sixth aspect, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the single sign-on method provided in any embodiment of the present invention.
The technical scheme of the embodiment of the invention is as follows: a CAS responds to a login authentication request initiated by a target website for a target browser and acquires the login state of the target browser in the CAS; when the target browser is in an unregistered state in the CAS, a login page is returned to the target browser and identity verification is carried out on the target login information fed back by the target browser; if the target login information passes the identity verification, a target session for the target browser is established, a JWT containing the target login information is generated and set in the target session, a target cookie corresponding to the target session is generated, and a redirection instruction containing the target cookie is fed back to the target browser. In this way the login state of each mutually trusted target website is uniformly controlled and the cost of uniform access is reduced; and because the cookie containing the JWT is fed back to the target browser, the target website acquires and caches the JWT corresponding to the current target browser, which avoids account cross-talk.
Drawings
Fig. 1 is a flowchart of a single sign-on method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of a single sign-on method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of a single sign-on method according to a third embodiment of the present invention;
Fig. 4a is a flowchart illustrating a first visit to a target website according to a fourth embodiment of the present invention;
Fig. 4b is a flowchart illustrating a second access to the target website after login according to a fourth embodiment of the present invention;
Fig. 4c is a flowchart according to a fourth embodiment of the present invention, in which website A, which mutually trusts the logged-in target website, is visited for the first time;
Fig. 4d is a flowchart illustrating logout at the target website or website A according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a single sign-on apparatus according to a fifth embodiment of the present invention;
Fig. 6 is a schematic structural diagram of a single sign-on apparatus according to a sixth embodiment of the present invention;
Fig. 7 is a schematic structural diagram of an electronic device in a seventh embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Example one
Fig. 1 is a flowchart of a single sign-on method in an embodiment of the present invention, where the technical solution of this embodiment is suitable for uniformly managing and controlling the sign-on state of each target website through a CAS, and the method may be executed by a single sign-on device, and the single sign-on device may be implemented by software and/or hardware, and may be integrated in various general-purpose computer devices, and the single sign-on method specifically includes the following steps:
step 110, in response to a login authentication request initiated by the target website for the target browser, acquiring a login state of the target browser in the CAS.
The Central Authentication Service (CAS) is a solution for single sign-on, and is divided into a Server (CAS Server) and a Client (CAS Client), where the Server needs to be deployed independently and is responsible for performing identity Authentication on a user, and the Client is responsible for processing an access request to a protected resource of the Client and redirecting to the Server when login is needed.
In this embodiment, when a user inputs a website address of a target website in a target browser and accesses the target website, the target website may initiate a login authentication request to a CAS for the target browser that currently initiates the access request, so that the CAS authenticates whether the target browser logs in the CAS, specifically, after receiving the login authentication request initiated by the target website for the target browser, the CAS may determine whether the target browser is in a login state in the CAS according to the access request initiated by the target browser to the target website.
Illustratively, the CAS acquires a cookie carried by the target browser when accessing the target website, reads a session identifier included in the cookie, and determines that the target browser is in a login state in the CAS if the read session identifier corresponds to a session established in the CAS, or else, determines that the target browser is in an unregistered state. The target website may be one of applications in an enterprise, for example, an enterprise H includes an application a, an application B, and an application C, the target website may be the application a, the single sign-on is that after the application a logs in, the user does not need to input a user name and a password again to perform identity authentication when accessing the application B or the application C, and similarly, after the user logs out of the application a, the user also logs out correspondingly in the application B and the application C, and does not need to log out of a login account one by one in each application.
And step 120, if the target browser is not logged in the CAS, returning a login page to the target browser, and performing identity verification on target login information fed back by the target browser aiming at the login page.
In this embodiment, if the CAS determines that the target browser is in the non-login state in the CAS, the CAS returns a login page to the target browser, so that the user inputs a user name and a password for the login page and submits the user name and the password to the CAS, and after obtaining the user name and the password input by the user, the CAS performs authentication to determine the validity of the user.
For example, a user name that is the same as a user name input by a user may be searched for in user names stored in the CAS, if not, a registration page may be returned to the target browser, if so, a password corresponding to the user name stored in the CAS is further compared with a password input by the user, and if consistent, it is determined that the current target browser is in a login state in the CAS, otherwise, it is in an unregistered state.
Optionally, the target login information includes a user name and a password;
the identity verification of the target login information fed back by the target browser aiming at the login page comprises the following steps:
comparing the user name and the password fed back by the target browser with at least one item of matching pairs containing the user name and the password in the registration information list one by one;
and if the user name and the password fed back by the target browser are matched with the matching pairs in the registration list, passing the identity authentication.
In this optional embodiment, the target login information fed back by the target browser includes a user name and a password, specifically, the user name and the password fed back by the target browser may be matched with at least one item in the registration information list, if they are consistent, the identity authentication is passed, otherwise, the authentication is not passed. The CAS includes a plurality of matching pairs, each matching pair includes a user name and a corresponding password, and the matching pairs may be stored when the user performs account registration.
Step 130, if the identity authentication is passed, establishing a target session for the target browser, generating a JWT containing target login information, and setting the JWT into the target session.
In this embodiment, after the user name and password fed back by the target browser pass the authentication, the CAS establishes a target session (Session) corresponding to the target browser; the target session has a unique session ID, and the CAS generates a JWT (JSON Web Token) and puts the JWT into the target session.
The JWT is similar to a token and is usually stored on the server; the user information is encrypted in the JWT so that the server can identify the user from the identity information carried when the user accesses the server. The JWT contains a header naming the algorithm used by the JWT, a payload containing user information such as the user name and password, and a validity period that identifies the time until which the JWT is valid, e.g. 13:37:15 on 20 January 2021, meaning that the current JWT is valid before that point in time.
Step 140, generating a target cookie corresponding to the target session, and feeding back a redirection indication containing the target cookie to the target browser, wherein the target cookie contains the identifier of the target session and the JWT.
In this embodiment, after the target session corresponding to the target browser is generated, a target cookie corresponding to the target session is further set in the target browser, and a JWT is issued for the target website, where the target cookie includes an identifier of the target session and the JWT. Finally, a redirection instruction is sent to the target browser, the JWT is used as a parameter of a target website corresponding to the target website to be transmitted, and specifically, the redirection instruction containing a target cookie is sent to the target browser, wherein the target cookie contains the JWT.
The technical scheme of the embodiment of the invention is as follows: a CAS responds to a login authentication request initiated by a target website for a target browser and acquires the login state of the target browser in the CAS; when the target browser is in an unregistered state in the CAS, a login page is returned to the target browser and identity verification is carried out on the target login information fed back by the target browser; if the target login information passes the identity verification, a target session for the target browser is established, a JWT containing the target login information is generated and set in the target session, a target cookie corresponding to the target session is generated, and a redirection instruction containing the target cookie is fed back to the target browser. In this way the login state of each mutually trusted target website is uniformly controlled, the cost of uniform access is reduced, and the problem of cross-domain single sign-on is solved; because the cookie containing the JWT is fed back to the target browser, the target website acquires and caches the JWT corresponding to the current target browser, which avoids account cross-talk.
Example two
Fig. 2 is a flowchart of a single sign-on method in the second embodiment of the present invention, which is further detailed based on the above embodiments and provides specific steps of acquiring a login state of a target browser in a CAS and performing authentication on target login information fed back by the target browser to a login page. A single sign-on method provided by the second embodiment of the present invention is described below with reference to fig. 2, which includes the following steps:
step 210, responding to a login authentication request initiated by the target website for the target browser, acquiring a cookie carried by the target browser when the target browser accesses the target website, and extracting a session identifier contained in the cookie.
In this embodiment, after receiving a login authentication request for a target browser initiated by a target website, the CAS acquires the cookie carried by the target browser when accessing the target website and extracts the session identifier included in the cookie, so as to determine from the session identifier whether the target browser is in a login state in the CAS. When the CAS judges the login state of the target browser, it can also traverse the cookie locations of different browsers to share the user's login state across browsers, thereby realizing cross-browser single sign-on.
Step 220, when the session identifier corresponds to the session identifier of the session established in the CAS, it is determined that the target browser is in a login state in the CAS, otherwise, the target browser is in an unregistered state in the CAS.
When a target browser logs in the CAS, the CAS establishes a session corresponding to the target browser, the session is uniquely corresponding to the target browser, meanwhile, the CAS also generates a cookie containing the identification of the session and returns the cookie to the target browser, the cookie is carried by the browser when the browser visits the target website next time, and the CAS can judge the login state of the target browser in the CAS by analyzing the cookie carried by the target browser.
In this embodiment, after the CAS extracts the session identifier included in the cookie, it may be determined whether a session corresponding to the session identifier is currently established, and if so, it is determined that the target browser is in a login state in the CAS, otherwise, the target browser is in an unregistered state in the CAS. Specifically, after extracting the session identifier included in the cookie carried by the target browser, traversing the sessions established in the CAS, and searching whether a session corresponding to the session identifier exists in at least one established session, if so, the target browser is in a login state in the CAS, otherwise, the target browser is in an unregistered state in the CAS.
Step 230, if the target browser is in the login state in the CAS, acquiring the JWT in the cookie carried by the target browser when accessing the target website.
In this embodiment, when the target browser is in the login state in the CAS, the JWT in the cookie carried by the target browser when accessing the target website is directly acquired, so that the target website can feed back the request data to the target browser according to the JWT.
Step 240, feeding back the JWT to the target website, so that the target website establishes a connection with the target browser according to the JWT state.
In this embodiment, after acquiring the JWT in the cookie carried by the target browser when accessing the target website, the CAS feeds the JWT back to the target website, so that the target website can establish a connection with the target browser by verifying the state of the JWT. Specifically, after receiving the JWT, the target website determines whether the JWT is valid by reading the validity of the JWT, and if so, directly sends a redirection instruction to the target browser, so that the target browser continues to initiate an access request to the target website, otherwise, connection with the target browser cannot be established.
Step 250, responding to a logout request initiated by the target website, acquiring the JWT in the cookie carried by the target browser when accessing the target website, and setting the JWT as invalid.
In this embodiment, when the target browser needs to log out of the target website, a logout request is initiated to the target website; after completing the logout of the target browser, the target website further initiates a logout request to the CAS so that the target browser is logged out of the CAS. The CAS responds to the logout request initiated by the target website by first obtaining the JWT in the cookie carried by the target browser when accessing the target website and setting the JWT as invalid.
Step 260, deleting the target session corresponding to the target browser and the cookie corresponding to the target session in the CAS.
In this embodiment, after setting the JWT to be disabled, the target session corresponding to the target browser in the CAS and the cookie corresponding to the target session are deleted, and the target browser is logged off in the CAS.
The technical scheme of the embodiment of the invention is as follows: a CAS responds to a login authentication request initiated by a target website for a target browser, acquires the cookie carried by the target browser when the target browser accesses the target website, and extracts the session identifier contained in the cookie; when the session identifier corresponds to the session identifier of a session established in the CAS, the target browser is determined to be in a login state in the CAS, otherwise it is determined to be in an unregistered state; if the target browser is in the login state in the CAS, the JWT in the cookie carried by the target browser when accessing the target website is acquired and fed back to the target website so that the target website establishes a connection with the target browser according to the state of the JWT; finally, in response to a logout request initiated by the target website, the JWT in the cookie carried by the target browser when accessing the target website is acquired and set as invalid, and the target session corresponding to the target browser in the CAS and the cookie corresponding to the target session are deleted. This reduces the cost of unified access, and feeding the cookie containing the JWT back to the target browser lets the target website acquire and cache the JWT corresponding to the current target browser, so that account cross-talk is avoided.
Example three
Fig. 3 is a flowchart of a single sign-on method in a third embodiment of the present invention, where the technical solution of this embodiment is suitable for uniformly managing and controlling the login status of each target website through a CAS, and the method can be executed by a single sign-on device, and the single sign-on device can be implemented by software and/or hardware and can be integrated in various general-purpose computer devices, and the single sign-on method specifically includes the following steps:
step 310, in response to the access request initiated by the target browser, initiates a login authentication request to the CAS.
In this embodiment, after receiving an access request initiated by a target browser, a target website first needs to initiate a login authentication request to the CAS to determine a login state of the target browser in the CAS. The login authentication request comprises a cookie carried by the target browser when the target browser initiates the access request.
Step 320, receiving the access request containing the JWT initiated by the target browser, and determining whether the JWT corresponding to the target browser is stored.
In this embodiment, when the target browser is in the login state in the CAS, the target browser may initiate an access request to the target website again, where the access request includes a JWT, and the target website first determines whether a JWT corresponding to the target browser is stored, that is, determines whether the target browser logs in the target website.
Step 330, if the JWT corresponding to the target browser is not stored, determining whether the received JWT is valid; if so, establishing a session for the target browser, generating a cookie corresponding to the session, setting the JWT in the cookie, and sending a redirection indication to the browser.
In this embodiment, if the target website does not store the JWT corresponding to the target browser, which indicates that the target browser accesses the target website for the first time, that is, the target browser does not log in the target website, it is further determined whether the received JWT is valid according to the validity period of the JWT, if so, a session for the target browser is established, a cookie corresponding to the session is generated, the JWT is set in the cookie, and a redirection instruction is sent to the browser, so that a connection between the target website and the target browser is established.
Optionally, this embodiment further includes: if the target website stores the JWT corresponding to the target browser, comparing the received JWT with the stored JWT;
when the received JWT is inconsistent with the stored JWT, the received JWT is set in a cookie corresponding to the target browser and a redirection indication is sent to the browser.
In this optional embodiment, if the target website stores the JWT corresponding to the target browser, which indicates that the target browser has visited the target website before and is in a login state in the target website, the received JWT is compared with the stored JWT, and when the received JWT is inconsistent with the stored JWT, the received JWT is set in a cookie corresponding to the target browser, and a redirection instruction is sent to the browser, so as to establish a connection between the target website and the target browser.
According to the technical scheme, a target website initiates a login authentication request to the CAS (Central Authentication Service) in response to an access request initiated by a target browser; after the target browser has logged in to the CAS, the target website receives the access request initiated by the target browser that contains the JWT, judges whether a JWT corresponding to the target browser is stored, and, if not, judges whether the received JWT is valid; if the JWT is valid, it establishes a session for the target browser, generates a cookie corresponding to the session, sets the JWT in the cookie, and sends a redirection instruction to the browser.
Example four
Fig. 4a is a flowchart of a target browser accessing a target website for the first time in the fourth embodiment of the present invention, where the target browser is logged in to neither the CAS nor the target website. The method specifically includes:
S101, a user enters the address of the target website in the target browser and initiates an access request to the target website;
S102, the target website initiates a login authentication request to the CAS (Central Authentication Service) to acquire the login state of the target browser in the CAS;
S103, the CAS determines the login state of the target browser in the CAS;
S104, if the target browser is not logged in to the CAS, a login page is returned to the target browser so that the user can fill in a user name and a password;
S105, the target browser feeds the user name and password entered by the user back to the CAS;
S106, the CAS verifies the user according to the user name and password; if the user is confirmed to be valid, the verification passes and the single sign-on session is established, which specifically includes: establishing a session corresponding to the target browser, generating a JWT, setting the JWT in the session, setting a cookie in the target browser, and finally issuing the JWT for the target website;
S107, the target browser is instructed to redirect to the target website with the JWT passed as a URL parameter, and the target browser has thereby completed login to the CAS;
S108, the target browser initiates an access request containing the JWT to the target website;
S109, the target website verifies the validity of the JWT; if it is valid, a session corresponding to the target browser is established, a cookie corresponding to the session is generated, and the JWT is placed in the cookie;
S110, the target website sends a redirection instruction to the target browser, and the target browser completes login to the target website.
Fig. 4b is a flowchart of the target browser accessing the target website for the second time in the embodiment of the present invention; at this point the target browser is in a logged-in state in both the CAS and the target website. The method specifically includes:
S201, the user enters the address of the target website in the target browser and initiates an access request to the target website;
S202, the target website initiates a login authentication request to the CAS to acquire the login state of the target browser in the CAS;
S203, the CAS determines the login state of the target browser in the CAS; if the target browser is logged in, the JWT is read from the cookie carried by the target browser when it accesses the target website, and the JWT is sent to the target website;
S204, the target website checks whether the JWT sent by the CAS is consistent with its local cache, and if not, the JWT sent by the CAS is set in the cookie;
S205, a redirection instruction is sent to the target browser.
Fig. 4c is a flowchart of the target browser accessing, for the first time and after having accessed the target website, a website A that is mutually trusted with the target website in the embodiment of the present invention, where the target website and website A are different business systems of the same enterprise; at this point the target browser is logged in to the CAS but not yet logged in to website A. The method specifically includes:
S301, the user enters the address of website A in the target browser and initiates an access request to website A;
S302, website A initiates a login authentication request to the CAS to acquire the login state of the target browser in the CAS;
S303, the CAS determines the login state of the target browser in the CAS; if the target browser is logged in, the JWT is read from the cookie carried by the target browser when it accesses website A, and the JWT is sent to website A;
S304, website A verifies whether the JWT sent by the CAS is valid, and if it is, the JWT sent by the CAS is set in a cookie;
S305, a redirection instruction is sent to the target browser, completing the login of the target browser to website A.
Fig. 4d is a flowchart of the target browser logging out at the target website or at website A according to an embodiment of the present invention, where a logout at either the target website or website A achieves a single sign-out of the user. The method includes:
S401, the user initiates a logout request to the target website or to website A;
S402, the target website or website A deletes the session and the cookie corresponding to the target browser;
S403, the target website or website A initiates a logout request to the CAS;
S404, the CAS obtains the JWT from the cookie carried by the target browser when it accessed the target website or website A, sets the JWT as invalid, and deletes the session corresponding to the target browser in the CAS together with the cookie corresponding to that session;
S405, the CAS feeds a redirection instruction back to the target browser, instructing the browser to display the logged-out page.
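As an added example that is not part of the patent or of any product of the applicant, the following Python model walks the four flows of figures 4a-4d end to end, together with the target-website checks of the third embodiment (validity check, cache comparison). It assumes HS256 JWTs over a secret shared between the CAS and the websites, a plain dict standing in for the browser's cookie jar, and constructed user credentials; the patent fixes none of these details.

```python
import base64, hashlib, hmac, json, secrets

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(secret: bytes, claims: dict) -> str:
    """Compact HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(secret: bytes, token: str, revoked: set, now: float):
    """Website-side validity check (S109/S304): signature, validity period, revocation."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), parts[2]):
        return None  # forged or tampered token
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("exp", 0) <= now or token in revoked:
        return None  # validity period over, or set invalid by single sign-out (S404)
    return claims

class CAS:
    """Central Authentication Service: owns the login sessions, issues and revokes JWTs."""
    def __init__(self, secret: bytes, users: dict, ttl: int = 3600):
        self.secret, self.users, self.ttl = secret, users, ttl
        self.sessions = {}  # CAS session id -> JWT set in that session (S106)
        self.revoked = set()  # JWTs set invalid at logout (S404)

    def login_state(self, cookies: dict):
        """S102/S202: the browser is logged in iff its cookie names a live session."""
        return self.sessions.get(cookies.get("cas_sid"))

    def login(self, cookies: dict, username: str, password: str, now: float) -> bool:
        """S105/S106: check the credentials, build the SSO session, set the cookie."""
        stored = self.users.get(username)  # constructed user list, plaintext for brevity
        if stored is None or not hmac.compare_digest(stored, password):
            return False
        sid = secrets.token_hex(16)
        token = sign_jwt(self.secret, {"sub": username, "iat": now, "exp": now + self.ttl})
        self.sessions[sid] = token
        cookies["cas_sid"], cookies["jwt"] = sid, token
        return True

    def logout(self, cookies: dict) -> None:
        """S404: set the JWT invalid, delete the CAS session and its cookie."""
        token = self.sessions.pop(cookies.pop("cas_sid", None), None) or cookies.get("jwt")
        if token:
            self.revoked.add(token)
        cookies.pop("jwt", None)

class Website:
    """A business system trusting the CAS; caches one JWT per browser session."""
    def __init__(self, name: str, cas: CAS):
        self.name, self.cas = name, cas
        self.sessions = {}  # website session id -> cached JWT

    def access(self, cookies: dict, now: float, creds=None) -> str:
        """One browser access; returns 'login_page', 'ok' or 'denied'."""
        token = self.cas.login_state(cookies)
        if token is None:  # S103/S104: not logged in at the CAS
            if creds is None or not self.cas.login(cookies, *creds, now):
                return "login_page"
            token = cookies["jwt"]  # S107: JWT handed over on the redirect
        key = f"{self.name}_sid"
        sid = cookies.get(key)
        if sid not in self.sessions:  # S109/S304: first visit to this website
            if verify_jwt(self.cas.secret, token, self.cas.revoked, now) is None:
                return "denied"
            sid = secrets.token_hex(16)
            self.sessions[sid] = token
            cookies[key] = sid
        elif self.sessions[sid] != token:  # S204: CAS token differs from the cache
            self.sessions[sid] = token
        return "ok"  # S110/S205/S305: redirect, login complete

    def logout(self, cookies: dict) -> None:
        """S402/S403: delete the local session and cookie, then log out at the CAS."""
        self.sessions.pop(cookies.pop(f"{self.name}_sid", None), None)
        self.cas.logout(cookies)

def demo() -> dict:
    """Walks figures 4a-4d with constructed credentials; returns the observed outcomes."""
    cas = CAS(secret=b"constructed-demo-secret", users={"alice": "s3cret"})
    target, site_a = Website("target", cas), Website("site_a", cas)
    jar = {}  # stands in for the browser's cookie jar
    t0 = 1_700_000_000.0
    out = {"first": target.access(jar, t0)}  # fig. 4a: no CAS session, login page
    out["login"] = target.access(jar, t0, creds=("alice", "s3cret"))
    out["second"] = target.access(jar, t0 + 10)  # fig. 4b: JWT matches the cache
    out["site_a"] = site_a.access(jar, t0 + 20)  # fig. 4c: trusted site, no password asked
    target.logout(jar)  # fig. 4d: logout at the target website
    out["after_logout"] = site_a.access(jar, t0 + 30)  # single sign-out reaches site A
    return out
```

The websites consult the CAS on every access, which is what makes the logout at one website effective at the other; a website that trusted only its own cached session would keep serving the revoked JWT.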
According to the technical solution of this embodiment of the invention, the CAS responds to a login authentication request initiated by a target website for a target browser by acquiring the login state of the target browser in the CAS. When the target browser is not logged in to the CAS, a login page is returned to the target browser and identity verification is performed on the target login information fed back by the target browser; if the target login information passes identity verification, a target session for the target browser is established, a JWT containing the target login information is generated and set in the target session, a target cookie corresponding to the target session is generated, and a redirection instruction containing the target cookie is fed back to the target browser. In this way the login state of each mutually trusted target website is controlled uniformly, the cost of integrating the websites is reduced, and, because the cookie containing the JWT is fed back to the target browser so that the target website acquires and caches the JWT corresponding to the current target browser, session cross-over between users is avoided.
Example five
Fig. 5 is a schematic structural diagram of a single sign-on device according to a fifth embodiment of the present invention, where the single sign-on device includes: a login status acquisition module 510, an authentication module 520, a target session generation module 530, and a redirection indication sending module 540.
A login state obtaining module 510, configured to respond to a login authentication request initiated by a target website for a target browser by acquiring the login state of the target browser in the CAS;
an identity authentication module 520, configured to return a login page to the target browser if the target browser is not logged in to the CAS, and to perform identity authentication on the target login information fed back by the target browser for the login page;
a target session generation module 530, configured to establish a target session for the target browser if the identity authentication passes, generate a JWT containing the target login information, and set the JWT in the target session;
a redirection instruction sending module 540, configured to generate a target cookie corresponding to the target session and feed back a redirection instruction containing the target cookie to the target browser, where the target cookie contains the identifier of the target session and the JWT.
According to the technical solution of this embodiment of the invention, the CAS responds to a login authentication request initiated by a target website for a target browser by acquiring the login state of the target browser in the CAS. When the target browser is not logged in to the CAS, a login page is returned to the target browser and identity verification is performed on the target login information fed back by the target browser; if the target login information passes identity verification, a target session for the target browser is established, a JWT containing the target login information is generated and set in the target session, a target cookie corresponding to the target session is generated, and a redirection instruction containing the target cookie is fed back to the target browser. In this way the login state of each mutually trusted target website is controlled uniformly through the CAS, the cost of integrating the websites is reduced, and, because the cookie containing the JWT is fed back to the target browser so that the target website acquires and caches the JWT corresponding to the current target browser, session cross-over between users is avoided.
Optionally, the login state obtaining module 510 includes:
a session identifier obtaining unit, configured to obtain the cookie carried by the target browser when accessing the target website and extract the session identifier contained in the cookie;
a login state determining unit, configured to determine that the target browser is logged in to the CAS if the session identifier corresponds to the session identifier of an established session in the CAS, and otherwise that the target browser is not logged in to the CAS.
Optionally, the target login information includes a user name and a password;
the identity authentication module 520 includes:
a comparison unit, configured to compare the user name and password fed back by the target browser, one by one, with at least one matching pair of user name and password in a registration information list;
an identity authentication unit, configured to pass the identity authentication if the user name and password fed back by the target browser match a matching pair in the registration information list.
Optionally, the single sign-on apparatus further includes:
a JWT obtaining module, configured to obtain, if the target browser is logged in to the CAS, the JWT in the cookie carried by the target browser when accessing the target website;
a connection establishing module, configured to feed the JWT back to the target website, so that the target website establishes a connection with the target browser according to the state of the JWT.
Optionally, the single sign-on apparatus further includes:
an invalidation module, configured to respond to a logout request initiated by the target website by obtaining the JWT in the cookie carried by the target browser when accessing the target website and setting the JWT as invalid;
a deleting module, configured to delete the target session corresponding to the target browser in the CAS and the cookie corresponding to the target session.
The single sign-on device provided by the embodiment of the invention can execute the single sign-on method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example six
Fig. 6 is a schematic structural diagram of a single sign-on device according to a sixth embodiment of the present invention, where the single sign-on device includes: an authentication request initiating module 610, an access request receiving module 620 and a session establishing module 630.
An authentication request initiating module 610, configured to initiate a login authentication request to the CAS in response to an access request initiated by the target browser;
an access request receiving module 620, configured to receive an access request containing a JWT initiated by the target browser, and determine whether a JWT corresponding to the target browser is stored;
a session establishing module 630, configured to determine, if no JWT corresponding to the target browser is stored, whether the received JWT is valid, and if so, establish a session for the target browser, generate a cookie corresponding to the session, set the JWT in the cookie, and send a redirection instruction to the browser.
According to the technical solution of this embodiment of the invention, a target website initiates a login authentication request to the CAS in response to an access request initiated by a target browser, receives the access request containing a JWT that the target browser initiates after logging in to the CAS, determines whether a JWT corresponding to the target browser is stored, and, if none is stored, determines whether the received JWT is valid; if it is valid, the target website establishes a session for the target browser, generates a cookie corresponding to the session, sets the JWT in the cookie, and sends a redirection instruction to the browser.
Optionally, the single sign-on apparatus further includes:
a JWT comparison module, configured to compare the received JWT with the stored JWT if the target website stores a JWT corresponding to the target browser;
an instruction sending module, configured to set the received JWT in the cookie corresponding to the target browser and send a redirection instruction to the browser when the received JWT is inconsistent with the stored JWT.
The single sign-on device provided by the embodiment of the invention can execute the single sign-on method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example seven
Fig. 7 is a schematic structural diagram of an electronic device according to a seventh embodiment of the present invention, as shown in fig. 7, the electronic device includes a processor 70 and a memory 71; the number of processors 70 in the device may be one or more, and one processor 70 is taken as an example in fig. 7; the processor 70 and the memory 71 in the device may be connected by a bus or other means, as exemplified by the bus connection in fig. 7.
The memory 71 serves as a computer-readable storage medium, and can be used for storing software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to a single sign-on method in the embodiments of the present invention (for example, the login status acquiring module 510, the identity verifying module 520, the target session generating module 530, and the redirection indication sending module 540 in the single sign-on apparatus, or the authentication request initiating module 610, the access request receiving module 620, and the session establishing module 630). The processor 70 executes various functional applications and data processing of the device by running software programs, instructions and modules stored in the memory 71, that is, implements the single sign-on method described above.
The method comprises the following steps:
responding to a login authentication request initiated by a target website for a target browser by acquiring the login state of the target browser in the CAS;
if the target browser is not logged in to the CAS, returning a login page to the target browser, and performing identity verification on the target login information fed back by the target browser for the login page;
if the identity verification passes, establishing a target session for the target browser, generating a JWT containing the target login information, and setting the JWT in the target session;
and generating a target cookie corresponding to the target session, and feeding back a redirection instruction containing the target cookie to the target browser, where the target cookie contains the identifier of the target session and the JWT.
Or it comprises the following steps:
initiating a login authentication request to the CAS in response to an access request initiated by the target browser;
receiving an access request containing a JWT initiated by the target browser, and determining whether a JWT corresponding to the target browser is stored;
if no JWT corresponding to the target browser is stored, determining whether the received JWT is valid; and if so, establishing a session for the target browser, generating a cookie corresponding to the session, setting the JWT in the cookie, and sending a redirection instruction to the browser.
The memory 71 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 71 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 71 may further include memory located remotely from the processor 70, which may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Example eight
An eighth embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program, which when executed by a computer processor is configured to perform a single sign-on method, the method comprising:
responding to a login authentication request initiated by a target website for a target browser by acquiring the login state of the target browser in the CAS;
if the target browser is not logged in to the CAS, returning a login page to the target browser, and performing identity verification on the target login information fed back by the target browser for the login page;
if the identity verification passes, establishing a target session for the target browser, generating a JWT containing the target login information, and setting the JWT in the target session;
and generating a target cookie corresponding to the target session, and feeding back a redirection instruction containing the target cookie to the target browser, where the target cookie contains the identifier of the target session and the JWT.
Or it comprises the following steps:
initiating a login authentication request to the CAS in response to an access request initiated by the target browser;
receiving an access request containing a JWT initiated by the target browser, and determining whether a JWT corresponding to the target browser is stored;
if no JWT corresponding to the target browser is stored, determining whether the received JWT is valid; and if so, establishing a session for the target browser, generating a cookie corresponding to the session, setting the JWT in the cookie, and sending a redirection instruction to the browser.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the single sign-on apparatus, the units and modules included in the embodiment are only divided according to functional logic, but are not limited to the above division, as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (11)

1. A single sign-on method is applied to a Central Authentication Service (CAS), and is characterized by comprising the following steps:
responding to a login authentication request initiated by a target website for a target browser by acquiring the login state of the target browser in the CAS;
if the target browser is not logged in to the CAS, returning a login page to the target browser, and performing identity verification on the target login information fed back by the target browser for the login page;
if the identity verification passes, establishing a target session for the target browser, generating a JWT containing the target login information, and setting the JWT in the target session;
and generating a target cookie corresponding to the target session, and feeding back a redirection instruction containing the target cookie to the target browser, wherein the target cookie contains the identifier of the target session and the JWT.
2. The method of claim 1, wherein obtaining the login status of the target browser in the CAS comprises:
obtaining a cookie carried by the target browser when the target browser accesses the target website, and extracting a session identifier contained in the cookie;
and if the session identification corresponds to the session identification of the established session in the CAS, determining that the target browser is in a login state in the CAS, otherwise, determining that the target browser is in an unregistered state in the CAS.
3. The method of claim 1, wherein the target login information comprises a username and password;
the identity verification of the target login information fed back by the target browser aiming at the login page comprises the following steps:
comparing the user name and the password fed back by the target browser with at least one item of matching pairs containing the user name and the password in a registration information list one by one;
and if the user name and the password fed back by the target browser are matched with the matching pair in the registration list, passing the identity authentication.
4. The method of claim 1, further comprising:
if the target browser is in a login state in the CAS, acquiring a JWT in a cookie carried by the target browser when the target browser accesses the target website;
and feeding back the JWT to the target website so that the target website establishes connection with the target browser according to the state of the JWT.
5. The method of claim 1, further comprising:
responding to a logout request initiated by the target website, acquiring a JWT in a cookie carried by the target browser when accessing the target website, and setting the JWT as invalid;
deleting a target session in the CAS corresponding to the target browser and a cookie corresponding to the target session.
6. A single sign-on method is applied to a target website and is characterized by comprising the following steps:
initiating a login authentication request to the CAS in response to an access request initiated by the target browser;
receiving an access request containing a JWT initiated by the target browser, and determining whether a JWT corresponding to the target browser is stored;
if no JWT corresponding to the target browser is stored, determining whether the received JWT is valid; and if so, establishing a session for the target browser, generating a cookie corresponding to the session, setting the JWT in the cookie, and sending a redirection instruction to the browser.
7. The method of claim 6, further comprising:
if the target website stores the JWT corresponding to the target browser, comparing the received JWT with the stored JWT;
when the received JWT is inconsistent with the stored JWT, the received JWT is set in a cookie corresponding to the target browser and a redirection indication is sent to the browser.
8. A single sign-on device, comprising:
a login state acquisition module, configured to respond to a login authentication request initiated by a target website for a target browser by acquiring the login state of the target browser in the CAS;
the identity authentication module is used for returning a login page to the target browser and authenticating the identity of target login information fed back by the target browser aiming at the login page if the target browser is in a non-login state in the CAS;
a target session generation module, configured to establish a target session for the target browser if the identity authentication is passed, generate a JWT including the target login information, and set the JWT in the target session;
and a redirection instruction sending module, configured to generate a target cookie corresponding to the target session, and feed back a redirection instruction including the target cookie to the target browser, where the target cookie includes an identifier of the target session and JWT.
9. A single sign-on device, comprising:
the authentication request initiating module is used for responding to an access request initiated by a target browser and initiating a login authentication request to the CAS;
an access request receiving module, configured to receive an access request including a JWT initiated by a target browser, and determine whether a JWT corresponding to the target browser is stored;
a session establishing module, configured to determine whether a received JWT is valid if the JWT corresponding to the target browser is not stored, and if so, establish a session for the target browser, generate a cookie corresponding to the session, set the JWT in the cookie, and send a redirection instruction to the browser.
10. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the single sign-on method of any one of claims 1-5 or claims 6-7.
11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a single sign-on method according to any one of claims 1 to 5 or claims 6 to 7.
CN202110112602.6A 2021-01-27 2021-01-27 Single sign-on method, device, equipment and medium Pending CN112765583A (en)

Publications (1)

Publication Number Publication Date
CN112765583A true CN112765583A (en) 2021-05-07

CN110943962B (en) Authentication method, network equipment, authentication server and forwarding equipment
JP6848275B2 (en) Program, authentication system and authentication cooperation system
US11930002B2 (en) Cross-browser single sign-on
WO2022042504A1 (en) Cloud desktop access authentication method, electronic device, and computer readable storage medium
TW201824887A (en) System for using authentication server to implement free login in server group and method thereof
CN117692213A (en) Micro-service authentication method, system, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20210507)