CN113271300A - Authentication system and method - Google Patents



Publication number
CN113271300A
Authority
CN
China
Prior art keywords
authentication
client
access request
gateway
service server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110516293.9A
Other languages
Chinese (zh)
Other versions
CN113271300B (en)
Inventor
李刚
王建召
赵军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Skyguard Network Security Technology Co ltd
Original Assignee
Beijing Skyguard Network Security Technology Co ltd
Application filed by Beijing Skyguard Network Security Technology Co ltd
Priority to CN202110516293.9A
Publication of CN113271300A
Application granted
Publication of CN113271300B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/561 Adding application-functional data or data for application control, e.g. adding metadata

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Library & Information Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention discloses an authentication system and method, and relates to the technical field of computers. In one embodiment of the method, when an authentication gateway receives an access request sent by a client, it sends the client the authentication page of a target service server that performs the authentication, forwards the authentication information and the authentication result exchanged between the client and the target service server during the authentication process, and, if authentication succeeds, lets the client access any of the service servers or external servers indicated by the access request. This reduces the complexity of the authentication operation and improves working efficiency.

Description

Authentication system and method
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a system and a method for authentication.
Background
With the development and spread of internet technology, a wide range of efficient, convenient and easy-to-use internet business systems are used at work; they raise the degree of office automation, improve working efficiency and save labour cost. Business systems commonly used in offices include office automation systems, financial systems, personnel management systems and the like. The service servers of these systems usually require a user to authenticate before access, and access from an office network to external servers usually requires user authentication as well.
Currently, each business system or internet-access authentication system sets and maintains its own user authentication information, so when the same user accesses different service servers or external servers, the user has to enter authentication information for each one separately; the operation is complex and working efficiency is reduced.
Disclosure of Invention
In view of this, embodiments of the present invention provide an authentication system and method in which an authentication gateway, on receiving an access request sent by a client, sends the client the authentication page of a target service server that performs the authentication, forwards the authentication information and the authentication result exchanged between the client and the target service server during the authentication process, and, if authentication succeeds, lets the client access any of the service servers or external servers indicated by the access request; the complexity of the authentication operation is thereby reduced and working efficiency improved.
To achieve the above object, according to a first aspect of the embodiments of the present invention, an authentication system is provided, comprising an authentication gateway and a plurality of service servers;
the authentication gateway is configured to receive an access request sent by a client and to send the access request to a target service server among the plurality of service servers based on a configuration policy;
the target service server is configured to forward an authentication page through the authentication gateway;
the authentication gateway is further configured to receive the authentication information that the client enters on the authentication page and forward it to the target service server; and to receive the authentication result that the target service server returns for that authentication information, parse from the result the feature information indicating authentication success or failure, and send the authentication result to the client, where, if the result indicates success, the client accesses any of the service servers or external servers indicated by the access request.
Optionally, the authentication gateway is further configured to: parse the access request to obtain the client's feature identifier; look up whether authentication information matching the feature identifier exists in an authentication cache; if not, perform the step of forwarding the authentication page; and if so, release the access request so that the client completes its access to whichever service server or external server the access request indicates.
Optionally, for the case where the client accesses any of the service servers, every service server other than the target service server is configured in authentication-free access mode, and the authentication gateway redirects the access request to the target service server so that the client can access any service server once authentication has passed.
Optionally, for the case where the client accesses an external server, the authentication gateway forwards the access request directly to the target service server so that the authentication for accessing the external server is completed by the target service server.
Optionally, the authentication gateway is further configured to extract the feature identifier contained in the authentication information using a set matching policy and to store the feature identifier in the authentication cache.
Optionally, the authentication gateway is further configured to parse, using a set policy, the authentication keywords contained in the authentication result so that the keywords indicate the feature information, where the authentication keywords include any one or more of success keywords and failure keywords; parsing the authentication keywords further comprises searching for them in any one or more of the status code, the message headers and the message body of the authentication result.
To achieve the above object, according to a second aspect of the embodiments of the present invention, an authentication method is provided, in which an access request sent by a client is received through an authentication gateway and sent to a target service server among a plurality of service servers based on a configuration policy; the target service server forwards an authentication page through the authentication gateway; the authentication gateway further receives the authentication information that the client enters on the authentication page and forwards it to the target service server; and the authentication gateway receives the authentication result that the target service server returns for that authentication information, parses from it the feature information indicating authentication success or failure, and sends the authentication result to the client, where, if the result indicates success, the client accesses any of the service servers or external servers indicated by the access request.
Optionally, the authentication method further comprises: parsing the access request through the authentication gateway to obtain the client's feature identifier; looking up whether authentication information matching the feature identifier exists in an authentication cache; if not, performing the step of forwarding the authentication page; and if so, releasing the access request so that the client completes its access to whichever service server or external server the access request indicates.
Optionally, the authentication method further comprises: for the case where the client accesses any of the service servers, configuring every service server other than the target service server in authentication-free access mode, and redirecting the access request to the target service server through the authentication gateway so that the client can access any service server once authentication has passed.
Optionally, the authentication method further comprises: for the case where the client accesses an external server, forwarding the access request directly to the target service server through the authentication gateway so that the authentication for accessing the external server is completed by the target service server.
Optionally, the authentication method further comprises: extracting, through the authentication gateway, the feature identifier contained in the authentication information using a set matching policy, and storing the feature identifier in the authentication cache.
Optionally, the authentication method further comprises: parsing, through the authentication gateway and using a set policy, the authentication keywords contained in the authentication result so that the keywords indicate the feature information, where the authentication keywords include any one or more of success keywords and failure keywords; parsing the authentication keywords further comprises searching for them in any one or more of the status code, the message headers and the message body of the authentication result.
To achieve the above object, according to a third aspect of the embodiments of the present invention, an electronic device for authentication is provided, comprising one or more processors and a storage device storing one or more programs which, when executed by the one or more processors, cause the one or more processors to carry out any of the above authentication methods.
To achieve the above object, according to a fourth aspect of the embodiments of the present invention, a computer-readable medium is provided on which a computer program is stored, wherein the program, when executed by a processor, implements any of the above authentication methods.
One embodiment of the above invention has the following advantages or benefits: when the authentication gateway receives an access request sent by a client, it can send the client the authentication page of the target service server that performs the authentication and forward the authentication information and the authentication result exchanged between the client and the target service server during the authentication process, so that, if authentication succeeds, the client accesses any of the service servers or external servers indicated by the access request; the complexity of the authentication operation is thereby reduced and working efficiency improved.
Further effects of the above optional features are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
Fig. 1 is a schematic structural diagram of an authentication system according to an embodiment of the present invention;
Fig. 2 is a flowchart illustrating an authentication method according to an embodiment of the present invention;
Fig. 3 is a diagram of authentication in a prior-art scheme referred to by an embodiment of the present invention;
Fig. 4 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
Fig. 5 is a schematic block diagram of a computer system suitable for implementing a terminal device or server of an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
As shown in Fig. 3, in the prior art, a user who needs to access several service servers must pass the authentication of each one separately. For example, user 1 accesses service server A (e.g. the company's HR management system) with user name A and password A, service server B (e.g. the company's product information system) with user name B and password B, and service server C (e.g. the company's property system) with user name C and password C.
In view of this, as shown in Fig. 1, an embodiment of the present invention provides an authentication system comprising an authentication gateway 101 and a plurality of service servers, which include a target service server 102 and a service server 103.
The authentication gateway 101 is configured to receive an access request sent by a client and to send the access request to a target service server among the plurality of service servers based on a configuration policy.
Specifically, the authentication gateway handles the access authentication of a user to one or more service servers: an access request sent by a client is received through the authentication gateway. For example, user 1 accesses service server A through http://www.aaa.com, and that request to http://www.aaa.com is the access request. That is, the authentication gateway receives the client's access requests to every service server, so the access requests are processed uniformly. After receiving an access request, the authentication gateway sends it to the target service server based on the configuration policy (either by redirecting with an HTTP 302 response or by forwarding directly), so that the target service server performs the authentication operation.
Specifically, the configuration policy includes configuring, in the authentication gateway, the URL (Uniform Resource Locator) corresponding to the target service server. For example, the URL of the target service server's authentication page configured in the gateway is http://www.bbb.com/login.action; after receiving an access request from the client, the gateway reaches that URL either by redirection or by accessing the target service server's URL directly, so that the target service server's authentication page is forwarded to and displayed for the client. In other words, the target service server forwards the authentication page through the authentication gateway.
The target service server may be any of the plurality of service servers. For example, a company has service server A (HR management system), service server B (product information system) and service server C (property system); service server A can be configured as the target service server, and once a user has passed authentication at service server A the user can access service servers B and C. Authentication is thus managed uniformly by the authentication gateway, which reduces authentication complexity and improves working efficiency.
The authentication gateway is further configured to receive the authentication information that the client enters on the authentication page and forward it to the target service server; and to receive the authentication result that the target service server returns for that authentication information, parse from the result the feature information indicating authentication success or failure, and send the authentication result to the client, where, if the result indicates success, the client accesses any of the service servers or external servers indicated by the access request.
Specifically, the user enters authentication information such as a user name and password on the authentication page; the authentication gateway obtains this information and forwards it to the target service server; the target service server authenticates it with the authentication system it contains and sends the corresponding authentication result (i.e. the response message) to the authentication gateway; and the gateway, on receiving the result, parses from it the feature information indicating authentication success or failure. For example, "success" or "welcome use" indicates success, while "failed" or "welcome next login" indicates failure; the specific content and format of the feature information are not limited by the invention. Further, if the authentication result indicates success, the client accesses any of the service servers or external servers indicated by the access request, for example service server A (the company's HR management system), service server B (the company's product information system), service server C (the company's property system) or an external server (for example a website server on the external Internet).
Further, for the case where the client accesses any of the service servers, every service server other than the target service server is configured in authentication-free access mode, and the authentication gateway redirects the access request to the target service server so that the client can access any service server after passing authentication. For example, if service server A is configured as the target service server, then, preferably, each of the other service servers (e.g. service servers B and C) is configured for authentication-free access (e.g. anonymous-user access); the gateway redirects the client's access request to the target service server (A), and once authentication there has succeeded the client's access requests can reach any service server (B, C … N). The complexity of authentication is thereby reduced and working efficiency improved.
For the case where the client accesses an external server, the authentication gateway forwards the access request directly to the target service server so that the authentication for accessing the external server is completed by the target service server. Specifically, if the user must authenticate to access external servers, a target service server is designated: for example, service server A, which contains an authentication system, is set as the target service server, or a dedicated authentication server is built to serve as the target service server. After receiving the access request, the gateway forwards it directly to the target service server (transparent or unconditional forwarding, i.e. the request is forwarded regardless of whether the user is present in the authentication cache), which completes the authentication for accessing the external server. The authentication gateway sits between the client and the target service server that owns the authentication system and identifies users transparently; it does not actively steer the user to the authentication page by redirection, which avoids the problem that a dynamically generated authentication page does not allow active access.
The authentication gateway 101 is further configured to parse the access request to obtain the client's feature identifier; look up whether authentication information matching the feature identifier exists in the authentication cache; if not, perform the step of forwarding the authentication page; and if so, release the access request so that the client completes its access to whichever service server or external server the access request indicates. Specifically, after receiving an access request sent by the client, the authentication gateway parses the request (for example its message text) to obtain the client's feature identifier (for example a user name, an IP address, a combination of user name and IP address, and the like), then looks up whether authentication information matching that identifier exists in the authentication cache, i.e. whether the user behind the access request has already been authenticated successfully. If not, the step of forwarding the authentication page is performed; if so, the access request is released (that is, the service server is allowed to complete the requested operation) so that the client completes its access to the service server or external server indicated by the request.
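The gateway's decision logic described above (parse the feature identifier, look the client up in the authentication cache, then release, redirect to the target server's authentication page, or transparently forward) as an added example in Python; this is not the patent's own code. The request dictionary, `GatewayConfig`, the in-memory `AuthCache`, and the external host name `www.example.net` are all constructed for the example; the gateway uses the client IP as the pre-login feature identifier, one of the options the description lists.

```python
"""Added example (not code from the patent): an authentication gateway's
handling of one access request. All names and data here are assumed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class GatewayConfig:
    """Configuration policy (assumed shape): the internal service servers, the
    one that acts as target service server, and its authentication page URL."""
    internal_servers: FrozenSet[str]
    target_server: str
    auth_page_url: str


@dataclass
class AuthCache:
    """Authentication cache: feature identifier -> authenticated user name."""
    entries: Dict[str, str] = field(default_factory=dict)

    def lookup(self, feature_id: str) -> Optional[str]:
        return self.entries.get(feature_id)

    def store(self, feature_id: str, username: str) -> None:
        self.entries[feature_id] = username


@dataclass(frozen=True)
class Decision:
    action: str        # "release", "redirect" or "forward"
    destination: str   # host the request goes to, or the redirect Location
    status: int        # HTTP status the gateway answers with (0 = proxied as-is)


def feature_identifier(request: dict) -> str:
    """The description allows a user name, an IP address or both; before the
    user has logged in the gateway only knows the source IP, so use that."""
    return request["client_ip"]


def handle_access_request(cfg: GatewayConfig, cache: AuthCache, request: dict) -> Decision:
    host = request["host"]
    fid = feature_identifier(request)

    # 1. Already authenticated: release the request to wherever it was going.
    if cache.lookup(fid) is not None:
        return Decision("release", host, 0)

    # 2. Internal service server other than the target: those servers run in
    #    authentication-free mode, so the client is redirected (HTTP 302) to the
    #    target server's authentication page.
    if host in cfg.internal_servers and host != cfg.target_server:
        return Decision("redirect", cfg.auth_page_url, 302)

    # 3. The target server itself or an external server: forward the request
    #    unconditionally to the target server, which completes authentication.
    #    No redirect is issued, so a dynamically generated login page that must
    #    not be fetched by an active redirect still works.
    return Decision("forward", cfg.target_server, 0)


# Constructed configuration using the host names from the description.
CONFIG = GatewayConfig(
    internal_servers=frozenset({"www.aaa.com", "www.bbb.com", "www.ccc.com"}),
    target_server="www.bbb.com",
    auth_page_url="http://www.bbb.com/login.action",
)


def demo():
    """Same client before and after the gateway records a successful login."""
    cache = AuthCache()
    before = handle_access_request(CONFIG, cache, {"client_ip": "10.0.0.7", "host": "www.aaa.com"})
    external = handle_access_request(CONFIG, cache, {"client_ip": "10.0.0.7", "host": "www.example.net"})
    cache.store("10.0.0.7", "user1")  # done once the target server reports success
    after = handle_access_request(CONFIG, cache, {"client_ip": "10.0.0.7", "host": "www.aaa.com"})
    return before, external, after


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Note that an IP-only feature identifier ties the cache entry to an address rather than a person, which is why the description also offers the user name or the user name plus IP combination as the identifier.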
Further, using a set matching policy, the feature identifier contained in the authentication information is extracted from it and stored in the authentication cache. Specifically, existing integrated authentication gateways have the following problems:
1) An existing integrated authentication gateway only supports extracting authentication information from the message body of an HTTP POST request. If the authentication system instead receives the user name, password and other authentication information as parameters of an HTTP GET request, the feature identifier of the user who has just authenticated cannot be extracted accurately even though authentication succeeded, because the identifier is in the GET request's parameter list rather than in the body of a POST request.
2) An existing authentication gateway usually only extracts information such as the feature identifier (user name) from the authentication information submitted in a POST request by a fixed key-to-value mapping. If the authentication system's authentication page is dynamic, i.e. the key used to carry the user name in the page changes dynamically, the user name cannot be extracted even though authentication succeeded.
For problem 1), the invention uses a set matching policy to extract the feature identifier contained in the authentication information. As an example, the matching policy specifies both the authentication page URL and the URL to which authentication information is submitted; the two URLs may be the same (or may be preset to differ). When the two URLs are the same, the request type of the URL is used to tell them apart, for example: the authentication page corresponds to a GET request, i.e. the page on which the user enters the user name and password, while the submission URL corresponds to a POST request that submits the user name and password the user entered. These URLs are configured in the authentication gateway's configuration file so that the authentication information can be distinguished from the form that submits it, which solves problem 1) of existing authentication gateways.
For problem 2), the invention uses the set matching policy to extract the feature identifier contained in the authentication information, where, for example, the matching policy further includes configuring feature-identifier keywords and expressions for the extraction; for instance, several expressions may be provided, including any one or more of user, user name and the like, which overcomes problem 2) of existing authentication gateways.
Further, the extracted feature identifier is stored in the authentication cache. The authentication cache may be a data table or a file; its specific format is not limited by the invention. Preferably, the authentication gateway stores the extracted feature identifier (user name, IP address, etc.) in the authentication cache when it parses feature information indicating successful authentication from the authentication result sent by the target service server. Storing the user's feature identifier in the cache reduces the complexity of user authentication; when a user accesses an external server through the target service server, the user's access or authentication information can be counted and stored via the cache, and statistics and other operations can then easily be performed on the data it contains.
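The matching policy for problems 1) and 2) above, as an added Python example that is not the patent's code: the page URL and submit URL are configured together, the request method tells the login page apart from the credential submission when the two URLs coincide, parameters are read from the GET query string as well as the POST body, and the user-name field is found by exact key names first and then by regular expressions so that dynamically named fields still match. `MatchingPolicy`, its field names, the regular expressions and the sample requests are all assumptions made for this example.

```python
"""Added example (not code from the patent): extracting the feature identifier
(user name) from submitted authentication information with a configurable
matching policy. Policy shape, patterns and requests are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class MatchingPolicy:
    auth_page_url: str           # URL that serves the login page (GET)
    submit_url: str              # URL that receives the credentials; may equal auth_page_url
    submit_method: str = "POST"  # request type that distinguishes submission from page
    # exact field names for the user name, checked first ...
    username_keys: Tuple[str, ...] = ("user", "username", "userName")
    # ... then regular expressions for dynamically named fields (assumed patterns)
    username_patterns: Tuple[str, ...] = (r"^user(_?name)?[_\d]+$", r"^login(_?id)?[_\d]*$")


def _same_resource(a: str, b: str) -> bool:
    """Compare scheme, host and path only; the query string carries GET parameters."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme, pa.netloc.lower(), pa.path) == (pb.scheme, pb.netloc.lower(), pb.path)


def is_auth_submission(policy: MatchingPolicy, method: str, url: str) -> bool:
    """When page URL and submit URL are the same, the method tells the login
    page (GET) apart from the submission of the entered credentials."""
    return _same_resource(url, policy.submit_url) and method.upper() == policy.submit_method.upper()


def extract_feature_identifier(policy: MatchingPolicy, method: str, url: str, body: str = "") -> Optional[str]:
    """Return the user name carried by an authentication submission, or None."""
    if not is_auth_submission(policy, method, url):
        return None
    # Problem 1): credentials may travel as GET query parameters, not only in a POST body.
    params = parse_qs(urlsplit(url).query)
    if method.upper() == "POST" and body:
        params.update(parse_qs(body))
    for key in policy.username_keys:
        if params.get(key):
            return params[key][0]
    # Problem 2): the field name is generated dynamically, so match it by expression.
    for pattern in policy.username_patterns:
        rx = re.compile(pattern)
        for key, values in params.items():
            if rx.match(key) and values:
                return values[0]
    return None


def cache_key(username: str, client_ip: str) -> str:
    """Feature identifier stored in the authentication cache: the description
    allows user name, IP, or both; here the combination is used."""
    return f"{username}@{client_ip}"


LOGIN_URL = "http://www.bbb.com/login.action"   # from the description
GET_POLICY = MatchingPolicy(LOGIN_URL, LOGIN_URL, submit_method="GET")
POST_POLICY = MatchingPolicy(LOGIN_URL, LOGIN_URL, submit_method="POST")


def demo():
    """Three constructed requests: GET with credentials as parameters, a plain
    GET of the login page, and a POST whose field names carry a dynamic suffix."""
    via_get = extract_feature_identifier(GET_POLICY, "GET", LOGIN_URL + "?user=alice&password=x")
    page_only = extract_feature_identifier(POST_POLICY, "GET", LOGIN_URL)
    dynamic_post = extract_feature_identifier(
        POST_POLICY, "POST", LOGIN_URL, "username_20210512=bob&password_20210512=s3cret")
    return via_get, page_only, dynamic_post


if __name__ == "__main__":
    print(demo())
```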
Further, the authentication gateway is further configured to parse, using a set policy, the authentication keywords contained in the authentication result so that the keywords indicate the feature information, where the authentication keywords include any one or more of success keywords and failure keywords, and parsing them further comprises searching for the authentication keywords in any one or more of the status code, the message headers and the message body of the authentication result. Specifically, when parsing the authentication result returned by an authentication system, an existing integrated authentication gateway generally only searches for a specific preset keyword and decides success or failure from the search result; for example, if the authentication result contains the keyword "success" or "welcome", authentication is judged successful. However, because authentication systems vary, the keywords in the authentication result are not fixed; for example, the authentication-failure response "welcome next login" also contains the keyword "welcome" that matches success, so the accuracy of judging the authentication result is low.
To address this, the invention further parses the authentication keywords contained in the authentication result using a set policy so that the keywords indicate the feature information, selecting any one or more of success keywords and failure keywords. The set policy includes taking the authentication keywords that denote success or failure from configuration, supporting both regular-expression and exact matching, and matching success keywords first and, only if none match, failure keywords, where the authentication keywords include any one or more of success keywords and failure keywords. Further, the authentication keywords may be searched for in any one or more of the status code, the message headers and the message body of the authentication result, which improves the accuracy of judging the authentication result from the text of the returned message.
Optionally, the key (i.e. the cookie name) of the cookie that the target service server plants on the client after successful authentication can be configured in the authentication gateway. When the parsed authentication information from the client contains that cookie, the authentication result returned by the target service server's authentication system is set to contain a keyword stating whether the cookie is valid. The gateway can then check whether the authentication information contains the cookie key: if so, the cookie may still be valid (i.e. not expired), so the gateway decides not to show the authentication page for the user to enter a user name and password, and instead determines the cookie's authentication result from the keywords indicating success or failure in the authentication system's response to the authentication page request.
As shown in fig. 2, an embodiment of the present invention provides an authentication method, which may include the following steps:
Step S201: the client sends an access request to the authentication gateway.
Step S202: after receiving the access request, the authentication gateway sends the authentication page of the target service server to the client.
Specifically, the access request sent by the client is received by the authentication gateway and sent to a target service server among the plurality of service servers based on a configuration policy; the target service server then forwards its authentication page through the authentication gateway.
Step S203: the client sends the authentication information input by the user.
Step S204: the authentication gateway sends the authentication information to the target service server.
Specifically, the authentication gateway also receives the authentication information entered by the client through the authentication page and forwards it to the target service server.
Further, the authentication gateway analyzes the access request to obtain a feature identifier of the client and searches the authentication cache for authentication information matching that identifier; if none is found, the step of forwarding the authentication page is executed; if a match is found, the access request is released so that the client can complete the access to whichever service server or external server the access request indicates. The authentication gateway also extracts, using a set matching policy, the feature identifier contained in the authentication information and stores it in the authentication cache.
Step S205: the target service server returns an authentication result.
Step S206: the authentication gateway forwards the authentication result to the client.
Specifically, the authentication result corresponding to the authentication information returned by the target service server is received, feature information indicating authentication success or authentication failure is analyzed from it, and the authentication result is sent to the client.
Further, the authentication gateway analyzes the authentication keywords contained in the authentication result using a set policy, so that the feature information is indicated by the keywords; the authentication keywords include any one or more of a success keyword and a failure keyword. Analyzing the authentication keywords contained in the authentication result further comprises searching for the authentication keywords in any one or more of the status code, the message header and the message body corresponding to the authentication result.
Step S207: if the authentication result indicates that authentication succeeded, the client accesses the service server or external server indicated by the access request.
Specifically, for the case in which the client accesses any one of the service servers, every service server other than the target service server is configured with an unauthenticated access mode, and the authentication gateway redirects the access request to the target service server so that the client can access any service server once authentication has passed. For the case in which the client accesses an external server, the authentication gateway forwards the access request directly to the target service server so that the authentication for accessing the external server is completed through the target service server.
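The set policy for classifying an authentication result (success keywords first, exact or regular-expression matching over status code, headers or body) together with the authentication cache keyed by the client's feature identifier, as an added Python illustration that is not code from the patent. The rule format, the class and function names, the cookie key name SESSIONID and the sample responses are constructed assumptions; the "success rules first, otherwise failure" order is this example's reading of the set policy.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthResponse:
    """An authentication result as returned by the target service server."""
    status: int
    headers: Dict[str, str]
    body: str

    def text_at(self, location: str) -> str:
        """Text searched by the policy: status code, 'Name: value' header lines, or body."""
        if location == "status":
            return str(self.status)
        if location == "header":
            return "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        if location == "body":
            return self.body
        raise ValueError(f"unknown search location {location!r}")


@dataclass(frozen=True)
class KeywordRule:
    """One configured keyword: where to look and whether to match exactly or by regex."""
    keyword: str
    location: str = "body"
    mode: str = "exact"

    def matches(self, resp: AuthResponse) -> bool:
        text = resp.text_at(self.location)
        if self.mode == "regex":
            return re.search(self.keyword, text, re.MULTILINE) is not None
        # exact mode: the status code must equal the keyword; header/body must contain it verbatim
        return text == self.keyword if self.location == "status" else self.keyword in text


def naive_classify(resp: AuthResponse, keywords=("success", "welcome")) -> str:
    """The prior-art check the patent criticises: any preset keyword in the body means success."""
    return "success" if any(k in resp.body for k in keywords) else "failure"


def classify(resp: AuthResponse, success_rules: List[KeywordRule],
             failure_rules: List[KeywordRule]) -> Tuple[str, Optional[str]]:
    """Set policy: success rules first; otherwise failure (naming the failure keyword that hit).
    A response matching nothing is never treated as authenticated."""
    for rule in success_rules:
        if rule.matches(resp):
            return "success", rule.keyword
    for rule in failure_rules:
        if rule.matches(resp):
            return "failure", rule.keyword
    return "failure", None


def extract_identifier(cookie_text: str, cookie_key: str) -> Optional[str]:
    """Matching policy for the client feature identifier: the value of the configured
    cookie key, read from a Cookie or Set-Cookie header string (assumed identifier)."""
    m = re.search(rf"(?:^|;\s*){re.escape(cookie_key)}=([^;]+)", cookie_text or "")
    return m.group(1).strip() if m else None


class AuthCache:
    """Authentication cache: feature identifier -> expiry time; expired entries are not honoured."""
    def __init__(self, ttl_seconds: float, now: Callable[[], float] = time.monotonic):
        self._ttl, self._now = ttl_seconds, now
        self._entries: Dict[str, float] = {}

    def store(self, ident: str) -> None:
        self._entries[ident] = self._now() + self._ttl

    def is_authenticated(self, ident: str) -> bool:
        expiry = self._entries.get(ident)
        if expiry is None:
            return False
        if expiry <= self._now():
            del self._entries[ident]
            return False
        return True


def on_auth_result(cache: AuthCache, resp: AuthResponse, success_rules, failure_rules,
                   cookie_key: str) -> str:
    """Steps S205/S206: classify the result; on success, cache the identifier the server planted."""
    verdict, _ = classify(resp, success_rules, failure_rules)
    if verdict == "success":
        ident = extract_identifier(resp.headers.get("Set-Cookie", ""), cookie_key)
        if ident:
            cache.store(ident)
    return verdict


def on_access_request(cache: AuthCache, cookie_header: str, cookie_key: str) -> str:
    """Step S202 with the cache check: release a cached client, otherwise forward the auth page."""
    ident = extract_identifier(cookie_header, cookie_key)
    return "release" if ident and cache.is_authenticated(ident) else "forward_auth_page"


# Constructed policy and sample responses (not from the patent).
COOKIE_KEY = "SESSIONID"
SUCCESS_RULES = [KeywordRule(r"^Location:\s*/home\b", "header", "regex"),
                 KeywordRule("login success", "body")]
FAILURE_RULES = [KeywordRule("incorrect", "body"),
                 KeywordRule(r"welcome next login", "body", "regex")]
FAILED_LOGIN = AuthResponse(200, {"Content-Type": "text/html"},
                            "<p>Password incorrect, welcome next login</p>")
PASSED_LOGIN = AuthResponse(302, {"Location": "/home",
                                  "Set-Cookie": "SESSIONID=abc123; Path=/; HttpOnly"}, "")
```

With these rules the naive body check reports the failed login as a success because of "welcome", while the policy classifies it as a failure on "incorrect"; only the redirect response populates the cache, after which a request carrying that cookie is released until the TTL expires.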
An embodiment of the present invention further provides an electronic device for authentication, comprising: one or more processors; and a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method provided by any one of the above embodiments.
Embodiments of the present invention further provide a computer-readable medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method provided in any of the above embodiments.
Fig. 4 shows an exemplary system architecture 400 to which the authentication method or authentication apparatus of an embodiment of the invention may be applied.
As shown in fig. 4, the system architecture 400 may include terminal devices 401, 402, 403, a network 404, and a server 405. The network 404 serves as a medium providing communication links between the terminal devices 401, 402, 403 and the server 405. Network 404 may include various types of connections, such as wired or wireless communication links or fiber optic cables.
A user may use terminal devices 401, 402, 403 to interact with a server 405 over a network 404 to receive or send messages or the like. The terminal devices 401, 402, 403 may have various client applications installed thereon, such as a web browser application, various enterprise application clients, and the like.
The terminal devices 401, 402, 403 may be various electronic devices having display screens and supporting various client applications, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 405 may be a server providing various authentication services, such as a background management server that supports the client applications used by users on the terminal devices 401, 402, 403. The background management server can authenticate a received access request and feed the authentication result back to the terminal device.
It should be noted that the authentication method provided by the embodiment of the present invention is generally executed by the server 405 (e.g., a gateway), and accordingly, the authentication device is generally disposed in the server 405.
It should be understood that the number of terminal devices, networks, and servers in fig. 4 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
Referring now to FIG. 5, shown is a block diagram of a computer system 500 suitable for use with a terminal device implementing an embodiment of the present invention. The terminal device shown in fig. 5 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present invention.
As shown in fig. 5, the computer system 500 includes a Central Processing Unit (CPU) 501 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The RAM 503 also stores various programs and data necessary for the operation of the system 500. The CPU 501, ROM 502, and RAM 503 are connected to each other via a bus 504. An input/output (I/O) interface 505 is also connected to the bus 504.
The following components are connected to the I/O interface 505: an input portion 506 including a keyboard, a mouse, and the like; an output portion 507 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the Internet. A drive 510 is also connected to the I/O interface 505 as necessary. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is mounted on the drive 510 as necessary, so that a computer program read from it can be installed into the storage section 508 as needed.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 509, and/or installed from the removable medium 511. The computer program performs the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 501.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules and/or units described in the embodiments of the present invention may be implemented by software, and may also be implemented by hardware. The described modules and/or units may also be provided in a processor.
As another aspect, the present invention also provides a computer-readable medium, which may be contained in the apparatus described in the above embodiments or may be separate and not incorporated into the apparatus. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to: receive an access request sent by a client through an authentication gateway and send the access request to a target service server among a plurality of service servers based on a configuration policy; forward an authentication page from the target service server through the authentication gateway; through the authentication gateway, further receive the authentication information entered by the client through the authentication page and forward it to the target service server; and receive the authentication result corresponding to the authentication information returned by the target service server, analyze feature information indicating authentication success or authentication failure from the authentication result, and send the authentication result to the client, wherein if the authentication result indicates authentication success, the client accesses any one of the service servers or external servers indicated by the access request.
In the embodiment of the invention, when an access request sent by a client is received through the authentication gateway, the authentication page of the target service server used for authentication is sent to the client; the authentication information and the authentication result exchanged during authentication are forwarded to the target service server and the client respectively; and on successful authentication the client accesses whichever service server or external server the access request indicates. The complexity of the authentication operation is thereby reduced and working efficiency improved.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (14)

1. A system for authentication, comprising: an authentication gateway and a plurality of service servers;
the authentication gateway is configured to receive an access request sent by a client and to send the access request to a target service server among the plurality of service servers based on a configuration policy;
the target service server is configured to forward an authentication page through the authentication gateway;
the authentication gateway is further configured to receive authentication information input by the client through the authentication page and forward the authentication information to the target service server; and to receive an authentication result corresponding to the authentication information returned by the target service server, analyze feature information indicating authentication success or authentication failure from the authentication result, and send the authentication result to the client, wherein if the authentication result indicates authentication success, the client accesses any one of the service servers or external servers indicated by the access request.
2. The system of claim 1, wherein the authentication gateway is further configured to:
analyze the access request to obtain a feature identifier of the client, and search an authentication cache for authentication information matching the feature identifier;
if none is found, execute the step of forwarding the authentication page;
and if a match is found, release the access request so that the client completes the access operation on any service server or external server indicated by the access request.
3. The system of claim 2, further comprising:
for the case in which the client accesses any one of the service servers,
each service server other than the target service server is configured with an unauthenticated access mode;
the authentication gateway is configured to redirect the access request to the target service server so that the client accesses any service server after authentication has passed.
4. The system of claim 2, further comprising:
for the case in which the client accesses an external server,
the authentication gateway is configured to forward the access request directly to the target service server so that the authentication operation for accessing the external server is completed through the target service server.
5. The system of claim 2, wherein the authentication gateway is further configured to:
extract the feature identifier contained in the authentication information using a set matching policy, and store the feature identifier in the authentication cache.
6. The system of claim 1,
the authentication gateway is further configured to analyze an authentication keyword contained in the authentication result using a set policy, so that the feature information is indicated by the keyword, wherein the authentication keyword includes any one or more of a success keyword and a failure keyword;
analyzing the authentication keyword contained in the authentication result further comprises:
searching for the authentication keyword in any one or more of the status code, the message header and the message body corresponding to the authentication result.
7. A method of authentication, comprising:
receiving an access request sent by a client through an authentication gateway, and sending the access request to a target service server among a plurality of service servers based on a configuration policy;
forwarding an authentication page from the target service server through the authentication gateway;
through the authentication gateway, further receiving authentication information input by the client through the authentication page, and forwarding the authentication information to the target service server; and receiving an authentication result corresponding to the authentication information returned by the target service server, analyzing feature information indicating authentication success or authentication failure from the authentication result, and sending the authentication result to the client, wherein if the authentication result indicates authentication success, the client accesses any one of the service servers or external servers indicated by the access request.
8. The method of claim 7, further comprising:
analyzing the access request through the authentication gateway to obtain a feature identifier of the client, and searching an authentication cache for authentication information matching the feature identifier;
if none is found, executing the step of forwarding the authentication page;
and if a match is found, releasing the access request so that the client completes the access operation on any service server or external server indicated by the access request.
9. The method of claim 8, further comprising:
for the case in which the client accesses any one of the service servers,
each service server other than the target service server is configured with an unauthenticated access mode;
and redirecting the access request to the target service server through the authentication gateway so that the client accesses any service server after authentication has passed.
10. The method of claim 8, further comprising:
for the case in which the client accesses an external server,
and forwarding the access request directly to the target service server through the authentication gateway so that the authentication operation for accessing the external server is completed through the target service server.
11. The method of claim 8, further comprising:
extracting, through the authentication gateway, the feature identifier contained in the authentication information using a set matching policy, and storing the feature identifier in the authentication cache.
12. The method of claim 7,
through the authentication gateway, further analyzing an authentication keyword contained in the authentication result using a set policy, so that the feature information is indicated by the keyword, wherein the authentication keyword includes any one or more of a success keyword and a failure keyword;
analyzing the authentication keyword contained in the authentication result further comprises:
searching for the authentication keyword in any one or more of the status code, the message header and the message body corresponding to the authentication result.
13. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the method of any one of claims 7-12.
14. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 7-12.
CN202110516293.9A 2021-05-12 2021-05-12 Authentication system and method Active CN113271300B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110516293.9A CN113271300B (en) 2021-05-12 2021-05-12 Authentication system and method

Publications (2)

Publication Number Publication Date
CN113271300A true CN113271300A (en) 2021-08-17
CN113271300B CN113271300B (en) 2022-10-21

Family

ID=77230658

Country Status (1)

Country Link
CN (1) CN113271300B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant