CN114095263A - Communication method, device and system - Google Patents

Communication method, device and system

Publication number: CN114095263A
Application number: CN202111404348.3A
Authority: CN (China)
Prior art keywords: access, security protocol, browser, protocol client, security
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 童海峰
Current assignee: Shanghai Para Software Co ltd
Original assignee: Shanghai Para Software Co ltd
Application filed by Shanghai Para Software Co ltd; priority to CN202111404348.3A; publication of CN114095263A; legal status pending.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a communication method, a communication device and a communication system. The communication method is applied to a terminal on which a browser and a security protocol client are installed, and comprises the following steps: acquiring an access ticket from an operation and maintenance security server through the browser; starting the security protocol client in the browser and sending the access ticket to the security protocol client; generating an access request carrying the access ticket through the security protocol client; sending the access request to a security protocol proxy server through the security protocol client, so that the security protocol proxy server exchanges the access ticket carried in the access request for user identity information and determines the access authority of the security protocol client using that user identity information; and receiving, through the security protocol client, the service data corresponding to the access authority fed back by the security protocol proxy server. In the embodiment of the invention the terminal does not need to provide information such as an account number and password for identity authentication, which improves communication security.

Description

Communication method, device and system
Technical Field
Embodiments of the present invention relate to computer technologies, and in particular, to a communication method, apparatus, and system.
Background
As countries attach increasing importance to network security, various laws describe operation and maintenance security auditing in detail. The core of operation and maintenance security auditing is an access channel composed of various types of protocol proxies; the access channel is used to guarantee the security of a target server, so the security of the access channel itself is the most important problem. At present, authentication of the access channel relies on the authentication means of the system, namely authentication by the system's account number and password. This mode cannot keep the password confidential and carries a great potential security risk.
Disclosure of Invention
The embodiment of the invention provides a communication method, a communication device and a communication system, which can improve communication safety.
In a first aspect, an embodiment of the present invention provides a communication method, which is applied to a terminal on which a browser and a security protocol client are installed, and the communication method includes:
acquiring an access ticket from an operation and maintenance security server through the browser;
starting the security protocol client in the browser and sending the access ticket to the security protocol client;
generating an access request carrying the access ticket through the security protocol client;
sending the access request to a security protocol proxy server through the security protocol client, so that the security protocol proxy server exchanges the access ticket carried in the access request for user identity information and carries out identity verification on the security protocol client using the user identity information;
and receiving, through the security protocol client, the service data corresponding to the access authority fed back by the security protocol proxy server.
Further, before obtaining the access ticket from the operation and maintenance security server through the browser, the method further includes:
sending a login request carrying user login information to the operation and maintenance security server through the browser, so that the operation and maintenance security server performs login authentication on the browser based on the user login information;
after the login authentication is passed, logging in to the operation and maintenance security server through the browser.
Further, acquiring the access ticket from the operation and maintenance security server through the browser includes:
generating a ticket acquisition request carrying user identity information through the browser;
sending the ticket acquisition request to the operation and maintenance security server through the browser, so that the operation and maintenance security server generates an access ticket based on the user identity information in the ticket acquisition request;
and receiving the access ticket fed back by the operation and maintenance security server through the browser.
In a second aspect, an embodiment of the present invention further provides a communication method, which is applied to a security protocol proxy server, where the communication method includes:
receiving an access request which is sent by a terminal through a security protocol client and carries an access ticket, wherein the access ticket is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access ticket to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser;
exchanging user identity information based on the access ticket;
determining the access authority of the security protocol client by using the user identity information;
and sending the service data corresponding to the access authority to the security protocol client.
Further, exchanging the user identity information based on the access ticket comprises:
determining whether the access ticket is expired;
and when the access ticket is not expired, exchanging the user identity information based on the access ticket.
Further, the method further comprises:
and when the access ticket is expired, sending a ticket expiration notification message to the security protocol client.
Further, exchanging the user identity information based on the access ticket comprises:
sending an information acquisition request carrying the access ticket to a ticket server;
and receiving an information acquisition response fed back by the ticket server, wherein the information acquisition response comprises the user identity information corresponding to the access ticket.
In a third aspect, this embodiment further provides a communication apparatus on which a browser and a security protocol client are installed, and the communication apparatus includes:
a browser control module, used for acquiring an access ticket from the operation and maintenance security server through the browser, starting the security protocol client in the browser and sending the access ticket to the security protocol client;
a client control module, used for generating an access request carrying the access ticket through the security protocol client and sending the access request to the security protocol proxy server through the security protocol client, so that the security protocol proxy server can exchange the access ticket carried in the access request for user identity information and determine the access authority of the security protocol client using the user identity information, and for receiving, through the security protocol client, the service data corresponding to the access authority fed back by the security protocol proxy server.
In a fourth aspect, the present embodiment further provides a communication apparatus, including:
a receiving module, used for receiving an access request which is sent by a terminal through a security protocol client and carries an access ticket, wherein the access ticket is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access ticket to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser;
an exchanging module, used for exchanging the access ticket for the user identity information;
a determining module, used for determining the access authority of the security protocol client using the user identity information;
and a sending module, used for sending the service data corresponding to the access authority to the security protocol client.
In a fifth aspect, an embodiment of the present invention further provides a communication system, including an operation and maintenance security server, a terminal according to any one of the embodiments of the present invention, and a security protocol proxy server according to any one of the embodiments of the present invention, where a browser and a security protocol client are installed on the terminal.
In a sixth aspect, the embodiment of the present invention further provides an electronic device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the processor executes the computer program, the processor implements the communication method according to any one of the embodiments of the present invention.
In a seventh aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements a communication method according to any one of the embodiments of the present invention.
In the embodiment of the invention, the terminal is provided with a browser and a security protocol client, and an access ticket can be acquired from the operation and maintenance security server through the browser; the security protocol client is started in the browser and the access ticket is sent to the security protocol client; an access request carrying the access ticket is generated through the security protocol client; the access request is sent to the security protocol proxy server through the security protocol client, so that the security protocol proxy server can exchange the access ticket carried in the access request for user identity information and determine the access authority of the security protocol client using the user identity information; and the service data corresponding to the access authority fed back by the security protocol proxy server is received through the security protocol client. In the embodiment of the invention, the terminal holding the access ticket means that the terminal has passed identity authentication. During communication the terminal provides the access ticket to the security protocol proxy server, and the security protocol proxy server can determine the access authority by exchanging the access ticket for the user identity information, so the terminal is not required to provide information such as an account number and password for identity authentication, and communication security is improved.
Drawings
Fig. 1 is a flow chart illustrating a communication method according to an embodiment of the present invention;
Fig. 2 is another flow chart of a communication method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a communication apparatus according to an embodiment of the present invention;
Fig. 4 is another schematic structural diagram of a communication apparatus according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a communication system according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
In addition, in the embodiments of the present invention, the words "optional" or "exemplary" are used to mean serving as an example, instance, or illustration. Any embodiment or design described as "optional" or "exemplary" in embodiments of the invention is not to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the terms "optional" or "exemplary" is intended to present relevant concepts in a concrete fashion.
Fig. 1 is a flowchart of a communication method according to an embodiment of the present invention, where the method is applicable to a scenario requiring authentication, and the method may be executed by a communication apparatus provided in an embodiment of the present invention, where the apparatus may be implemented in software and/or hardware. In a specific embodiment, the apparatus may be integrated in a terminal, such as a mobile phone, a computer, or the like, on which a browser and a security protocol client are installed. The following embodiments are described taking the apparatus integrated in a terminal as an example, and referring to Fig. 1, the method of the embodiments of the present invention specifically includes the following steps:
step 101, obtaining an access ticket from an operation and maintenance security server through a browser.
The operation and maintenance security server is a device for performing flexible resource management and operation and maintenance on the platform, and may be a corresponding background server for multi-cloud operation and maintenance, a cloud manager, an operation and maintenance security platform, and the like, which is not limited in the embodiment of the present invention.
Optionally, before obtaining the access ticket from the operation and maintenance security server through the browser, a process of logging in the operation and maintenance security server through the browser may also be included, that is, the following steps may be included:
(1) Sending a login request carrying user login information to the operation and maintenance security server through the browser, so that the operation and maintenance security server performs login authentication on the browser based on the user login information.
The user login information may be information such as an account and a password freely created when the user registers, and the operation and maintenance security server may perform login authentication on the browser based on the information such as the account and the password. For example, the operation and maintenance security server may compare whether the account and the password submitted by the browser correspond to the account and the password of the user, which are stored in advance, and if so, the authentication is passed; if not, the authentication is not passed.
(2) After the login authentication is passed, logging in the operation and maintenance security server through the browser.
Specifically, the operation and maintenance security server may further feed back an authentication result to the browser, and the browser receives the authentication result, which may be either authentication passed or authentication failed. When the authentication is passed, the browser logs in to the operation and maintenance security server; when the authentication is not passed, the operation and maintenance security server cannot be logged in to through the browser, and in this case the browser can submit the login request again to try to log in.
This has the advantage that the browser is login-authenticated using the user login information, so the operation and maintenance security server can only be accessed by a browser that has passed login authentication, which improves data security.
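The login authentication described above, as an added example that is not part of the patent: the operation and maintenance security server compares the account and password submitted by the browser with what it has stored and returns "pass" or "fail". The user store, the account name and the choice to keep a salted PBKDF2 hash instead of the password itself (compared in constant time, with the key derivation run even for unknown accounts so that response time does not reveal whether an account exists) are assumptions added here, not details the patent specifies.

```python
import hashlib
import hmac
import os

# Constructed user store for the O&M security server: account -> (salt, hash).
# Keeping a salted PBKDF2 hash instead of the password itself is an added
# hardening choice; the patent only says the submitted account and password
# are compared with the stored ones.
PBKDF2_ROUNDS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register(user_store: dict, account: str, password: str) -> None:
    """Store the credentials a user creates at registration."""
    salt = os.urandom(16)
    user_store[account] = (salt, _derive(password, salt))


def authenticate_login(user_store: dict, account: str, password: str) -> str:
    """Login authentication of the browser's login request.
    Returns "pass" or "fail", the two authentication results the method
    feeds back to the browser."""
    record = user_store.get(account)
    if record is None:
        # Run the KDF anyway so an unknown account is not distinguishable
        # from a wrong password by response time.
        _derive(password, bytes(16))
        return "fail"
    salt, expected = record
    ok = hmac.compare_digest(_derive(password, salt), expected)
    return "pass" if ok else "fail"


def demo() -> tuple:
    """Register one constructed account and try a correct password, a wrong
    password and an unknown account."""
    store: dict = {}
    register(store, "alice", "correct horse")  # constructed sample credentials
    return (authenticate_login(store, "alice", "correct horse"),
            authenticate_login(store, "alice", "wrong"),
            authenticate_login(store, "mallory", "anything"))


if __name__ == "__main__":
    print(demo())  # ('pass', 'fail', 'fail')
```

A failed result is what makes the browser resubmit the login request; the server never has to reveal which of the two checks failed.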
Optionally, after the browser successfully logs in the operation and maintenance security server, the browser may acquire the access ticket from the operation and maintenance security server, and the specific acquisition process may include:
(1) Generating a ticket acquisition request carrying the user identity information through the browser.
For example, the user identity information may include a user name, an organization where the user is located, a post to which the user belongs, and the like, which is not limited in this embodiment of the present invention. For example, a preset information collection page may be displayed on the browser, and user identity information input by a user is collected through the preset information collection page; or the system can also be connected with a related platform through a preset interface to acquire the user identity information from the related platform, and the related platform can be a platform recording or storing the user identity information. After the user identity information is obtained, a ticket acquisition request carrying the user identity information can be generated through the browser.
(2) Sending the ticket acquisition request to the operation and maintenance security server through the browser, so that the operation and maintenance security server generates an access ticket based on the user identity information in the ticket acquisition request.
For example, after receiving the ticket acquisition request, the operation and maintenance security server may extract the user identity information from it and verify it, for example by checking whether the user identity information is consistent with the stored user identity information. If so, the user identity information passes verification; the server then encodes the user identity information to generate a Globally Unique Identifier (GUID) or a Universally Unique Identifier (UUID), uses the generated GUID or UUID as the access ticket, and returns the access ticket to the browser.
In the embodiment of the invention, in order to further improve the communication security, the operation and maintenance security server can set an expiration date or an expiration time for the access ticket when generating the access ticket, and the access ticket which is not expired in the expiration date is the valid ticket and can be used.
In addition, to facilitate subsequent use of the access ticket, the operation and maintenance security server can also send the generated access ticket and the corresponding user identity information to a ticket server, so that the access ticket and the user identity information are stored together on the ticket server. Illustratively, the ticket server may be a Remote Dictionary Server (Redis) server.
In a specific embodiment, the access tickets and user identity information stored on the ticket server may be as shown in Table 1 below:

Access ticket   User identity information     Expiration time
Ticket 1        User identity information A   Time X
Ticket 2        User identity information B   Time Y
Ticket 3        User identity information C   Time Z
TABLE 1

Table 1 shows that three access tickets are stored on the ticket server: ticket 1, ticket 2 and ticket 3. The user identity information corresponding to ticket 1 is user identity information A, and its expiration time is time X; the user identity information corresponding to ticket 2 is user identity information B, and its expiration time is time Y; the user identity information corresponding to ticket 3 is user identity information C, and its expiration time is time Z. It should be noted that the number of tickets, the user identity information and the expiration times shown in Table 1 are only examples and do not limit the specific embodiment.
(3) Receiving the access ticket fed back by the operation and maintenance security server through the browser.
This has the advantage that holding the access ticket shows that the terminal has passed identity authentication (that is, the browser and the security protocol client on the terminal have passed identity authentication), so the terminal does not need to provide information such as an account number and password for identity authentication during communication; this preserves the performance of the security protocol proxy server and keeps the data transmission process secure.
Step 102, starting a security protocol client in the browser, and sending the access ticket to the security protocol client.
Specifically, after the security protocol client is started and operated on the browser, the access ticket acquired by the browser can be sent to the security protocol client.
Step 103, generating an access request carrying the access ticket through the security protocol client.
The access request is used to request the target resource the user wants to access. The security protocol client is a client of a security protocol that encrypts network communication, and may be, for example, a Secure Shell (SSH) client, a Transport Layer Security (TLS) client, or a Secure Socket Layer (SSL) client, which is not limited in the embodiment of the present invention. By way of example, the target resource may be a particular web page, some data table, etc. that the user wishes to access.
Step 104, sending the access request to the security protocol proxy server through the security protocol client, so that the security protocol proxy server exchanges the access ticket carried in the access request for user identity information and determines the access authority of the security protocol client using the user identity information.
The security protocol proxy server is mainly a communication proxy between the terminal and the service server: it forwards the access request of the terminal to the service server and forwards the service data fed back by the service server to the terminal. The security protocol proxy server may be, for example, an SSH proxy server, a TLS proxy server, or an SSL proxy server, which is not limited in this embodiment of the present invention.
For example, after receiving the access request, the security protocol proxy server may extract the access ticket carried in the access request, exchange it at the ticket server for the user identity information, and determine the access right of the security protocol client according to the user identity information. The access right mainly refers to the scope a user is allowed to access, that is, which content or resources such as web pages or databases can be accessed; different user identity information can correspond to different access rights.
In a specific embodiment, the relationship between the user identity information and the access right can be as shown in Table 2 below:

User identity information     Access right
User identity information A   Resource a
User identity information B   Resource b
User identity information C   Resource c
TABLE 2

Table 2 shows that the security protocol client having user identity information A can access resource a, the security protocol client having user identity information B can access resource b, and the security protocol client having user identity information C can access resource c. Table 2 is merely an example and does not limit the specific embodiments.
Specifically, when the access ticket has an expiration time, after the security protocol proxy server obtains the access ticket, it may further determine whether the access ticket is expired according to the expiration time (for example, the expiration time may be compared with the current time, if the expiration time is earlier than the current time, it indicates that the access ticket is expired, if the expiration time is later than the current time, it indicates that the access ticket is not expired), and if the expiration time is exceeded, it may refuse to process the access request and send expiration notification information to the security protocol client; or, the security protocol proxy server may also directly send the access ticket to the ticket server, and the ticket server determines whether the access ticket is expired, and if the access ticket is expired, the security protocol proxy server may receive expiration notification information sent by the ticket server and forward the expiration notification information to the security protocol client. The terminal receives the expiration notification information through the security protocol client, and after receiving the expiration notification information, the terminal can acquire an unexpired access ticket from the operation and maintenance security server again by using the browser for use. In addition, if the access ticket is not expired, the security protocol proxy server can exchange the user identity information from the ticket server according to the access ticket.
Step 105, receiving, through the security protocol client, the service data corresponding to the access authority fed back by the security protocol proxy server.
The service data may be the information of the specific web page or database accessed by the user.
For example, if the access ticket carried in the access request is ticket 1, the data stored on the ticket server is as shown in Table 1 above, and the expiration time X of ticket 1 is later than the current time (that is, ticket 1 is not expired), the security protocol proxy server can exchange ticket 1 at the ticket server for the corresponding user identity information, namely user identity information A. If the relationship between the user identity information and the access right is as shown in Table 2, that is, the access right corresponding to user identity information A is resource a, then the service data corresponding to the access right, fed back by the security protocol proxy server and received through the security protocol client, may be the specific content of resource a.
The technical scheme of the embodiment of the invention provides a communication method applied to a terminal on which a browser and a security protocol client are installed: an access ticket is obtained from the operation and maintenance security server through the browser; the security protocol client is started in the browser and the access ticket is sent to the security protocol client; an access request carrying the access ticket is generated through the security protocol client; the access request is sent to the security protocol proxy server through the security protocol client, so that the security protocol proxy server can exchange the access ticket carried in the access request for user identity information and determine the access authority of the security protocol client using the user identity information; and the service data corresponding to the access authority fed back by the security protocol proxy server is received through the security protocol client. In the embodiment of the invention, the terminal holding the access ticket means that the terminal has passed identity authentication. During communication the terminal provides the access ticket to the security protocol proxy server, and the security protocol proxy server can determine the access authority by exchanging the access ticket for the user identity information, so the terminal is not required to provide information such as an account number and password for identity authentication, and communication security is improved.
Fig. 2 is another schematic flow chart of a communication method according to an embodiment of the present invention, where the communication method may be applied to a security protocol proxy server, and the method specifically includes the following steps:
Step 201, receiving an access request carrying an access ticket sent by a terminal through a security protocol client, wherein the access ticket is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access ticket to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser.
The terminal is provided with a browser and a security protocol client, where the security protocol client can be an SSH client, a TLS client or an SSL client. The access ticket is acquired by the terminal from the operation and maintenance security server through the browser, and the operation and maintenance security server generates the access ticket based on the user identity information provided by the terminal: for example, after the operation and maintenance security server obtains the user identity information provided by the terminal, it can verify the user identity information and, if the verification passes, encode the user identity information to generate a GUID or a UUID and use the generated GUID or UUID as the access ticket. The user identity information may include a user name, the organization where the user is located, the post to which the user belongs, and the like, which is not limited in the embodiment of the present invention. The access request is generated by the security protocol client, after it is started in the browser, from the access ticket acquired from the browser, and the access request carries the access ticket. The generation and acquisition of the access ticket and the access request are not described in detail in this embodiment; refer to the description of the foregoing embodiment. After the security protocol client generates the access request carrying the access ticket, it sends the access request to the security protocol proxy server, and the security protocol proxy server receives the access request carrying the access ticket sent by the terminal through the security protocol client.
Step 202, exchanging the user identity information based on the access ticket.
Optionally, exchanging the access ticket for the user identity information may specifically include the following:
(1) Determining whether the access ticket is expired.
Specifically, the access ticket has an expiration time, and after obtaining the access ticket the security protocol proxy server can determine whether it is expired according to that expiration time; for example, the security protocol proxy server may compare the expiration time with the current time: if the expiration time is earlier than the current time, the access ticket is expired, and if the expiration time is later than the current time, the access ticket is not expired. Alternatively, the security protocol proxy server may send the access ticket directly to the ticket server, and the ticket server determines whether the access ticket is expired.
(2) When the access ticket is not expired, exchanging the user identity information based on the access ticket.
Specifically, when the access ticket is not expired, an information acquisition request carrying the access ticket may be sent to the ticket server, and an information acquisition response fed back by the ticket server is received, where the information acquisition response includes the user identity information corresponding to the access ticket.
Illustratively, the ticket server may be a Redis server, a relational database server or the like, and each access ticket is stored in it together with the corresponding user identity information. After the security protocol proxy server sends an information acquisition request carrying the access ticket to the ticket server, the ticket server queries its stored data based on the access ticket to obtain the corresponding user identity information, carries the user identity information in an information acquisition response and sends the response to the security protocol proxy server, which then extracts the user identity information from the information acquisition response.
(3) When the access ticket is expired, sending ticket expiration notification information to the security protocol client.
Specifically, when the security protocol proxy server itself determines that the access ticket is expired, it may generate ticket expiration notification information and send it to the security protocol client. When the expiry is determined by the ticket server, the security protocol proxy server may receive the expiration notification information sent by the ticket server and forward it to the security protocol client.
When the security protocol client receives the expiration notification information and the security protocol proxy server still needs to be accessed, the terminal needs to obtain an unexpired access ticket from the operation and maintenance security server again through the browser. The newly obtained access ticket may differ from the previously obtained one, which helps secure the data transmission.
Step 203: determining the access right of the security protocol client by using the user identity information.
The access right mainly refers to the range a user may access, that is, which contents or resources, such as web pages or databases, may be accessed. Different user identity information may correspond to different access rights; the correspondence between user identity information and access rights may be stored in advance, and the access right of the security protocol client is determined according to that correspondence.
Step 204: sending the service data corresponding to the access right to the security protocol client.
The service data may be the information of the specific web page or database accessed by the user.
The technical solution of this embodiment provides a communication method applied to a security protocol proxy server. The method comprises: receiving an access request carrying an access ticket sent by a terminal through a security protocol client, where the access ticket is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access ticket to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser; exchanging user identity information based on the access ticket; determining the access right of the security protocol client by using the user identity information; and sending the service data corresponding to the access right to the security protocol client. In this embodiment, the security protocol proxy server can determine the access right by exchanging the access ticket provided by the terminal for the user identity information; since the terminal holds an access ticket, it has already passed identity authentication, so the terminal need not provide information such as an account number and password for identity authentication during communication, and communication security is improved.
Fig. 3 is a schematic structural diagram of a communication device according to an embodiment of the present invention. As shown in Fig. 3, the communication device has a browser and a security protocol client installed, and specifically includes a browser control module 301 and a client control module 302, where:
the browser control module 301 is configured to acquire an access ticket from the operation and maintenance security server through the browser, start the security protocol client in the browser, and send the access ticket to the security protocol client;
the client control module 302 is configured to generate an access request carrying the access ticket through the security protocol client and send the access request to the security protocol proxy server through the security protocol client, so that the security protocol proxy server exchanges user identity information based on the access ticket carried in the access request and determines the access right of the security protocol client by using the user identity information, and to receive, through the security protocol client, the service data corresponding to the access right fed back by the security protocol proxy server.
Optionally, the browser control module 301 is further configured to:
send a login request carrying user login information to the operation and maintenance security server through the browser, so that the operation and maintenance security server performs login authentication on the browser based on the user login information;
and, after the login authentication passes, log in to the operation and maintenance security server through the browser.
Optionally, the browser control module 301 is specifically configured to:
generate a ticket acquisition request carrying user identity information through the browser;
send the ticket acquisition request to the operation and maintenance security server through the browser, so that the operation and maintenance security server generates an access ticket based on the user identity information in the ticket acquisition request;
and receive the access ticket fed back by the operation and maintenance security server through the browser.
The communication device provided by the embodiment of the invention can execute the communication method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 4 is another schematic structural diagram of a communication device according to an embodiment of the present invention. As shown in Fig. 4, the communication device specifically includes a receiving module 401, an exchange module 402, a determining module 403 and a sending module 404, where:
the receiving module 401 is configured to receive an access request carrying an access ticket sent by a terminal through a security protocol client, where the access ticket is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access ticket to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser;
the exchange module 402 is configured to exchange user identity information based on the access ticket;
the determining module 403 is configured to determine the access right of the security protocol client by using the user identity information;
the sending module 404 is configured to send the service data corresponding to the access right to the security protocol client.
Optionally, the exchange module 402 is specifically configured to:
determine whether the access ticket is expired;
and, when the access ticket is not expired, exchange the user identity information based on the access ticket.
Optionally, the sending module 404 is further configured to:
send a ticket expiration notification message to the security protocol client when the access ticket is expired.
Optionally, the exchange module 402 is specifically configured to:
send an information acquisition request carrying the access ticket to a ticket server;
and receive an information acquisition response fed back by the ticket server, where the information acquisition response includes the user identity information corresponding to the access ticket.
The communication device provided by the embodiment of the invention can execute the communication method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
Fig. 5 is a schematic structural diagram of a communication system according to an embodiment of the present invention. As shown in Fig. 5, the communication system includes a browser 501, a security protocol client 502, an operation and maintenance security server 503, a security protocol proxy server 504 and a ticket server 505, where the browser 501 and the security protocol client 502 are both installed on a terminal; and where:
the browser 501 is configured to: send a login request carrying user login information to the operation and maintenance security server 503, so that the operation and maintenance security server 503 performs login authentication on the browser 501 based on the user login information, and log in to the operation and maintenance security server 503 after the login authentication passes; generate a ticket acquisition request carrying user identity information and send it to the operation and maintenance security server 503, so that the operation and maintenance security server 503 generates an access ticket based on the user identity information in the ticket acquisition request, and receive the access ticket fed back by the operation and maintenance security server 503; and start the security protocol client 502 and send the access ticket to the security protocol client 502.
The security protocol client 502 is configured to: start in the browser 501, receive the access ticket sent by the browser 501, generate an access request carrying the access ticket, and send the access request to the security protocol proxy server 504, so that the security protocol proxy server 504 exchanges user identity information based on the access ticket carried in the access request and determines the access right of the security protocol client 502 by using the user identity information; and receive the service data corresponding to the access right fed back by the security protocol proxy server 504.
The operation and maintenance security server 503 is configured to: receive the login request carrying user login information sent by the browser 501, perform login authentication on the browser 501 based on the user login information, and allow the browser to log in to the operation and maintenance security server 503 after the login authentication passes; and receive the ticket acquisition request carrying user identity information sent by the browser 501, generate an access ticket based on the user identity information in the ticket acquisition request, and feed the access ticket back to the browser 501.
The security protocol proxy server 504 is configured to: receive the access request carrying the access ticket sent by the terminal through the security protocol client 502, and determine whether the access ticket is expired; when the access ticket is expired, send a ticket expiration notification message to the security protocol client 502; when the access ticket is not expired, send an information acquisition request carrying the access ticket to the ticket server 505, receive an information acquisition response fed back by the ticket server 505, where the information acquisition response includes the user identity information corresponding to the access ticket, and obtain the user identity information from the information acquisition response.
The ticket server 505 is configured to: receive the information acquisition request carrying the access ticket sent by the security protocol proxy server 504, and feed back to the security protocol proxy server 504 an information acquisition response that includes the user identity information corresponding to the access ticket.
According to the communication system provided by this embodiment, during communication the terminal provides the access ticket to the security protocol proxy server, and the security protocol proxy server can determine the access right by exchanging the access ticket for the user identity information. Because the terminal holds an access ticket, it has already passed identity authentication, so the terminal need not provide information such as an account number and password for identity authentication; this improves data concealment, makes the communication more convenient and faster, and improves communication security.
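The proxy-side flow of steps 201 to 204 and the system of Fig. 5, modelled end to end as an added Python example that is not part of the patent or of any product: the O&M security server issues a ticket, an in-memory store stands in for the Redis ticket server, and the proxy checks expiry, exchanges the ticket for the identity, derives the access right and returns service data. The class and function names, the ticket TTL, the random-UUID choice, the sample identities, the rights table and the service data are all constructed assumptions.

```python
"""Added example (not the patent's own code): a minimal, in-memory model of the
ticket flow from steps 201-204 and the system of Fig. 5.  The O&M security
server issues an access ticket, a ticket store stands in for the Redis ticket
server (505), and the proxy (504) checks expiry, exchanges the ticket for user
identity, derives the access right and returns service data.  All names, the
TTL, the sample identities and the rights table are constructed assumptions."""
import uuid
from dataclasses import dataclass, field


@dataclass
class TicketRecord:
    identity: dict          # user name, organization, post (as in the patent)
    expires_at: float       # absolute expiry time, in seconds


@dataclass
class TicketServer:
    """Stands in for the Redis or relational ticket server (505)."""
    records: dict = field(default_factory=dict)

    def store(self, ticket, record):
        self.records[ticket] = record

    def lookup(self, ticket):
        return self.records.get(ticket)


class OpsSecurityServer:
    """O&M security server (503): issues the ticket after identity verification."""
    def __init__(self, ticket_server, ttl_seconds=300):
        self.ticket_server = ticket_server
        self.ttl = ttl_seconds

    def issue_ticket(self, identity, now):
        # A random UUID (an assumption; the patent also allows a UUID encoded
        # from the identity) so a ticket cannot be derived from the user name.
        ticket = uuid.uuid4().hex
        self.ticket_server.store(ticket, TicketRecord(identity, now + self.ttl))
        return ticket


# Constructed rights table: post -> resources it may access (step 203).
ACCESS_RIGHTS = {
    "dba": {"db/orders", "web/admin"},
    "operator": {"web/admin"},
}

# Constructed service data keyed by resource (step 204).
SERVICE_DATA = {
    "db/orders": "orders table snapshot",
    "web/admin": "admin console page",
}


class SecurityProtocolProxy:
    """Security protocol proxy server (504): steps 201-204 on the proxy side."""
    def __init__(self, ticket_server):
        self.ticket_server = ticket_server

    def handle_access_request(self, request, now):
        ticket = request.get("ticket")
        record = self.ticket_server.lookup(ticket) if ticket else None
        # Step 202 (1): an unknown ticket gets the same answer as an expired
        # one, so the client learns nothing about whether it was ever valid.
        if record is None or record.expires_at <= now:
            return {"status": "ticket_expired"}
        # Step 202 (2): exchange the ticket for the stored identity.
        identity = record.identity
        # Step 203: the access right follows from the identity's post.
        allowed = ACCESS_RIGHTS.get(identity.get("post"), set())
        resource = request.get("resource")
        if resource not in allowed:
            return {"status": "denied", "user": identity["user"]}
        # Step 204: return only the service data covered by the right.
        return {"status": "ok", "user": identity["user"],
                "data": SERVICE_DATA[resource]}


def demo():
    """Walk the flow for a valid, a denied, an expired and a bogus request."""
    store = TicketServer()
    ops = OpsSecurityServer(store, ttl_seconds=300)
    proxy = SecurityProtocolProxy(store)
    # The browser has already logged in; it now requests a ticket for this user.
    ticket = ops.issue_ticket({"user": "alice", "org": "ops", "post": "dba"}, now=1000.0)
    # The security protocol client sends access requests carrying the ticket.
    ok = proxy.handle_access_request({"ticket": ticket, "resource": "db/orders"}, now=1010.0)
    denied = proxy.handle_access_request({"ticket": ticket, "resource": "web/secret"}, now=1010.0)
    expired = proxy.handle_access_request({"ticket": ticket, "resource": "db/orders"}, now=1400.0)
    bogus = proxy.handle_access_request({"ticket": "not-a-ticket", "resource": "db/orders"}, now=1010.0)
    return ok, denied, expired, bogus


if __name__ == "__main__":
    for result in demo():
        print(result)
```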
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, where the electronic device may be a terminal or a security protocol proxy server, as shown in fig. 6, and the electronic device includes a processor 601, a memory 602, an input device 603, and an output device 604; the number of the processors 601 in the electronic device may be one or more, and one processor 601 is taken as an example in fig. 6; the processor 601, the memory 602, the input device 603 and the output device 604 in the electronic apparatus may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 6.
The memory 602 is used as a computer-readable storage medium for storing software programs, computer-executable programs, and modules, such as program instructions/modules (e.g., the browser control module 301 and the client control module 302 in the communication device) corresponding to the communication method in the embodiment of the present invention, and the processor 601 executes various functional applications and data processing of the electronic device by executing the software programs, instructions, and modules stored in the memory 602, so as to implement the communication method described above.
The memory 602 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created according to the use of the terminal, and the like. Further, the memory 602 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the memory 602 may further include memory located remotely from the processor 601, which may be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 603 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic apparatus. The output device 604 may include a display device such as a display screen.
Embodiments of the present invention also provide a storage medium containing computer-executable instructions which, when executed by a computer processor, perform a communication method, the method comprising:
acquiring an access ticket from an operation and maintenance security server through a browser;
starting a security protocol client in the browser and sending the access ticket to the security protocol client;
generating an access request carrying the access ticket through the security protocol client;
sending the access request to a security protocol proxy server through the security protocol client, so that the security protocol proxy server exchanges user identity information based on the access ticket carried in the access request and determines the access right of the security protocol client by using the user identity information;
and receiving, through the security protocol client, the service data corresponding to the access right fed back by the security protocol proxy server.
Alternatively, the method comprises:
receiving an access request carrying an access ticket sent by a terminal through a security protocol client, where the access ticket is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access ticket to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser;
exchanging user identity information based on the access ticket;
determining the access right of the security protocol client by using the user identity information;
and sending the service data corresponding to the access right to the security protocol client.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the method operations described above, and may also perform related operations in the communication method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention or portions thereof contributing to the prior art may be embodied in the form of a software product, which can be stored in a computer readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the above apparatus, the included units and modules are merely divided according to functional logic and are not limited to the above division, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units are only for convenience of distinguishing them from each other and are not used to limit the protection scope of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (10)

1. A communication method is applied to a terminal, a browser and a security protocol client are installed on the terminal, and the communication method comprises the following steps:
acquiring an access ticket from an operation and maintenance security server through the browser;
starting the security protocol client in the browser and sending the access ticket to the security protocol client;
generating an access request carrying the access ticket through the security protocol client;
sending the access request to a security protocol proxy server through the security protocol client, so that the security protocol proxy server exchanges user identity information based on the access ticket carried in the access request and determines the access authority of the security protocol client by using the user identity information;
and receiving the service data corresponding to the access authority fed back by the security protocol proxy server by using the security protocol client.
2. The communication method according to claim 1, before obtaining the access ticket from the operation and maintenance security server through the browser, further comprising:
sending a login request carrying user login information to the operation and maintenance security server through the browser, so that the operation and maintenance security server performs login authentication on the browser based on the user login information;
and after the login authentication is passed, logging in the operation and maintenance security server through the browser.
3. The communication method according to claim 1 or 2, wherein the obtaining of the access ticket from the operation and maintenance security server through the browser comprises:
generating a ticket acquisition request carrying the user identity information through the browser;
sending the ticket acquisition request to the operation and maintenance security server through the browser, so that the operation and maintenance security server generates the access ticket based on the user identity information in the ticket acquisition request;
and receiving the access ticket fed back by the operation and maintenance security server through the browser.
4. A communication method applied to a security protocol proxy server, the communication method comprising:
receiving an access request carrying an access ticket sent by a terminal through a security protocol client, wherein the access ticket is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access ticket to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser;
exchanging user identity information based on the access ticket;
determining the access authority of the security protocol client by using the user identity information;
and sending the service data corresponding to the access authority to the security protocol client.
5. The communication method according to claim 4, wherein the exchanging of user identity information based on the access ticket comprises:
determining whether the access ticket is expired;
and exchanging user identity information based on the access ticket when the access ticket is not expired.
6. The communication method of claim 5, wherein the method further comprises:
and when the access ticket is expired, sending a ticket expiration notification message to the security protocol client.
7. The communication method according to any one of claims 4 to 6, wherein the exchanging of the user identity information based on the access ticket comprises:
sending an information acquisition request carrying the access ticket to a ticket server;
and receiving an information acquisition response fed back by the ticket server, wherein the information acquisition response comprises the user identity information corresponding to the access ticket.
8. A communication device having a browser and a security protocol client installed thereon, the communication device comprising:
a browser control module, configured to acquire an access ticket from an operation and maintenance security server through the browser, start the security protocol client in the browser and send the access ticket to the security protocol client;
and a client control module, configured to generate an access request carrying the access ticket through the security protocol client and send the access request to a security protocol proxy server through the security protocol client, so that the security protocol proxy server exchanges user identity information based on the access ticket carried in the access request and determines the access authority of the security protocol client by using the user identity information, and to receive, through the security protocol client, service data corresponding to the access authority fed back by the security protocol proxy server.
9. A communications apparatus, comprising:
the system comprises a receiving module, a security protocol client and a terminal, wherein the receiving module is used for receiving an access request which is sent by the terminal through the security protocol client and carries an access bill, the access bill is obtained by the terminal from an operation and maintenance security server through a browser, the access request is generated by the security protocol client after the browser sends the access bill to the security protocol client, the browser and the security protocol client are both installed on the terminal, and the security protocol client is started in the browser;
the replacing module is used for replacing the user identity information based on the access ticket;
the determining module is used for determining the access authority of the security protocol client by utilizing the user identity information;
and the sending module is used for sending the service data corresponding to the access authority to the security protocol client.
10. A communication system comprising an operation and maintenance security server, a terminal according to any one of claims 1 to 3, and a security protocol proxy server according to any one of claims 4 to 7, the terminal having a browser and a security protocol client installed thereon.
Application CN202111404348.3A, filed 2021-11-24 (priority date 2021-11-24): Communication method, device and system. Status: Pending.

Publication: CN114095263A, published 2022-02-25.




Legal Events

PB01 Publication
SE01 Entry into force of request for substantive examination