CN114726632B - Login method, login equipment and storage medium - Google Patents

Info

Publication number: CN114726632B
Authority: CN (China)
Prior art keywords: user, tenant, service, login, role
Legal status: Active
Application number: CN202210391885.7A
Other languages: Chinese (zh)
Other versions: CN114726632A
Inventors: 李亚平, 翟锦修, 龚钢
Current Assignee: Guangzhou Xinjing Information Technology Service Co ltd
Original Assignee: Guangzhou Xinjing Information Technology Service Co ltd

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
        • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/08 Authentication of entities
                • H04L63/083 Using passwords
                • H04L63/0807 Using tickets, e.g. Kerberos
            • H04L63/10 Controlling access to devices or network resources
                • H04L63/105 Multiple levels of security

Abstract

The embodiment of the application provides a login method, login equipment and a storage medium. The method comprises the following steps: acquiring a login request triggered by a user of a service system through a unified login page; according to the login request, redirecting from the domain name of the service system to the domain name of the SAAS system to enter the login interface of the SAAS system, and/or entering the login page of the SAAS system directly according to the login request; acquiring the user name, password and token carried in the login request through the login interface of the SAAS system; checking whether the token is valid; querying the organization node bound to the user if the token is determined to be valid; if the token is invalid, checking whether the user name and password match the pre-stored values, and querying the organization node bound to the user if they match; and, if the service unit to which the user's bound organization node belongs includes the service system, determining that the user login is successful and jumping to the first page of the service system.

Description

Login method, login equipment and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a login method, device, and storage medium.
Background
It is desirable to support, at the same time, user login for both SAAS and non-SAAS systems, and both a unified login page and the application system's own login page. Such a system not only has the tenant, business unit, user, role and authority model of a SAAS system, but also the user account and password login of a single sign-on system together with verification of the associated system's authority; it can also associate users with the organization structure, with application systems and with the internal resources of application systems (catalog, menu, button, etc.) and their authorities, and manage and verify these associations.
In the prior art, a general single sign-on system only provides a unified login page, does not support the service system's own login page, and does not support SAAS user processing; and a general system supporting SAAS user login does not support single sign-on for non-SAAS system users. In the prior art, a common single sign-on system only provides user account and password login, judges whether the current system can be logged into, and after success calls back the service system page; a general SAAS system only manages tenants and business units, the users, roles and authorities of the management background, the access authority of application systems, and the relationships between them. In either case, the association and management of users with organization structures, application systems and resource authorities within application systems is lacking.
Disclosure of Invention
The embodiment of the application aims to provide a login method, login equipment and a storage medium.
In order to achieve the above object, a first aspect of the present application provides a login method, including:
acquiring a login request triggered by a user of a service system through a unified login page;
according to the login request, redirecting from the domain name of the service system to the domain name of the SAAS system to enter the login interface of the SAAS system, and/or entering the login page of the SAAS system directly according to the login request;
acquiring a user name, a password and a token carried in a login request through a login interface of an SAAS system;
checking whether the token is valid;
querying an organization node bound with the user under the condition that the token is determined to be valid;
checking whether the user name and the password are matched with a pre-stored value under the condition that the token is invalid, and inquiring an organization node bound with the user if the user name and the password are matched with the pre-stored value;
under the condition that the service unit to which the user-bound organization node belongs comprises a service system, the user login is determined to be successful, and the user jumps to the first page of the service system.
In an embodiment of the present application, the method further comprises: after jumping to the first page of the service system, acquiring a first call request of the service system to the permission interface of the SAAS system; querying the role of the user under the service system according to the first call request; querying the resource list corresponding to the role; and returning the resource list to the service system so that the service system renders its displayed interface according to the resource list.
In an embodiment of the present application, returning the resource list to the service system further includes: and returning the resource list and the corresponding authority to the service system so that the service system controls the operation of the user on the resource corresponding to the resource list according to the authority.
In an embodiment of the present application, the method further comprises: acquiring a second call request initiated by an administrator through a service system to a data storage interface of the SAAS system; and saving the user input by the administrator and the data associated with the user according to the second call request, wherein the data associated with the user comprises at least one of tenant, business unit, employee, organization tree and association relation.
In an embodiment of the present application, the method further comprises: acquiring a third call request which is initiated by an administrator through a service system and is used for an operation object interface of the SAAS system; and creating an operation object system and an operation item of the business system in the SAAS system according to the third call request, wherein the operation item comprises at least one of a page directory, a menu, a button, a jump path, an interface with a permission call back end and a requested resource corresponding to the operation object system.
In an embodiment of the present application, the method further comprises: after the token is determined to be invalid and the user login is determined to be successful, generating a corresponding token, where the generated token has a validity period of a preset time, and within the validity period the service system can log in to the SAAS system.
A second aspect of the present application provides a processor configured to perform a login method as described above.
A third aspect of the present application provides a login device comprising a processor configured to perform the login method described above.
A fourth aspect of the present application provides a computer device comprising a memory storing a computer program and a processor implementing a login method when the processor executes the computer program.
According to the login method, login device and storage medium, a login request triggered by a user of the service system through the unified login page is acquired; according to the login request, the user is redirected from the domain name of the service system to the domain name of the SAAS system to enter the login interface of the SAAS system, and/or enters the login page of the SAAS system directly according to the login request; the user name, password and token carried in the login request are acquired through the login interface of the SAAS system; whether the token is valid is checked; if the token is determined to be valid, the organization node bound to the user is queried; if the token is invalid, whether the user name and password match the pre-stored values is checked, and the organization node bound to the user is queried if they match; and if the service unit to which the user's bound organization node belongs includes the service system, the user login is determined to be successful and the user jumps to the first page of the service system. In this way the system is easy to integrate with service systems, so that the user management, role management, authority management, organization management, system parameter configuration and so on that are common to each service system are extracted into it, the service systems can concentrate on their own service development, and research and development efficiency is improved.
Drawings
The accompanying drawings are included to provide a further understanding of embodiments of the present application and are incorporated in and constitute a part of this specification; they illustrate embodiments of the present application and together with the description serve to explain, without limitation, the embodiments of the present application. In the accompanying drawings:
FIG. 1 schematically shows a flow diagram of a login method according to an embodiment of the present application;
FIG. 2 schematically illustrates an architecture diagram of a login method according to an embodiment of the present application;
FIG. 3 schematically shows an internal structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following describes in detail the implementation of the embodiments of the present application with reference to the accompanying drawings. It should be understood that the detailed description is presented herein by way of illustration and explanation of the present application examples, and is not intended to limit the present application examples.
FIG. 1 schematically shows a flow diagram of a login method according to an embodiment of the present application. As shown in FIG. 1, in an embodiment of the present application, a multi-tenant implementation method based on an SSO user system is provided, which includes the following steps:
step 101, obtaining a login request triggered by a user of a service system through a unified login page.
Step 102, jumping from the domain name of the service system to the domain name of the SAAS system according to the login request to enter the login interface of the SAAS system, and/or directly entering the login page of the SAAS system according to the login request.
Step 103, obtaining the user name, the password and the token carried in the login request through the login interface of the SAAS system.
Step 104, check if the token is valid.
Step 105, if the token is determined to be valid, querying the organization node bound to the user.
Step 106, if the token is invalid, checking whether the user name and password match the pre-stored values, and querying the organization node bound to the user if they match.
Step 107, if the service unit to which the user's bound organization node belongs includes the service system, determining that the user login is successful and jumping to the first page of the service system.
As shown in FIG. 1, a user logs in through a login request triggered by the unified login page, filling in information such as the user account number and password, or by a verification code sent to a mobile phone number. When the login request is sent, the system checks whether the JWT token in the request is valid. The JWT token is a token generated after the user's login authentication succeeds; it contains user information, so a request to an interface only needs to carry the JWT to access resource services, and the resource services complete the check of the token themselves according to a pre-agreed algorithm, without the authentication service having to complete authorization every time. If a valid JWT token exists, the matching check of mobile phone number and password is skipped; if the JWT token is invalid, the system checks whether the entered mobile phone number and password match the mobile phone number and password stored in the user table of the system database. It then judges whether the service application system currently being logged into exists under the service unit to which the tenant organization node bound to the current user belongs. When this condition is met and the mobile phone number and password stored in the user table have also been matched successfully, the login to the current service application system succeeds and a JWT token is generated; within its validity period this JWT token can be used to log in to any service application system under that service unit, and finally the user jumps back to the first page of each service application system through the callback route passed in by that service application system.
For example, a user enters login information on the login page to log in, and the requested login information includes a JWT token. If the JWT token is valid, the user skips login verification and jumps to the home page of the service application system. When the JWT token has expired, the user login information in the user table needs to be checked; after it passes, whether the user has the right to use the service system is checked again. If the user does not have the right, the login fails; if the user has it, a JWT token is generated, the login succeeds and the user jumps to the home page of the service application system.
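The decision in steps 104 to 107, as an added example written for this page rather than code from the patent. It assumes an HMAC-SHA256 JWT (the patent does not name its JWT algorithm), salted PBKDF2 hashes as the pre-stored password values, a two-hour validity period, and small in-memory dictionaries standing in for the user, organization, service unit and service system tables; every identifier and the signing key are constructed.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

SECRET_KEY = b"constructed-server-side-signing-key"  # assumption: held only by the SAAS system
TOKEN_TTL_SECONDS = 2 * 60 * 60                      # the "preset" validity period; 2 h is assumed
PBKDF2_ROUNDS = 100_000


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(mobile: str, business_unit: str, now: Optional[float] = None,
                key: bytes = SECRET_KEY) -> str:
    """Generate the JWT after a successful credential login; it expires after TOKEN_TTL_SECONDS."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": mobile, "bu": business_unit, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Step 104: the claims if signature and expiry check out, else None (a malformed token is just invalid)."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm server-side; never honour one chosen by the client
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
        return claims if isinstance(claims, dict) and claims.get("exp", 0) > now else None
    except (ValueError, AttributeError, TypeError):
        return None


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """What the user table stores as the pre-stored value: a salted PBKDF2-SHA256 hash, not the password."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_matches(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


# Constructed stand-ins for the user, organization, service unit and service system tables.
_salt, _hash = hash_password("correct horse battery")
USERS = {"13800000001": {"salt": _salt, "hash": _hash, "org_nodes": ["org-hq-sales"]}}
ORG_NODES = {"org-hq-sales": {"business_unit": "bu-sales"}}
BUSINESS_UNITS = {"bu-sales": {"systems": ["crm", "oa"]}}
SYSTEMS = {  # registered first page of each service system
    "crm": "https://crm.example.test/home",
    "oa": "https://oa.example.test/home",
    "hr": "https://hr.example.test/home",
}


def login(request: dict, now: Optional[float] = None) -> dict:
    """Steps 104 to 107 for one login request carrying mobile, password, token and the target system."""
    system = request.get("system")
    if system not in SYSTEMS:
        return {"ok": False, "reason": "unknown system"}
    claims = verify_token(request.get("token", ""), now)
    if claims is not None:
        mobile, fresh_login = claims.get("sub"), False  # step 105: a valid token skips the password check
    else:
        mobile, fresh_login = request.get("mobile", ""), True  # step 106: fall back to the stored credentials
        user = USERS.get(mobile)
        if user is None or not password_matches(request.get("password", ""), user["salt"], user["hash"]):
            return {"ok": False, "reason": "credentials"}
    user = USERS.get(mobile)
    if user is None:
        return {"ok": False, "reason": "unknown user"}  # token subject was deleted after issuance
    # step 107: a bound organization node must belong to a service unit that includes the target system
    for node in user["org_nodes"]:
        bu = ORG_NODES.get(node, {}).get("business_unit")
        if bu and system in BUSINESS_UNITS.get(bu, {}).get("systems", []):
            token = issue_token(mobile, bu, now) if fresh_login else request["token"]
            # jump only to the first page registered for the system, not to a caller-supplied URL
            return {"ok": True, "token": token, "redirect": SYSTEMS[system]}
    return {"ok": False, "reason": "no access to system"}
```

The redirect target is taken from the registered system table rather than from the callback route the patent lets the service system pass in, which keeps the login interface from becoming an open redirector.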
In one embodiment, the method further comprises: after jumping to the first page of the service system, acquiring a first call request of the service system to the permission interface of the SAAS system; querying the role of the user under the service system according to the first call request; querying the resource list corresponding to the role; and returning the resource list to the service system so that the service system renders its displayed interface according to the resource list.
As shown in FIG. 2, an administrator adds a tenant in the system and enters service unit information under the tenant; a service unit is newly created in the system database, and the service unit table contains the tenant identification, the mounted organization node (the service unit table contains the organization node identification) and the service line application systems that can be used. User information is added under the tenant, and the user table contains the tenant identification. After a user logs in to the service system and jumps to its first page, the first call request of the service system to the permission interface of the SAAS system is acquired. The SAAS system is a software-as-a-service system; according to the first call request it queries the role of the user under the service system, queries the resource list corresponding to that role according to the tenant identification of the currently logged-in user, and returns the resource list to the service system so that the service system renders its displayed interface according to the resource list.
In an embodiment of the present application, returning the resource list to the service system further includes: and returning the resource list and the corresponding authority to the service system so that the service system controls the operation of the user on the resource corresponding to the resource list according to the authority.
After a user logs in to the service system and jumps to its first page, the resource list corresponding to the role is queried according to the tenant identification of the currently logged-in user and returned to the service system. Returning the resource list to the service system further comprises returning the resource list together with the corresponding authority, where the resource list comprises the catalogs, menus, buttons and jump paths on the front-end interface of the application system, and the back-end interfaces called or request interfaces, so that the service system controls the user's operations on the resources in the resource list according to the authority.
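The permission interface just described (role under the service system, then the resource list with its authority), as an added example that is not the patent's code. It assumes in-memory stand-ins for the role, role-resource, resource, employee and user-role tables, a two-level view/operate authority, and role templates carrying an empty tenant identification as in step 9 of the management-background list below; all names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Resource:
    id: str
    system: str   # globally unique identifier of the service system the resource belongs to
    kind: str     # catalog, menu, button or api, as in the patent's resource types
    path: str     # front-end route, or the back-end interface / requested URL


# resource table (constructed rows)
RESOURCES = {r.id: r for r in [
    Resource("crm.menu.orders", "crm", "menu", "/orders"),
    Resource("crm.btn.export", "crm", "button", "/orders/export"),
    Resource("crm.api.refund", "crm", "api", "POST /api/refund"),
    Resource("oa.menu.leave", "oa", "menu", "/leave"),
]}
# role table: a role template (step 9) has an empty tenant identification and is usable by every tenant
ROLES = {
    "role-crm-sales": {"tenant": "tenant-a", "system": "crm"},
    "role-crm-finance": {"tenant": "tenant-b", "system": "crm"},
    "tpl-crm-viewer": {"tenant": None, "system": "crm"},
}
# role-resource table, with the authority granted on each resource; "operate" implies "view"
PERM_RANK = {"view": 1, "operate": 2}
ROLE_RESOURCES = {
    "role-crm-sales": {"crm.menu.orders": "operate", "crm.btn.export": "operate"},
    "role-crm-finance": {"crm.api.refund": "operate", "oa.menu.leave": "operate"},
    "tpl-crm-viewer": {"crm.menu.orders": "view", "crm.api.refund": "view"},
}
# employee table (tenant identification, mobile) -> work number; user-role table work number -> roles
EMPLOYEES = {("tenant-a", "13800000001"): "A-001", ("tenant-b", "13800000001"): "B-007"}
USER_ROLES = {"A-001": ["role-crm-sales", "tpl-crm-viewer"], "B-007": ["role-crm-finance"]}


def permission_list(tenant: str, mobile: str, system: str) -> Dict[str, str]:
    """Answer the first call request: resource id -> authority for this user under (tenant, system)."""
    employee = EMPLOYEES.get((tenant, mobile))
    if employee is None:
        return {}  # no employee record under this tenant: nothing to render, nothing to operate
    granted: Dict[str, str] = {}
    for role_id in USER_ROLES.get(employee, []):
        role = ROLES[role_id]
        # roles of another system, or of another tenant (templates carry no tenant), never contribute
        if role["system"] != system or role["tenant"] not in (None, tenant):
            continue
        for res_id, perm in ROLE_RESOURCES.get(role_id, {}).items():
            if RESOURCES[res_id].system != system:
                continue  # a mis-configured role cannot expose another system's resources
            if PERM_RANK[perm] > PERM_RANK.get(granted.get(res_id, ""), 0):
                granted[res_id] = perm  # keep the strongest authority across the user's roles
    return granted


def visible_paths(perms: Dict[str, str], kinds: Tuple[str, ...] = ("catalog", "menu", "button")) -> List[str]:
    """What the service system renders: front-end resources the user may at least view."""
    return sorted(RESOURCES[r].path for r in perms if RESOURCES[r].kind in kinds)


def may_operate(tenant: str, mobile: str, system: str, res_id: str) -> bool:
    """Server-side check the service system applies before executing an operation on a resource."""
    return permission_list(tenant, mobile, system).get(res_id) == "operate"
```

Rendering the menu from the list only hides resources; the service system still has to call the server-side check before acting on a button or interface, since a hidden element can be requested directly.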
In an embodiment of the present application, the method further comprises: acquiring a second call request initiated by an administrator through a service system to a data storage interface of the SAAS system; and saving the user input by the administrator and the data associated with the user according to the second call request, wherein the data associated with the user comprises at least one of tenant, business unit, employee, organization tree and association relation.
A second call request initiated by an administrator through the service system to the data storage interface of the SAAS system is acquired, and the user entered by the administrator and the data associated with the user are saved according to the second call request, where the data associated with the user comprises at least one of tenant, business unit, employee, organization tree and association relation. Specifically, the tenant information and administrator information entered by the administrator are newly created in the system database: the tenant and tenant table, the user and user table, the staff of the newly created tenant, the organization tree and nodes of the newly created tenant, and the tenant administrator and administrator table. The user, staff and organization tree all contain a globally unique tenant identification and are associated with the tenant through this unique identification.
In an embodiment of the present application, the method further comprises: acquiring a third call request which is initiated by an administrator through a service system and is used for an operation object interface of the SAAS system; and creating an operation object system and an operation item of the business system in the SAAS system according to the third call request, wherein the operation item comprises at least one of a page directory, a menu, a button, a jump path, an interface with a permission call back end and a requested resource corresponding to the operation object system.
A third call request initiated by an administrator through the service system to the operation object interface of the SAAS system is acquired, and the operation object system and operation items of the business system are created in the SAAS system according to the third call request, where the operation items comprise at least one of the page directories, menus, buttons, jump paths, back-end interfaces callable with permission and requested resources corresponding to the operation object system. Specifically, service line application system information entered by the administrator is acquired through the system management page of the system's management background, an application system record of the service line is newly created in the system database, and the resource information configured by the administrator under the corresponding service line application system is acquired; the resource information comprises at least one of the page directories, menus, buttons, jump paths, back-end interfaces callable with permission and requested resources corresponding to the system; and the resources of the current application system are newly created in the system database.
In an embodiment of the present application, the method further comprises: after the token is determined to be invalid and the user login is determined to be successful, a corresponding token is generated, the generated token has the validity period of preset time, and the service system can log in the SAAS system within the validity period.
When a user logs in through a login request triggered by the login page, the system first checks whether the token in the request is valid; when the token is invalid, it checks whether the entered mobile phone number and password match the mobile phone number and password values stored in the user table of the system database. It then judges whether the service application system currently being logged into exists under the service unit to which the tenant organization node bound to the current user belongs. When this condition is met and the stored mobile phone number and password have also been matched successfully, the user's login to the current service application system succeeds, a token is generated and its validity period is set, and within that validity period this token can be used to log in to any service application system under that service unit.
In one embodiment, the tenant table is associated with a business unit table, and multiple business units (which may be subsidiaries, factories, brands, business lines, etc.) may be created under one tenant (which may be a group company, a virtual organization or an individual business). The service unit table is associated with an organization table, and one service unit can only be mounted on one node of the organization structure tree (one tenant corresponds to one complete organization structure tree). The user table stores account number and password information (used for logging in) and is associated with a user source table; the mobile phone number serves as the unique user identifier, and third-party systems from multiple sources can be associated. The user table is associated with an employee table: when a user is bound to a tenant, an employee under that tenant corresponding to the user is created; one user can be bound to multiple tenants, with a corresponding employee in each tenant; if the user is a tenant administrator, an associated user administrator table record is also required. The user table is associated with the organization table through a user-organization table in a many-to-many relationship: one user can be bound to multiple organization nodes, multiple users can be mounted on one organization node, and only users who have an employee record under the current tenant can be bound. The service unit table is associated with a service system table, and one service unit may correspond to multiple service systems. The service system table is associated with a resource table, and one service system can configure multiple resources (which may be catalogs, menus or buttons, in a tree structure with a hierarchical relationship). The user table is associated with a role table, and a user may have multiple roles in multiple application systems.
The role table is associated with a resource table, and one role can bind a plurality of resources of a plurality of service systems under a plurality of service units.
In one embodiment, the SAAS system (hereinafter referred to as the present system) handles the following operations:
1. Tenant information and administrator information entered by a super administrator are obtained through the tenant management page of the system's management background, and the following are newly created in the system database: the tenant and tenant table; the user and user table; the staff and staff table of the newly created tenant (the staff table contains the globally unique tenant identification); the organization tree and nodes of the newly created tenant (the organization table contains the tenant identification); and the tenant administrator and user administrator table.
2. Service line application system information entered by a super administrator is obtained through the system management page of the management background, and an application system record of the service line and the system table are newly created in the system database.
3. Resource information under the corresponding service line application system configured by a super administrator (such as the catalogs, menus, buttons and jump paths on the front-end interface of the application system, and the back-end interfaces called or URLs (uniform resource locators) requested) is obtained through the resource management page of the management background, and the resources and resource table of the current application system (containing the globally unique system identifier) are newly created in the system database.
4. Service unit information entered by a tenant administrator (created by the super administrator in step 1) is obtained through the service unit management page of the management background, and the following are newly created in the system database: the service unit and service unit table (containing the tenant identification), the organization node to be mounted (the service unit table contains the organization node identification), and the service line application systems to be used, recorded in a service unit-system relation table. According to the tenant identification of the currently logged-in tenant administrator, viewing and operation are limited to the service units under the current tenant.
5. User information entered by a tenant administrator is obtained through the user management page of the management background, and the user and user table are newly created in the system database. To prevent the current tenant's operation from affecting users created by other tenant administrators, the user is exactly matched against the entered real name and mobile phone number, and editing and saving proceed only after the corresponding user is found.
6. Staff information entered by a tenant administrator is obtained through the staff management page of the management background, and the staff and staff table (containing the tenant identification) are newly created in the system database. According to the tenant identification of the currently logged-in tenant administrator, viewing and operation are limited to the staff under the current tenant.
7. Organization information operated on by a tenant administrator is obtained through the organization tree management page of the management background, and the organization tree and organization table (containing the tenant identification) are stored in the system database. According to the tenant identification of the currently logged-in tenant administrator, viewing and operation are limited to the organization tree under the current tenant.
8. The information of the users a tenant administrator wants to bind or unbind is obtained through the user binding page of the management background, and the binding relation between organization node and user (the user-organization table contains the tenant identification) is stored in the system database. According to the tenant identification of the currently logged-in tenant administrator, only users created by the current tenant can be bound or unbound, and only on the organization tree of the current tenant (the user table is associated with the employee table; the corresponding user is obtained through the tenant identification on the employee table, and the binding relation is then established between the user and the organization).
9. Role information entered by a tenant administrator is obtained through the role management page of the management background, and the role (the role table contains the service unit/tenant identification and the corresponding service line application system identification) is newly created in the system database. According to the tenant identification of the currently logged-in tenant administrator, viewing and operation are limited to the roles under the current tenant. In addition, if different tenants need to use the same roles, role template information entered by a super administrator can be obtained through the role template management page of the management background, and a role template (a role table record whose service unit/tenant identifier is empty, with the corresponding service line application system identifier) is newly created in the system database.
10. The resources ticked by a tenant administrator under the service line application system corresponding to the current role/role template (the service line application systems configured in steps 2 and 3 and their resources) are obtained through the resource configuration page of the current role/role template in the management background, and the mapping between the role/role template and the resources (the role-resource table, containing role identifiers and resource identifiers) is stored in the system database.
11. An employee selected by a tenant administrator is obtained through the employee management page of the management background; the role template ticked by the tenant administrator, or a role created by the current tenant (a role/role template created in step 9), is obtained through the role configuration page of the current employee that the administrator jumps to; and the binding relation between the employee and the role (the user-role table, comprising an employee work number and a role identifier that are unique across tenants) is stored in the system database.
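The tenant-scoping rule repeated in steps 4 to 9 (operate only on data under the currently logged-in tenant administrator's tenant identification), applied in an added example that is not the patent's own code to the user lookup of step 5 and the bind/unbind of step 8. The tables, the session shape and every identifier are constructed stand-ins.

```python
from typing import Optional

# user table: the mobile phone number is the unique user identifier (constructed rows)
USERS = {
    "13800000001": {"real_name": "张三", "email": "zs@example.test"},
    "13800000002": {"real_name": "李四", "email": "ls@example.test"},
}
# employee table: one record per (tenant identification, user); a user may be staff in several tenants
EMPLOYEES = {
    ("tenant-a", "13800000001"): "A-001",
    ("tenant-b", "13800000001"): "B-002",
    ("tenant-b", "13800000002"): "B-001",
}
# organization table: every node carries the tenant identification of its tree
ORG_NODES = {"org-a-root": "tenant-a", "org-a-sales": "tenant-a", "org-b-root": "tenant-b"}
# user-organization table (many-to-many), keyed by tenant so a binding can never span tenants
USER_ORG: set = set()


def tenant_of(session: dict) -> str:
    """The tenant identification comes from the logged-in administrator's session, never from the request."""
    return session["tenant"]


def find_user_for_edit(session: dict, real_name: str, mobile: str) -> Optional[dict]:
    """Step 5: exact match on real name and mobile number, visible only if the user is staff of this tenant."""
    user = USERS.get(mobile)
    if user is None or user["real_name"] != real_name:
        return None
    if (tenant_of(session), mobile) not in EMPLOYEES:
        return None  # exists, but was created by another tenant's administrator: not editable here
    return user


def node_in_tenant(session: dict, org_node: str) -> bool:
    return ORG_NODES.get(org_node) == tenant_of(session)


def bind_user_to_node(session: dict, mobile: str, org_node: str) -> tuple:
    """Step 8: bind only on the current tenant's tree, and only users with an employee record under it."""
    tenant = tenant_of(session)
    if not node_in_tenant(session, org_node):
        return False, "organization node is not on the current tenant's tree"
    if (tenant, mobile) not in EMPLOYEES:
        return False, "user has no employee record under the current tenant"
    USER_ORG.add((tenant, mobile, org_node))
    return True, "bound"


def unbind_user_from_node(session: dict, mobile: str, org_node: str) -> tuple:
    tenant = tenant_of(session)
    if not node_in_tenant(session, org_node):
        return False, "organization node is not on the current tenant's tree"
    USER_ORG.discard((tenant, mobile, org_node))
    return True, "unbound"


def users_on_node(session: dict, org_node: str) -> list:
    """Viewing is scoped the same way: an administrator never sees another tenant's bindings."""
    if not node_in_tenant(session, org_node):
        return []
    tenant = tenant_of(session)
    return sorted(m for (t, m, n) in USER_ORG if t == tenant and n == org_node)
```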
In one embodiment, the application scenarios and integration modes of the SAAS system (hereinafter referred to as the system) include the following:
1. For business application systems used inside the group company (including use by third-party outsourcing staff): after an administrator operates through the backend operation interface provided by the system, the system creates a tenant for the group, and the group's whole organization tree and the group's tenant administrator are created accordingly;
An operation object system is created in the system for each business application system, together with its resources: the page directory, menus, buttons and jump paths of the object system, and the back-end interfaces called or URLs requested. A service unit is created under the group's tenant for each business group (BG), branch or subsidiary company, factory and warehouse in the group; the mounted organization tree nodes are associated with it, as are the business application systems it may use. A user is created for every employee of the group, the employee is created under the group's tenant and bound to the corresponding organization tree node. A user is created for each third-party outsourcing person, an external third-party employee (distinguished by employee type) is created under the group tenant and bound to the same organization tree node as the internal employees. Roles are created for the object systems under the selected service unit and associated with the operable resources in those object systems, and roles are associated with the selected employees.
Users of each business application system log in through the system's unified login page: they are redirected from the domain name of the business application system to the domain name of the system and enter its login interface. The system obtains the mobile phone number and password entered by the user, first checks whether the JWT token carried in the request is valid (if a valid JWT exists, the mobile phone number and password matching check is skipped), then checks whether the entered mobile phone number and password match the values stored in the system's database user table, and determines whether the business application system currently being logged in to exists under the service unit of the group organization node bound to the current user. When all of these conditions are met, login succeeds and a JWT token is generated (skipped if a valid JWT already exists); within its validity period this token allows login to any business application system under the same service unit. Finally, the user is redirected to the home page of the business application system through the callback URL (uniform resource locator) passed by that system. Single sign-on is implemented in this way.
After the user has logged in to the business application system successfully, the business application system calls the system's API to query the current user's role under the current business application system, and the resource list corresponding to that role is returned; the business application system displays and renders its interface according to the returned resource list, so that the user operates only within the scope of their authority. The resource authentication (authorization) function of the business application system is implemented in this way.
2. For the SAAS system of the group company (which provides software services for use by other third-party external companies):
The third-party external company creates its tenant, service units and employees through its own SAAS system outside this system, and stores the tenant, service unit, user, employee, organization tree, association relations and other information in this system's database by calling this system's API (application programming interface). This system only creates an operation object system for the business application system, together with the page directory, menus, buttons, jump paths, back-end interfaces called and URLs requested that correspond to the object system; roles are created for the object systems under the selected service units and associated with the operable resources in those object systems, and roles are associated with the selected employees.
Users of each business application system log in through that system's own login page, which calls the API login interface provided by this system. The interface first checks whether the JWT token in the request is valid (if a valid JWT exists, the mobile phone number and password matching check is skipped), then checks whether the current user's mobile phone number and password match those stored in this system's database user table, and determines whether the business application system currently being logged in to exists under the service unit of the group organization node bound to the current user. When all conditions are met, login succeeds and a JWT token is generated (skipped if a valid JWT already exists); within its validity period this token allows login to any business application system under the same service unit. The JWT token is returned after successful login. Single sign-on is implemented in this way; the resource authentication function is implemented as in scenario 1.
3. Our company's business application systems used by other third-party external companies (opened for external use): the entry login page of the system is embedded in the background management interface of the business application system; when a user operates the permission configuration function of the business application system, the user is redirected directly to the system's login page, and the subsequent processing is the same as in scenario 1. Single sign-on and resource authentication are implemented as in scenario 1.
According to the login method, a login request triggered by a user of a service system through the unified login page is acquired; according to the login request, the user is redirected from the domain name of the service system to the domain name of the SAAS system to enter the SAAS system's login interface, or the SAAS system's login page is entered directly; the user name, password and token carried in the login request are acquired through the SAAS system's login interface; whether the token is valid is checked; if the token is valid, the organization node bound to the user is queried; if the token is invalid, whether the user name and password match the pre-stored values is checked, and if they match, the organization node bound to the user is queried; if the service unit to which the user's bound organization node belongs includes the service system, the user's login is determined to be successful and the user is redirected to the home page of the service system. This method makes the system easy to integrate with service systems: the user management, role management, permission management, organization management, system parameter configuration and similar functions common to all service systems are extracted into it, so each service system can concentrate on its own business development, and research and development efficiency is improved.
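The login flow of scenarios 1 and 2 and of the summary above, as an added example that is not part of the patent or of the applicant's system: the JWT check runs first, an absent or invalid token falls back to the mobile phone number/password match, the target system must be configured under the service unit of the user's bound organization node, and only then is a token issued that is reusable for the other systems under the same unit. The in-memory tables, phone numbers, unit and system identifiers, the HS256 signing key and the one-hour validity period are all constructed for the example; the final check that the callback URL's host equals the domain registered for the target system is an added hardening step that the text does not spell out.

```python
"""Added example (not the patent's code): the SAAS login flow with
constructed in-memory rows for the user, user organization, service unit
and system tables."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

SECRET = b"constructed-demo-signing-key"  # assumption: server-side HS256 key
TOKEN_TTL = 3600                          # assumption: one-hour validity period


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, unit_id: str, now: int) -> str:
    """HS256 JWT generated after a successful login; the 'unit' claim records
    the service unit so the token covers every system under that unit."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user_id, "unit": unit_id, "iat": now, "exp": now + TOKEN_TTL}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: int) -> Optional[dict]:
    """Claims if signature and expiry check out, else None (password path)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    try:
        hdr = json.loads(_b64url_decode(header))
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("alg") != "HS256" or claims.get("exp", 0) <= now:
        return None
    return claims


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Db:
    users: dict     # phone -> (user_id, salt, password_hash)      user table
    user_org: dict  # user_id -> bound organization node          user organization table
    units: dict     # unit_id -> {"nodes": set, "systems": set}    service unit tables
    systems: dict   # system_id -> registered domain name         system table


def sample_db() -> Db:
    """Constructed rows: one group tenant with a factory and a warehouse unit."""
    salt = b"constructed-salt"
    return Db(
        users={"13800000001": ("u1", salt, hash_password("correct horse", salt)),
               "13800000002": ("u2", salt, hash_password("battery staple", salt))},
        user_org={"u1": "node-factory-1", "u2": "node-warehouse-1"},
        units={"bu-factory": {"nodes": {"node-factory-1"}, "systems": {"mes", "oa"}},
               "bu-warehouse": {"nodes": {"node-warehouse-1"}, "systems": {"wms"}}},
        systems={"mes": "mes.example.com", "oa": "oa.example.com", "wms": "wms.example.com"},
    )


@dataclass
class LoginResult:
    ok: bool
    reason: str
    token: str = ""
    redirect: str = ""


def login(db: Db, system_id: str, callback_url: str, now: int,
          token: str = "", phone: str = "", password: str = "") -> LoginResult:
    """JWT check first; otherwise phone/password match; then the target system
    must be configured under the service unit of the user's organization node."""
    claims = verify_token(token, now) if token else None
    if claims:
        user_id = claims["sub"]
    else:
        record = db.users.get(phone)
        # same reason for unknown phone and wrong password: no account enumeration
        if record is None:
            return LoginResult(False, "phone number and password do not match")
        user_id, salt, stored_hash = record
        if not hmac.compare_digest(hash_password(password, salt), stored_hash):
            return LoginResult(False, "phone number and password do not match")
    node = db.user_org.get(user_id)
    unit_id = next((uid for uid, u in db.units.items() if node in u["nodes"]), None)
    if unit_id is None or system_id not in db.units[unit_id]["systems"]:
        return LoginResult(False, "system not under the user's service unit")
    # Added hardening (assumption, not stated in the text): the callback URL is
    # honoured only if its host is the domain registered for the target system.
    if urlparse(callback_url).hostname != db.systems[system_id]:
        return LoginResult(False, "callback URL does not match the registered system")
    if not claims:
        token = issue_token(user_id, unit_id, now)  # skipped when a valid JWT came in
    return LoginResult(True, "ok", token=token, redirect=callback_url)
```

Both credential failures return the same reason, so the response does not reveal whether a phone number is registered. The token is bound to the service unit rather than to a single system, which is what lets one login cover every business application system under that unit; the unit membership check is still repeated on every token login, so a system removed from the unit stops accepting the token immediately.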
The embodiment of the application provides a processor for running a program, wherein the login method is executed when the program runs.
In one embodiment, a login device is provided, the device comprising a processor configured to perform the login method.
In one embodiment, a computer device is provided that includes a memory storing a computer program and a processor that implements the login method when executing the computer program. The computer device may be a terminal, and its internal structure may be as shown in fig. 3. The computer device includes a processor a01, a network interface a02, a display screen a04, an input device a05 and a memory (not shown in the figure), which are connected through a system bus. The processor a01 of the computer device provides computing and control capabilities. The memory of the computer device includes an internal memory a03 and a nonvolatile storage medium a06. The nonvolatile storage medium a06 stores an operating system B01 and a computer program B02. The internal memory a03 provides an environment for running the operating system B01 and the computer program B02 held in the nonvolatile storage medium a06. The network interface a02 of the computer device is used for communication with external terminals over a network connection. The computer program is executed by the processor a01 to implement the login method. The display screen a04 of the computer device may be a liquid crystal display or an electronic ink display, and the input device a05 may be a touch layer covering the display screen, a key, a trackball or a touch pad arranged on the casing of the computer device, or an external keyboard, touch pad or mouse.
It will be appreciated by those skilled in the art that the structure shown in fig. 3 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
The embodiment of the application provides equipment comprising a processor, a memory and a program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the following steps: acquiring a login request triggered by a user of a service system through a unified login page; according to the login request, redirecting from the domain name of the service system to the domain name of the SAAS system to enter a login interface of the SAAS system, or directly entering a login page of the SAAS system according to the login request; acquiring a user name, a password and a token carried in the login request through the login interface of the SAAS system; checking whether the token is valid; querying the organization node bound to the user if the token is determined to be valid; if the token is invalid, checking whether the user name and password match the pre-stored values, and querying the organization node bound to the user if they match; if the service unit to which the user's bound organization node belongs includes the service system, determining that the user's login is successful and redirecting the user to the home page of the service system.
In one embodiment, the method further comprises: after redirecting to the home page of the service system, acquiring a first call request of the service system to a permission interface of the SAAS system; querying the role of the user under the service system according to the first call request; querying the resource list corresponding to the role; and returning the resource list to the service system so that the service system displays and renders its interface according to the resource list.
In one embodiment, returning the resource list to the business system further comprises: and returning the resource list and the corresponding authority to the service system so that the service system controls the operation of the user on the resource corresponding to the resource list according to the authority.
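The role, role resource and user role tables of steps 9 to 11 and the permission interface described just above (look up the user's role under the current service system, then return the resource list with its permissions), as an added example that is not the patent's own code. Roles carry a tenant identifier and role templates carry none (the empty service unit/tenant identifier of step 9); a tenant administrator may only save roles of its own tenant. The lookup side additionally ignores any binding to a role of another tenant or of another system, a defensive filter the text does not state. All table rows, identifiers and permission values are constructed.

```python
"""Added example (not the patent's code): tenant-scoped role management and
the role -> resource lookup behind the permission interface, on constructed
in-memory rows for the role, resource, role resource, employee and user role
tables."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Role:
    role_id: str
    system_id: str            # service line application system the role belongs to
    tenant_id: Optional[str]  # None marks a role template shared by all tenants


@dataclass
class AuthzDb:
    roles: dict           # role_id -> Role                             role table
    resources: dict       # resource_id -> (system_id, kind, permission)  resource table
    role_resources: dict  # role_id -> set of resource_id                 role resource table
    employees: dict       # (user_id, tenant_id) -> employee work number  employee table
    user_roles: dict      # employee work number -> set of role_id        user role table


@dataclass
class Admin:
    user_id: str
    tenant_id: Optional[str]  # None for the super administrator


def sample_authz_db() -> AuthzDb:
    """Constructed rows: two tenants sharing the 'mes' system, one template,
    and one stale cross-tenant binding (A-0001 -> r-b-ops) to be filtered."""
    return AuthzDb(
        roles={"r-a-ops": Role("r-a-ops", "mes", "tenant-a"),
               "r-b-ops": Role("r-b-ops", "mes", "tenant-b"),
               "tpl-viewer": Role("tpl-viewer", "mes", None),
               "r-a-wms": Role("r-a-wms", "wms", "tenant-a")},
        resources={"menu.orders": ("mes", "menu", "read"),
                   "btn.approve": ("mes", "button", "write"),
                   "api.orders": ("mes", "url", "read"),
                   "menu.stock": ("wms", "menu", "read")},
        role_resources={"r-a-ops": {"menu.orders", "btn.approve"},
                        "r-b-ops": {"menu.orders"},
                        "tpl-viewer": {"api.orders"},
                        "r-a-wms": {"menu.stock"}},
        employees={("u1", "tenant-a"): "A-0001", ("u9", "tenant-b"): "B-0007"},
        user_roles={"A-0001": {"r-a-ops", "tpl-viewer", "r-a-wms", "r-b-ops"},
                    "B-0007": {"r-b-ops"}},
    )


def visible_roles(db: AuthzDb, admin: Admin) -> list:
    """Role management page: a tenant administrator sees only its own tenant's
    roles plus the shared templates; the super administrator sees all."""
    return sorted(r.role_id for r in db.roles.values()
                  if admin.tenant_id is None or r.tenant_id in (admin.tenant_id, None))


def save_role(db: AuthzDb, admin: Admin, role: Role) -> bool:
    """Create or update a role. A tenant administrator may neither touch another
    tenant's role nor create a template (templates are the super admin's job)."""
    existing = db.roles.get(role.role_id)
    if admin.tenant_id is not None:
        if role.tenant_id != admin.tenant_id:
            return False
        if existing is not None and existing.tenant_id != admin.tenant_id:
            return False
    db.roles[role.role_id] = role
    return True


def resources_for(db: AuthzDb, user_id: str, tenant_id: str, system_id: str) -> list:
    """Permission interface: (resource_id, kind, permission) for the user's roles
    under one system. Roles of another tenant or another system are ignored
    even if a binding row exists (added defensive filter)."""
    work_no = db.employees.get((user_id, tenant_id))
    if work_no is None:
        return []
    allowed = {}
    for role_id in db.user_roles.get(work_no, set()):
        role = db.roles.get(role_id)
        if role is None or role.system_id != system_id:
            continue
        if role.tenant_id not in (tenant_id, None):
            continue
        for res_id in db.role_resources.get(role_id, set()):
            res_system, kind, perm = db.resources[res_id]
            if res_system == system_id:
                allowed[res_id] = (kind, perm)
    return sorted((rid, kind, perm) for rid, (kind, perm) in allowed.items())
```

The write-side check in `save_role` is the patent's "only roles under the current tenant can be viewed and operated on" rule; the read-side filter in `resources_for` means that even a binding row that slipped past it (here the constructed A-0001 -> r-b-ops row) cannot surface another tenant's resources in the rendered interface.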
In one embodiment, the method further comprises: acquiring a second call request initiated by an administrator through a service system to a data storage interface of the SAAS system; and saving the user input by the administrator and the data associated with the user according to the second call request, wherein the data associated with the user comprises at least one of tenant, business unit, employee, organization tree and association relation.
In one embodiment, the method further comprises: acquiring a third call request which is initiated by an administrator through a service system and is used for an operation object interface of the SAAS system; and creating an operation object system and an operation item of the business system in the SAAS system according to the third call request, wherein the operation item comprises at least one of a page directory, a menu, a button, a jump path, an interface with a permission call back end and a requested resource corresponding to the operation object system.
In one embodiment, the method further comprises: after the token is determined to be invalid and the user login is determined to be successful, a corresponding token is generated, the generated token has the validity period of preset time, and the service system can log in the SAAS system within the validity period.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, Random Access Memory (RAM) and/or nonvolatile memory, etc., such as Read Only Memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read only memory (ROM), electrically erasable programmable read only memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media) such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises that element.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.

Claims (6)

1. A login method applied to a SAAS system, the method comprising:
acquiring a login request triggered by a user of a service system through a unified login page;
according to the login request, jumping from the domain name of the service system to the domain name of the SAAS system to enter a login interface of the SAAS system, or directly entering a login page of the SAAS system according to the login request;
acquiring a user name, a password and a JWT token carried in the login request through the login interface of the SAAS system;
checking whether the JWT token in the request is valid, wherein the JWT token is generated after the user's login authentication succeeds and contains user information; a request interface only needs to carry the JWT token to access a resource service, and the resource service completes the JWT token check itself according to a preset algorithm, without requesting the authentication service to complete authorization each time;
if a valid JWT token exists, skipping the matching check of the mobile phone number and password, and querying the organization node bound to the user once the JWT token is determined to be valid;
if the JWT token is invalid, checking whether the entered mobile phone number and password match the mobile phone number and password stored in the database user table of the system; determining whether the service application system currently being logged in to exists under the service unit to which the tenant organization node bound to the current user belongs; when the entered mobile phone number and password match those stored in the database user table and the user logs in to the current service application system successfully, generating a JWT token, by means of which any service application system under that service unit can be logged in to within the validity period;
when the service system is included under the service unit of the organization node bound to the user, determining that the user's login is successful and jumping to the home page of the service system;
the method further comprises the steps of:
after jumping to the home page of the service system, acquiring a first call request of the service system to the authority interface of the SAAS system;
querying the role of the user under the service system according to the first call request;
inquiring a resource list corresponding to the role;
returning the resource list to the service system so that the service system displays and renders a displayed interface according to the resource list;
acquiring a second call request initiated by an administrator through the service system to a data storage interface of the SAAS system;
storing a user input by an administrator and data associated with the user according to the second call request, wherein the data associated with the user comprises at least one of tenant, business unit, employee, organization tree and association relation;
the method further comprises the steps of:
acquiring a third call request which is initiated by an administrator through the service system and is used for an operation object interface of the SAAS system;
creating an operation object system and an operation item of the service system in the SAAS system according to the third call request, wherein the operation item comprises at least one of a page directory, a menu, a button, a jump path, an interface with authority to call the back end and a requested resource corresponding to the operation object system;
the SAAS system is used for processing the following contents:
acquiring tenant information and administrator information entered by a super administrator through the tenant management page of the management backend of the system, and creating in the database of the system the tenant (tenant table), the user (user table) and the employee (employee table, containing a globally unique tenant identifier) of the newly created tenant, the organization tree and nodes of the newly created tenant (organization table, containing the tenant identifier), and the tenant administrator (user and administrator tables);
acquiring service line application system information entered by a super administrator through the system management page of the management backend of the system, and creating an application system record of the service line in the database of the system (system table);
acquiring, through the resource management page of the management backend of the system, the resource information configured by the super administrator under the corresponding service line application system, the resource information comprising the catalog, menus, buttons and jump paths on the front-end interface of the application system and the back-end interfaces called and URLs (uniform resource locators) requested, and creating the resources of the current application system in the database of the system (resource table, containing a globally unique system identifier);
acquiring service unit information entered by a tenant administrator created by the super administrator through the service unit management page of the management backend of the system, and creating a service unit in the database of the system (service unit table, containing the tenant identifier, the mounted organization nodes (organization node identifiers) and the usable service line application systems (service unit-system relation table)); limiting viewing and operation to the service units under the current tenant according to the tenant identifier of the currently logged-in tenant administrator;
acquiring user information entered by a tenant administrator through the user management page of the management backend of the system, and creating a user in the database of the system (user table); to prevent the current tenant's operation from affecting users created by other tenant administrators, the user is matched exactly against the entered real name and mobile phone number, and editing and saving are performed only after the corresponding user is found;
acquiring employee information entered by a tenant administrator through the employee management page of the management backend of the system, and creating an employee in the database of the system (employee table, containing the tenant identifier); limiting viewing and operation to the employees under the current tenant according to the tenant identifier of the currently logged-in tenant administrator;
acquiring organization information operated on by a tenant administrator through the organization tree management page of the management backend of the system, and storing the organization tree in the database of the system (organization table, containing the tenant identifier); limiting viewing and operation to the organization tree under the current tenant according to the tenant identifier of the currently logged-in tenant administrator;
acquiring the user information to be bound or unbound by a tenant administrator through the user binding page of the management backend of the system, and storing the binding relationship between the organization node and the user in the database of the system (user organization table, containing the tenant identifier); according to the tenant identifier of the currently logged-in tenant administrator, only users created by the current tenant can be bound or unbound, and only on the organization tree of the current tenant; the user table is associated with the employee table, the corresponding user is obtained through the tenant identifier on the employee table, and the binding relationship between the user and the organization is established;
acquiring role information entered by a tenant administrator through the role management page of the management backend of the system, and creating a role in the database of the system (role table, containing the service unit/tenant identifier and the corresponding service line application system identifier); limiting viewing and operation to the roles under the current tenant according to the tenant identifier of the currently logged-in tenant administrator; in addition, if different tenants need to use the same roles, role template information entered by a super administrator is acquired through the role template management page of the management backend of the system, and a role template is created in the database of the system (role table with an empty service unit/tenant identifier and the corresponding service line application system identifier);
acquiring the resources checked by a tenant administrator under the service line application system corresponding to the current role/role template through the resource configuration page of that role/role template in the management backend of the system, and storing the mapping relationship between the role/role template and the resources in the database of the system (role resource table, containing the role identifier and the resource identifier);
acquiring an employee selected by a tenant administrator through the employee management page of the management backend of the system, acquiring the role templates/roles created by the current tenant that the tenant administrator has checked on the role configuration page reached for that employee, and storing the binding relationship between the employee and the roles in the database of the system (user role table, containing the employee work number, which is unique across tenants, and the role identifier).
2. The method of claim 1, wherein the returning the resource list to the business system further comprises:
and returning the resource list and the corresponding authority to the service system so that the service system controls the operation of the user on the resource corresponding to the resource list according to the authority.
3. The method according to claim 1, wherein the method further comprises:
after the JWT token is determined to be invalid and the user's login is determined to be successful, a corresponding JWT token is generated, the generated JWT token has a validity period of a preset time, and the service system can log in to the SAAS system within the validity period.
4. The method of claim 1, wherein the service system is either a SAAS system or a non-SAAS system.
5. A computer device comprising a memory and a processor, the memory storing a computer program, the processor implementing the login method according to any one of claims 1 to 4 when executing the computer program.
6. A machine-readable storage medium having instructions stored thereon, which when executed by a processor cause the processor to be configured to perform the login method according to any one of claims 1 to 4.
CN202210391885.7A 2022-04-14 2022-04-14 Login method, login equipment and storage medium Active CN114726632B (en)


Publications (2)

Publication Number Publication Date
CN114726632A CN114726632A (en) 2022-07-08
CN114726632B true CN114726632B (en) 2024-04-05

Family

ID=82243868

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210391885.7A Active CN114726632B (en) 2022-04-14 2022-04-14 Login method, login equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114726632B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115758300B (en) * 2022-11-28 2023-08-01 北京淘友天下技术有限公司 Data processing method, device, electronic equipment and storage medium
CN116743702B (en) * 2023-08-16 2024-02-27 湖南映客互娱网络信息有限公司 Uniform domain name access method, device and equipment of SaaS system

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105430102A (en) * 2015-12-28 2016-03-23 东软集团股份有限公司 Integration method and system of SaaS (Software as a Service) website and third-party system and device thereof
WO2017028804A1 (en) * 2015-08-19 2017-02-23 中兴通讯股份有限公司 Web real-time communication platform authentication and access method and device
CN109309683A (en) * 2018-10-30 2019-02-05 泰华智慧产业集团股份有限公司 The method and system of client identity verifying based on token
CN109688162A (en) * 2019-02-19 2019-04-26 山东浪潮通软信息科技有限公司 A kind of data of multi-tenant divide library method and system
WO2020155492A1 (en) * 2019-01-31 2020-08-06 平安科技(深圳)有限公司 Device id-based login state sharing method and device
CN111935131A (en) * 2020-08-06 2020-11-13 中国工程物理研究院计算机应用研究所 SaaS resource access control method based on resource authority tree
CN113260980A (en) * 2018-11-12 2021-08-13 思杰系统有限公司 System and method for real-time SAAS objects
CN114143053A (en) * 2021-11-24 2022-03-04 国云科技股份有限公司 Third-party service login method and device, terminal equipment and storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160021097A1 (en) * 2014-07-18 2016-01-21 Avaya Inc. Facilitating network authentication
US10757091B2 (en) * 2018-10-25 2020-08-25 International Business Machines Corporation Certificate-based single sign-on (SSO) from mobile applications over the internet

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017028804A1 (en) * 2015-08-19 2017-02-23 中兴通讯股份有限公司 Web real-time communication platform authentication and access method and device
CN105430102A (en) * 2015-12-28 2016-03-23 东软集团股份有限公司 Integration method and system of SaaS (Software as a Service) website and third-party system and device thereof
CN109309683A (en) * 2018-10-30 2019-02-05 泰华智慧产业集团股份有限公司 Token-based client identity verification method and system
CN113260980A (en) * 2018-11-12 2021-08-13 思杰系统有限公司 System and method for real-time SAAS objects
WO2020155492A1 (en) * 2019-01-31 2020-08-06 平安科技(深圳)有限公司 Device id-based login state sharing method and device
CN109688162A (en) * 2019-02-19 2019-04-26 山东浪潮通软信息科技有限公司 Multi-tenant data sharding (database splitting) method and system
CN111935131A (en) * 2020-08-06 2020-11-13 中国工程物理研究院计算机应用研究所 SaaS resource access control method based on resource authority tree
CN114143053A (en) * 2021-11-24 2022-03-04 国云科技股份有限公司 Third-party service login method and device, terminal equipment and storage medium

Also Published As

Publication number Publication date
CN114726632A (en) 2022-07-08

Similar Documents

Publication Publication Date Title
CN108920494B (en) Isolated access method of multi-tenant database, server and storage medium
CN109688120B (en) Dynamic authority management system based on improved RBAC model and Spring Security framework
CN114726632B (en) Login method, login equipment and storage medium
US8769653B2 (en) Unified access control system and method for composed services in a distributed environment
US20180167378A1 (en) System and Method for Multi-Tenant SSO With Dynamic Attribute Retrieval
CN113239344B (en) Access right control method and device
US20120291090A1 (en) Access management architecture
CN108293045A (en) Single-sign-on Identity Management between local and remote system
US8365261B2 (en) Implementing organization-specific policy during establishment of an autonomous connection between computer resources
CN109587233B (en) Multi-cloud container management method, device and computer-readable storage medium
CN109829286B (en) User authority management system and method for WEB application
KR20020005457A (en) Network system, device management system, device management method, data processing method, storage medium, and internet service provision method
CN113297550A (en) Authority control method, device, equipment, storage medium and program product
US9355270B2 (en) Security configuration systems and methods for portal users in a multi-tenant database environment
CN104753677A (en) Password hierarchical control method and system
CN112910904B (en) Login method and device of multi-service system
CN105516059A (en) Resource access control method and device
US20200233907A1 (en) Location-based file recommendations for managed devices
CN110636057A (en) Application access method and device and computer readable storage medium
CN110691089B (en) Authentication method applied to cloud service, computer equipment and storage medium
CN105052105A (en) Utilizing x.509 authentication for single sign-on between disparate servers
US11108831B2 (en) Machine policy configuration for managed devices
US20210021416A1 (en) Systems and methods for using automated browsing to recover secured key from a single data entry
CN111045928A (en) Interface data testing method, device, terminal and storage medium
CN110351719A (en) Wireless network management method and system, electronic device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20230413

Address after: Room 1501, No. 108, Dingxin Road, Haizhu District, Guangzhou City, Guangdong Province, 510000

Applicant after: Guangzhou Xinjing Information Technology Service Co.,Ltd.

Address before: 510000 room B338, No. 364, middle Industrial Avenue, Haizhu District, Guangzhou, Guangdong Province

Applicant before: Tiangong Xinchuang (Guangzhou) Information Technology Co.,Ltd.

TA01 Transfer of patent application right
GR01 Patent grant
GR01 Patent grant