CN114793165A - Login system control method, system, device and medium - Google Patents


Info

Publication number: CN114793165A
Application number: CN202210204782.5A
Authority: CN (China)
Prior art keywords: token, login, user information, access token, access
Prior art date:
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 姜波
Current assignee: OneConnect Financial Technology Co Ltd Shanghai (as listed by Google Patents)
Original assignee: OneConnect Financial Technology Co Ltd Shanghai
Priority date:
Filing date:
Publication date:

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/3228 One-time or temporary data, i.e. information which is sent for every authentication or authorization, e.g. one-time-password, one-time-token or one-time-key


Abstract

The application relates to the technical field of computers and provides a login system control method, system, device and medium. The login system control method comprises the steps of obtaining user information; authenticating the user information and setting a token validity period; generating an access token and storing the access token and the user information in a distributed storage system; encrypting the access token; and completing system login according to the matching of the login information with the encrypted access token. With the login system control method, system, device and medium, the adaptability of the login system can be improved.

Description

Login system control method, system, device and medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, a system, a device, and a medium for controlling a login system.
Background
With the development of internet technology, the variety of mobile applications keeps increasing, which places higher demands on the adaptability and reliability of login systems. Under the current system architecture and level of technology, a login system must perform login authentication when the user uses the system; business operations can be carried out only after login authentication succeeds; the user's login state must remain valid throughout; and the related operation data must be encrypted during system interaction. As a result, existing login systems are relatively tightly coupled, carry a single-point-of-failure risk, and are not well suited to building systems in which the front end and back end are separated.
Disclosure of Invention
In view of the above-mentioned shortcomings of the prior art, it is an object of the present application to provide a login system control method, system, device and medium, which can improve the adaptability of the login system.
To achieve the above and other related objects, the present application provides a login system control method, including:
acquiring user information;
authenticating the user information and setting a token validity period;
generating an access token, and storing the access token and the user information in a distributed storage system;
encrypting the access token; and
completing system login according to the matching of the login information with the encrypted access token.
In an embodiment of the application, authenticating the user information and setting a token validity period includes:
acquiring a user name and a password and requesting authentication;
verifying the user information and generating a password; and
storing the password to complete the authentication of the user information.
In an embodiment of the present application, verifying the user information includes:
if the user information is verified successfully, generating a password, storing the password, and completing the authentication of the user information; and
if verification of the user information fails, prompting that authentication has failed and ending the authentication.
In an embodiment of the present application, generating an access token and storing the access token and the user information in a distributed storage system includes:
generating the access token according to the user information and the token validity period.
In an embodiment of the application, completing system login according to the matching of the login information with the encrypted access token includes:
obtaining login request information and an access token;
decrypting the request data of the access token and acquiring the user information;
if decryption succeeds, querying the token according to the decrypted request data of the access token and the user information, and if decryption fails, prompting that the login is invalid and ending the login; and
verifying whether the queried token has expired; if it has expired, generating a new access token according to the user information and the token validity period and updating the token data in the distributed storage system; if the queried token has not expired, the token is verified successfully and system login is completed.
In an embodiment of the present application, verifying whether the queried token has expired includes:
verifying whether the queried token is consistent with the decrypted access token;
if the queried token is consistent with the decrypted access token, verifying whether the queried token has expired; and
if the queried token is inconsistent with the decrypted access token, analysing the token data.
In an embodiment of the application, verifying whether the queried token and the decrypted access token are consistent includes:
judging whether a token was found by the query; if so, verifying whether the queried token is consistent with the decrypted access token, and if not, prompting that the login is invalid and ending the login.
To achieve the above and other related objects, there is also provided a login system including:
the information acquisition module is arranged at the client and used for acquiring the user information;
the checking module is arranged at the server and used for authenticating the user information and setting the token validity period; generating an access token, and storing the access token and the user information to a distributed storage system; encrypting the access token and returning the encrypted access token to the client; according to the matching of the login information and the encrypted access token, completing system login;
and the updating module is arranged at the server and used for generating a new access token according to the user information and the token validity period and updating the token data in the distributed storage system.
To achieve the above and other related objects, the present application further provides an electronic device, which includes a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor executes the computer program to achieve the steps of the method.
To achieve the above and other related objects, the present application also provides a computer-readable storage medium having stored thereon a computer program, which when executed by a processor, performs the steps of the above-described method.
As described above, the login system control method, system, device and medium provided by the present application allow login-state management in a system whose front end and back end are separated, which improves system security. Because the front end and back end are separated in the system design and login authentication does not have to depend on a single unified authentication centre, system stability is improved. Encrypting the token adds a further layer of protection for the data and prevents it from being tampered with. System coupling is reduced, and with it the risk introduced by front-end data refreshes. When the server generates the token it can adjust the token validity period dynamically, giving precise control and further improving safety for the user.
Drawings
Fig. 1 is a first flowchart illustrating a login system control method according to an embodiment of the present disclosure.
Fig. 2 is a flowchart illustrating the step S200 in an embodiment of the present application.
Fig. 3 is a flowchart illustrating a step S500 in an embodiment of the present application.
Fig. 4 is a flowchart illustrating a second method for controlling a login system according to an embodiment of the present disclosure.
Fig. 5 is a flowchart illustrating a third method for controlling a login system according to an embodiment of the present disclosure.
Fig. 6 is a schematic diagram of a login system in an embodiment of the present application.
FIG. 7 is a block diagram of a computer-readable storage medium of the present application in one embodiment.
Fig. 8 is a schematic block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following embodiments of the present invention are provided by way of specific examples, and other advantages and effects of the present invention will be readily apparent to those skilled in the art from the disclosure herein. The invention is capable of other and different embodiments and of being practiced or of being carried out in various ways, and its several details are capable of modification in various respects, all without departing from the spirit and scope of the present invention.
It should be noted that the drawings provided in the present embodiment are only for illustrating the basic idea of the present invention, and the components related to the present invention are only shown in the drawings rather than drawn according to the number, shape and size of the components in actual implementation, and the type, quantity and proportion of the components in actual implementation may be changed freely, and the layout of the components may be more complicated.
Referring to Fig. 1, in an embodiment of the present application, a login system control method is provided which can improve the adaptability of a login system; the login system control method of the present application includes the following steps:
S100, acquiring user information;
S200, authenticating the user information and setting a token validity period;
S300, generating an access token, and storing the access token and the user information in a distributed storage system;
S400, encrypting the access token; and
S500, completing system login according to the matching of the login information with the encrypted access token.
Referring to fig. 1, in an embodiment of the present application, in step S100, user information is obtained. In this embodiment, the client may include various client applications, such as a shopping application, a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like. The client can be installed in various terminal devices including, but not limited to, a smart phone, a tablet computer, a laptop portable computer, a desktop computer, and the like.
Referring to Fig. 1, in an embodiment of the present application, in step S200 the user information is authenticated and a token validity period is set. In this embodiment, the server may respond to an access request received from the client and return the corresponding service to the client, for example a web resource held by the server. The server may provide various services, such as a back-end management server supporting a website browsed by the client; such a server analyses and processes received data such as user requests and returns a processing result (for example, a web page, information, or data obtained or generated from the user request) to the client. After entering the mobile service system, the user must go through login authentication, and the token validity period is set once the user information has been authenticated. After the server-side authentication succeeds, the system generates a token with JWT (JSON Web Token) using the user login information and the configured token validity period as the main parameters, stores the token together with the user login information in the distributed storage system, and sets the default validity period.
Referring to Fig. 1, in the present embodiment, JWT (JSON Web Token, RFC 7519) is an open, JSON-based standard for passing claims between parties in a web application environment. A JWT is designed to be compact, and its signature lets the receiver check integrity and issuer, which makes it well suited to single sign-on across distributed sites. JWT claims are typically used to pass authenticated user identity between the identity provider and the service provider so that resources can be obtained from the resource server, and further claims needed by other business logic can be added; a JWT can also be used directly for authentication and, if its contents must be hidden, encrypted. The user information travels inside the token itself, so a purely JWT-based server need not hold any session state: it checks the token's signature with its stored key and trusts the claims as long as the signature is correct. A signed JWT is not confidential, however: the header and payload are only Base64url-encoded and can be read by anyone who holds the token, which is why the present application additionally encrypts the token before returning it to the client (step S400).
Referring to Fig. 1, the JWT is generated at the server: if the client requests authentication from the server with a username and password and authentication succeeds, the server returns the JWT to the client. The client then carries the JWT on each request to prove its legitimacy. If the server also persists the JWT (for example, in a database), it becomes a standing identity token that the server can look up, which is what the present application does with the distributed storage system. The system in one embodiment of the application comprises a client and a server. After processing is finished, the token is encrypted and returned to the client; the back-end service nodes themselves hold no session state, since the token record lives in the shared distributed storage, which improves the maintainability of the system.
Referring to Fig. 1, in an embodiment of the present application, the front end (such as the client) may be built with, for example, the Vue framework, and the server may be a back-end service built with, for example, the Spring Boot framework; the way they are built in a specific implementation is not limited to this, and any framework with which a client and a server can be built may be used.
Referring to Fig. 2, in an embodiment of the present application, step S200 may further include S210, acquiring a user name and a password and requesting authentication; S220, verifying the user information and generating a password; and S230, storing the password and completing the authentication of the user information. In an embodiment of the present application, step S220 further includes S221: if the user information is verified successfully, a password is generated and stored to complete the authentication of the user information; if verification of the user information fails, the user is told that authentication has failed and the authentication ends. In an embodiment of the present application, the verification may include permission verification and/or validity-period verification. If permission verification is included, token identifier verification is judged to succeed when permission verification passes and to fail when it does not. If validity-period verification is included, token identifier verification is judged to succeed when validity-period verification passes and to fail when it does not. If both are included, token identifier verification succeeds only when both pass and fails if either does not. The specific content of the verification is set according to user requirements and is not limited to the three combinations above; the application places no restriction on it.
Referring to Fig. 1, in an embodiment of the present application, in step S300 an access token is generated, and the access token and the user information are stored in a distributed storage system. In this embodiment, the access token may be generated from the user information and the token validity period. If verification has passed, the access token is generated and stored together with the user login information in the distributed storage system. The system resource permissions and data permissions corresponding to the user role at the front end (such as the client in this embodiment) can be derived from the user information. The server sends the system resource permission information, the data permission information and the token identifier to the front end, which may be a client in an embodiment of the present application. From the system resource permission information and the data permission information the front end obtains the menu within its permissions, and from the menu it obtains the interface path of each accessible function.
Referring to Fig. 1, in an embodiment of the present application, the data of an accessible function is obtained through its interface path, so that the data remains protected while it is being accessed. The token and the user login information are stored in the distributed storage system. The data of the accessed function is returned to the front end; it is the data within the front end's access permissions, returned on the basis of the token identifier verification.
Referring to Fig. 1, in one embodiment of the present application, the access token is encrypted in step S400. In this embodiment, the encryption may be performed with an encryption key after the access token has been generated. A JWT is a string of three parts: header, payload and signature. The header and payload are Base64url-encoded, not encrypted; the signature is computed over the concatenation of the encoded header and payload with the algorithm named in the header, e.g. HS256, which is HMAC-SHA256 keyed with the server's secret. HS256 therefore provides integrity and issuer authentication rather than confidentiality; confidentiality of the token contents is what the separate encryption of step S400 adds.
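The token structure described in this step, shown as an added example that is not part of the patent: HS256 signing and verification in Go using only the standard library. The claim names sub and exp, the constructed key and the user name are assumptions; the page fixes none of them. The block also makes the MAC-versus-encryption point concrete: the payload is readable without the key, and a payload edited without the key fails verification. The separate encryption of step S400 is not included here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Claims is the payload the server puts in the token: user information plus the validity period.
type Claims struct {
	Sub string `json:"sub"` // user identifier (claim name assumed; the page does not fix one)
	Exp int64  `json:"exp"` // end of the validity period, Unix seconds
}

func hmacSHA256(key []byte, data string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(data))
	return m.Sum(nil)
}

// SignHS256 builds header.payload.signature. The signature is HMAC-SHA256 over the two
// Base64url-encoded parts: a MAC, not encryption, so the payload stays readable without the key.
func SignHS256(c Claims, key []byte) string {
	body, _ := json.Marshal(c)
	input := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(hmacSHA256(key, input))
}

// ParseHS256 recomputes the MAC and compares it in constant time before trusting any claim.
// It never reads "alg" from the header: the verifier, not the token, fixes the algorithm.
func ParseHS256(tok string, key []byte) (c Claims, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return c, errors.New("malformed token")
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !hmac.Equal(sig, hmacSHA256(key, p[0]+"."+p[1])) {
		return c, errors.New("bad signature")
	}
	body, err := b64.DecodeString(p[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(body, &c)
}

// ReadPayloadUnverified is what any holder of the token, or a proxy log, can do without the key.
func ReadPayloadUnverified(tok string) (c Claims, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return c, errors.New("malformed token")
	}
	body, err := b64.DecodeString(p[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(body, &c)
}

// Tamper rewrites the exp claim without the key; ParseHS256 must reject the result.
func Tamper(tok string, newExp int64) string {
	p := strings.Split(tok, ".")
	c, _ := ReadPayloadUnverified(tok)
	c.Exp = newExp
	body, _ := json.Marshal(c)
	return p[0] + "." + b64.EncodeToString(body) + "." + p[2]
}

func main() {
	key := []byte("constructed-32-byte-hs256-key!!!") // constructed demo key, not a real secret
	tok := SignHS256(Claims{Sub: "alice", Exp: 1700001800}, key)
	fmt.Println(ParseHS256(tok, key))                     // the claims and a nil error
	fmt.Println(ReadPayloadUnverified(tok))               // the same claims, no key needed
	fmt.Println(ParseHS256(Tamper(tok, 9999999999), key)) // bad signature
}
```

The verifier fixes HS256 and a single key; a parser that honoured the token's own alg header would accept alg "none" or let an attacker switch algorithms, which is the classic JWT library mistake.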
Referring to Fig. 3 and Figs. 4-5, in an embodiment of the present application, in step S500 system login is completed according to the matching of the login information with the encrypted access token. In this embodiment, step S500 may further include:
S510, obtaining login request information and an access token;
S520, decrypting the request data of the access token and acquiring the user information;
S530, if decryption succeeds, querying the token according to the decrypted request data of the access token and the user information, and if decryption fails, prompting that the login is invalid and ending the login; and
S540, verifying whether the queried token has expired; if it has, generating a new access token according to the user information and the token validity period and updating the token data in the distributed storage system; if the queried token has not expired, the token is verified successfully and system login is completed.
Referring to Fig. 3 and Figs. 4-5, in an embodiment of the present application, in step S510 login request information and an access token are obtained. In this application the login request information may include the interface path of the accessed function and a token identifier; the token identifier represents the identity of the front end, and data within that token identifier's permissions may be accessed once the identifier has been verified. The interface path of the accessed function may be the one the front end obtained from the menu derived from its system resource permission data.
Referring to Fig. 3 and Figs. 4-5, in an embodiment of the present application, in step S520 the request data of the access token is decrypted and the user information is obtained. The data itself is stored at the server. When the front end needs to access data it sends an access request carrying the token identifier to the server; the server verifies the token identifier and, if verification passes, obtains the data of the accessed function according to the interface path in the request and returns it to the front end. The front end therefore only needs to send an access request carrying the token identifier and the interface path of the accessed function, the data stays at the server, and the front end can reach only the data within its permissions through the token identifier, which keeps the data secure.
Referring to Fig. 3 and Figs. 4-5, in an embodiment of the present application, in step S530, if decryption succeeds the token is queried according to the decrypted request data of the access token and the user information, and if decryption fails the user is told that the login is invalid and the login is ended. In this embodiment it is first determined whether a token was found by the query: if so, it is verified whether the queried token is consistent with the decrypted access token; if not, a login failure is reported and the login ends. When the login ends, failure indication information is sent to the front end so that the front end can resend the login information. The failure indication may be, for example, a dialog box showing "This authentication failed, please retry!", or two short alert tones to warn the user that the current authentication did not pass, or both a dialog box and an alert tone; the specific form of the indication is designed according to user needs and the application places no restriction on it.
Referring to Fig. 3 and Figs. 4-5, in the present embodiment it is verified whether the queried token is consistent with the decrypted access token. If it is, it is verified whether the queried token has expired; if it is not, the token data is analysed.
Referring to Fig. 3 and Figs. 4-5, in an embodiment of the present application, in step S540 it is verified whether the queried token has expired. If it has, a new access token is generated according to the user information and the token validity period, and the token data in the distributed storage system is updated; if the queried token has not expired, the token is verified successfully and system login is completed. Permission verification is carried out on the token identifier and, if it passes, the token information corresponding to the token identifier is obtained from the server's cache. It is then verified whether that token information has expired. If it has not, the token identifier is judged to have passed verification, the corresponding token information is updated according to the token identifier, and the updated token information is written back to the server's cache; the updated token information is the token's valid time. For example, if in one embodiment the token is valid for half an hour and the front end sends an access request carrying the token identifier fifteen minutes after it first obtained the data of the accessed function, the server verifies the token identifier, finds that fifteen minutes of the current token's valid time remain (so the token information has not expired), judges the token identifier to have passed verification, and resets the token's valid time to half an hour. If the token information corresponding to the token identifier has expired, the token identifier is judged to have failed verification.
With the login system control method provided by the application, data is stored at the server. When the front end needs to access data it only has to send an access request carrying the token identifier; the server verifies the token identifier, obtains the data of the accessed function according to the interface path in the request if verification passes, and returns the accessed data to the front end. Because the data stays at the server and the front end can reach only the data within the permissions the server grants to the token identifier, data security is ensured. In an embodiment of the present application, the front end may be a client.
Referring to fig. 4, in an embodiment of the present application, after a user enters a mobile service system, login authentication is performed. After the server side successfully authenticates, the system generates a token by using, for example, the JWT technology and stores the token and the user login information in the distributed storage system with the set token validity period as main parameters, and sets the default validity period. After the processing is finished, the token is encrypted and then returned to the front end, and by using the scheme, the stateless back-end service is realized, and the maintainability of the system is improved.
Referring to fig. 5, in an embodiment of the present application, a user makes a login request after authentication is successful, and when a server interface is requested, a token issued by login authentication is carried in an http request header and is transmitted to the server together. And after receiving the request, the server side first decrypts the data. If the decryption fails, the request is directly rejected, and the risk of data tampering in the transaction flow is effectively organized. And after the data is successfully decrypted, the token is analyzed to obtain the user information, and the token data of the user information is inquired in the distributed shared storage according to the user information and the token. If the data is not inquired, the login token of the user is invalid, the transaction is refused, the user is prompted to login the invalid, and the user is guided to login again. If the data is inquired and the inquired token is consistent with the token of the decryption request data, the login of the user is still effective, refreshing is not needed, and subsequent business processing can be continued. If the queried token is not consistent with the token requesting data decryption, the token data needs to be parsed. And judging whether the token is expired or not, and if not, directly continuing the subsequent business process treatment. If the token is found to be expired at the moment, a token needs to be newly generated according to the source user information and the configured validity period, the value in the distributed storage is synchronously updated, and the user validity period is set. And continuing the subsequent business processing after the updating is completed. 
If the system judges that a logged-in user has logged in abnormally, the record stored under that user's information in the distributed storage can be deleted proactively through the operations and management platform, which kicks the user out of the system.
Referring to fig. 6 together with fig. 1 to 5, in another embodiment of the present application, a login system 100 is further provided. The login system 100 may include an information obtaining module 111, a verification module 121, and an updating module 122. The information obtaining module 111 may be disposed on the client 110, and the verification module 121 and the updating module 122 may be disposed on the server 120. In an embodiment of the present application, the information obtaining module 111 is configured to obtain user information. The verification module 121 is configured to authenticate the user information and set a token validity period; generate an access token and store the access token and the user information in a distributed storage system; encrypt the access token and return the encrypted access token to the client; and complete system login according to the matching between the login information and the encrypted access token. The updating module 122 is configured to generate a new access token according to the user information and the token validity period, and to update the token data in the distributed storage system.
Referring to fig. 6 together with fig. 1 to 5, in an embodiment of the present application, the information obtaining module 111 may be disposed on the client 110 to obtain the user information; this corresponds to step S100, in which the client acquires the user information. In this embodiment, the client may be any of various client applications, such as a shopping application, a web browser, a search application, an instant messaging tool, a mail client, social platform software, and the like, and may be installed on various terminal devices including, but not limited to, a smart phone, a tablet computer, a laptop computer, or a desktop computer.
Referring to fig. 6 together with fig. 1 to 5, in an embodiment of the present application, the verification module 121 and the updating module 122 may be disposed on the server 120 and configured to complete system login according to the matching between the login information and the encrypted access token. In this embodiment, in step S200 the server authenticates the user information and sets a token validity period. The server may respond to an access request received from the client and return the corresponding service to the client, for example a web resource held by the server. The server may be a server providing various services, such as a background management server that supports a website browsed by the client. The background management server may analyze and otherwise process received data such as the user request, and return the processing result (for example a web page, information, or data obtained or generated according to the user request) to the client. After entering the mobile service system, the user must perform login authentication, and the token validity period is set once the user information has been authenticated. When the server side authentication succeeds, the system takes the user login information and the configured token validity period as its main parameters, generates a token using the JWT (JSON Web Token) technology, stores the token together with the user login information in the distributed storage system, and sets the default validity period.
Referring to fig. 1, in the present embodiment, JWT is a JSON-based open standard for passing claims between parties in a web application environment. A JWT token is designed to be compact and secure, which makes it particularly suitable for single sign-on across distributed sites. JWT claims are typically used to pass the authenticated user's identity from the identity provider to the service provider so that resources can be obtained from the resource server; they may be extended with additional claims needed by other business logic. The JWT token can be used directly for authentication and can be encrypted. With the JWT technique, the user information is encrypted into the JWT token and the server stores no user information itself; the server verifies the JWT token with its stored key and accepts it as long as that verification succeeds.
Referring to fig. 1, the JWT token may be generated at the server: if the client requests authentication from the server with a username and password and the server authenticates it successfully, the server returns a JWT token to the client. The client then presents the JWT token with every request to prove its legitimacy. If the JWT token is persisted at the server (for example stored in a database), it serves as a permanent identity token. The system in one embodiment of the application comprises a client and a server. After the processing is finished, the token is encrypted and returned to the client, which makes the back-end service stateless and improves the maintainability of the system.
Referring to fig. 2, in an embodiment of the present application, step S200 may further include: S210, acquiring a user name and a password to request authentication; S220, the server verifying the user information, generating a password, and returning the password to the client; and S230, the client storing the password, which completes authentication of the user information. In an embodiment of the present application, step S220 further includes S221: if the server verifies the user information successfully, it generates a password and returns it to the client, and the password is stored to complete authentication of the user information; if the server side fails to verify the user information, it prompts that authentication failed and ends the authentication. In an embodiment of the present application, the verification may include rights verification and/or term verification. For example, if only rights verification is included, the token identifier verification is determined to succeed when the rights verification passes and to fail when the rights verification fails. If only term verification is included, the token identifier verification is determined to succeed when the term verification passes and to fail when it fails. If both rights verification and term verification are included, the token identifier verification is determined to succeed only when both pass, and to fail if at least one of them fails. What is specifically verified is set according to user requirements and is not limited to the three cases given above; the application places no restriction on it.
Referring to fig. 1, in an embodiment of the present application, in step S300 an access token is generated, and the access token and the user information are stored in the distributed storage system. In this embodiment, the access token may be generated from the user information and the token validity period: if the verification passes, the access token is generated and stored together with the user login information in the distributed storage system. From the user information, the system resource permission corresponding to the role of the front-end user (the client in this embodiment) and the data permission corresponding to that role can be obtained. The server sends the system resource permission information, the data permission information, and the token identifier to the front end, which may be the client in an embodiment of the present application. From its system resource permission information and data permission information, the front end derives the menu within its permission and obtains the interface path of the access function from that menu.
Referring to fig. 1, in an embodiment of the present application, the data of the access function may be obtained through the interface path, so that the security of the data can be ensured while it is being accessed. The token and the user login information are stored in the distributed storage system. The data of the access function is returned to the front end, and the returned data is the data within the front end's access permission, released on the basis of the token identifier verification.
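The following is an added illustration of the permission scoping described in the two preceding paragraphs; it is not the patent's or the applicant's code. The server derives the menu and the allowed interface paths from the role found in the user information, sends the menu to the front end, and re-checks the interface path against that same permission on every request, so the front end can obtain only data within its own permission. The roles, menus, interface paths, data scopes and order rows are constructed sample values.

```python
"""Role-derived menus and server-side interface-path checks (steps S300 and S510-S520).

Added example for this page, not code from the patent. All tables below are
constructed sample data.
"""

# Constructed role table: system resource permission (menus + interface paths)
# and data permission (which rows the role may see).
ROLE_PERMISSIONS = {
    "customer": {
        "menus": ["orders", "profile"],
        "interfaces": {"/api/orders/list", "/api/profile/get"},
        "data_scope": "own",
    },
    "ops": {
        "menus": ["orders", "profile", "admin/users"],
        "interfaces": {"/api/orders/list", "/api/profile/get", "/api/admin/users/list"},
        "data_scope": "all",
    },
}

# Constructed data held on the server; each row is tagged with its owner.
ORDERS = [
    {"id": 1, "owner": "alice", "item": "book"},
    {"id": 2, "owner": "bob", "item": "lamp"},
]


def permissions_for(user_info):
    """Look up the permission set for the role carried in the user information."""
    perms = ROLE_PERMISSIONS.get(user_info.get("role"))
    if perms is None:
        return None
    return {
        "menus": list(perms["menus"]),
        "interfaces": set(perms["interfaces"]),
        "data_scope": perms["data_scope"],
    }


def front_end_menu(user_info):
    """What the server hands the front end: only the menus its resource permission grants."""
    perms = permissions_for(user_info)
    return perms["menus"] if perms else []


def serve_interface(user_info, interface_path):
    """Server side of an access request: the interface path in the request is checked
    against the verified identity's permission before any data is returned, and the
    rows returned are limited by the data permission. The menu the front end derived
    earlier is advisory only; this check is what actually protects the data."""
    perms = permissions_for(user_info)
    if perms is None or interface_path not in perms["interfaces"]:
        return {"status": 403, "data": None}  # outside the front end's permission
    if interface_path == "/api/orders/list":
        if perms["data_scope"] == "all":
            rows = list(ORDERS)
        else:
            rows = [r for r in ORDERS if r["owner"] == user_info["user"]]
        return {"status": 200, "data": rows}
    if interface_path == "/api/profile/get":
        return {"status": 200, "data": {"user": user_info["user"], "role": user_info["role"]}}
    if interface_path == "/api/admin/users/list":
        return {"status": 200, "data": sorted({r["owner"] for r in ORDERS})}
    return {"status": 404, "data": None}


if __name__ == "__main__":
    alice = {"user": "alice", "role": "customer"}
    print(front_end_menu(alice))
    print(serve_interface(alice, "/api/orders/list"))
    print(serve_interface(alice, "/api/admin/users/list"))
```

The point to take from the example is the split of responsibilities: the menu tells the front end what to render, but the server never relies on it, and a request for an interface path outside the role's permission is refused before the data layer is touched.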
Referring to fig. 1, in an embodiment of the present application, in step S400 the access token is encrypted and the encrypted access token is returned to the client. In this embodiment, the encryption may be performed, for example, with an encryption key after the access token has been generated. A JWT is a character string made up of a header, a payload, and a signature. The first two segments, header and payload, are Base64-encoded; the signature joins the header and payload together and passes the result through the algorithm (for example HS256) to obtain the encrypted string.
Referring to fig. 3, in an embodiment of the present application, in step S500 system login is completed according to the matching between the login information and the encrypted access token. In this embodiment, step S500 may further include: S510, obtaining the login request information and the access token; S520, decrypting the request data of the access token and obtaining the user information; S530, if decryption succeeds, querying the token according to the decrypted request data of the access token and the user information, and if decryption fails, prompting that the login is invalid and ending the login; and S540, verifying whether the queried token has expired, and if it has, generating a new access token according to the user information and the token validity period and updating the token data in the distributed storage system; if the queried token has not expired, the token verification succeeds and system login is complete.
Referring to fig. 3 together with fig. 4 and 5, in an embodiment of the present application, in step S510 the login request information and the access token are obtained. In this application, the login request information may include the interface path of the access function and a token identifier; the token identifier represents the front end's identity, and data within the token identifier's permission may be accessed once the token identifier has been verified. The interface path of the access function may be the interface path that the front end obtained, based on its menu, from its system resource permission data.
Referring to fig. 3 together with fig. 4 and 5, in an embodiment of the present application, in step S520 the request data of the access token is decrypted and the user information is obtained. The data itself is kept on the server. When the front end needs access, it sends the server an access request carrying the token identifier; the server verifies the token identifier and, if verification passes, obtains the data of the access function according to the interface path in the access request and returns the accessed data to the front end. Thus, to access data, the front end only has to send the server an access request carrying the token identifier and the interface path of the access function; the data stays on the server, and the front end can reach only the data within its own permission through the token identifier, which ensures data security.
Referring to fig. 3 together with fig. 4 and 5, in an embodiment of the present application, in step S530, if decryption succeeds the token is queried according to the decrypted request data of the access token and the user information, and if decryption fails the user is told that the login is invalid and the login is terminated. In this embodiment, it is first determined whether a token was found by the query: if so, it is verified whether the queried token is consistent with the decrypted access token; if not, the user is told that the login is invalid and the login ends. When the login ends, failure indication information is sent to the front end so that the front end resends the login information. The failure indication may be, for example, a dialog box showing "This authentication failed, please retry!". Two alert tones may also be returned to remind the user that the current authentication did not pass, or a dialog box combined with an alert tone may be used; the specific form of the indication is designed according to user needs, and the application places no restriction on it.
Referring to fig. 3 together with fig. 4 and 5, in this embodiment, it is verified whether the queried token is consistent with the decrypted access token. If it is consistent, it is verified whether the queried token has expired; if it is inconsistent, the token data is parsed.
Referring to fig. 3 together with fig. 4 and 5, in an embodiment of the present application, in step S540 it is verified whether the queried token has expired. If it has, a new access token is generated according to the user information and the token validity period and the token data in the distributed storage system is updated; if it has not, the token verification succeeds and system login is complete. Rights verification is carried out on the token identifier, and if it passes, the token information corresponding to the token identifier is obtained from the server's cache according to the token identifier. It is then verified whether that token information has expired. If it has not, the token identifier is determined to have passed verification, the corresponding token information is updated according to the token identifier, and the updated token information is written back to the server's cache; what is updated is the token's valid-time information. For example, in one embodiment the token's validity time is half an hour, and fifteen minutes after first obtaining the data of the access function the front end sends the server an access request carrying the token identifier. The server verifies the token identifier, and after it passes, detects that fifteen minutes of the current token's validity time have elapsed, i.e. the token information has not expired; the token identifier is therefore determined to pass verification and the token's validity time is reset to half an hour. If the token information corresponding to the token identifier has expired, the token identifier is determined to have failed verification.
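The following is an added example for this page, not the patent's or the applicant's code. It walks the flow described for fig. 4 and fig. 5 and in steps S300 to S540 above: issue a token after authentication and keep a copy per user in the shared store; on each request check that the token is intact, that a record exists in the store, whether the presented token is consistent with the stored copy, and whether it has expired, regenerating the token and updating the store when it has; and the operations-platform deletion that kicks a user out. The token is an HS256 JWT with Base64url header, payload and signature, as outlined under step S400. Assumptions: the "encryption" and "decryption" of the text are modelled as the HS256 signature and its check; the distributed storage system is an in-memory dict; the key, the credential table and the timestamps are constructed sample values; and the algorithm pin in jwt_verify is a hardening added here, not something the text specifies.

```python
"""Issue-and-verify flow of fig. 4 / fig. 5 (steps S300 to S540).

Added example for this page, not code from the patent. The HS256 JWT is built
with the standard library; the per-user records live in an in-memory dict that
stands in for the distributed storage system; key, user table and timestamps
are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"constructed-demo-key-not-for-real-use"  # constructed sample secret
VALIDITY_S = 30 * 60                                   # the half-hour validity period from the text
USERS = {"alice": "correct horse"}                     # constructed credential table


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, key: bytes) -> str:
    """Build header.payload.signature: two Base64url segments plus HS256 over both."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(tag)}"


def jwt_verify(token: str, key: bytes):
    """Return the claims if the token is intact, else None (the 'decryption failed' branch)."""
    try:
        header, payload, tag = token.split(".")
        if json.loads(_unb64url(header)).get("alg") != "HS256":
            return None  # pin the algorithm so the token cannot choose it (hardening beyond the text)
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(tag)):
            return None
        return json.loads(_unb64url(payload))
    except (ValueError, TypeError, AttributeError):
        return None


class LoginService:
    """Server side of the scheme: issues tokens and checks requests against the shared store."""

    def __init__(self, key: bytes = SERVER_KEY, validity_s: int = VALIDITY_S):
        self.key = key
        self.validity_s = validity_s
        self.store = {}  # user -> {"token", "expires_at"}; stands in for the distributed storage

    def _issue(self, user: str, now: int) -> str:
        expires_at = now + self.validity_s
        claims = {"sub": user, "iat": now, "exp": expires_at, "jti": secrets.token_hex(8)}
        token = jwt_sign(claims, self.key)
        self.store[user] = {"token": token, "expires_at": expires_at}  # synchronous store update
        return token

    def login(self, user: str, password: str, now: int):
        """S200/S300: authenticate, then generate the token and store it with the user info."""
        if not hmac.compare_digest(USERS.get(user, ""), password):  # constructed credential check
            return None
        return self._issue(user, now)

    def check_request(self, presented: str, now: int):
        """S510-S540 / fig. 5. Returns (outcome, token the client should keep using)."""
        claims = jwt_verify(presented, self.key)
        if claims is None:
            return "REJECTED", None                 # signature check failed: reject outright
        user = claims.get("sub")
        record = self.store.get(user)
        if record is None:
            return "LOGIN_INVALID", None            # no data in the store: user must log in again
        if hmac.compare_digest(record["token"], presented):
            if record["expires_at"] > now:
                return "VALID", presented           # consistent and unexpired: no refresh needed
        elif claims.get("exp", 0) > now:
            return "VALID_STALE_COPY", presented    # differs from the stored copy but not expired
        # expired (by the stored copy or by the token's own data): regenerate and update the store
        return "REFRESHED", self._issue(user, now)

    def kick_out(self, user: str) -> bool:
        """Operations platform action: delete the user's record so the next request is LOGIN_INVALID."""
        return self.store.pop(user, None) is not None


if __name__ == "__main__":
    svc = LoginService()
    tok = svc.login("alice", "correct horse", now=1_000)
    print(svc.check_request(tok, now=1_500)[0])               # VALID
    print(svc.check_request(tok, now=1_000 + VALIDITY_S)[0])  # REFRESHED
```

Two things worth noticing about the branches as the text lays them out. First, every rejection path in check_request happens before any business logic, and the store lookup is keyed by the user information parsed from the token, so the store never needs a secondary index on token values. Second, an expired token is exchanged for a fresh one whenever the user's record still exists, so the validity period governs token rotation rather than the end of the session; what actually ends a session in this scheme is the removal of the store record (kick_out), which is why the operations-platform deletion of the preceding passage is the real revocation mechanism.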
With the login system control method provided by the application, the data is kept on the server; when the front end needs access it only has to send the server an access request carrying the token identifier, the server verifies the token identifier, and if verification passes it obtains the data of the access function according to the interface path in the access request and returns the accessed data to the front end. Because the front end only sends an access request carrying the token identifier and the data stays on the server, the front end can reach only the data within its own permission through the token identifier, which ensures data security. In an embodiment of the present application, the front end may be the client.
Referring to fig. 4, in an embodiment of the present application, a user who enters the mobile service system first goes through login authentication. Once the server side authentication succeeds, the system takes the user login information and the configured token validity period as its main parameters and generates a token, for example with the JWT technology, stores the token together with the user login information in the distributed storage system, and sets their default validity period. After this processing the token is encrypted and returned to the front end; with this scheme the back-end service is stateless and the maintainability of the system is improved.
Referring to fig. 5, in an embodiment of the present application, after authentication succeeds the user makes a login request; whenever a server interface is requested, the token issued at login authentication is carried in an HTTP request header and delivered to the server along with the request. The server side decrypts the data on receiving the request. If decryption fails, the request is rejected outright, which effectively blocks the risk of data tampering in the transaction flow. If decryption succeeds, the token is parsed to obtain the user information, and the token data for that user is looked up in the distributed shared storage using the user information and the token. If no data is found, the user's login token is invalid: the transaction is refused, the user is told that the login is invalid, and the user is guided to log in again. If data is found and the stored token is consistent with the token in the decrypted request data, the user's login is still valid, no refresh is needed, and subsequent business processing continues. If the stored token is not consistent with the token in the decrypted request data, the token data is parsed and checked for expiry; if it has not expired, subsequent business processing continues directly. If the token is found to have expired, a token is generated anew from the original user information and the configured validity period, the values in the distributed storage are updated synchronously, and the user's validity period is set; subsequent business processing continues once the update completes. If the system judges that a logged-in user has logged in abnormally, the record stored under that user's information in the distributed storage can be deleted proactively through the operations and management platform, which kicks the user out of the system.
Referring to fig. 7, the present application further provides a computer-readable storage medium 10, which stores computer instructions 20; the computer instructions 20 are used to carry out the login system control method. The computer-readable storage medium 10 may be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, or a propagation medium. It may also include semiconductor or solid-state memory, magnetic tape, a removable computer diskette, random access memory (RAM), read-only memory (ROM), a rigid magnetic disk, or an optical disk; optical disks include compact disk read-only memory (CD-ROM), compact disk read/write (CD-RW), and DVD.
Referring to fig. 8, the present application further provides an electronic device comprising a processor 30 and a memory 40; the memory 40 stores program instructions, and the processor 30 executes them to implement the login system control method. The processor 30 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The memory 40 may include random access memory (RAM) and may also include non-volatile memory, such as at least one disk memory. The memory 40 may also be internal memory of the RAM type, and the processor 30 and the memory 40 may be integrated into one or more separate circuits or hardware units, such as an ASIC. It should be noted that the computer program in the memory 40 may be implemented in the form of software functional units and stored in a computer-readable storage medium when sold or used as a stand-alone product. On this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, an electronic device, or a network device) to perform all or part of the steps of the methods of the embodiments of the present application.
The above description of illustrated embodiments of the invention, including what is described in the abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed herein. While specific embodiments of, and examples for, the invention are described herein for illustrative purposes only, various equivalent modifications are possible within the spirit and scope of the present invention, as those skilled in the relevant art will recognize and appreciate. As indicated, these modifications may be made to the present invention in light of the foregoing description of illustrated embodiments of the present invention and are to be included within the spirit and scope of the present invention.
The systems and methods have been described herein in general terms as the details aid in understanding the invention. Furthermore, various specific details have been set forth in order to provide a thorough understanding of the embodiments of the invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other apparatus, systems, assemblies, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, and/or operations are not specifically shown or described in detail to avoid obscuring aspects of embodiments of the present invention.
Thus, although the present invention has been described herein with reference to particular embodiments thereof, a latitude of modification, various changes and substitutions are intended in the foregoing disclosures, and some features of the invention will be employed without a corresponding use of other features. Accordingly, many modifications may be made to adapt a particular situation or material to the essential scope and spirit of the present invention. It is intended that the invention not be limited to the particular terms used in following claims and/or to the particular embodiment disclosed as the best mode contemplated for carrying out this invention, but that the invention will include any and all embodiments and equivalents falling within the scope of the appended claims. Accordingly, the scope of the invention is to be determined solely by the appended claims.
The above description is only a preferred embodiment of the present application and a description of the applied technical principle, and it should be understood by those skilled in the art that the scope of the present invention related to the present application is not limited to the technical solution of the specific combination of the above technical features, and also covers other technical solutions formed by any combination of the above technical features or their equivalent features without departing from the inventive concept, for example, the technical solutions formed by mutually replacing the above features with (but not limited to) technical features having similar functions disclosed in the present application. Besides the technical features described in the specification, other technical features are known to those skilled in the art, and are not described in detail herein in order to highlight the innovative features of the present invention.

Claims (10)

1. A login system control method is characterized by comprising the following steps:
acquiring user information;
authenticating the user information and setting a token validity period;
generating an access token, and storing the access token and the user information to a distributed storage system;
encrypting the access token; and
completing system login according to the matching between the login information and the encrypted access token.
2. The login system control method according to claim 1, wherein the authenticating the user information and setting a token validity period includes:
acquiring a user name and a password to request authentication;
verifying user information and generating a password;
storing the password to complete the authentication of the user information.
3. The login system control method of claim 2, wherein the verifying the user information comprises:
if the user information is successfully verified, generating a password, storing the password, and finishing the authentication of the user information;
if verification of the user information fails, prompting that the authentication failed and ending the authentication.
4. The login system control method according to claim 1, wherein the method of generating an access token and storing the access token and the user information to a distributed storage system comprises:
generating the access token according to the user information and the token validity period.
5. The login system control method according to claim 1, wherein the completing system login according to the matching of login information and the encrypted access token comprises:
obtaining login request information and an access token;
decrypting the request data of the access token and acquiring user information;
if the decryption is successful, inquiring the token according to the decrypted request data of the access token and the user information, and if the decryption is failed, prompting that the login is invalid and ending the login;
verifying whether the queried token has expired; if it has, generating a new access token according to the user information and the token validity period and updating the token data in the distributed storage system; if the queried token has not expired, the token verification succeeds and system login is completed.
6. The login system control method of claim 5, wherein the verifying whether the queried token expires comprises:
verifying whether the queried token is consistent with the decrypted access token;
if the queried token is consistent with the decrypted access token, verifying whether the queried token has expired;
if the queried token is inconsistent with the decrypted access token, parsing the token data.
7. The login system control method of claim 6, wherein the verifying whether the queried token and the decrypted access token are consistent comprises:
judging whether a token was found by the query; if so, verifying whether the queried token is consistent with the decrypted access token, and if not, prompting that the login is invalid and ending the login.
8. A login system, comprising:
the information acquisition module is arranged at the client and used for acquiring user information;
the verification module, arranged at the server and used for authenticating the user information and setting the token validity period; generating an access token and storing the access token and the user information in a distributed storage system; encrypting the access token and returning the encrypted access token to the client; and completing system login according to the matching between the login information and the encrypted access token;
and the updating module is arranged at the server and used for generating a new access token according to the user information and the token validity period and updating the token data in the distributed storage system.
9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the login system control method of claim 1 when executing the computer program.
10. A computer-readable storage medium on which a computer program is stored, the computer program, when being executed by a processor, implementing the login system control method of claim 1.
Application CN202210204782.5A (priority date 2022-03-03, filing date 2022-03-03), "Login system control method, system, device and medium", status: pending; publication CN114793165A (en).


Publication CN114793165A (en), published 2022-07-26.

Family ID: 82459716

US8984284B2 (en) Method and system for verifying entitlement to access content by URL validation
CN111353903B (en) Network identity protection method and device, electronic equipment and storage medium
US7698734B2 (en) Single sign-on (SSO) for non-SSO-compliant applications
US20140164762A1 (en) Apparatus and method of online authentication
CN108476201B (en) Accelerating online certificate status checking using internet prompting services
US20160381001A1 (en) Method and apparatus for identity authentication between systems
KR20170102877A (en) Method and device for identifying user identity
CN111143822A (en) Application system access method and device
CN112153041A (en) Method and system for realizing multisystem single sign-on based on user synchronization
CN112883357A (en) Stateless login authentication method and device
CN114793165A (en) Login system control method, system, device and medium
US8156338B1 (en) Systems and methods for strong authentication of electronic transactions
CN105656856A (en) Resource management method and device
JP2011165193A (en) User authentication method and device of hybrid terminal
KR102160892B1 (en) Public key infrastructure based service authentication method and system
CN117909611A (en) Page embedding method, device, equipment, medium, program product and credit system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination