CN116827659A - Intranet application access method, electronic equipment and readable storage medium - Google Patents


Info

Publication number: CN116827659A
Authority: CN (China)
Prior art keywords: mobile terminal, code, request, intranet, trusted
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Application number: CN202310882735.0A
Other languages: Chinese (zh)
Inventors: 张帅, 魏晓丽, 刘珊珊, 顾荣, 滕滨
Current Assignee: China Mobile Communications Group Co Ltd; China Mobile Information Technology Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; China Mobile Information Technology Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Information Technology Co Ltd
Priority to CN202310882735.0A
Publication of CN116827659A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an intranet application access method, an electronic device and a readable storage medium. The method comprises the following steps: in response to an access request for an intranet application initiated by a trusted mobile terminal, extracting the first authentication information carried by the access request; sending the first authentication information to a first server in the public network, the first server being used to assist the proxy gateway in performing a validity check on the access request; receiving the check result fed back by the first server; and, if the check result is a pass, forwarding the access request to a second server in the intranet, the second server being used to process the access request and return the corresponding page to the trusted mobile terminal. The application can reduce the security risk of applications in the intranet.

Description

Intranet application access method, electronic equipment and readable storage medium
Technical Field
The present application relates to the field of network security technologies, and in particular, to an intranet application access method, an electronic device, and a readable storage medium.
Background
Enterprise internal application mobility refers to making an existing application built in the enterprise's internal network (intranet) accessible to enterprise staff on mobile terminals such as mobile phones and pads (tablet computers) by some technical means. When an enterprise-internal application is made mobile, a proxy gateway is generally deployed in a network security zone (a DMZ, Demilitarized Zone) so that a public-network application can access the intranet application through the proxy gateway.
In practice the intranet is isolated from the public network by network policy, so the intranet is defended against attacks from the public network even when it takes no protective measures of its own. As a result, an intranet is typically built with lower security than the public network; once an intranet application is exposed to the public network, security risks that isolation previously prevented appear, i.e. the application in the intranet carries a higher security risk.
Therefore, in practice, a solution is needed that can reduce the security risk of an intranet application after it is exposed to the public network.
Disclosure of Invention
The application mainly aims to provide an intranet application access method, electronic equipment and a readable storage medium, and aims to solve the technical problem that after an application in an intranet is exposed to a public network, the security risk of the application is high.
In order to achieve the above object, the present application provides an intranet application access method, which includes the following steps:
in response to an access request for accessing an intranet application initiated by a trusted mobile terminal, extracting the first authentication information carried by the access request;
sending the first authentication information to a first server in the public network, the first server being used to assist the proxy gateway in performing a validity check on the access request;
receiving the check result fed back by the first server;
if the check result is a pass, forwarding the access request to a second server in the intranet, the second server being used to process the access request and return the corresponding page to the trusted mobile terminal.
Illustratively, the first authentication information includes a first device identification code and a first authentication code; the first device identification code is matched against a second device identification code and the first authentication code against a second authentication code, and the result of the validity check is a pass when both matches succeed; the second device identification code and the second authentication code are stored in a database corresponding to the first server.
The intranet application access method further comprises the following steps:
in response to receiving a service request for the page initiated by the trusted mobile terminal, extracting the first authentication information carried by the service request, and executing the step of sending the first authentication information to the first server in the public network.
To achieve the above purpose, the present application also provides an intranet application access method applied to a first server, the intranet application access method comprising the following steps:
receiving first authentication information sent by a proxy gateway; the first authentication information is carried by an access request, and the access request is initiated by a trusted mobile terminal when accessing the intranet application;
performing a validity check on the access request based on the first authentication information to obtain a check result;
sending the check result to the proxy gateway; the check result is used by the proxy gateway to determine whether to forward the access request to a second server in the intranet; the second server is used to process the access request and return the corresponding page to the trusted mobile terminal.
Illustratively, the first authentication information includes a first device identification code and a first authentication code; the step of performing validity check on the first authentication information to obtain a check result includes:
acquiring a second device identification code and a second authentication code stored in a database;
matching the first equipment identification code with the second equipment identification code, and matching the first authentication code with the second authentication code to obtain a matching result;
and under the condition that the matching results are the same, determining that the checking result of the validity check is passing.
Illustratively, before acquiring the second device identification code and the second authentication code stored in the database, the method includes:
querying a second authentication code in the database based on the first authentication code;
and if the second authentication code which is the same as the first authentication code is queried, executing the step of acquiring the second equipment identification code and the second authentication code stored in the database.
The intranet application access method further comprises the following steps:
responding to a login request initiated by a target mobile terminal, and acquiring an account number and a password carried by the login request;
verifying the account number and the password, and initiating a short message request to a short message gateway after the account number and the password pass the verification;
acquiring a first verification code sent by the target mobile terminal and a second verification code sent by the short message gateway;
and if the first verification code and the second verification code are the same, determining that the target mobile terminal is a trusted mobile terminal, and adding the trusted mobile terminal to a trusted equipment directory.
The intranet application access method further comprises the following steps:
responding to a login request initiated by a target mobile terminal, and determining whether the target mobile terminal is logging in for the first time;
if yes, initiating a short message request to a short message gateway;
acquiring a first verification code sent by the target mobile terminal and a second verification code sent by the short message gateway;
and if the first verification code and the second verification code are the same, determining that the target mobile terminal is a trusted mobile terminal, and adding the trusted mobile terminal to a trusted equipment directory.
The intranet application access method further comprises the following steps:
and responding to a removal request initiated by the front end of the external network application, and deleting the trusted mobile terminal to be removed corresponding to the removal request from the trusted equipment directory.
To achieve the above purpose, the present application also provides an intranet application access method applied to a trusted mobile terminal, the intranet application access method comprising the following steps:
initiating an access request for accessing the intranet application to the proxy gateway, the access request carrying first authentication information; the first authentication information is sent by the proxy gateway to a first server in the public network; the first server is used to assist the proxy gateway in performing a validity check on the access request and to send the check result to the proxy gateway; the check result is used by the proxy gateway to determine whether to forward the access request to a second server in the intranet; the second server is used to process the access request and return the corresponding page to the trusted mobile terminal;
and receiving the page returned by the second server.
The intranet application access method further comprises the following steps:
initiating a login request to the first server, the login request carrying an account and a password; the account and password are verified by the first server, which initiates a short message request to a short message gateway after the verification passes;
acquiring a first verification code sent by the short message gateway and sending the first verification code to the first server; the first server uses the first verification code to determine whether it is the same as the second verification code and, when they are the same, determines that the target mobile terminal is a trusted mobile terminal and adds it to the trusted device directory; the second verification code is obtained by the first server from the short message gateway.
The intranet application access method further comprises the following steps:
initiating a first login request to the first server;
acquiring a first verification code sent by a short message gateway and sending the first verification code to the first server; the first server uses the first verification code to determine whether it is the same as the second verification code and, when they are the same, determines that the target mobile terminal is a trusted mobile terminal and adds it to the trusted device directory; the second verification code is obtained by the first server from the short message gateway.
The intranet application access method further comprises the following steps:
initiating a service request for the page to the proxy gateway; the service request carries the first authentication information.
The intranet application access method further comprises the following steps:
and initiating a removal request to the first service end, wherein the removal request is used for deleting the corresponding trusted mobile terminal in the trusted equipment directory.
To achieve the above object, the present application also provides an electronic device, including a memory, a processor and an intranet application access program stored in the memory and runnable on the processor, wherein the intranet application access program is configured to implement the steps of the intranet application access method described above.
To achieve the above object, the present application further provides a computer-readable storage medium storing an intranet application access program which, when executed by a processor, implements the steps of the intranet application access method described above.
It should be noted that the applicant's research found that the intranet and the public network are interconnected through a proxy gateway, and that at present the proxy gateway releases access requests directly, so that applications in the intranet are exposed to security risk. To solve this problem, in the embodiments of the application the proxy gateway performs a validity check on the access request instead of releasing it directly. Specifically, after receiving an access request from a trusted mobile terminal for the intranet application, the proxy gateway extracts the first authentication information carried by the access request and sends it to a first server in the public network, which assists with the validity check of the access request; when the check result fed back by the first server is a pass, the proxy gateway releases the access request, i.e. forwards it to a second server in the intranet, and finally the second server processes the access request and returns the corresponding page to the trusted mobile terminal. It can be understood that in this way the proxy gateway effectively implements the isolating network policy, that is, the proxy gateway gains the capability of defending against attacks from the public network, so the security risk of applications in the intranet can be reduced.
Drawings
Fig. 1 is a signaling diagram of an embodiment of an intranet application access method according to the present application;
Fig. 2 is a schematic flow chart of an embodiment of an intranet application access method of the present application;
Fig. 3 is a signaling schematic diagram of the trust process in an embodiment of the intranet application access method of the present application;
Fig. 4 is a signaling diagram of removing a trusted mobile terminal according to an embodiment of the intranet application access method of the present application;
Fig. 5 is a schematic structural diagram of a hardware running environment according to an embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the application.
The application provides an intranet application access method. Referring to fig. 1, fig. 1 is a signaling schematic diagram of an embodiment of the intranet application access method of the application. Fig. 1 covers two phases of controlling an access request: the first phase is logging in to the extranet application, and the second phase is accessing the intranet application through the extranet application. Referring to fig. 2, fig. 2 is a flow chart of an embodiment of an intranet application access method according to the present application.
The embodiments of the present application provide embodiments of an intranet application access method. It should be noted that, although a logical sequence is shown in the flowchart, in some cases the steps shown or described may be performed in a different order than that shown or described herein. The intranet application access method is applied to the proxy gateway and includes:
step S210, in response to receiving an access request for accessing an intranet application initiated by a trusted mobile terminal, extracting first authentication information carried by the access request.
In the above-mentioned stage of accessing the intranet application through the extranet application, referring to fig. 1, the extranet application (running on the trusted mobile terminal) first initiates an access request to the first server, where the access request is handled by the application access portal program running on the first server, which redirects to the proxied application access address (i.e. the address of the proxy gateway). In addition, the first server extracts user information and login information from the access request, obtains the corresponding first authentication information from a database using the user information and login information, and sends the application access address and the first authentication information to the trusted mobile terminal, so that the trusted mobile terminal can carry the first authentication information when it initiates an access request for the intranet application to that application access address.
It should be noted that the first authentication information includes, but is not limited to, a first device identification code and a first authentication code (or an encrypted first authentication code).
The first device identification code is generated by the first server and is unique per trusted mobile terminal; specifically, the first server generates it with a specific algorithm. This specific algorithm includes, but is not limited to, UUID (Universally Unique Identifier) and the Snowflake algorithm. Taking UUID as an example, when the first server generates the first device identification code via UUID, a random code produced by a hash function can be combined with the device feature information of the trusted mobile terminal. The first server is the server corresponding to the public-network application and runs the application backend of the public-network application.
Accordingly, the first authentication code may also be generated by the specific algorithm, and the encryption algorithm used in the encryption process includes, but is not limited to, AES (Advanced Encryption Standard) and the national cryptographic algorithms (i.e., domestic cryptographic algorithms certified by the State Cryptography Administration).
In an exemplary embodiment, the access request carries the first authentication information in a cookie. It should be noted that the cookie is local storage on the trusted mobile terminal, and HTTP (Hypertext Transfer Protocol) specifies that a request carries the data held in the cookie; that is, the first authentication information is stored in the cookie. The first authentication information is sent to the trusted mobile terminal by the first server and is stored in the cookie once the first server sets the cookie on the trusted mobile terminal, specifically by setting the Set-Cookie header of the response.
In another exemplary embodiment, the first server and the trusted mobile terminal may agree on a convention in advance, and the trusted mobile terminal carries the first authentication information when initiating the access request.
It should be noted that the user information, login information and corresponding first authentication information stored in the database are obtained and stored when the user logs in to the extranet application. Referring to fig. 1, in the extranet application login stage, the user logs in to the extranet application through the trusted mobile terminal; during this process the first server automatically extracts the stored device feature information, generates a first authentication code through the specific algorithm, and assigns the first authentication code to the user, where the first authentication code is the security verification identifier used when the trusted mobile terminal subsequently accesses the intranet application. The first authentication code is assigned to the user because, when the user logs in to the extranet application through the trusted mobile terminal, the first server can obtain the user information and login information; the assignment process is thus a process of mapping the user information and login information to the first authentication information.
The device feature information includes, but is not limited to, the IP (Internet Protocol) address and the MAC (Media Access Control) address.
In addition, the first server also maps the first device identification code to the corresponding first authentication code, with the first device identification code as the key and the corresponding first authentication code as the value, stored in a temporary database table of the first server.
After the user logs in the external network application successfully, the client of the external network application running in the trusted mobile terminal needs to carry out other logic processing of the client such as configuration information pulling, page rendering, data loading and the like in the process of loading the page.
It should be noted that the device feature information in the first server is stored during the trust process, where the trust process is the process of determining that a target mobile terminal is a trusted mobile terminal. The trust process is completed when a user logs in to the extranet application through the mobile terminal; referring to fig. 3, fig. 3 is a signaling schematic diagram of the trust process in an embodiment of the intranet application access method of the present application. The login mode is divided into short message verification code login and non-short message verification code login. With non-short message verification code login, login and device trust are completed in two steps; with short message verification code login, login and device trust can be merged and completed in a single step. Both login modes integrate the device trust logic into the business flow without affecting the user experience, i.e. the user does not need to perform an additional device trust operation.
In an exemplary embodiment, login is through a non-short message verification code. In this case, in response to a login request initiated by a target mobile terminal, the first server obtains the account and password carried by the login request; verifies the account and password and, after they pass verification, initiates a short message request to the short message gateway; obtains the first verification code sent by the target mobile terminal and the second verification code sent by the short message gateway; and, if the first verification code and the second verification code are the same, determines that the target mobile terminal is a trusted mobile terminal and adds it to the trusted device directory.
Specifically, when the target mobile terminal selects non-short message verification code login, the first server must verify the account and password, and after verification passes the target mobile terminal is successfully logged in to the extranet application. The first server then sends a short message request to the short message gateway, and after receiving it the short message gateway sends a verification short message to both the target mobile terminal and the first server. The user receives the first verification code on the target mobile terminal, enters it and submits it to the first server, which performs validity verification of the target mobile terminal using the first verification code, i.e. compares whether the second verification code obtained from the short message gateway is identical to the first verification code obtained from the target mobile terminal: if they are identical, the validity verification passes; if not, it fails. When the target mobile terminal passes validity verification, the first server adds it as a trusted mobile terminal; when it fails, the first server returns an error message to the target mobile terminal to inform the user that the verification code entered was wrong, and does not add the target mobile terminal as a trusted mobile terminal.
In the case that the first server adds the target mobile terminal as a trusted mobile terminal, the first server also stores trusted device information of the trusted mobile terminal in a database, where the trusted device information includes, but is not limited to, a user ID (Identity document, identification number), a device number, a unique identification code, and a trusted time.
In another exemplary embodiment, login is through a short message verification code. In this case, in response to a login request initiated by a target mobile terminal, the first server determines whether the target mobile terminal is logging in for the first time; if yes, it initiates a short message request to the short message gateway; obtains the first verification code sent by the target mobile terminal and the second verification code sent by the short message gateway; and, if the first verification code and the second verification code are the same, determines that the target mobile terminal is a trusted mobile terminal and adds it to the trusted device directory.
Specifically, when the user selects short message verification code login on the target mobile terminal and it is the first login, the first server also needs to perform validity verification of the target mobile terminal through the validity verification flow, determines that the target mobile terminal is successfully logged in after verification passes, and adds the target mobile terminal as a trusted mobile terminal. The validity verification process is essentially the same as in the embodiment of login through a non-short message verification code and is not repeated here.
It should be noted that when a target mobile terminal that is already a trusted mobile terminal is used to log in, login verification is not required; when the target mobile terminal is not a trusted mobile terminal, validity verification is performed through the short message verification code, and the target mobile terminal is added as a trusted mobile terminal after it passes.
After the target mobile terminal is added as a trusted mobile terminal, the user information is further logged in to the APP, completing both login and device trust.
Further, referring to fig. 4, fig. 4 is a signaling diagram of removing a trusted mobile terminal according to an embodiment of the intranet application access method of the present application. When the mobile terminal used by the user changes, for example the user replaces the mobile phone or lends it to another person, the trusted state of the trusted mobile terminal needs to be removed so that historical information in the extranet application is not leaked and unnecessary loss is avoided.
It should be noted that, in response to a removal request initiated by the front end of the extranet application, the first server deletes the trusted mobile terminal corresponding to the removal request from the trusted device directory. To remove a trusted mobile terminal, the user selects it in the trusted device directory of the login-device management interface of the extranet application front end; after confirmation in a popup window, the extranet application front end sends a removal request for that trusted mobile terminal to the first server. After receiving the removal request, the first server deletes the trusted mobile terminal from the trusted device directory, constructs a bomb message and sends it to the trusted mobile terminal through a push channel.
It should be noted that the front end of the extranet application may be running on the trusted mobile terminal to be removed or on a trusted mobile terminal that is not being removed. The bomb message clears related information on the trusted mobile terminal to be removed; which categories of related information are cleared can be defined by the user or preset by the first server. After receiving the bomb message, the trusted mobile terminal to be removed clears the related information, and once the removal is complete it sends a destruction confirmation notification to the first server. The related information includes, but is not limited to, chat information, notification information and interaction information.
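The trust process and removal flow above, as an added illustrative model (not code from the patent or from China Mobile): an in-memory trusted device directory on the first server, the two login modes described, the comparison of the first and second verification codes, and the removal request that yields the bomb (wipe) message. The class and function names, the scrypt password storage, the one-shot consumption of pending codes and the code expiry window are assumptions not given on the page.

```python
import hashlib
import hmac
import os
import secrets
import time


class TrustedDeviceDirectory:
    """In-memory stand-in for the first server's trusted device table and the
    second verification codes it receives from the short message gateway."""

    def __init__(self, code_ttl=300):
        # user_id -> {device_number: trusted device information}
        self._entries = {}
        # device_number -> (second verification code, issue time): the copy of the
        # code the short message gateway delivers to the first server (simulated)
        self._pending = {}
        self.code_ttl = code_ttl  # assumed expiry window, not specified in the patent

    def is_trusted(self, user_id, device_number):
        return device_number in self._entries.get(user_id, {})

    def request_sms_code(self, device_number):
        """Simulated short message request: the gateway sends one code to the
        device (returned here, as the user would read it from the SMS) and the
        same code to the first server (kept as the second verification code)."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[device_number] = (code, time.monotonic())
        return code

    def confirm(self, user_id, device_number, unique_id, first_code):
        """Validity verification: compare the first code submitted by the target
        mobile terminal with the second code from the gateway. The pending code
        is consumed on every attempt so it cannot be brute-forced by resubmission."""
        pending = self._pending.pop(device_number, None)
        if pending is None:
            return False
        second_code, issued = pending
        if time.monotonic() - issued > self.code_ttl:
            return False
        if not hmac.compare_digest(first_code, second_code):
            return False  # first server returns an error; device stays untrusted
        self._entries.setdefault(user_id, {})[device_number] = {
            "user_id": user_id,          # fields named on the page as trusted
            "device_number": device_number,   # device information
            "unique_id": unique_id,
            "trusted_time": time.time(),
        }
        return True

    def remove(self, user_id, device_number):
        """Removal request from the extranet application front end: delete the
        device and build the bomb (wipe) message to push to it afterwards."""
        if not self.is_trusted(user_id, device_number):
            return None
        del self._entries[user_id][device_number]
        # categories to clear: the page lists chat, notification and interaction
        # information; the set can be user-defined or preset on the first server
        return {"type": "wipe", "device_number": device_number,
                "clear": ["chat", "notification", "interaction"]}


def hash_password(password, salt=None):
    """Salted scrypt hash for the account table (constructed for this example)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def login_non_sms(directory, accounts, user_id, password, device_number):
    """Non-short-message-code login: account and password are verified first;
    only then is the short message request initiated (two-step login + trust).
    Returns ("sms_sent", code) or ("rejected", None)."""
    record = accounts.get(user_id)
    if record is None:
        return ("rejected", None)
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt)[1], stored):
        return ("rejected", None)
    return ("sms_sent", directory.request_sms_code(device_number))


def login_sms(directory, user_id, device_number):
    """Short-message-code login: an already trusted device needs no further
    verification; a first-time device goes through the trust process."""
    if directory.is_trusted(user_id, device_number):
        return ("trusted", None)
    return ("sms_sent", directory.request_sms_code(device_number))
```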
Step S220, transmitting the first authentication information to a first service end in the public network; the first server is used for assisting the proxy gateway in carrying out validity check on the access request.
After the proxy gateway extracts the first authentication information, it cannot complete the validity check on its own. The first server stores the first authentication information of the corresponding trusted mobile terminal when the user logs in, so the first server can assist the proxy gateway in performing the validity check on the access request; the proxy gateway therefore sends the first authentication information to the first server.
It should be noted that, after the first service side receives the first authentication information sent by the proxy gateway, the first service side obtains the second equipment identification code and the second authentication code stored in the database; matching the first equipment identification code with the second equipment identification code, and matching the first authentication code with the second authentication code to obtain a matching result; and under the condition that the matching results are the same, determining that the checking result of the validity check is passing.
If the first authentication code and the second authentication code are stored or transmitted in encrypted form, both must first be decrypted with the corresponding algorithm, and the decrypted first authentication code and second authentication code are then matched.
Further, before the first server side obtains the second equipment identification code and the second authentication code stored in the database, the second authentication code is queried in the database based on the first authentication code; if the second authentication code identical to the first authentication code is queried, the step of acquiring the second equipment identification code and the second authentication code stored in the database is executed; if the second authentication code identical to the first authentication code is not queried, the access request is illegal. It will be appreciated that by querying the database for the presence of the second authentication code identical to the first authentication code, the efficiency of determining whether the access request is illegitimate is improved.
Step S230, receiving the inspection result fed back by the first server.
Step S240, if the inspection result is passed, forwarding the access request to a second server in the intranet; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal.
The checking result comprises passing and failing, and if the checking result is passing, the access request is legal; if the checking result is failed, the access request is illegal, and the loading of the intranet application is terminated.
The resources associated with the page include, but are not limited to, images, js scripts and css styles.
Further, in response to receiving a service request for the page initiated by the trusted mobile terminal, the proxy gateway extracts the first authentication information carried by the service request and again executes the step of sending the first authentication information to the first server in the public network. That is, the proxy gateway does not simply release subsequent service requests initiated by the trusted mobile terminal; each of them is also subjected to the validity check, which further reduces the security risk of the application in the intranet.
It should be noted that the applicant's research found that the intranet and the public network are interconnected through a proxy gateway, and that at present the proxy gateway releases access requests directly, so that applications in the intranet are exposed to security risk. To solve this problem, in the embodiment of the present application the proxy gateway performs a validity check on the access request instead of releasing it directly. Specifically, after receiving an access request from a trusted mobile terminal for the intranet application, the proxy gateway extracts the first authentication information carried by the access request and sends it to a first server in the public network, which assists in the validity check of the access request. When the check result fed back by the first server is passing, the proxy gateway releases the access request, namely forwards it to a second server in the intranet; finally, the second server processes the access request and returns the corresponding page to the trusted mobile terminal. It can be understood that in this manner the proxy gateway effectively implements an isolated-network policy, that is, it has the capability of defending against attacks from the public network, so the security risk of the application in the intranet is reduced.
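The proxy gateway decision and the two-stage validity check of the first server described above (lookup by authentication code, then matching of both device identification code and authentication code, applied to the initial access request and to every later service request), as an added Python example that is not code from the patent; the database records, request format and constant-time comparison are assumptions of this example, and the encrypted-code variant is not shown.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Tuple

# Constructed records of the first server's database: each trusted mobile
# terminal is stored under its second authentication code, together with
# its second device identification code. All values are made up.
TRUSTED_DEVICE_DB = {
    "auth-4f3c2a1b": {"device_id": "device-id-AAAA", "auth_code": "auth-4f3c2a1b"},
    "auth-9e8d7c6b": {"device_id": "device-id-BBBB", "auth_code": "auth-9e8d7c6b"},
}


@dataclass
class AccessRequest:
    """An access or service request as seen by the proxy gateway (constructed)."""
    path: str
    device_id: str   # first device identification code
    auth_code: str   # first authentication code


def first_server_check(first_device_id: str, first_auth_code: str) -> bool:
    """Validity check performed by the first server in the public network.

    Stage 1: query the database for a second authentication code identical
    to the first one; a miss decides 'illegal' with no further comparison.
    Stage 2: fetch the stored second device identification code and second
    authentication code and match both against the first ones; the check
    passes only when both match.
    Constant-time comparison is an added hardening, not stated in the patent.
    """
    record = TRUSTED_DEVICE_DB.get(first_auth_code)
    if record is None:
        return False
    id_match = hmac.compare_digest(first_device_id.encode(), record["device_id"].encode())
    code_match = hmac.compare_digest(first_auth_code.encode(), record["auth_code"].encode())
    return id_match and code_match


def proxy_gateway_handle(
    request: AccessRequest,
    check: Callable[[str, str], bool] = first_server_check,
) -> Tuple[str, str]:
    """Proxy gateway decision: extract the first authentication information,
    let the first server check it, then either forward to the second server
    in the intranet or terminate loading. Returns (decision, detail).

    The same path is applied to the initial access request and to every
    later service request for page resources, so nothing is released unchecked.
    """
    if not request.device_id or not request.auth_code:
        return ("reject", "request carries no authentication information")
    if check(request.device_id, request.auth_code):
        return ("forward", f"second server (intranet) <- {request.path}")
    return ("reject", "validity check failed; loading of the intranet application terminated")


if __name__ == "__main__":
    page = AccessRequest("/app/index.html", "device-id-AAAA", "auth-4f3c2a1b")
    script = AccessRequest("/app/static/app.js", "device-id-AAAA", "auth-4f3c2a1b")
    forged = AccessRequest("/app/index.html", "device-id-ZZZZ", "auth-4f3c2a1b")
    for req in (page, script, forged):
        print(req.path, "->", proxy_gateway_handle(req))
```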
In addition, the application also provides an intranet application access method, which is applied to the first service end and comprises the following steps: receiving first authentication information sent by a proxy gateway; the first authentication information is carried by an access request, and the access request is initiated by the trusted mobile terminal when the intranet application is accessed; performing validity check on the access request based on the first authentication information to obtain a check result; sending the checking result to the proxy gateway; the checking result is used for the proxy gateway to determine whether to forward the access request to a second server side in the intranet; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal.
Illustratively, the first authentication information includes a first device identification code and a first authentication code; the step of performing validity check on the first authentication information to obtain a check result includes: acquiring a second device identification code and a second authentication code stored in a database; matching the first equipment identification code with the second equipment identification code, and matching the first authentication code with the second authentication code to obtain a matching result; and under the condition that the matching results are the same, determining that the checking result of the validity check is passing.
Illustratively, before the acquiring the second device identification code and the second authentication code stored in the database, the method includes: querying a second authentication code in the database based on the first authentication code; and if the second authentication code which is the same as the first authentication code is queried, executing the step of acquiring the second equipment identification code and the second authentication code stored in the database.
The intranet application access method further comprises the following steps: responding to a login request initiated by a target mobile terminal, and acquiring an account number and a password carried by the login request; verifying the account number and the password, and initiating a short message request to a short message gateway after the account number and the password pass the verification; acquiring a first verification code sent by the target mobile terminal and a second verification code sent by the short message gateway; and if the first verification code and the second verification code are the same, determining that the target mobile terminal is a trusted mobile terminal, and adding the trusted mobile terminal to a trusted equipment directory.
The intranet application access method further comprises the following steps: responding to a login request initiated by a target mobile terminal, and determining whether the target mobile terminal is logged in for the first time; if yes, a short message request is initiated to a short message gateway; acquiring a first verification code sent by the target mobile terminal and a second verification code sent by the short message gateway; and if the first verification code and the second verification code are the same, determining that the target mobile terminal is a trusted mobile terminal, and adding the trusted mobile terminal to a trusted equipment directory.
The intranet application access method further comprises the following steps: and responding to a removal request initiated by the front end of the external network application, and deleting the trusted mobile terminal to be removed corresponding to the removal request from the trusted equipment directory.
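The first-server login, trusted-device enrollment and removal steps just listed (account and password check, short message verification code comparison, first-login detection, deletion from the trusted device directory and construction of the push message), as an added Python example that is not the patent's own code; the in-memory directory, the stand-in SMS gateway, salted password hashing and the authentication code format are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed account table of the first server: account -> salted password
# hash. The patent only says the account and password are verified; salted
# hashing is an assumption of this example.
_SALT = b"constructed-salt-not-secret"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


ACCOUNTS: Dict[str, bytes] = {"alice": _hash_password("correct horse")}

# Trusted device directory kept by the first server: auth_code -> record.
TRUSTED_DEVICE_DIRECTORY: Dict[str, Dict[str, str]] = {}


class FakeSmsGateway:
    """Stand-in for the short message gateway (constructed). It issues a
    one-time second verification code per account and reports it to the
    first server; a real gateway would deliver it to the phone by SMS."""

    def __init__(self) -> None:
        self.issued: Dict[str, str] = {}

    def send_code(self, account: str) -> None:
        self.issued[account] = f"{secrets.randbelow(10**6):06d}"

    def fetch_code(self, account: str) -> Optional[str]:
        return self.issued.get(account)


def _is_trusted(device_id: str) -> bool:
    return any(r["device_id"] == device_id for r in TRUSTED_DEVICE_DIRECTORY.values())


def start_login(account: str, password: str, device_id: str, sms: FakeSmsGateway) -> str:
    """First half of the login flow. Verifies account and password; if the
    terminal is not yet in the trusted device directory (first login), asks
    the short message gateway for a verification code."""
    candidate = _hash_password(password)  # hashed before the lookup so unknown accounts cost the same
    stored = ACCOUNTS.get(account)
    if stored is None or not hmac.compare_digest(stored, candidate):
        return "rejected"
    if _is_trusted(device_id):
        return "already_trusted"
    sms.send_code(account)
    return "sms_sent"


def complete_login(account: str, device_id: str, first_code: str, sms: FakeSmsGateway) -> Optional[str]:
    """Second half: compare the first verification code sent by the terminal
    with the second one obtained from the gateway. On a match the terminal
    becomes trusted, the one-time code is consumed, and a fresh authentication
    code (constructed format) is stored for later access-request checks."""
    second_code = sms.fetch_code(account)
    if second_code is None or not hmac.compare_digest(first_code, second_code):
        return None
    del sms.issued[account]
    auth_code = "auth-" + secrets.token_hex(8)
    TRUSTED_DEVICE_DIRECTORY[auth_code] = {"account": account, "device_id": device_id}
    return auth_code


def remove_trusted_device(device_id: str) -> Optional[Dict[str, object]]:
    """Handle a removal request from the external network application front
    end: delete the terminal from the directory and build the push message
    that tells it to clear related information. Returns None if unknown."""
    codes = [c for c, r in TRUSTED_DEVICE_DIRECTORY.items() if r["device_id"] == device_id]
    if not codes:
        return None
    for code in codes:
        del TRUSTED_DEVICE_DIRECTORY[code]
    return {
        "type": "clear_related_info",
        "device_id": device_id,
        # Categories preset by the first server; the patent lists these as examples.
        "categories": ["chat", "notification", "interaction"],
    }


if __name__ == "__main__":
    gw = FakeSmsGateway()
    print(start_login("alice", "correct horse", "phone-1", gw))
    print(complete_login("alice", "phone-1", gw.fetch_code("alice"), gw))
    print(remove_trusted_device("phone-1"))
```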
The specific implementation manner of the intranet application access method applied to the first server is basically the same as the above embodiments of the intranet application access method applied to the proxy gateway, and will not be repeated here.
In addition, the application also provides an intranet application access method, which is applied to the trusted mobile terminal and comprises the following steps: initiating an access request for accessing the intranet application to the proxy gateway; the access request carries first authentication information; the first authentication information is sent to a first service end in a public network by the proxy gateway; the first server side is used for assisting the proxy gateway in carrying out validity check on the access request and sending the check result to the proxy gateway; the checking result is used for the proxy gateway to determine whether to forward the access request to a second server side in the intranet; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal; and receiving the page returned by the second server.
The intranet application access method further comprises the following steps: initiating a login request to the first service end; the login request carries an account number and a password; the account number and the password are used for the first server to check, and after the verification is passed, a short message request is initiated to a short message gateway; acquiring a first verification code sent by the short message gateway and sending the first verification code to the first service end; the first verification code is used for the first server to determine whether the first verification code is the same as the second verification code, and when the first verification code is the same as the second verification code, the target mobile terminal is determined to be a trusted mobile terminal, and the trusted mobile terminal is added to a trusted equipment catalog; and the second verification code is acquired from the short message gateway by the first server.
The intranet application access method further comprises the following steps: initiating a first login request to the first server; acquiring a first verification code sent by a short message gateway and sending the first verification code to the first service end; the first verification code is used for the first server to determine whether the first verification code is the same as the second verification code, and when the first verification code is the same as the second verification code, the target mobile terminal is determined to be a trusted mobile terminal, and the trusted mobile terminal is added to a trusted equipment catalog; and the second verification code is acquired from the short message gateway by the first server.
The intranet application access method further comprises the following steps: initiating a service request for the page to the proxy gateway; the service request carries the first authentication information.
The intranet application access method further comprises the following steps: and initiating a removal request to the first service end, wherein the removal request is used for deleting the corresponding trusted mobile terminal in the trusted equipment directory.
The specific implementation of the intranet application access method applied to the trusted mobile terminal is basically the same as the above embodiments of the intranet application access method applied to the proxy gateway, and is not repeated here.
In addition, the application also provides an intranet application access device, which comprises:
the extraction module is used for responding to an access request for accessing the intranet application initiated by the trusted mobile terminal, and extracting first authentication information carried by the access request;
the sending module is used for sending the first authentication information to a first service end in the public network; the first server side is used for assisting the proxy gateway in carrying out validity check on the access request;
the receiving module is used for receiving the checking result fed back by the first service end;
and the forwarding module is used for forwarding the access request to a second server in the intranet if the checking result is passed; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal.
Illustratively, the first authentication information includes a first device identification code and a first authentication code; the first equipment identification code is used for matching with the second equipment identification code, the first authentication code is used for matching with the second authentication code, and the checking result of the validity check is passing under the condition that the matching results are the same; the second equipment identification code and the second authentication code are stored in a database corresponding to the first service end.
Illustratively, the intranet application access device further includes:
the extraction module is further used for responding to a service request for the page initiated by the trusted mobile terminal and extracting the first authentication information carried by the service request; and executing the step of sending the first authentication information to the first server in the public network.
The specific implementation manner of the intranet application access device is basically the same as the embodiments of the intranet application access method, and is not repeated here.
In addition, the application also provides an intranet application access device, which comprises:
the receiving module is used for receiving the first authentication information sent by the proxy gateway; the first authentication information is carried by an access request, and the access request is initiated by the trusted mobile terminal when the intranet application is accessed;
the checking module is used for checking the validity of the access request based on the first authentication information to obtain a checking result;
the sending module is used for sending the checking result to the proxy gateway; the checking result is used for the proxy gateway to determine whether to forward the access request to a second server side in the intranet; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal.
Illustratively, the first authentication information includes a first device identification code and a first authentication code; the checking module is specifically used for:
acquiring a second device identification code and a second authentication code stored in a database;
matching the first equipment identification code with the second equipment identification code, and matching the first authentication code with the second authentication code to obtain a matching result;
and under the condition that the matching results are the same, determining that the checking result of the validity check is passing.
Illustratively, the inspection module is further configured to:
querying a second authentication code in the database based on the first authentication code;
and if the second authentication code which is the same as the first authentication code is queried, executing the step of acquiring the second equipment identification code and the second authentication code stored in the database.
Illustratively, the intranet application access device further includes:
the first acquisition module is used for responding to a login request initiated by a target mobile terminal and acquiring an account number and a password carried by the login request;
the verification module is used for verifying the account number and the password, and initiating a short message request to a short message gateway after the account number and the password pass the verification;
the second acquisition module is used for acquiring a first verification code sent by the target mobile terminal and acquiring a second verification code sent by the short message gateway;
and the first determining module is used for determining that the target mobile terminal is a trusted mobile terminal if the first verification code and the second verification code are the same, and adding the trusted mobile terminal to a trusted device directory.
Illustratively, the intranet application access device further includes:
the second determining module is used for responding to a login request initiated by the target mobile terminal and determining whether the target mobile terminal is logged in for the first time;
the initiating module is used for initiating a short message request to the short message gateway if yes;
the third acquisition module is used for acquiring a first verification code sent by the target mobile terminal and a second verification code sent by the short message gateway;
and the third determining module is used for determining that the target mobile terminal is a trusted mobile terminal if the first verification code and the second verification code are the same, and adding the trusted mobile terminal to a trusted device directory.
Illustratively, the intranet application access device further includes:
and the deleting module is used for responding to a removing request initiated by the front end of the external network application and deleting the trusted mobile terminal to be removed corresponding to the removing request from the trusted equipment directory.
The specific implementation manner of the intranet application access device is basically the same as the embodiments of the intranet application access method, and is not repeated here.
In addition, the application also provides an intranet application access device, which comprises:
the first initiating module is used for initiating an access request for accessing the intranet application to the proxy gateway; the access request carries first authentication information; the first authentication information is sent to a first service end in a public network by the proxy gateway; the first server side is used for assisting the proxy gateway in carrying out validity check on the access request and sending the check result to the proxy gateway; the checking result is used for the proxy gateway to determine whether to forward the access request to a second server side in the intranet; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal;
and the receiving module is used for receiving the page returned by the second server.
Illustratively, the intranet application access device further includes:
the second initiating module is used for initiating a login request to the first service end; the login request carries an account number and a password; the account number and the password are used for the first server to check, and after the verification is passed, a short message request is initiated to a short message gateway;
the first acquisition module is used for acquiring a first verification code sent by the short message gateway and sending the first verification code to the first service end; the first verification code is used for the first server to determine whether the first verification code is the same as the second verification code, and when the first verification code is the same as the second verification code, the target mobile terminal is determined to be a trusted mobile terminal, and the trusted mobile terminal is added to a trusted equipment catalog; and the second verification code is acquired from the short message gateway by the first server.
Illustratively, the intranet application access device further includes:
the third initiating module is used for initiating a first login request to the first server;
the second acquisition module is used for acquiring a first verification code sent by the short message gateway and sending the first verification code to the first service end; the first verification code is used for the first server to determine whether the first verification code is the same as the second verification code, and when the first verification code is the same as the second verification code, the target mobile terminal is determined to be a trusted mobile terminal, and the trusted mobile terminal is added to a trusted equipment catalog; and the second verification code is acquired from the short message gateway by the first server.
Illustratively, the intranet application access device further includes:
a fourth initiating module, configured to initiate a service request for the page to the proxy gateway; the service request carries the first authentication information.
Illustratively, the intranet application access device further includes:
and a fifth initiating module, configured to initiate a removal request to the first service end, where the removal request is used to delete a corresponding trusted mobile terminal in the trusted device directory.
In addition, the application also provides electronic equipment. As shown in fig. 5, fig. 5 is a schematic structural diagram of a hardware running environment according to an embodiment of the present application.
As shown in fig. 5, the electronic device may include a processor 501, a communication interface 502, a memory 503, and a communication bus 504, where the processor 501, the communication interface 502, and the memory 503 perform communication with each other through the communication bus 504, and the memory 503 is used to store a computer program; the processor 501 is configured to implement the steps of the intranet application access method when executing the program stored in the memory 503.
The communication bus 504 mentioned above for the electronic device may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. The communication bus 504 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one bold line is shown in the figure, which does not mean that there is only one bus or one type of bus.
The communication interface 502 is used for communication between the electronic device and other devices described above.
The memory 503 may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk memory. Optionally, the memory 503 may also be at least one storage device located remotely from the aforementioned processor 501.
The processor 501 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), etc.; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The specific implementation manner of the electronic device of the present application is basically the same as the above embodiments of the intranet application access method, and will not be repeated here.
In addition, the embodiment of the application also provides a computer readable storage medium, wherein an intranet application access program is stored on the computer readable storage medium, and the intranet application access program realizes the steps of the intranet application access method when being executed by a processor.
The specific implementation manner of the computer readable storage medium of the present application is basically the same as the above embodiments of the intranet application access method, and will not be described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising one …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The foregoing embodiment numbers of the present application are merely for the purpose of description, and do not represent the advantages or disadvantages of the embodiments.
From the above description of the embodiments, it will be clear to those skilled in the art that the above-described embodiment method may be implemented by means of software plus a necessary general hardware platform, but of course may also be implemented by means of hardware, but in many cases the former is a preferred embodiment. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art in the form of a software product stored in a storage medium (e.g. ROM/RAM, magnetic disk, optical disk) as described above, comprising instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to perform the method according to the embodiments of the present application.
Furthermore, the terms "first," "second," "third," and the like in the description of the present specification and in the appended claims, are used for distinguishing between descriptions and not necessarily for indicating or implying a relative importance. It will also be understood that, although the terms "first," "second," etc. may be used herein in some embodiments of the application to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish one element from another element. For example, a first table may be named a second table, and similarly, a second table may be named a first table without departing from the scope of the various described embodiments. The first table and the second table are both tables, but they are not the same table.
The foregoing description is only of the preferred embodiments of the present application, and is not intended to limit the scope of the application, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.

Claims (16)

1. The intranet application access method is characterized by being applied to a proxy gateway, and comprises the following steps of:
responding to an access request for accessing an intranet application initiated by a trusted mobile terminal, and extracting first authentication information carried by the access request;
transmitting the first authentication information to a first service end in a public network; the first server side is used for assisting the proxy gateway in carrying out validity check on the access request;
receiving an inspection result fed back by the first server;
if the checking result is that the access request passes, forwarding the access request to a second server side in the intranet; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal.
2. The intranet application access method of claim 1, wherein the first authentication information includes a first device identification code and a first authentication code; the first equipment identification code is used for matching with the second equipment identification code, the first authentication code is used for matching with the second authentication code, and the checking result of the validity check is passing under the condition that the matching results are the same; the second equipment identification code and the second authentication code are stored in a database corresponding to the first service end.
3. The intranet application access method of claim 1, further comprising:
responding to a service request for the page initiated by the trusted mobile terminal, and extracting the first authentication information carried by the service request; and executing the step of sending the first authentication information to the first server in the public network.
4. The intranet application access method is characterized by being applied to a first service end, and comprises the following steps of:
receiving first authentication information sent by a proxy gateway; the first authentication information is carried by an access request, and the access request is initiated by the trusted mobile terminal when the intranet application is accessed;
performing validity check on the access request based on the first authentication information to obtain a check result;
sending the checking result to the proxy gateway; the checking result is used for the proxy gateway to determine whether to forward the access request to a second server side in the intranet; the second server is used for processing the access request and returning a corresponding page to the trusted mobile terminal.
5. The intranet application access method of claim 4 wherein the first authentication information comprises a first device identification code and a first authentication code; the step of performing validity check on the first authentication information to obtain a check result includes:
acquiring a second device identification code and a second authentication code stored in a database;
matching the first equipment identification code with the second equipment identification code, and matching the first authentication code with the second authentication code to obtain a matching result;
and under the condition that the matching results are the same, determining that the checking result of the validity check is passing.
6. The intranet application access method as set forth in claim 5, wherein before obtaining the second device identification code and the second authentication code stored in the database, the method includes:
querying a second authentication code in the database based on the first authentication code;
and if the second authentication code which is the same as the first authentication code is queried, executing the step of acquiring the second equipment identification code and the second authentication code stored in the database.
7. The intranet application access method of claim 4, further comprising:
responding to a login request initiated by a target mobile terminal, and acquiring an account number and a password carried by the login request;
verifying the account number and the password, and initiating a short message request to a short message gateway after the account number and the password pass the verification;
acquiring a first verification code sent by the target mobile terminal and a second verification code sent by the short message gateway;
and if the first verification code and the second verification code are the same, determining that the target mobile terminal is a trusted mobile terminal, and adding the trusted mobile terminal to a trusted equipment directory.
8. The intranet application access method of claim 4, further comprising:
in response to a login request initiated by a target mobile terminal, determining whether this is the target mobile terminal's first login;
if so, initiating a short message request to a short message gateway;
acquiring a first verification code sent by the target mobile terminal and a second verification code sent by the short message gateway; and
if the first verification code and the second verification code are identical, determining that the target mobile terminal is a trusted mobile terminal and adding it to a trusted device directory.
9. The intranet application access method of claim 4, further comprising:
in response to a removal request initiated by the front end of the extranet application, deleting the trusted mobile terminal to be removed that corresponds to the removal request from the trusted device directory.
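The enrollment and removal flows of claims 7 to 9, as an added example that is not part of the patent. It combines the two login variants in one handler (the account and password check of claim 7, with the SMS step run only on a terminal's first login as in claim 8), which is a design choice of this example and not something the claims require. The SMS gateway stand-in, the account store, the PBKDF2 password hashing, the five-minute code lifetime and the single-use pending entry are all assumptions added here; the claims say only that the two verification codes are compared for equality.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

# Constructed account store for the example: account -> PBKDF2 hash of the
# password. The salt is fixed only so the example is reproducible; a real
# store uses a random salt per account.
_SALT = b"constructed-example-salt"


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


ACCOUNTS: Dict[str, bytes] = {"zhangsan": hash_password("correct horse battery")}


class SmsGateway:
    """Stand-in for the short message gateway. A short message request makes it
    generate a 6-digit code, text it to the terminal (recorded in .delivered so
    the terminal side of the example can read it) and hand the same code back
    to the first server as the second verification code of the claims."""

    def __init__(self) -> None:
        self.delivered: Dict[str, str] = {}

    def request_code(self, terminal: str) -> str:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.delivered[terminal] = code
        return code


class FirstServer:
    """First server in the public network; it owns the trusted device directory."""

    CODE_TTL_SECONDS = 300  # assumption: a verification code is usable for five minutes

    def __init__(self, sms: SmsGateway) -> None:
        self.sms = sms
        self.trusted_device_directory: Set[str] = set()
        # terminal -> (second verification code, expiry time)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def _password_ok(self, account: str, password: str) -> bool:
        stored = ACCOUNTS.get(account)
        candidate = hash_password(password)  # hash even for unknown accounts
        return stored is not None and hmac.compare_digest(candidate, stored)

    def login(self, terminal: str, account: str, password: str, now: float) -> str:
        """Login request handler. Claim 7: verify account and password, then
        initiate a short message request. Claim 8: the short message step is
        only needed on the terminal's first login; a terminal already in the
        trusted device directory is let through without it."""
        if not self._password_ok(account, password):
            return "denied"
        if terminal in self.trusted_device_directory:
            return "trusted"
        second_code = self.sms.request_code(terminal)
        self._pending[terminal] = (second_code, now + self.CODE_TTL_SECONDS)
        return "verification_code_sent"

    def submit_verification_code(self, terminal: str, first_code: str, now: float) -> bool:
        """Compare the first verification code (sent by the terminal) with the
        second (sent by the SMS gateway); on a match add the terminal to the
        trusted device directory. The pending entry is consumed whether or not
        the code matches, so each code can be tried once and a fresh login is
        needed for another attempt."""
        entry = self._pending.pop(terminal, None)
        if entry is None:
            return False
        second_code, expiry = entry
        if now > expiry:
            return False
        if not hmac.compare_digest(first_code.encode(), second_code.encode()):
            return False
        self.trusted_device_directory.add(terminal)
        return True

    def remove(self, terminal: str) -> bool:
        """Claim 9: removal request from the extranet application front end."""
        if terminal not in self.trusted_device_directory:
            return False
        self.trusted_device_directory.discard(terminal)
        return True


def enroll_demo() -> Tuple[str, bool, str, bool]:
    """Run the whole flow once with a constructed terminal playing along."""
    sms = SmsGateway()
    server = FirstServer(sms)
    terminal = "IMEI-356938035643809"
    first = server.login(terminal, "zhangsan", "correct horse battery", now=1_000.0)
    enrolled = server.submit_verification_code(terminal, sms.delivered[terminal], now=1_010.0)
    second = server.login(terminal, "zhangsan", "correct horse battery", now=1_020.0)
    removed = server.remove(terminal)
    return first, enrolled, second, removed


if __name__ == "__main__":
    print(enroll_demo())
```

The two caveats a practitioner would add to the claims' bare equality check are visible in submit_verification_code: the code expires, and a wrong guess discards the pending entry instead of leaving a six-digit code open to repeated tries.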
10. An intranet application access method, applied to a trusted mobile terminal, comprising:
initiating an access request for accessing the intranet application to the proxy gateway, the access request carrying first authentication information; the proxy gateway sends the first authentication information to a first server in the public network; the first server assists the proxy gateway in performing a validity check on the access request and sends the check result to the proxy gateway; the check result is used by the proxy gateway to decide whether to forward the access request to a second server in the intranet; the second server processes the access request and returns the corresponding page to the trusted mobile terminal; and
receiving the page returned by the second server.
11. The intranet application access method of claim 10, further comprising:
initiating a login request to the first server, the login request carrying an account and a password; the first server verifies the account and password and, once they pass verification, initiates a short message request to a short message gateway; and
acquiring a first verification code sent by the short message gateway and sending it to the first server; the first server determines whether the first verification code is identical to a second verification code and, if so, determines that the target mobile terminal is a trusted mobile terminal and adds it to a trusted device directory; the second verification code is acquired by the first server from the short message gateway.
12. The intranet application access method of claim 10, further comprising:
initiating a first login request to the first server; and
acquiring a first verification code sent by a short message gateway and sending it to the first server; the first server determines whether the first verification code is identical to a second verification code and, if so, determines that the target mobile terminal is a trusted mobile terminal and adds it to a trusted device directory; the second verification code is acquired by the first server from the short message gateway.
13. The intranet application access method of claim 10, further comprising:
initiating a service request for the page to the proxy gateway, the service request carrying the first authentication information.
14. The intranet application access method of claim 10, further comprising:
initiating a removal request to the first server, the removal request being used to delete the corresponding trusted mobile terminal from the trusted device directory.
15. An electronic device, comprising: a memory, a processor, and an intranet application access program stored in the memory and executable on the processor, the intranet application access program being configured to implement the steps of the intranet application access method of any one of claims 1 to 14.
16. A computer-readable storage medium, on which an intranet application access program is stored, the intranet application access program, when executed by a processor, implementing the steps of the intranet application access method of any one of claims 1 to 14.
Application: CN202310882735.0A, Intranet application access method, electronic equipment and readable storage medium. Priority date 2023-07-18, filing date 2023-07-18. Status: Pending.

Publication: CN116827659A (en), published 2023-09-29.

Family ID: 88127490 (one family application, CN202310882735.0A, pending).

Country status: CN, CN116827659A (en).

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination