CN101471777B - Access control system and method between domains based on domain name - Google Patents
Access control system and method between domains based on domain name Download PDFInfo
- Publication number
- CN101471777B CN101471777B CN2007103085529A CN200710308552A CN101471777B CN 101471777 B CN101471777 B CN 101471777B CN 2007103085529 A CN2007103085529 A CN 2007103085529A CN 200710308552 A CN200710308552 A CN 200710308552A CN 101471777 B CN101471777 B CN 101471777B
- Authority
- CN
- China
- Prior art keywords
- server
- user
- authentication
- domain
- authentication server
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 18
- 238000003780 insertion Methods 0.000 claims description 61
- 230000037431 insertion Effects 0.000 claims description 61
- 238000013507 mapping Methods 0.000 claims description 4
- 230000005540 biological transmission Effects 0.000 claims description 3
- 238000000605 extraction Methods 0.000 claims description 2
- 239000000284 extract Substances 0.000 abstract description 5
- 238000012795 verification Methods 0.000 description 3
- 239000012467 final product Substances 0.000 description 2
- 230000001965 increasing effect Effects 0.000 description 2
- 238000013459 approach Methods 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000006855 networking Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
Images
Abstract
The invention discloses a cross-domain access control system based on a domain name and a method. The method comprises the step as follows: in step one, a network access control server extracts user domain information in a certification request sent by a user client; in step two, corresponding relation information between a domain and an identity authentication server is stored in the network access control server; the network access control server searches the corresponding identity authentication server according to the user domain information, and transmits the certification request to the searched identity authentication server; and in step three, the identity authentication server performs the user identity authentication according to the received certification request. The network access control server can be directly communicated with a native-place identity authentication server, and a data packet need not to be transmitted through accessing a domain identity authentication server, so that the authentication delay is reduced, and the extensibility is strong.
Description
Technical field
The invention belongs to the access control technical field in the network security technology, particularly relate to a kind of network access control system and method for striding management domain.
Background technology
At present each Internet Service Provider generally carries out in various degree access control to network user.Access control was meant before the customer access network resource, by authenticating user identification system identification user identity, determined that the user whether can accesses network and set the process of access rights.
Simultaneously, the website on the network may belong to different management domains with resource, is provided and is managed by different mechanisms, thereby make whole network be divided into a plurality of different management domains.Along with the resource on the Internet becomes increasingly abundant and user's roaming, mobility enhancing, increasing user uses network outside this management domain.Thereby it is essential to provide cross-domain access control service to become.Provide service by cooperation to the user between cross-domain each management domain of access control service request, this mode will bring the user new experience at the aspects such as diversity, agility, fail safe, simplicity rich, service of resource, also can alleviate the lower deployment cost of Virtual network operator simultaneously greatly.
See also the structural representation that Figure 1 shows that access control system 100 in the prior art.
Network insertion Control Server 102 is used to implement network insertion control, receives the request that subscription client 101 sends, and transmits to predetermined authentication server.
Authentication server 103,104 is in respectively in A, the B management domain, stores the user profile of affiliated user among management domain A, the B respectively, and authentication service is provided.
Suppose that this subscription client 101 is the user in B territory, current being in the A territory when this subscription client 101 needs access network, needs cross-domain (A territory) to initiate authentication to affiliated territory (B territory), thus access network.This cross-domain network insertion control flow chart sees also shown in Figure 2.
Step 201, network insertion Control Server 102 receives the authentication request that subscription client 101 sends, and transmits authentication request to the authentication server 103 of the current field;
Step 202, domain information under the user that authentication server 103 extracts in the described authentication request;
Step 203, authentication server 103 judges whether this subscription client 101 is this territory user, if, carry out authentification of user, execution in step 204, if not, search the authentication server of territory correspondence under the user-be called local domain authentication server by pre-configure information in the authentication server 103, authentication request is transmitted to local domain authentication server, carries out authentification of user, execution in step 204;
If authentication server 103 judges that obtaining this subscription client 101 is not this territory user, is transmitted to authentication request the authentication server 104 in B territory;
This pre-configure information is the correspondence relationship information of domain name and authentication server address, and each authentication server of the prior art all is provided with this pre-configure information, closes on the information of management domain with recording section;
Step 204 judges whether by authentication, if by authentication, and authentication server return authentication success packet, subscription client 101 inserts the networking, if do not pass through, responds the authentification failure packet, finishes.
In said process, if the user is the user in the current field, this verification process comprises:
Client<-the network insertion Control Server<-this territory authentication server.
If cross-domain authentication, verification process comprises:
Client<-the network insertion Control Server<-this territory authentication server<-territory, local authentication server.
In this process, the problem of existence mainly contains:
(1) when cross-domain visit, when being the non-current intra domain user of user, all to pass through the access domain server forwards, increase the access control time delay to the identification authentication data bag of territory, local authentication server, give user service experience poor, influenced the service quality of Internet service provider.
(2) on authentication server, the authentication server information of territory correspondence is static configuration under the user, can only discern the user in limited pre-configured territory like this, and other territories user can not insert current network, makes system not have extensibility like this.In addition, when the authentication server in certain territory changes,, then need to revise one by one the configuration on each authentication server, increased administrative staff's workload, also can cause service disruption as changing the IP address.
Summary of the invention
The object of the present invention is to provide a kind of cross-domain access control system and method,, improve autgmentability to have reduced the authentication time-delay based on domain name.
For achieving the above object, the invention provides a kind of cross-domain connection control method, comprising based on domain name:
Step 1, domain information under the user in the authentication request that network insertion Control Server extraction subscription client sends;
Step 2, store the correspondence relationship information of territory and authentication server in the described network insertion Control Server, described network insertion Control Server is searched corresponding authentication server according to domain information under the described user, and transmits described authentication request to the authentication server that finds;
Step 3, described authentication server carries out authenticating user identification according to the described authentication request that receives.
Described network insertion Control Server utilizes a buffer memory, stores the correspondence relationship information of described territory and authentication server.
Described step 2 further comprises:
When described network insertion Control Server when successful search is to corresponding authentication server, send analysis request to name server, comprise the affiliated domain information of user in the described analysis request, the domain name server is resolved according to domain information under the described user, to described network insertion Control Server return with described user under the information of the corresponding authentication server of domain information.
Described step 2 further comprises: described network insertion Control Server utilizes the described buffer memory of information updating of the authentication server that returns of domain name server.
Described step 3 also comprises:
If described authentication is passed through, described authentication server sends authentication success packet and user right information to described network insertion Control Server, and described network insertion Control Server utilizes described user right information setting controlled condition;
If described authentication is not passed through, described authentication server sends the authentification failure packet to described network insertion Control Server.
Described step 3 authentication is by also comprising the following steps: afterwards
Step 1, the de-registration request of subscription client domain information under described network insertion Control Server transmission comprises the user;
Step 2, described network insertion Control Server are extracted domain information under this user, search with the user under the corresponding authentication server information in territory, transmit de-registration request to described authentication server;
Step 3, described authentication server is finished user log off according to described de-registration request, sends to described network insertion Control Server and nullifies success message;
Step 4, described network insertion Control Server is received described cancellation success message, deletes described controlled condition.
The invention also discloses a kind of cross-domain access control system, comprising based on domain name:
Subscription client is used to send the authentication request that comprises user ID, comprises the affiliated domain information of user in the described user ID;
The network insertion Control Server, store the correspondence relationship information of territory and authentication server, described network insertion Control Server receives described authentication request, search corresponding authentication server according to domain information under the described user, and transmit described authentication request to the authentication server that finds;
Authentication server is used for carrying out authenticating user identification according to the described authentication request that receives.
Described network insertion Control Server comprises a buffer memory, is used to store the correspondence relationship information of territory and authentication server.
Described system also comprises a name server, is used to provide the domain name mapping service, stores the correspondence relationship information of territory and authentication server in the domain name server.
Described user ID can identify by user name/password, one or more realizations in the knowledge system sign, digital signature sign.
Utilize said system of the present invention and method, the network insertion Control Server can directly be communicated by letter with the local authentication server, and packet does not need to deliver by the access domain authentication server, has reduced the authentication time-delay.In addition, when the authentication server of certain territory correspondence changes, only need the corresponding configuration of the clauses and subclauses of change name server to get final product, do not need to change other server, also can not cause service disruption.
Description of drawings
Figure 1 shows that the structural representation of access control system in the prior art;
Figure 2 shows that cross-domain network insertion control flow chart in the prior art;
Figure 3 shows that the structural representation of the cross-domain access control system based on domain name of the present invention;
Figure 4 shows that cross-domain network insertion control flow chart of the present invention;
Figure 5 shows that cross-domain network of the present invention disconnects control flow chart;
Figure 6 shows that the detailed realization flow figure of step 402 of the present invention;
Figure 7 shows that the detailed realization flow figure of step 605 of the present invention.
Embodiment
Below cooperate embodiment and accompanying drawing, describe technical characterictic of the present invention in detail.
See also the structural representation that Figure 3 shows that the cross-domain access control system based on domain name of the present invention.
Cross-domain access control system 300 comprises subscription client 301, network insertion Control Server 302, name server 304, authentication server 306.
Network insertion Control Server 302 is used to implement network insertion control, forbids that unverified user uses Internet resources, makes authenticated user use Internet resources in due authority, transmits control information.
In this network insertion Control Server 302, be provided with a buffer memory 303, be used for the user's of the recent access network of buffer memory the correspondence relationship information of affiliated territory and corresponding authentication server.Each territory all has the authentication server of a correspondence, and promptly domain name can realize that with the authentication server address corresponding, concrete corresponding relation can be as shown in table 1:
Table 1
| Domain name A | Authentication server address A1 |
| Domain name B | Authentication server address B1 |
Table 2
| Title | Type | The address |
| Domain name A | Authentication | Authentication server address A1 |
| Domain name B | Authentication | Authentication server address B1 |
See also and Figure 4 shows that cross-domain network insertion control flow chart of the present invention.
Step 401, when the needs access network, subscription client 301 sends the authentication request that comprises user ID, and user ID comprises the affiliated domain information of user;
This user ID can for example be the sign of userid@domain form, and wherein, userid is a user name, and domain is the domain name in territory under the user;
Step 402, network insertion Control Server 302 receives this authentication request, extract domain information under this user, utilize described buffer memory 303 search with the user under corresponding authentication server 306 information in territory, and transmit authentication request to this authentication server 306;
Step 403, authentication server 306 carries out authenticating user identification according to the authentication request that receives, if by authentication, if execution in step 404 is not by authentication, execution in step 406;
Step 404, authentication server 306 sends authentication success packet and user right information to network insertion Control Server 302;
See also and Figure 5 shows that cross-domain network of the present invention disconnects control flow chart.
Step 501, when the user need disconnect network, subscription client 301 sent de-registration request to network insertion Control Server 302, comprises user ID in this de-registration request, and user ID comprises the affiliated domain information of user;
Step 502, network insertion Control Server 302 receives this de-registration request, extract domain information under this user, utilize described buffer memory 303 search with the user under corresponding authentication server 306 information in territory, and transmit de-registration request to this authentication server 306;
Step 503, authentication server 306 is finished user log off according to the de-registration request that receives, and sends to network insertion Control Server 302 and nullifies success message;
Step 504, network insertion Control Server 302 are received this cancellation success message, and the controlled condition of setting in the deletion step 405 realizes that network disconnects.
See also the detailed realization flow figure that Figure 6 shows that step 402 of the present invention.
Step 602, utilize described buffer memory 303 search with the user under corresponding authentication server 306 information in territory, if find, execution in step 603, if do not find, execution in step 604;
Step 603 is transmitted authentication request, execution in step 403 to this authentication server 306;
Step 607 sends failed message to subscription client 301, finishes.
See also the detailed realization flow figure that Figure 7 shows that step 605 of the present invention.
Step 701, name server 304 is received this analysis request, in clauses and subclauses 305, search the information of the domain name correspondence in territory under this user according to domain information under the user in the analysis request, if find, execution in step 606, promptly return authentication server 306 addresses of finding, if do not find, execution in step 607.
As seen, utilize said method of the present invention and system, this verification process only by client<-the network insertion Control Server<-the approach transmission of authentication server, promptly, the network insertion Control Server can directly be communicated by letter with the local authentication server, packet does not need to deliver by the access domain authentication server, has reduced the authentication time-delay.
In addition, when the authentication server of certain territory correspondence changes, only need the corresponding configuration of the clauses and subclauses of change name server to get final product, do not need to change other server, also can not cause service disruption, autgmentability is strong.
Certainly; the present invention also can have other various embodiments; under the situation that does not deviate from spirit of the present invention and essence thereof; those of ordinary skill in the art work as can make various corresponding changes and distortion according to the present invention, but these corresponding changes and distortion all should belong to the protection range of the appended claim of the present invention.
Claims (5)
1. the cross-domain connection control method based on domain name is characterized in that, comprising:
Step 1, domain information under the user in the authentication request that network insertion Control Server extraction subscription client sends;
Step 2, described network insertion Control Server is by the correspondence relationship information of territory and authentication server under the user of the recent access network of a buffer memory, described network insertion Control Server is searched corresponding authentication server according to domain information under the described user, and transmits described authentication request to the authentication server that finds;
Step 3, described authentication server carries out authenticating user identification according to the described authentication request that receives;
Wherein, step 2 further comprises: when described network insertion Control Server when successful search is to corresponding authentication server, send analysis request to name server, comprise the affiliated domain information of user in the described analysis request, the domain name server is resolved according to domain information under the described user, to described network insertion Control Server return with described user under the information of the corresponding authentication server of domain information, described network insertion Control Server utilizes the described buffer memory of information updating of the authentication server that returns of domain name server;
When authentication server changes, only change the corresponding relation in territory and authentication server under the user in the domain name server.
2. the method for claim 1 is characterized in that, described step 3 also comprises:
If described authentication is passed through, described authentication server sends authentication success packet and user right information to described network insertion Control Server, and described network insertion Control Server utilizes described user right information setting controlled condition;
If described authentication is not passed through, described authentication server sends the authentification failure packet to described network insertion Control Server.
3. method as claimed in claim 2 is characterized in that, described step 3 authentication is by also comprising the following steps: afterwards
Step 1, the de-registration request of subscription client domain information under described network insertion Control Server transmission comprises the user;
Step 2, described network insertion Control Server are extracted domain information under this user, search with the user under the corresponding authentication server information in territory, transmit de-registration request to described authentication server;
Step 3, described authentication server is finished user log off according to described de-registration request, sends to described network insertion Control Server and nullifies success message;
Step 4, described network insertion Control Server is received described cancellation success message, deletes described controlled condition.
4. the cross-domain access control system based on domain name is characterized in that, comprising:
Subscription client is used to send the authentication request that comprises user ID, comprises the affiliated domain information of user in the described user ID;
The network insertion Control Server, it is by the correspondence relationship information of territory and authentication server under the user of the recent access network of a buffer memory, described network insertion Control Server receives described authentication request, search corresponding authentication server according to domain information under the described user, and transmit described authentication request to the authentication server that finds;
Authentication server is used for carrying out authenticating user identification according to the described authentication request that receives;
Name server is used to provide the domain name mapping service, stores the correspondence relationship information of territory and authentication server in the domain name server;
When authentication server changes, only change the corresponding relation in territory and authentication server under the user in the domain name server.
5. system as claimed in claim 4 is characterized in that, described user ID is by one or more realizations in user name/password sign, knowledge system sign, the digital signature sign.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007103085529A CN101471777B (en) | 2007-12-29 | 2007-12-29 | Access control system and method between domains based on domain name |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN2007103085529A CN101471777B (en) | 2007-12-29 | 2007-12-29 | Access control system and method between domains based on domain name |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN101471777A CN101471777A (en) | 2009-07-01 |
| CN101471777B true CN101471777B (en) | 2011-08-31 |
Family
ID=40828919
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN2007103085529A Active CN101471777B (en) | 2007-12-29 | 2007-12-29 | Access control system and method between domains based on domain name |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN101471777B (en) |
Families Citing this family (12)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101969426B (en) * | 2009-07-28 | 2013-11-27 | 英业达股份有限公司 | Distributed user authentication system and method |
| CN101998360B (en) * | 2009-08-11 | 2015-05-20 | 中兴通讯股份有限公司 | Method for building identity management trusting and identity provider and service provider |
| CN101998398A (en) * | 2009-08-11 | 2011-03-30 | 中兴通讯股份有限公司 | System and method for accessing service provider in accessing place |
| CN102045173A (en) * | 2009-10-12 | 2011-05-04 | 华为终端有限公司 | Authentication method, device and system of user equipment |
| CN102111761B (en) * | 2009-12-28 | 2014-01-01 | 华为终端有限公司 | Secrete key management method and equipment |
| CN102143045B (en) * | 2010-08-12 | 2014-02-19 | 华为技术有限公司 | Method, device and system for processing service message in wireless local area network |
| CN102882555B (en) * | 2012-08-30 | 2015-04-08 | 华为技术有限公司 | Domain access control method, domain searching method and communication apparatus |
| CN103795530B (en) * | 2012-10-31 | 2017-11-03 | 华为技术有限公司 | A kind of method, device and the main frame of cross-domain controller certification |
| CN103051626B (en) * | 2012-12-21 | 2016-09-28 | 华为技术有限公司 | A kind of authentication method and the network equipment |
| CN110149235B (en) * | 2019-05-28 | 2020-11-24 | 中山大学 | Tree-shaped network proxy system supporting multi-user and multi-network protocol and capable of being dynamically expanded |
| CN110661816B (en) * | 2019-10-22 | 2021-11-05 | 北京印刷学院 | Cross-domain authentication method based on block chain and electronic equipment |
| CN113949710B (en) * | 2021-10-15 | 2024-04-05 | 北京奇艺世纪科技有限公司 | Data processing method and server cluster |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1564626A (en) * | 2004-03-22 | 2005-01-12 | 西安电子科技大学 | Radio LAN security access method based on roaming key exchange authentication protocal |
| CN1744543A (en) * | 2004-09-04 | 2006-03-08 | 华为技术有限公司 | Method for realizing roaming of accessing data net by labelling subscriber home address using domainname |
-
2007
- 2007-12-29 CN CN2007103085529A patent/CN101471777B/en active Active
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1564626A (en) * | 2004-03-22 | 2005-01-12 | 西安电子科技大学 | Radio LAN security access method based on roaming key exchange authentication protocal |
| CN1744543A (en) * | 2004-09-04 | 2006-03-08 | 华为技术有限公司 | Method for realizing roaming of accessing data net by labelling subscriber home address using domainname |
Also Published As
| Publication number | Publication date |
|---|---|
| CN101471777A (en) | 2009-07-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN101471777B (en) | Access control system and method between domains based on domain name | |
| US20080092213A1 (en) | Method, system and server for realizing secure assignment of dhcp address | |
| CN103546432B (en) | Realize method and system and browser, the name server of cross-domain redirect | |
| CN103067337B (en) | Identity federation method, identity federation intrusion detection & prevention system (IdP), identity federation service provider (SP) and identity federation system | |
| CN109819068B (en) | User terminal, block chain domain name resolution method thereof, computer equipment and computer readable storage medium | |
| CN111885604B (en) | Authentication method, device and system based on heaven and earth integrated network | |
| CN101540755A (en) | Method, system and device for recovering data | |
| CN101540757A (en) | Method and system for identifying network and identification equipment | |
| CN102316416A (en) | Access method for terminal and wireless communication network | |
| CN104683306A (en) | Safe and controllable internet real-name certification mechanism | |
| CN110225017B (en) | Identity authentication method, equipment and storage medium based on alliance block chain | |
| CN103023856A (en) | Single sign-on method, single sign-on system, information processing method and information processing system | |
| CN106209900A (en) | A kind of method that smart lock is registered to repeater | |
| KR20120102765A (en) | Method and system for accessing network through public device | |
| CN105592180A (en) | Portal authentication method and device | |
| CN101867589A (en) | Network identification authentication server and authentication method and system thereof | |
| CN105516395A (en) | Network address assignment method and device | |
| CN101616414A (en) | Method, system and server that terminal is authenticated | |
| EP3855695B1 (en) | Access authentication | |
| CN109379339B (en) | Portal authentication method and device | |
| US8661517B2 (en) | Method and system for accessing network through public equipment | |
| US9112843B2 (en) | Method and system for subscriber to log in internet content provider (ICP) website in identity/location separation network and login device thereof | |
| CN102882686A (en) | Authentication method and authentication device | |
| CN103107976A (en) | Content provider/service provider (CP/SP) user identification authentication method and system and authentication support device | |
| WO2020147854A1 (en) | Authentication method, apparatus and system, and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| C53 | Correction of patent for invention or patent application | ||
| CB03 | Change of inventor or designer information |
Inventor after: Xu Zhijun Inventor after: Zhang Yujun Inventor after: Shen Lingnan Inventor before: Xu Zhijun Inventor before: Zhang Yujun |
|
| COR | Change of bibliographic data |
Free format text: CORRECT: INVENTOR; FROM: XU ZHIJUN ZHANG YUJUN TO: XU ZHIJUN ZHANG YUJUN SHEN LINGNAN |
|
| ASS | Succession or assignment of patent right |
Owner name: HANGZHOU EWELL TECHNOLOGY CO., LTD. Free format text: FORMER OWNER: INSTITUTE OF COMPUTING TECHNOLOGY, CHINESE ACADEMY OF SCIENCES Effective date: 20140114 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 100080 HAIDIAN, BEIJING TO: 310053 HANGZHOU, ZHEJIANG PROVINCE |
|
| TR01 | Transfer of patent right |
Effective date of registration: 20140114 Address after: Hangzhou City, Zhejiang province 310053 Binjiang District Dongxin Road No. 66 East communication city D, 2 floor Patentee after: Hangzhou Medical Technology Co., Ltd. Address before: 100080 Haidian District, Zhongguancun Academy of Sciences, South Road, No. 6, No. Patentee before: Institute of Computing Technology, Chinese Academy of Sciences |
|
| C56 | Change in the name or address of the patentee | ||
| CP01 | Change in the name or title of a patent holder |
Address after: Hangzhou City, Zhejiang province 310053 Binjiang District Dongxin Road No. 66 East communication city D, 2 floor Patentee after: Medical Technology Co., Ltd. Address before: Hangzhou City, Zhejiang province 310053 Binjiang District Dongxin Road No. 66 East communication city D, 2 floor Patentee before: Hangzhou Medical Technology Co., Ltd. |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right |
Denomination of invention: Access control system and method between domains based on domain name Effective date of registration: 20190522 Granted publication date: 20110831 Pledgee: Bank of China Limited Hangzhou Binjiang Branch Pledgor: Medical Technology Co., Ltd. Registration number: 2019330000133 |
|
| PE01 | Entry into force of the registration of the contract for pledge of patent right |