Background technology
Single sign-on (SSO) is a mechanism whereby, after a number of application systems (applications) have been integrated, a user who has completed one identity authentication (generally an account number/password) and logged in can use the services of all of those application systems without having to log in again each time he or she switches to another one. Here, an application system is software developed for a specific purpose; it may be a single program or a large software system made up of many independent programs, such as an ERP (Enterprise Resource Planning) or CRM (Customer Relationship Management) system.
Take an Enterprise Information Portal (EIP) as an example. It integrates the services of many application systems, such as news browsing, sending and receiving e-mail, a calendar, project planning management, ERP and CRM. Without an SSO mechanism the user would have to log in for authentication before entering each of these application systems, which is quite inconvenient. For the user, SSO therefore saves the time spent on repeated authentication and avoids the confusion that comes from holding several sets of authentication information at once; for the administrator, changes to accounts can be handled through a single maintenance mechanism, which lowers the cost of maintenance.
SSO solutions already exist for Web application systems. The usual approach is to integrate all Web application systems on one server; after the server has successfully verified the authentication information it generates a sign-on key (SOK) and sets it in a Cookie held by the user as proof of login, and the sign-on key is then read back out of the Cookie through the web browsing mechanism, so that the user need not log in again when switching to another Web application system. Such an SSO mechanism, however, does not give the desired effect for Non-Web application systems, because a Non-Web application system is not browsed and operated through a browser and therefore cannot obtain the sign-on key from the Cookie, so the SSO effect cannot be achieved. Another approach is to convert the Non-Web application system into a Web application, but that requires modifying the original Non-Web application system, which costs time and money and may introduce errors (bugs) that did not exist before. Here, a Web application system is one that is browsed and operated through a browser, its user interface being hypertext that a web browser can display; a Non-Web application system is one that is not run through a browser, for example an application system developed in a language such as VB, C/C++, Delphi and the like.
Because the legacy systems of most enterprises still include many Non-Web application systems, an SSO mechanism is needed that, without affecting the original Non-Web application system architecture, lets a user who has completed one identity authentication and logged in switch between Web application systems and/or Non-Web application systems without any further login action.
Embodiment
The above and other technical features and advantages of the invention are described in more detail below with reference to the accompanying drawings.
Fig. 1 is a block diagram of a single sign-on system according to one embodiment of the invention. Referring to Fig. 1, the single sign-on (SSO) system 100 of the invention comprises a user-end computer 110, a web server 120, a single sign-on (SSO) server 130 and a verification server 140, connected to one another through a network 200. Although the SSO system 100 in this embodiment comprises one user-end computer 110, one web server 120, one SSO server 130 and one verification server 140, it is not limited to this; for example, the SSO system of the invention may comprise many user-end computers and many web servers, each user-end computer letting its own user perform single sign-on and each web server hosting (plugging in) a different Web application system, so that users can use different Web application systems over the network. The network 200 may be the Internet, an Intranet or an Extranet, a Local Area Network or a Wide Area Network, but is not limited to these.
The user-end computer 110 is a local computer on which a client program is installed. Here, a computer is a machine that processes data according to a series of instructions, such as a personal computer, a mobile phone or a PDA (Personal Digital Assistant). A client program is a program installed on a local computer such as the user-end computer 110 that provides local services to the user, such as the web browser 112; it works together over the network with a server program, i.e. a program installed on a remote computer such as the servers 120, 130 and 140 that manages resources and provides services to users, such as Microsoft's IIS server program. In addition, a Non-Web application system 116 may also be installed on the user-end computer 110.
The web server 120 is a computer that manages the web page elements of the Web application system 126 (such as its login page) and answers requests from the web browser 112. In this embodiment the Web application system 126 is installed on the web server 120, so the user can reach the web server 120 through the network 200 with the web browser 112 and thereby operate the Web application system 126 remotely; this is not a limitation, however, and the Web application system 126 could for example be placed on a dedicated application server. The SSO server 130 is a computer that manages the web page elements of the SSO system 100 (such as its login page, the JNLP file generating program 132, the start-up program 134 and so on) and answers requests from the web browser 112. In this embodiment the SSO server 130 works together with the verification server 140 to verify the authentication information (such as an account number/password) that the user enters.
Figs. 2A to 3B are flow charts of a single sign-on method according to an embodiment of the invention, applicable to the SSO system 100 shown in Fig. 1. Figs. 2A and 2B, joined at P1 to P4, show the steps by which a user logs in to a Web application system; Figs. 3A and 3B, joined at Q1 to Q4, show the steps by which a user logs in to a Non-Web application system.
Referring first to Figs. 1, 2A and 2B together, the user wishes to log in to the Web application system 126. Operating the web browser 112 of the user-end computer 110, for example by entering the URL (web address) of the Web application system 126 directly, the user makes the web browser 112 request the login page of the Web application system 126 from the web server 120 (S201). On receiving the request from the web browser 112, the web server 120 does not return the login page of the Web application system 126 to the web browser 112 but redirects it to the login page of the SSO system 100 (S203); at this point the web browser 112 is effectively requesting the login page of the SSO system 100 from the SSO server 130. The SSO server 130 determines whether the user is logging in to the SSO system 100 for the first time (S205); if so, it returns the login page of the SSO system 100 to the web browser 112 for display and asks the user to enter authentication information, which in this embodiment is an account number/password (S207).
After the user has entered the account number/password (S209), the SSO server 130 asks the verification server 140 to verify the account number/password entered by the user (S211). The verification server 140 verifies the account number/password (S213); at this point the verification server 140 needs to query the database that manages the users' authentication information (not shown in the figure; e.g. Oracle, SQL Server and the like). The SSO server 130 receives the verification result returned by the verification server 140 (S215). If the result is a failure, the SSO server 130 directs the web browser 112 to display a verification-failed page. If the result indicates success, the SSO server 130 generates a sign-on key (SOK) and a service ticket (ST) (S217). The sign-on key (SOK) is, for example, a string encoded from information such as the user's account number, the address of the SSO server 130 and the key's validity period, and serves as proof of login to the SSO system 100; the service ticket (ST) is, for example, a string encoded from information such as the sign-on key (SOK) and the name or address of the Web application system 126, serves as proof of login to the Web application system 126, and on the strength of it service tickets (ST) for other Web application systems can be requested from the SSO server 130, which achieves the SSO effect. The SSO server 130 writes this sign-on key (SOK) into the Cookie 114, the temporary file of the web browser 112 on the user-end computer 110 (S219), and returns the service ticket (ST) to the web server 120 (S221), i.e. it appends the service ticket (ST) as a parameter to the URL of the Web application system 126 and redirects to it.
Although the web server 120, having obtained the service ticket (ST), could in principle use it to log in to the Web application system 126 directly, a third party could append some other service ticket (ST) to the URL while the service ticket (ST) is being returned to the web server 120 and so illegitimately obtain the right to use another Web application system. Therefore, after the web server 120 has obtained the service ticket (ST), it must first ask the SSO server 130 to verify it (S223). The SSO server 130 verifies the service ticket (ST) against the name or address of the Web application system 126 it belongs to (S225). If verification fails, the SSO server 130 directs the web browser 112 to display a verification-failed page. If it succeeds, the SSO server 130 returns to the web server 120 the account number that the user entered and that was successfully verified at the first login described above (S227); the web server 120 logs in to the Web application system 126 with this account number (S229) and redirects the web browser 112 to display the post-login home page of the Web application system 126 (S231), after which the user can operate the Web application system 126 through the web browser 112 under this account number.
It should be noted that Figs. 2A and 2B show only one embodiment of the single sign-on method of the invention, in which the user logs in to one Web application system 126; the invention is not limited to this. In fact, any single sign-on method that generates a sign-on key (SOK) after the first login and distributes that sign-on key (SOK) over the network is applicable to the invention. In addition, because the account number/password is transmitted in steps S207, S209 and S211, a secure network transport protocol such as SSL or TLS must be used to transmit the information.
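As an added example that is not code from the patent, the following shows one way the sign-on key and service ticket of S217 and the service-ticket check of S223-S225 could be realised, including the case the description guards against, a ticket issued for one Web application being presented for another. The description only says the tokens are encoded strings; the HMAC, the "|" field layout, the expiry as a Unix time, the server secret and the names ssoSecret, mac, NewSOK, NewST and VerifyST are assumptions made here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"strconv"
	"strings"
	"time"
)

// ssoSecret is a constructed server-side key. The description only says the tokens are
// encoded strings; keying them with an HMAC is an assumption added here so that a
// ticket that was altered or swapped for another application's fails verification.
var ssoSecret = []byte("constructed-demo-secret")

func mac(payload string) string {
	m := hmac.New(sha256.New, ssoSecret)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// NewSOK is the sign-on key of S217: account, SSO server address and expiry time, plus a MAC.
// Fields must not contain "|"; account names containing it would need escaping in a real system.
func NewSOK(account, ssoAddr string, expires time.Time) string {
	p := strings.Join([]string{account, ssoAddr, strconv.FormatInt(expires.Unix(), 10)}, "|")
	return p + "|" + mac(p)
}

// NewST is the service ticket of S217: the SOK bound to one Web application's name, plus a MAC.
func NewST(sok, appName string) string {
	return sok + "|" + appName + "|" + mac(sok+"|"+appName)
}

// VerifyST is the check of S223-S225 (assumed implementation): the ticket must be intact,
// unexpired and issued for the application that presents it. It returns the account (S227).
func VerifyST(st, appName string, now time.Time) (string, bool) {
	p := strings.Split(st, "|")
	if len(p) != 6 {
		return "", false
	}
	stOK := hmac.Equal([]byte(mac(strings.Join(p[:5], "|"))), []byte(p[5]))
	sokOK := hmac.Equal([]byte(mac(strings.Join(p[:3], "|"))), []byte(p[3]))
	exp, err := strconv.ParseInt(p[2], 10, 64)
	if !stOK || !sokOK || err != nil || now.Unix() >= exp || p[4] != appName {
		return "", false
	}
	return p[0], true
}
```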
Referring now to Figs. 1, 3A and 3B together, on the premise that the user has already logged in to the SSO system 100, i.e. the SSO system 100 has generated a sign-on key (SOK), the user wishes to log in to the Non-Web application system 116. The user clicks the hyperlink for the Non-Web application system 116 on a page displayed by the web browser 112. The hyperlink leads to a web server, for example the web server 120 (S301), which in turn redirects the link to the JNLP file generating program 132 of the SSO server 130 (S303), where JNLP stands for Java Network Launching Protocol. The JNLP file generating program 132 is in fact a program that runs on the server (a servlet) and dynamically generates a JNLP file, and the JNLP file serves to trigger the Java Web Start (JWS) application on the local computer.
When the user makes a request to the web server 120 through the web browser 112 of the user-end computer 110, the web browser 112 sends some information to the web server 120, such as form data and Cookies, and this information is stored in the Request object of the web server 120. When the web server 120 redirects the link to the SSO server 130, the information sent by the web browser 112 is passed along and stored in the Request object of the SSO server 130. Therefore, while the JNLP file generating program 132 is generating the JNLP file, it can obtain the sign-on key (SOK) from the Cookie contained in the Request object of the SSO server 130 by operating on the Request object; this is equivalent to the JNLP file generating program 132 fetching the sign-on key (SOK) from the Cookie 114 of the user-end computer 110 (S305), and it adds the key to the JNLP file as a parameter (S307). The web browser 112 then reads the JNLP file automatically and triggers the JWS application of the user-end computer 110 (S309); the JWS application downloads a start-up program 134 from the SSO server 130 (S311), stores it temporarily on the user-end computer 110, and runs it (S313). The start-up program 134 now obtains the sign-on key (SOK) from the JNLP file, and next asks the SSO server 130 through a web service security mechanism to verify the sign-on key (SOK); if verification succeeds, the user is logged in and the Non-Web application system 116 is started without the user having to perform any further login action, which achieves the SSO effect.
The following describes in detail how the start-up program 134 asks the SSO server 130 through the web service security mechanism to verify the sign-on key (SOK), and how, on success, the user is logged in and the Non-Web application system 116 is started. First, the user-end computer 110 downloads the public key of the SSO server 130 from the SSO server 130 (S315). This public key is openly available for download, and any information to be sent to the SSO server 130 can be encrypted with it; after receiving information encrypted with this public key, the SSO server 130 decrypts it with its private key to obtain the information, and the private key is not disclosed and is held only by the SSO server 130.
Next, the user-end computer 110 randomly generates a symmetric key for symmetric encryption (Session Key, SK) (S317), encrypts this symmetric key (SK) together with the sign-on key (SOK) with the public key of the SSO server 130 (S319), and returns the result to the SSO server 130 (S321). The SSO server 130 then decrypts it with its private key to obtain the symmetric key (SK) and the sign-on key (SOK) (S323). At this point both the user-end computer 110 and the SSO server 130 hold the symmetric key (SK), so the SSO server 130 can encrypt information with this symmetric key (SK) before sending it to the user-end computer 110, and the user-end computer 110 can decrypt it with the same symmetric key (SK) to obtain the information the SSO server 130 sent.
The SSO server 130 also obtains the sign-on key (SOK) after decrypting with its private key, and can therefore ask the verification server 140 to verify this sign-on key (SOK) (S325). The verification server 140 verifies the sign-on key (SOK) (S327) and returns the result to the SSO server 130 (S329). If the result is a failure, the SSO server 130 directs the web browser 112 to display a verification-failed page. If the result indicates success, it means that the user has entered an account number/password and successfully logged in to the SSO system 100, so the SSO server 130 encrypts this authenticated account number with the symmetric key (SK) (S331) and returns it to the user-end computer 110 (S333). Finally, the user-end computer 110 decrypts with the symmetric key (SK) to obtain the authenticated account number and logs in to the Non-Web application system 116 on the user-end computer 110 with this account number.
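The exchange of S315-S333 between the start-up program 134 and the SSO server 130, as an added example that is not code from the patent, with both sides' messages and the two failure cases (an unissued SOK, a reply under the wrong SK). The description names only "public key", "private key" and "symmetric key"; RSA-OAEP, AES-GCM with the nonce prepended, the SK||SOK message layout, the in-memory issued table standing in for the verification server 140, the server key held in a package variable, and the names ClientRequest, ServerRespond and ClientOpen are assumptions made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

var (
	// Server key pair: the client downloads its public half at S315 (demo ignores the RNG-only error).
	serverKey, _ = rsa.GenerateKey(rand.Reader, 2048)
	// Constructed table of sign-on keys already issued; stands in for verification server 140 (S325-S329).
	issued = map[string]string{"sok-constructed-0001": "alice"}
)

// ClientRequest is S317-S321: a fresh random SK and the SOK, encrypted together under the server's public key.
func ClientRequest(pub *rsa.PublicKey, sok string) (sk, blob []byte, err error) {
	sk = make([]byte, 32)
	rand.Read(sk) // crypto/rand.Read never returns an error on current Go
	blob, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, append(append([]byte{}, sk...), sok...), nil)
	return sk, blob, err // EncryptOAEP fails if SK||SOK exceeds 190 bytes for a 2048-bit key
}

// ServerRespond is S323-S333: decrypt with the private key, check the SOK, reply with the account under SK.
func ServerRespond(blob []byte) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, serverKey, blob, nil)
	if err != nil || len(plain) < 32 {
		return nil, errors.New("request could not be decrypted")
	}
	account, ok := issued[string(plain[32:])] // the SOK follows the 32-byte SK
	if !ok {
		return nil, errors.New("sign-on key not recognised")
	}
	block, _ := aes.NewCipher(plain[:32]) // 32-byte key, so NewCipher cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, []byte(account), nil), nil // nonce prepended to the ciphertext
}

// ClientOpen decrypts the reply with SK and yields the account the start-up program logs the Non-Web application in with.
func ClientOpen(sk, resp []byte) (string, error) {
	block, _ := aes.NewCipher(sk) // sk is the 32-byte key made in ClientRequest
	g, _ := cipher.NewGCM(block)
	if n := g.NonceSize(); len(resp) >= n {
		plain, err := g.Open(nil, resp[:n], resp[n:], nil) // fails under any other key
		return string(plain), err
	}
	return "", errors.New("reply too short")
}
```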
In summary, when the user has logged in to the SSO system 100 and the user-end computer 110 holds a sign-on key (SOK), the invention uses Java Web Start technology so that, after the user clicks the hyperlink for the Non-Web application system 116 on a page displayed by the web browser 112, a JNLP file is dynamically generated with the sign-on key (SOK) added as a parameter, the start-up program 134 is then run on the user-end computer 110, the sign-on key (SOK) is sent through the web service security mechanism to the SSO server 130, which works with the verification server 140 to verify it and return the result, and on success the user is logged in and the Non-Web application system 116 is started. Single sign-on between Web and Non-Web application systems is thus achieved without affecting the original Non-Web application system architecture.
The above description is illustrative of the invention and not restrictive. Those of ordinary skill in the art will understand that many modifications, changes or equivalents may be made without departing from the spirit and scope defined by the following claims, and all of these fall within the scope of protection of the invention.