CN102045171B - Login method based on unified authentication system - Google Patents

Login method based on unified authentication system

Publication number: CN102045171B
Authority: CN (China)
Prior art keywords: user, ticket, authentication, subsystem, login
Legal status: Active (an assumption by Google, not a legal conclusion)
Application number: CN 201010614522
Other languages: Chinese (zh)
Other versions: CN102045171A
Inventors: 贾志东, 李劲华
Current assignee: Beijing Century Broadband Internet Data Center Co., Ltd.
Original assignee: BEIJING CENTURY BROADBAND INTERNET DATA CENTER Co Ltd

Landscapes

  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)
Abstract

The invention discloses a unified authentication system and a login method. The system comprises a login authentication and authorization management system connected to a TICKET server through a service interface module. The method comprises the following steps: the user enters a username and password to log in; if the user is legitimate, a local session is created in the user terminal, an authentication mark is generated and stored in the user terminal, and the TICKET information held in the local session is stored in the TICKET server; when the user accesses a subsystem, the subsystem obtains the authentication mark from the user terminal, fetches the corresponding TICKET information from the TICKET server, and judges from that information whether the user has the right to access the subsystem. With the invention, accessing a subsystem requires no operation from the user beyond entering the username and password, which is convenient, and even under very heavy user traffic the TICKET server does not become a bottleneck of the system.

Description

Login method based on a unified authentication system
Technical field
The present invention relates to a method by which a user accesses multiple subsystems, and specifically to a method of logging in to subsystems based on a unified authentication system.
Background art
Developing a large-scale application system often requires splitting it into multiple subsystems according to different services or functions, to reduce system complexity. If every subsystem has its own user management and its own login authentication and authorization mechanism, development and maintenance costs rise, system performance and availability drop, and the integrity requirements of the application system are not met. Therefore multiple subsystems generally share one set of user data and one login authentication and authorization flow (a unified authentication system), so that the user logs in only once to access all mutually trusting subsystems; that is, SSO (Single Sign On) is adopted.
When a user accesses application subsystem 1 for the first time, the user has not yet logged in and is redirected to the authentication system to log in. The authentication system compares the login information provided by the user against the user information database and validates the user's identity; if validation passes, it returns to the user a credential of authentication, the authentication mark Ticket. The authentication system is also responsible for validating Tickets and judging their validity. When the user goes on to access subsystem 2, the Ticket is carried along as the user's credential of authentication; on receiving the request, subsystem 2 communicates with the authentication system and sends the Ticket to it for validation, checking the Ticket's legitimacy. If validation passes, the user can access subsystem 2 without logging in again.
The main techniques currently used to implement SSO are: cookie-based; broker-based; agent-based; token-based; gateway-based (agent and broker combined); and SAML-based (Security Assertion Markup Language).
Although all of these techniques can implement SSO, they have some defects. First, they do not organically combine login, authentication and authorization, and the unified authentication system must be accessed frequently during authentication; when user traffic is very large, the authentication system becomes the bottleneck of the whole system. Second, they cannot apply a time limit to the user after a successful login (time limit here meaning, for example, that for security reasons the session expires automatically 12 or 24 hours after a successful login and the user must authenticate and be authorized again).
Summary of the invention
The object of the present invention is to provide a login method based on a unified authentication system which implements a unified process of login, authentication and authorization.
To achieve this object, the present invention adopts the following technical scheme:
A login method based on a unified authentication system, where the unified authentication system comprises: a login authentication and authorization management system implementing user management, user role management, user permission management, the user login interface logic, session generation, saving of TICKET information, and generation and saving of the authentication mark TICKET; a TICKET server for storing TICKET information; and a periodic clearing module for periodically deleting authentication marks TICKET and TICKET information. The login authentication and authorization management system is connected to the TICKET server through a service interface module, and the service interface module is connected to each subsystem. Each subsystem is equipped with an acquisition module for obtaining the user's authentication mark TICKET and the TICKET information corresponding to that authentication mark TICKET. The TICKET information comprises the user's basic information and the user's role and permission information. The method is characterised in that it comprises the following steps:
Step 1: in the user login interface, the user enters a username and password and logs in;
Step 2: if the user is a legitimate user, the login authentication and authorization management system creates a local session in the user terminal, generates an authentication mark TICKET, and saves the authentication mark TICKET in the user terminal, where the local session holds the user's TICKET information obtained from the information database on the TICKET server side;
Step 3: the login authentication and authorization management system stores the TICKET information in the TICKET server together with the authentication mark TICKET obtained by the user, so that the two correspond;
Step 4: when the user accesses a subsystem, the acquisition module of that subsystem obtains the authentication mark TICKET from the user terminal, fetches the user's TICKET information from the TICKET server according to the obtained authentication mark TICKET, and then judges from the TICKET information whether the user has the right to access the subsystem. If the user has the right, a local session is established and the user is allowed to access the subsystem with the user's own role. When the local session expires, if the subsystem can still obtain the authentication mark TICKET, it communicates with the TICKET server again and re-judges access rights; if the subsystem cannot obtain the authentication mark TICKET because it has been deleted by the periodic clearing module, the user's access ends.
The advantages of the present invention are:
After the user has entered a username and password to log in, the authentication and authorization process deciding whether the user may access a given subsystem is completed entirely by communication between that subsystem and the TICKET server, with no further operation by the user, which is convenient for the user.
During the local session of a user's access to a subsystem, the subsystem does not repeatedly and frequently access the TICKET server; therefore even under very heavy user traffic the load does not all concentrate on the TICKET server, the TICKET server does not become the bottleneck of the system, and the whole system runs smoothly.
The present invention provides a mechanism for periodically deleting authentication marks TICKET and TICKET information, which relieves storage pressure on the TICKET server and improves the security of the system.
The unified authentication system of the present invention is a complete unified login, authentication and authorization solution; each subsystem completes the SSO (single sign-on) flow with the unified authentication system through a unified credential data format.
Description of drawings
Fig. 1 is a schematic diagram of the composition of the unified authentication system of the present invention.
Embodiment
As shown in Fig. 1, the unified authentication system of the present invention comprises a login authentication and authorization management system 100 implementing user management, user role management (roles can be managed hierarchically: a higher-level user has administrative authority over lower-level users, and one user may hold multiple roles), user permission management (each user may have different access rights to each subsystem), the user login interface logic, session generation, saving of TICKET information, and generation and saving of the authentication mark TICKET, together with a TICKET server 200 for storing TICKET information. The login authentication and authorization management system 100 is connected to the TICKET server 200 through a service interface module 300; the service interface module 300 is connected to each subsystem 500, and each subsystem 500 is equipped with an acquisition module for obtaining the user's authentication mark TICKET and the TICKET information corresponding to that authentication mark TICKET.
The TICKET information may comprise the user's basic information and the user's role and permission information; the role and permission information in the TICKET information is the basis on which each subsystem implements authorization. The login authentication and authorization management system 100 gives the whole system a unified user login interface (comprising username and password input fields). Before the user accesses any subsystem, if the user has not logged in or has not passed authentication and authorization, the user is redirected to this user login interface.
The service interface module 300 is any of JMS, RMI or CORBA. JMS (Java Message Service) is the Java platform's API for message-oriented middleware, used to send messages between two applications or within a distributed system for asynchronous communication. As the underlying data communication mechanism, JMS effectively connects the login authentication and authorization management system 100, the TICKET server 200 and the subsystems 500, and standardises the data communication format between them, reducing development cost. RMI (Remote Method Invocation) is a set of Java APIs supporting the development of distributed applications. CORBA (Common Object Request Broker Architecture) is an object-oriented application architecture standard defined by the OMG.
As in Fig. 1, the login authentication and authorization management system 100, the TICKET server 200, the subsystems 500 and the service interface module 300 are all connected through the framework MULE 400. The framework MULE is a lightweight Java-based messaging framework that can quickly and conveniently connect applications and ensure that they can exchange data.
In the unified authentication system of the present invention, the core of the TICKET server 200 is a cache. In the cache, the authentication mark TICKET and its corresponding TICKET information are stored as a Key-Value pair, where the Key is the authentication mark TICKET, an MD5 hash string generated from the username plus the system time, and the Value is the TICKET information.
In practical application, the unified authentication system of the present invention may also comprise a periodic clearing module for periodically deleting authentication marks TICKET and TICKET information; that is, authentication marks TICKET and TICKET information have a validity period. An authentication mark TICKET and its TICKET information automatically become invalid after a set time (which can be adjusted), which improves the security of the system. In addition, the TICKET server 200 may also be provided with a user login logging module for recording users' login activity and a user behaviour logging module for recording users' operations.
Based on the unified authentication system described above, the present invention also proposes a login method comprising the following steps:
Step 1: in the user login interface, the user enters a username and password and logs in;
Step 2: if the user is a legitimate user, the login authentication and authorization management system 100 creates a local session (Session) in the user terminal (WEB server), generates an authentication mark TICKET, and saves the authentication mark TICKET in the user terminal (browser), where the local session holds the user's TICKET information (comprising the user's basic information and role and permission information) obtained from the server-side information database; if the user is not a legitimate user, the user is returned to the user login interface to log in again;
Step 3: the login authentication and authorization management system 100 stores the TICKET information in the TICKET server 200 together with the authentication mark TICKET obtained by the user (for example, stored as a key-value pair);
Step 4: when the user accesses a subsystem 500 (such as subsystem 1), the acquisition module of that subsystem 500 obtains the authentication mark TICKET from the user terminal (alternatively, when the user accesses the subsystem, the browser of the user terminal carries the COOKIES containing the authentication mark TICKET to the subsystem, so that the subsystem obtains the authentication mark TICKET from the COOKIES it receives), fetches the user's TICKET information from the TICKET server 200 according to the obtained authentication mark TICKET, and then judges from the TICKET information whether the user has the right to access this subsystem.
In step 2, the authentication mark TICKET may be saved in the user terminal in the form of COOKIES, so that in step 4 the acquisition module of the subsystem 500 obtains the authentication mark TICKET from the COOKIES of the user terminal.
Step 4 is the subsystem's authentication and authorization process. In step 4, if the user has the right to access the subsystem, a local session is established and the user is allowed to access the subsystem with the user's own role, where:
During the validity period of the local session, the subsystem does not need to communicate with the TICKET server 200, which relieves the load on the TICKET server 200;
When the local session expires, if the subsystem can still obtain the authentication mark TICKET (that is, the COOKIES holding the authentication mark TICKET have not expired), the subsystem communicates with the TICKET server 200 again and re-judges access rights (that is, performs the authentication and authorization process again); if the subsystem cannot obtain the authentication mark TICKET because it has been deleted by the periodic clearing module, the user's access ends and the user logs in again at the user login interface to obtain a new authentication mark TICKET, which improves system security. Likewise, if the user's TICKET information has been deleted by the periodic clearing module and the subsystem cannot obtain the user's TICKET information from the TICKET server 200 (or the TICKET information is empty), the user's local session ends and the user also logs in again at the user login interface to obtain a new authentication mark TICKET, which improves system security.
After the user has finished accessing subsystem 1 and goes on to access another subsystem (such as subsystem 2), or accesses another subsystem (such as subsystem 2) while still accessing subsystem 1, the user does not need to log in again at the user login interface; subsystem 2 only needs to communicate directly with the TICKET server to perform the authentication and authorization process, and can thereby confirm whether the user has the right to access subsystem 2.
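The following is an added example and not code from the patent or its assignee: a Python model of steps 1 to 4 above, with the TICKET server as a key-value cache, the periodic clearing module, and a subsystem that serves its local session without a TICKET server round trip and re-authorizes only once that session expires. The user database, the TTL values, the role names and the FakeClock are constructed assumptions. The ticket is derived as the patent describes (MD5 of username plus system time); a comment notes that such a value is guessable from the username and a clock and that a random token is the usual choice.

```python
import hashlib
import hmac
import time

# Constructed sample user database with per-subsystem roles (assumption, not from the patent).
USER_DB = {
    "alice": {"password": "alice-pw", "roles": {"subsystem1": "admin", "subsystem2": "viewer"}},
    "bob":   {"password": "bob-pw",   "roles": {"subsystem1": "viewer"}},
}
TICKET_TTL = 5.0         # seconds before the clearing module deletes a ticket (assumed value)
LOCAL_SESSION_TTL = 1.0  # lifetime of a subsystem's local session (assumed value)


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""
    def __init__(self, start=1000.0):
        self.t = start
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class TicketServer:
    """TICKET server 200: Key = authentication mark TICKET, Value = TICKET information."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}  # ticket -> (ticket_info, issued_at)

    def make_ticket(self, username):
        # As in the patent: MD5 of username + system time. Guessable from the username and a
        # clock, so a real deployment would use a random token (e.g. secrets.token_hex) instead.
        return hashlib.md5(f"{username}{self.clock()}".encode()).hexdigest()

    def store(self, ticket, ticket_info):
        self.cache[ticket] = (ticket_info, self.clock())

    def lookup(self, ticket):
        entry = self.cache.get(ticket)
        return None if entry is None else entry[0]

    def clear_expired(self):
        """Periodic clearing module: drop tickets and their TICKET information older than TICKET_TTL."""
        now = self.clock()
        for t in [t for t, (_, issued) in self.cache.items() if now - issued > TICKET_TTL]:
            del self.cache[t]


class AuthManagementSystem:
    """Login authentication and authorization management system 100 (steps 1 to 3)."""
    def __init__(self, ticket_server):
        self.ts = ticket_server

    def login(self, username, password):
        rec = USER_DB.get(username)
        if rec is None or not hmac.compare_digest(rec["password"], password):
            return None  # not a legitimate user: back to the login interface
        ticket = self.ts.make_ticket(username)
        info = {"username": username, "roles": dict(rec["roles"])}  # TICKET information
        self.ts.store(ticket, info)                                  # step 3
        return {"TICKET": ticket}                                    # cookie now held by the browser


class Subsystem:
    """A subsystem 500 with its acquisition module and its local session (step 4)."""
    def __init__(self, name, ticket_server, clock=time.time):
        self.name, self.ts, self.clock = name, ticket_server, clock
        self.local_sessions = {}  # ticket -> (role, established_at)
        self.server_calls = 0     # how often the TICKET server had to be asked

    def access(self, cookies):
        ticket = cookies.get("TICKET")
        if ticket is None:
            return "login required"  # no authentication mark in the cookies
        sess = self.local_sessions.get(ticket)
        now = self.clock()
        if sess and now - sess[1] <= LOCAL_SESSION_TTL:
            return f"ok as {sess[0]} (local session)"  # no TICKET server round trip
        self.server_calls += 1
        info = self.ts.lookup(ticket)
        if info is None:  # ticket / TICKET information deleted by the clearing module
            self.local_sessions.pop(ticket, None)
            return "login required"
        role = info["roles"].get(self.name)
        if role is None:
            return "access denied"  # authenticated, but not authorized for this subsystem
        self.local_sessions[ticket] = (role, now)
        return f"ok as {role}"


def demo():
    """Login, SSO into a second subsystem, local-session expiry, then ticket expiry."""
    clock = FakeClock()
    ts = TicketServer(clock)
    auth = AuthManagementSystem(ts)
    sub1, sub2 = Subsystem("subsystem1", ts, clock), Subsystem("subsystem2", ts, clock)
    out = [auth.login("alice", "wrong")]       # rejected at step 2
    cookies = auth.login("alice", "alice-pw")
    out += [sub1.access(cookies), sub1.access(cookies), sub2.access(cookies), sub1.server_calls]
    clock.advance(2)                           # local session expired, ticket still valid
    out += [sub1.access(cookies), sub1.server_calls]
    clock.advance(10)
    ts.clear_expired()                         # clearing module removes alice's ticket
    out.append(sub1.access(cookies))
    out.append(sub2.access(auth.login("bob", "bob-pw")))  # bob has no role on subsystem2
    return out
```

Running demo() shows the load-reduction claim concretely: subsystem1 contacts the TICKET server once for the first access and once more after its local session lapses, and the second access in between is served locally. It also shows the expiry rule of step 4: once the clearing module has removed the ticket, the stale local session is discarded rather than honoured, and the user is sent back to the login interface.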
In the present invention, after the user has entered a username and password to log in, the authentication and authorization process deciding whether the user may access a given subsystem is completed entirely by communication between that subsystem and the TICKET server, with no further operation by the user, which is convenient for the user.
During the local session of a user's access to a subsystem, the subsystem does not repeatedly and frequently access the TICKET server; therefore even under very heavy user traffic the load does not all concentrate on the TICKET server, the TICKET server does not become the bottleneck of the system, and the whole system runs smoothly.
The present invention provides a mechanism for periodically deleting authentication marks TICKET and TICKET information, which relieves storage pressure on the TICKET server and improves the security of the system.
The above is a preferred embodiment of the present invention and the technical principles it uses. For a person skilled in the art, any obvious changes such as equivalent transformations or simple substitutions based on the technical scheme of the present invention, made without departing from the spirit and scope of the present invention, fall within the scope of protection of the present invention.

Claims (2)

1. A login method based on a unified authentication system, where the unified authentication system comprises: a login authentication and authorization management system implementing user management, user role management, user permission management, the user login interface logic, session generation, saving of TICKET information, and generation and saving of the authentication mark TICKET; a TICKET server for storing TICKET information; and a periodic clearing module for periodically deleting authentication marks TICKET and TICKET information; the login authentication and authorization management system is connected to the TICKET server through a service interface module; the service interface module is connected to each subsystem; each subsystem is equipped with an acquisition module for obtaining the user's authentication mark TICKET and the TICKET information corresponding to that authentication mark TICKET; and the TICKET information comprises the user's basic information and the user's role and permission information; characterised in that the login method comprises the following steps:
Step 1: in the user login interface, the user enters a username and password and logs in;
Step 2: if the user is a legitimate user, said login authentication and authorization management system creates a local session in the user terminal, generates an authentication mark TICKET, and saves the authentication mark TICKET in the user terminal, where the local session holds the user's TICKET information obtained from the information database on the TICKET server side;
Step 3: said login authentication and authorization management system stores the TICKET information in the TICKET server together with the authentication mark TICKET obtained by the user, so that the two correspond;
Step 4: when the user accesses a subsystem, the acquisition module of that subsystem obtains the authentication mark TICKET from the user terminal, fetches the user's TICKET information from the TICKET server according to the obtained authentication mark TICKET, and then judges from the TICKET information whether the user has the right to access the subsystem; if the user has the right, a local session is established and the user is allowed to access the subsystem with the user's own role; when the local session expires, if the subsystem can still obtain said authentication mark TICKET, it communicates with the TICKET server again and re-judges access rights, and if the subsystem cannot obtain said authentication mark TICKET because it has been deleted by the periodic clearing module, the user's access ends.
2. The login method of claim 1, characterised in that:
In said step 2, said authentication mark TICKET is saved in the user terminal in the form of COOKIES, so that in said step 4 the acquisition module of the subsystem obtains said authentication mark TICKET from the COOKIES of the user terminal.

Priority application: CN 201010614522, priority date 2010-12-30, filing date 2010-12-30, "Login method based on unified authentication system" (Active)

Publications:
  CN102045171A, published 2011-05-04
  CN102045171B, published 2012-12-05

Family ID: 43910990

Country status: CN, CN102045171B

Families Citing this family (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102457514B (en) * 2011-05-31 2014-08-27 高儒振 Mobile terminal-oriented short message authentication method of wireless network
CN103034790B (en) * 2011-09-30 2016-02-24 上海博泰悦臻网络技术服务有限公司 Service system and user right Activiation method thereof
CN102523177A (en) * 2011-12-19 2012-06-27 北京新媒传信科技有限公司 Method and system for realization of message push service
CN103634271B (en) * 2012-08-21 2018-07-06 腾讯科技(深圳)有限公司 A kind of authority control method of authority control system, device and network request
CN103152336A (en) * 2013-02-22 2013-06-12 浪潮电子信息产业股份有限公司 Distributed authorization and authentication method in cloud computing environment
CN103227799A (en) * 2013-05-13 2013-07-31 山东临沂烟草有限公司 Implementing method of unified user management and single sign-on platform based on multiple application systems
CN105721486A (en) * 2016-03-07 2016-06-29 北汽福田汽车股份有限公司 Single-user multi-system sign-on framework and method
CN105763569B (en) * 2016-04-21 2019-05-03 网宿科技股份有限公司 To the method for account authentication, client, service platform and management platform
CN106101054A (en) * 2016-04-29 2016-11-09 乐视控股(北京)有限公司 The single-point logging method of a kind of multisystem and centralized management system
CN106302479B (en) * 2016-08-18 2019-03-05 武汉斗鱼网络科技有限公司 A kind of single-point logging method and system for multi-service internet site
CN108881108A (en) * 2017-05-09 2018-11-23 北京京东尚科信息技术有限公司 The method and apparatus of rights management
CN107770151A (en) * 2017-09-01 2018-03-06 北京中燕信息技术有限公司 A kind of enterprise's integrated work management system and its method
CN107733989A (en) * 2017-09-18 2018-02-23 上海斐讯数据通信技术有限公司 The method and system of data information transfer between a kind of current page
CN108768955A (en) * 2018-05-04 2018-11-06 泰康保险集团股份有限公司 A kind of login method and device
CN109491733B (en) * 2018-09-26 2023-12-08 深圳平安医疗健康科技服务有限公司 Interface display method based on visualization and related equipment
CN109740333B (en) * 2018-12-28 2023-07-18 上汽通用五菱汽车股份有限公司 Rights management method for integrated system and subsystem, server and storage medium
CN110673971A (en) * 2019-09-30 2020-01-10 北京金山云网络技术有限公司 Processing method and device for expiration of login session and user terminal
CN110990828A (en) * 2019-11-26 2020-04-10 广州探途网络技术有限公司 Aggregation management system and method for multi-information system
CN111159689A (en) * 2019-12-30 2020-05-15 深圳市中易科技有限责任公司 Method and system for supporting unified user management of multiple systems

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030188193A1 (en) * 2002-03-28 2003-10-02 International Business Machines Corporation Single sign on for kerberos authentication
CN101026481A (en) * 2006-02-21 2007-08-29 华为技术有限公司 Integrated user safety management method and device
CN101355527A (en) * 2008-08-15 2009-01-28 深圳市中兴移动通信有限公司 Method for implementing single-point LOG striding domain name


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
郑壮贤 et al., "基于Cookie的门户网站单点登录系统设计实现" (Design and implementation of a cookie-based single sign-on system for portal websites), 计算机技术与发展 (Computer Technology and Development), 2008, vol. 18, no. 6, pp. 199-201. *


Similar Documents

Publication Publication Date Title
CN102045171B (en) Login method based on unified authentication system
US10484385B2 (en) Accessing an application through application clients and web browsers
US7546630B2 (en) Methods, systems, and media to authenticate a user
CN103248680B (en) Method and system for sharing network disk data
CN108476216B (en) System and method for integrating a transactional middleware platform with a centralized access manager for single sign-on in an enterprise-class computing environment
CN104320423B (en) Single-sign-on lightweight implementation method based on Cookie
CN101159557B (en) Single point logging method, device and system
JP5334693B2 (en) Network management method, network management program, network system, and relay device
US20150248286A1 (en) System and methods for remote maintenance in an electronic network with multiple clients
CN101098231B (en) Information processing system, recording medium storing control program, and computer data signal embodied in a carrier wave
CN101277193A (en) One-point entry and access system based on authentication service acting information facing to service architecture
US20080141350A1 (en) Authentication for computer system management
CN106134154A (en) The technology that the authentication token operation utilizing machine to generate services
CN104168304B (en) Single-node login system and method under VDI environment
CN103095720B (en) A kind of method for managing security of cloud storage system of dialogue-based management server
CN104255007A (en) Oauth framework
CN107770192A (en) Identity authentication method and computer-readable recording medium in multisystem
CN105141580B (en) A kind of resource access control method based on the domain AD
CN104283875A (en) Cloud disk authority management method
CN107743702A (en) The single-sign-on of trustship mobile device
CN106453396A (en) Double token account login method and login verification device
CN106844111A (en) The access method of cloud storage NFS
CN105049445B (en) A kind of access control method and free-standing access controller
CN102694867A (en) Attribution-based cross-security domain access control method and system in SOA (Service Oriented Architecture)
CN104580081A (en) Integrated SSO (single sign on) system

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
ASS: Succession or assignment of patent right, effective 20121022. Former owners: BEIJING CLOUDEX SOFTWARE SERVICES CO., LTD.; BEIJING BANYANO DATA CENTER SOLUTIONS LTD. New owner: BEIJING CENTURY BROADBAND INTERNET DATA CENTER CO.
C41 / TA01: Transfer of patent application right, registered 20121022. Applicant after: Beijing Century Broadband Internet Data Center Co., Ltd. (100015 No. 3, building 5, building 1, Jiuxianqiao East Road, Chaoyang District, Beijing). Applicants before: Beijing BANYANO Data Center Solutions Ltd.; Beijing CloudEx Software Service Co., Ltd. (same address).
C14 / GR01: Grant of patent