Background technology
Developing a large-scale application system often requires splitting it into a plurality of subsystems according to different services or functions, so as to reduce system complexity. If each subsystem has its own user management and its own user login, authentication and authorization scheme, this not only increases the cost of developing and maintaining the system and reduces system performance and usability, but also fails to meet the integrity requirements of the application system. Therefore, a plurality of subsystems generally share one set of user data and one login authentication and authorization flow (a unified authentication system), so that a user only needs to log in once to access all mutually trusting subsystems; that is, SSO (Single Sign On) is adopted.
When a user accesses application subsystem 1 for the first time, the user has not yet logged in and is redirected to the authentication system to log in. According to the login information the user provides, the authentication system compares the user's login information with the user information database and verifies the user's identity; if verification passes, a credential, the authentication mark Ticket, is returned to the user. Of course, the authentication system must also verify the Ticket and judge its validity. When the user later accesses subsystem 2, the user carries this Ticket as the credential of his own authentication; after receiving the request, subsystem 2 communicates with the authentication system and sends the Ticket to it for verification, which checks the legitimacy of the Ticket. If verification passes, the user can access subsystem 2 without logging in again.
The technologies currently used to realize SSO mainly include the following: cookie-based; broker-based; agent-based; token-based; gateway-based (agent-and-broker-based); and SAML-based (Security Assertion Markup Language).
Although all of the above technologies can realize SSO, they have some defects. First, they do not organically combine login, authentication and authorization, and the unified authentication system must be accessed frequently during authentication; when the volume of user access is very large, the authentication system becomes the bottleneck of the whole system. Second, they cannot enforce time-limited control over the user after a successful login (time-limited here means, for example, that for security reasons the session is required to expire automatically 12 or 24 hours after a successful login, after which the user must be authenticated and authorized again).
Summary of the invention
The object of the present invention is to provide a login method based on a unified authentication system, which realizes a process of unified login, authentication and authorization.
To achieve this object, the present invention adopts the following technical scheme:
A login method based on a unified authentication system. The unified authentication system comprises: a login authentication and authorization management system for realizing user management, user role management, user authority management, the user login interface logic, session generation, preservation of TICKET information, and generation and preservation of the authentication mark TICKET; a TICKET server for storing TICKET information; and a periodic clearing module for periodically deleting authentication mark TICKETs and TICKET information. The login authentication and authorization management system is connected with the TICKET server through a service interface module, and the service interface module is connected with each subsystem. Each subsystem is equipped with an acquisition module for obtaining the user's authentication mark TICKET and the TICKET information corresponding to that authentication mark TICKET; the TICKET information comprises user basic information and user role authority information. The method is characterized in that it comprises the following steps:
Step 1: in the user login interface, the user enters a user name and password and logs in;
Step 2: if the user is a valid user, the login authentication and authorization management system creates a local session at the user terminal, generates an authentication mark TICKET and keeps this authentication mark TICKET at the user terminal; the TICKET information of this user, obtained from the information database at the TICKET server end, is kept in this local session;
Step 3: the login authentication and authorization management system stores this TICKET information in the TICKET server together with the authentication mark TICKET obtained by the user, such that the authentication mark TICKET corresponds to the TICKET information;
Step 4: when the user accesses a subsystem, the acquisition module of that subsystem obtains the authentication mark TICKET from the user terminal, obtains the user's TICKET information from the TICKET server according to the obtained authentication mark TICKET, and then judges according to the TICKET information whether the user has the right to access the subsystem. If the user has the right to access the subsystem, a local session is established and the user is allowed to access the subsystem with his own role. After this local session expires, if the subsystem can still obtain the authentication mark TICKET, the subsystem communicates with the TICKET server again and repeats the access authority judgement; if the subsystem cannot obtain the authentication mark TICKET because it has been deleted by the periodic clearing module, the user's access ends.
The advantages of the present invention are:
In the present invention, after the user enters the user name and password and logs in, the authentication and authorization process that decides whether the user can access a given subsystem is completed solely by communication between that subsystem and the TICKET server, without the user performing any further operation, which is convenient for the user.
During the local session of a user's access to a subsystem, the subsystem does not frequently and repeatedly access the TICKET server; therefore, even when the volume of user access is very large, the load does not all concentrate on the TICKET server, so the TICKET server does not become the bottleneck of the system, and the smooth operation of the whole system is guaranteed.
The present invention provides a mechanism for periodically deleting authentication mark TICKETs and TICKET information; this mechanism relieves the storage pressure on the TICKET server and improves the security of the system.
The unified authentication system of the present invention is a complete unified login, authentication and authorization solution; the SSO (single sign-on) flow is completed through a unified credential data format between each subsystem and the unified authentication system of the present invention.
Embodiment
As shown in Figure 1, the unified authentication system of the present invention comprises a login authentication and authorization management system 100 and a TICKET server 200 for storing TICKET information. The login authentication and authorization management system 100 realizes user management, user role management (roles can be managed hierarchically: a higher-level user has administration authority over lower-level users, and one user may have multiple roles), user authority management (each user may have different access rights to each subsystem), the user login interface logic, session generation, preservation of TICKET information, and generation and preservation of the authentication mark TICKET. The login authentication and authorization management system 100 is connected with the TICKET server 200 through a service interface module 300; the service interface module 300 is connected with each subsystem 500, and each subsystem 500 is equipped with an acquisition module for obtaining the user's authentication mark TICKET and the TICKET information corresponding to that authentication mark TICKET.
The TICKET information may comprise user basic information and user role authority information; the user role authority information in the TICKET information is the basis on which each subsystem realizes authorization. The login authentication and authorization management system 100 gives the whole system a unified user login interface (comprising user name and password input boxes). Before a user accesses any subsystem, if the user has not logged in or has not passed authentication and authorization, the user is redirected to this user login interface.
The service interface module 300 is any one of JMS, RMI or CORBA. JMS (Java Message Service) is the Java platform API for message-oriented middleware, used to send messages between two applications or within a distributed system for asynchronous communication. As the underlying data communication mode, JMS effectively connects the login authentication and authorization management system 100, the TICKET server 200 and each subsystem 500, and standardizes the data communication format between them, reducing development cost. RMI (Remote Method Invocation) is a set of Java APIs supporting the development of distributed applications. CORBA (Common Object Request Broker Architecture) is an object-oriented application system standard formulated by the OMG (Object Management Group).
As in Figure 1, the login authentication and authorization management system 100, the TICKET server 200, each subsystem 500 and the service interface module 300 are all connected by a framework MULE 400. The framework MULE is a lightweight Java-based messaging framework that can quickly and easily connect applications and guarantee that data can be exchanged between them.
In the unified authentication system of the present invention, the core of the TICKET server 200 is a cache. In the cache, the authentication mark TICKET and its corresponding TICKET information are stored as Key-Value pairs, where the Key is the authentication mark TICKET, an MD5 string generated from the user name concatenated with the system time, and the Value is the TICKET information.
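The Key-Value cache just described, as an added example in Python that is not part of the patent text or of any implementation of it. It builds the Key the way the page describes (an MD5 string over the user name plus the system time) and, beside it, the check a practitioner would want before adopting such a Key: because the only inputs are a user name and a timestamp, anyone who knows the user name and roughly when the login happened can enumerate candidate Keys against the cache. The concatenation order and the time unit are not given on the page; plain concatenation with a millisecond timestamp is an assumption made here, as are the sample user, roles and login time. The random token shown for comparison is an alternative not taken from the page.

```python
# Added example, not from the patent: the TICKET server's Key-Value cache as a
# dict keyed the way the page describes (MD5 over user name + system time),
# a random token beside it, and an enumeration check against the page-style key.
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def page_ticket(username: str, millis: int) -> str:
    """Key as the page describes: MD5 of user name + system time.

    Concatenation order and time unit are not on the page; plain
    concatenation with a millisecond timestamp is assumed here.
    """
    return hashlib.md5(f"{username}{millis}".encode()).hexdigest()


def random_ticket() -> str:
    """Alternative not on the page: 128 bits from the OS CSPRNG, no structure."""
    return secrets.token_hex(16)


def enumerate_page_ticket(cache: Dict[str, dict], username: str,
                          window_start_ms: int, window_ms: int) -> Tuple[Optional[str], int]:
    """Try every page-style Key for ``username`` inside a time window.

    Returns (ticket or None, candidates tried).  Each candidate costs one
    cache lookup, so the work is bounded by the window size, not by the
    128-bit length of the MD5 digest.
    """
    tries = 0
    for t in range(window_start_ms, window_start_ms + window_ms):
        tries += 1
        candidate = page_ticket(username, t)
        if candidate in cache:
            return candidate, tries
    return None, tries


def demo() -> dict:
    """Store one ticket of each kind, then run the enumeration against the cache."""
    cache: Dict[str, dict] = {}                        # the server's Key-Value cache
    info = {"user": "alice", "roles": {"subsystem1": "reader"}}  # constructed
    login_ms = 1_700_000_000_123                       # constructed login time

    weak = page_ticket("alice", login_ms)
    strong = random_ticket()
    cache[weak] = info
    cache[strong] = info

    # The searcher knows the user name and that login happened within a minute.
    found, tries = enumerate_page_ticket(cache, "alice", login_ms - 30_000, 60_000)
    return {
        "weak_recovered": found == weak,
        "tries": tries,
        "random_ticket_bits": len(strong) * 4,
    }


if __name__ == "__main__":
    print(demo())
```

The enumeration finds the page-style Key after about thirty thousand MD5 computations, which is a few milliseconds of work; the random token cannot be found this way because there is no input to search over. A deployment that keeps the page's Key construction should at least ensure the TICKET server is not reachable by anyone other than the subsystems, and should prefer a token drawn from a CSPRNG.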
In practical application, the unified authentication system of the present invention may also comprise a periodic clearing module for periodically deleting authentication mark TICKETs and TICKET information; that is, the authentication mark TICKET and the TICKET information have a validity period. The authentication mark TICKET and the TICKET information expire automatically after a set time (this set time can be adjusted), which improves the security of the system. In addition, the TICKET server 200 may also be provided with a user login logging module for recording user login events and a user behaviour logging module for recording user operations.
Based on the unified authentication system described above, the invention also proposes a login method comprising the following steps:
Step 1: in the user login interface, the user enters a user name and password and logs in;
Step 2: if the user is a valid user, the login authentication and authorization management system 100 creates a local session (Session) at the user terminal (WEB server), generates an authentication mark TICKET and keeps this authentication mark TICKET at the user terminal (browser); the TICKET information of this user (comprising user basic information and user role authority information), obtained from the information database at the server end, is kept in this local session. If the user is an invalid user, the user is returned to the user login interface to log in again;
Step 3: the login authentication and authorization management system 100 stores this TICKET information in the TICKET server 200 together with the authentication mark TICKET obtained by the user, such that the authentication mark TICKET corresponds to the TICKET information (for example, stored in the form of a key-value pair);
Step 4: when the user accesses a subsystem 500 (for example subsystem 1), the acquisition module of that subsystem 500 obtains the authentication mark TICKET from the user terminal (alternatively, when the user accesses the subsystem, the browser of the user terminal carries the COOKIES containing the authentication mark TICKET into the subsystem, so that the subsystem obtains the authentication mark TICKET from the COOKIES brought with the request); according to the obtained authentication mark TICKET, the subsystem obtains the user's TICKET information from the TICKET server 200, and then judges according to the TICKET information whether the user has the right to access the subsystem.
In step 2, the authentication mark TICKET may be kept at the user terminal in the form of COOKIES, so that in step 4 the acquisition module of the subsystem 500 can obtain the authentication mark TICKET from the COOKIES of the user terminal.
Step 4 is the authentication and authorization process of the subsystem. In step 4, if the user has the right to access the subsystem, a local session is established and the user is allowed to access the subsystem with his own role, wherein:
During the validity period of the local session, the subsystem need not communicate with the TICKET server 200, which relieves the burden on the TICKET server 200;
After the local session expires, if the subsystem can still obtain the authentication mark TICKET (that is, the COOKIES holding the authentication mark TICKET have not expired), the subsystem communicates with the TICKET server 200 again and repeats the access authority judgement (that is, the authentication and authorization process); if the subsystem cannot obtain the authentication mark TICKET because it has been deleted by the periodic clearing module, the user's access ends, and the user logs in again through the user login interface to obtain a new authentication mark TICKET, which improves the security of the system. Likewise, if the subsystem cannot obtain the user's TICKET information from the TICKET server 200 because it has been deleted by the periodic clearing module (that is, the TICKET information is empty), the user's local session ends and the user must also log in again through the user login interface to obtain a new authentication mark TICKET, which enhances the security of the system.
After the user has finished accessing subsystem 1 and then accesses another subsystem (for example subsystem 2), or accesses another subsystem (for example subsystem 2) while still accessing subsystem 1, the user need not log in again at the user login interface; subsystem 2 only needs to communicate directly with the TICKET server to perform the authentication and authorization process in order to confirm whether the user has the right to access subsystem 2.
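The login method of steps 1 to 4, both as claimed above and as detailed in this embodiment, as an added example in Python that is not part of the patent text or of any implementation of it. It is an in-process simulation written so that the expiry rules of step 4 can be checked: the TICKET server, the subsystems and the browser cookie are in-memory objects, the service interface module (JMS/RMI/CORBA) and the MULE framework are replaced by direct method calls, and time is a counter advanced by hand. Tickets are random tokens here rather than the page's MD5 of user name plus system time; the user table, role names, the two validity periods and the subsystem names are all constructed for the example. A counter on the TICKET server records how many times the subsystems consult it, which is the quantity behind the page's claim that the server does not become a bottleneck.

```python
# Added example, not from the patent: steps 1-4 as in-memory objects with a
# hand-advanced clock, so local-session expiry, periodic clearing and the
# number of TICKET server lookups can be observed.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

TICKET_TTL = 100         # assumed validity of TICKET information on the server
LOCAL_SESSION_TTL = 10   # assumed validity of a subsystem's local session

# constructed user table: name -> (password, {subsystem: role})
USERS = {
    "alice": ("s3cret", {"subsystem1": "reader", "subsystem2": "editor"}),
    "bob": ("hunter2", {"subsystem1": "reader"}),
}


class TicketServer:
    """Key-Value cache: ticket -> TICKET information, plus the clearing module."""

    def __init__(self) -> None:
        self.cache: Dict[str, dict] = {}
        self.lookups = 0                       # subsystem -> TICKET server traffic

    def put(self, ticket: str, info: dict, now: int) -> None:
        self.cache[ticket] = dict(info, expires=now + TICKET_TTL)

    def get(self, ticket: str) -> Optional[dict]:
        self.lookups += 1
        return self.cache.get(ticket)

    def periodic_clear(self, now: int) -> None:
        """Periodic clearing module: drop expired tickets and their information."""
        for t in [t for t, v in self.cache.items() if v["expires"] <= now]:
            del self.cache[t]


class AuthManagementSystem:
    """Steps 1 to 3: verify the password, issue a ticket, store TICKET information."""

    def __init__(self, server: TicketServer) -> None:
        self.server = server

    def login(self, username: str, password: str, now: int) -> Optional[str]:
        record = USERS.get(username)
        if record is None or record[0] != password:
            return None                        # invalid user: back to the login page
        ticket = secrets.token_hex(16)         # random token (page uses MD5 of name+time)
        self.server.put(ticket, {"user": username, "roles": record[1]}, now)
        return ticket


@dataclass
class Subsystem:
    """Step 4: authorize from TICKET information, then serve from a local session."""
    name: str
    server: TicketServer
    sessions: Dict[str, dict] = field(default_factory=dict)

    def access(self, cookie: Dict[str, str], now: int) -> str:
        ticket = cookie.get("TICKET")          # acquisition module reads the cookie
        if ticket is None:
            return "login"
        sess = self.sessions.get(ticket)
        if sess and sess["expires"] > now:     # live local session: no server call
            return f"ok:{sess['role']}"
        info = self.server.get(ticket)         # no/expired session: ask the server
        if info is None:                       # ticket purged: access ends
            self.sessions.pop(ticket, None)
            return "login"
        role = info["roles"].get(self.name)    # role authority decides per subsystem
        if role is None:
            return "forbidden"
        self.sessions[ticket] = {"role": role, "expires": now + LOCAL_SESSION_TTL}
        return f"ok:{role}"


def run_flow() -> dict:
    """Drive two users through both subsystems across the expiry boundaries."""
    server = TicketServer()
    auth = AuthManagementSystem(server)
    sub1, sub2 = Subsystem("subsystem1", server), Subsystem("subsystem2", server)
    alice, bob, trace = {}, {}, {}

    trace["bad_password"] = auth.login("alice", "wrong", now=0)
    alice["TICKET"] = auth.login("alice", "s3cret", now=0)
    bob["TICKET"] = auth.login("bob", "hunter2", now=0)
    trace["sub1_first"] = sub1.access(alice, now=1)        # server lookup, session made
    trace["sub1_cached"] = sub1.access(alice, now=5)       # served from local session
    trace["sub2_no_relogin"] = sub2.access(alice, now=6)   # SSO: no second login
    trace["lookups_so_far"] = server.lookups
    trace["bob_sub2"] = sub2.access(bob, now=7)            # no role for subsystem2
    trace["sub1_after_session_expiry"] = sub1.access(alice, now=12)  # re-validated
    server.periodic_clear(now=TICKET_TTL + 1)              # clearing module fires
    trace["sub1_after_ticket_purge"] = sub1.access(alice, now=TICKET_TTL + 2)
    trace["total_lookups"] = server.lookups
    return trace


if __name__ == "__main__":
    for k, v in run_flow().items():
        print(f"{k}: {v}")
```

Running it shows the shape of the claims: the second access to subsystem 1 inside the local session costs no TICKET server lookup, subsystem 2 is entered without a second login, access after the local session expires is re-validated against the server, and once the clearing module has removed the ticket the same cookie yields a redirect to the login interface. Note that in this model, as in the page, a subsystem's local session outlives a ticket deleted from the server until the local session itself expires; a deployment that needs immediate revocation must keep the local session validity short or have the clearing module notify the subsystems.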
The above are preferred embodiments of the present invention and the technical principles used therein. For a person skilled in the art, any obvious changes, such as equivalent transformations or simple replacements made on the basis of the technical scheme of the present invention, that do not depart from the spirit and scope of the present invention all fall within the scope of protection of the present invention.