CN102404349B - Single sign-on method - Google Patents


Info

Publication number
CN102404349B
Authority
CN
China
Prior art keywords
user
url
login
client
checking
Legal status
Active
Application number
CN201110460189.9A
Other languages
Chinese (zh)
Other versions
CN102404349A (en)
Inventor
李莉
李殊强
文春洋
刘耀
Current Assignee
SHANDONG CIVIC SE COMMERCIAL MIDDLEWARE Co.,Ltd.
Original Assignee
CVIC Software Engineering Co Ltd
Priority date
2011-12-31
Filing date
2011-12-31
Publication date
2012-04-04 (CN102404349A), 2014-05-21 (CN102404349B, grant)


Abstract

The invention provides a single sign-on method comprising the steps of: setting in advance a reading mode for each module of the accessed platform, the reading mode comprising an interception mode for every item in the corresponding module; and performing interception checking on the user login URL (Uniform Resource Locator) and the user credential validation URL according to that reading mode. Because interception checking of the user login URL and the user credential validation URL can follow the different items of different modules, the invention solves the problem that simple interception checking of all URLs cannot meet practical requirements.

Description

Single sign-on method
Technical field
The present invention relates to the technical field of message processing, and more particularly to a single sign-on method.
Background technology
Some larger systems and platforms are generally composed of many modules. The Trustie platform, for example, is made up of modules such as a collaboration platform, a portal, a project portal, a wiki, defect management, mailing lists and forums. These modules share the same database user table, but each module has its own independent login: having logged in to the mailing list, a user must log in again to enter the forum. This is inconvenient for users of these application modules.
Single sign-on (SSO) lets a user log in once and then use the modules repeatedly. However, because the Trustie platform is composed of multiple modules that use different technologies, the work SSO has to do for each module also differs. Using SSO under these conditions therefore requires extending it according to the actual situation of each module.
For example, SSO has three authentication service interfaces: the user login URL, the user credential validation URL and the user logout URL. Existing SSO can only apply interception checking to all URLs for these three kinds of validation address, but in a larger system or platform the URL addresses each module needs to validate may differ. The project portal module, for instance, only needs to intercept the two items mailing list and forum; the rest need no interception. Simple interception checking of all URLs therefore cannot meet actual requirements.
Summary of the invention
In view of this, the object of the invention is to provide a single sign-on method that solves the series of problems described above.
To achieve the above object, the invention provides the following technical scheme:
A single sign-on method based on the HTTP protocol, the method comprising:
setting in advance a reading mode for each module of the accessed platform, the reading mode comprising an interception mode for every item in the corresponding module;
performing interception checking on the user login URL and the user credential validation URL according to the reading mode.
Thus, in the present invention, interception checking of the user login URL and the user credential validation URL can follow the different items of different modules, which solves the problem that simple interception checking of all URLs cannot meet actual requirements.
Brief description of the drawings
To illustrate the embodiments of the present invention or the technical schemes of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the single sign-on method provided by an embodiment of the present invention.
Detailed description of the embodiments
For ease of reference and clarity, the technical terms, short forms and abbreviations used below are summarized as follows:
AJAX: a term coined by Jesse James Garrett for a web development technique used to create interactive web applications;
HTTPS: Hypertext Transfer Protocol Secure;
HTTP: Hypertext Transfer Protocol;
SQL: Structured Query Language.
The technical schemes in the embodiments of the present invention are described below clearly and completely with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments that those of ordinary skill in the art obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
SSO generally uses the HTTPS protocol. Using HTTPS requires generating a corresponding security certificate on the server side, and if the client and the server are not on the same machine, the certificate generated by the server must also be copied to the client machine to establish trust, which makes the whole deployment process cumbersome. Note, however, that plain HTTP carries the login form and the credential validation exchange in cleartext, so an HTTP-based deployment trades this certificate set-up for exposure to anyone on the network path.
In addition, SSO has three authentication service interfaces: the user login URL, the user credential validation URL and the user logout URL. Existing SSO can only apply interception checking to all URLs for these three kinds of validation address, but in a larger system or platform the URL addresses each module needs to validate may differ. For the project portal module, for example, only the two items mailing list and forum need to be intercepted; the rest need no interception. Simple interception checking of all URLs therefore cannot meet actual requirements.
In view of this, an embodiment of the invention discloses a single sign-on method based on the HTTP protocol. Referring to Fig. 1, the method comprises:
S1. Setting in advance a reading mode for each module of the accessed platform, the reading mode comprising an interception mode for every item in the corresponding module.
Taking the project portal module as an example, suppose it needs to intercept the two items mailing list and forum and nothing else. Then the interception mode of the mailing list and forum items of the project portal module is set to "Yes" in advance, and the interception mode of the other items in the project portal module is set to "No".
S2. Performing interception checking on the user login URL and the user credential validation URL according to the reading mode.
Continuing the example configured in step S1, when the project portal module is accessed, interception checking of the user login URL and the user credential validation URL is performed only when the user accesses the mailing list and forum items.
Specifically, for the user login URL, the login validation method is extended so that it determines how the URL is to be read from a parameter set in the client application's XML file (the XML file configures the user login URL and the user credential validation URL that need to be validated; the parameter applies to both URLs). The extended authentication method then filters according to the reading mode of the URL, and the XML configuration of the client application is changed correspondingly.
The user credential validation URL is handled in the same way as the login address. The user logout URL needs no processing.
Existing single sign-on only offers a simple check that the username and password match. On some platforms, however, usernames and passwords are all kept in a database, so SSO must be connected to that database.
To connect SSO to the database, in other embodiments of the invention the method may further comprise the following step:
adding an MD5 encryption/decryption class on the client side, and injecting the database dependency into the client XML file.
In existing single sign-on, the passwords in the database that some platforms use to store usernames and passwords are encrypted with the MD5 algorithm. In view of this, in other embodiments of the invention the method may further comprise the following step:
injecting the MD5 encryption class dependency into the client XML file; that is, adding an MD5 encryption/decryption class to the SSO client and injecting the dependency on that encryption class in the SSO client XML file.
Existing single sign-on can only obtain the username of the logged-in user, not other specific information about the user such as mailbox or telephone number.
In view of this, in other embodiments of the invention the method may further comprise the following steps: providing a query-attribute dependency, and providing an attribute that stores the SQL query condition and an attribute for the query result. The query condition attribute and the query result attribute can be used to obtain the information of the logged-in user.
Specifically, the SSO provides the query-attribute dependency together with the stored SQL query condition attribute and the query result attribute. When other information about the logged-in user is needed, the stored SQL query condition attribute and the map corresponding to the query result attribute are modified, adding the attributes to be queried to the map. The additional information of the logged-in user is then obtained through the SSO's AttributePrincipal, and the deployerConfigContext.xml file of the CAS server is changed correspondingly.
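The database-backed steps above (connecting the SSO to the platform's user table, checking a submitted password against the stored MD5 value, and resolving extra principal attributes through a configurable query condition and result-attribute map) are illustrated by the following example. It is an added illustration written for this page, not the patent's or CAS's code, and it uses Python with an in-memory SQLite table rather than the Java stack the patent targets. The table layout, column names, the `ATTRIBUTE_QUERY`/`ATTRIBUTE_MAP` names and the sample rows are constructed for the example. One caveat the patent's wording hides: MD5 is a one-way digest, not encryption, so the only possible "verification" is to hash the submitted password and compare digests, and an unsalted MD5 table offers no protection against offline cracking once it leaks.

```python
"""Database-backed credential validation and attribute lookup for an SSO server.

Added example (not the patent's code). Passwords in the sample table are
stored as MD5 hex digests, as the patent describes; the handler hashes the
submitted password and compares digests in constant time. The query
condition and the column -> attribute map are plain configuration, so
exposing one more field means adding one map entry and one column.
"""
import hashlib
import hmac
import sqlite3


def md5_hex(password: str) -> str:
    """MD5 hex digest, matching how the platform's table stores passwords.
    Swapping this single function for a salted, slow KDF (e.g.
    hashlib.pbkdf2_hmac) is the hardening step a practitioner would take."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_sample_db() -> sqlite3.Connection:
    """Constructed user table standing in for the platform's shared database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, "
        "email TEXT, phone TEXT, dept TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", [
        ("alice", md5_hex("correct horse"), "alice@example.test", "555-0100", "dev"),
        ("bob",   md5_hex("hunter2"),       "bob@example.test",   "555-0101", "qa"),
    ])
    return conn


# Assumed names for the patent's "SQL query condition attribute" and
# "query result attribute" map (column name -> attribute name on the principal).
ATTRIBUTE_QUERY = "SELECT email, phone FROM users WHERE username = ?"
ATTRIBUTE_MAP = {"email": "mail", "phone": "telephoneNumber"}


class DatabaseAuthHandler:
    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def authenticate(self, username: str, password: str) -> bool:
        """True only if the MD5 digest of the submitted password equals the stored one."""
        row = self.conn.execute(
            "SELECT password FROM users WHERE username = ?", (username,)
        ).fetchone()
        submitted = md5_hex(password)          # hash even for unknown users: same work either way
        if row is None:
            return False
        return hmac.compare_digest(submitted, row[0])

    def resolve_attributes(self, username: str, query: str = ATTRIBUTE_QUERY,
                           attr_map: dict = ATTRIBUTE_MAP) -> dict:
        """Run the configured query and rename only the mapped columns."""
        cur = self.conn.execute(query, (username,))
        row = cur.fetchone()
        if row is None:
            return {}
        columns = [d[0] for d in cur.description]
        # Columns absent from the map never leave the database.
        return {attr_map[c]: v for c, v in zip(columns, row) if c in attr_map}

    def login(self, username: str, password: str):
        """Return the principal (name plus attributes) or None on failure."""
        if not self.authenticate(username, password):
            return None
        return {"name": username, "attributes": self.resolve_attributes(username)}


if __name__ == "__main__":
    handler = DatabaseAuthHandler(build_sample_db())
    print(handler.login("alice", "correct horse"))
    print(handler.login("alice", "wrong"))
```

The query is parameterised and the username is only ever bound, never interpolated, so changing the "query condition" stays a configuration change rather than an injection point.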
HTTP is regarded as a stateless protocol: it cannot know the browsing state of the user, and once the server has completed its response it loses its connection with that browser.
The invention of the Session filled this gap in HTTP: the SESSION records information about the user, and when the web server is presented with a request under the same identity again, it confirms the user. A Session can be used for user authentication, program state recording, passing parameters between pages and so on. When a user switches between multiple pages, the Session preserves that user's information.
The duration of each Session object is the user's access time plus an inactivity time.
The following scenario may occur: a user opens a page that logs in automatically with a POST request while the session has expired, so the server cannot obtain the data.
For this situation, the present invention uses the SavedRequest function provided by Spring Security to save the POST request after the session has expired.
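The idle-timeout session and the saved-request behaviour described above are modelled in the following added example. It is written for this page in Python and is not the patent's code nor Spring Security's implementation of SavedRequest; the timeout value, the request fields, the session-id handling and the sample requests are assumptions made for the example. It shows the failure mode the patent describes (a POST arriving after the session has expired) and the replay of the saved request once the user has logged in again.

```python
"""Session idle timeout with a single-use saved request for expired sessions.

Added example (not the patent's code). A session dies after IDLE_TIMEOUT
seconds without a request. A POST that arrives on a dead or anonymous session
is saved, the client is sent to the login URL, and the saved request is
replayed exactly once after login completes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

IDLE_TIMEOUT = 30 * 60   # assumed: seconds of inactivity before a session expires


@dataclass
class SavedRequest:
    method: str
    path: str
    body: dict


@dataclass
class Session:
    user: Optional[str] = None
    last_access: float = 0.0
    saved_request: Optional[SavedRequest] = None


@dataclass
class Request:
    method: str
    path: str
    body: dict = field(default_factory=dict)
    now: float = 0.0     # request time in seconds; passed in so the example is deterministic


class SessionManager:
    def __init__(self):
        self.sessions: Dict[str, Session] = {}

    def get_or_create(self, session_id: str, now: float) -> Session:
        s = self.sessions.get(session_id)
        if s is None or now - s.last_access > IDLE_TIMEOUT:
            # Expired: discard everything from the old session, including its identity.
            s = Session(last_access=now)
            self.sessions[session_id] = s
        s.last_access = now      # each request extends the lifetime by one idle period
        return s


def handle(mgr: SessionManager, session_id: str, req: Request) -> dict:
    """Filter decision for one request: serve it, or save it and redirect to login."""
    s = mgr.get_or_create(session_id, req.now)
    if s.user is None:
        if req.method == "POST":
            # Without this the form body is lost across the login redirect.
            s.saved_request = SavedRequest(req.method, req.path, dict(req.body))
        return {"action": "redirect", "location": "/login"}
    return {"action": "ok", "user": s.user, "path": req.path, "body": req.body}


def complete_login(mgr: SessionManager, session_id: str, user: str, now: float) -> dict:
    """Called once the SSO credential has been validated for `user`."""
    s = mgr.get_or_create(session_id, now)
    s.user = user
    saved, s.saved_request = s.saved_request, None    # replay at most once
    if saved is None:
        return {"action": "redirect", "location": "/"}
    return handle(mgr, session_id, Request(saved.method, saved.path, saved.body, now))


if __name__ == "__main__":
    mgr = SessionManager()
    print(handle(mgr, "sid1", Request("POST", "/projects/forum/reply", {"text": "hi"}, now=0)))
    print(complete_login(mgr, "sid1", "alice", now=5))
```

Two points a reviewer would raise against a real implementation: the saved request is bound to the browser's session cookie, so the session identifier should be regenerated at `complete_login` (session fixation) and the replayed body should still pass the same CSRF checks as a fresh POST, since an attacker-supplied body parked in an anonymous session would otherwise be executed under the victim's identity as soon as they log in.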
Some modules of some platforms, for example "Overview" and "Download" in the Trustie platform, do not need login interception, but only validation interception so that the username of the logged-in user can be displayed.
For this situation, in other embodiments of the invention the method may further comprise the following steps:
configuring filtering of the user login URL and the user credential validation URL in the web.xml file;
inheriting from the user credential validation class and saving the logged-in user's information in the session corresponding to the user;
changing the configuration parameters in the XML file of the corresponding client.
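The per-item interception table of steps S1 and S2 and the validation-only behaviour just described for "Overview" and "Download" are two settings of one client-side filter, and the following added example models both. It is written for this page in Python, not the patent's Java/web.xml implementation; the XML layout, the path-prefix mapping of items, the `ValidateOnly` mode name, the ticket format and the stand-in `validate_ticket` table are assumptions made for the example. A real client would perform the credential validation as an HTTP request to the configured validation URL.

```python
"""Per-module, per-item interception policy for an SSO client filter.

Added example (not the patent's code). Each item of a module carries one of
three modes:
  "Yes"          -> intercept: validate a presented credential, or redirect
                    an anonymous user to the login URL;
  "ValidateOnly" -> validate a credential if one is present so the username
                    can be shown, but never force a login;
  "No"           -> pass the request through untouched.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlencode

# Constructed sample of the client XML that, per the patent, holds the login
# URL, the credential validation URL and the reading mode of each item.
CLIENT_XML = """
<sso-client>
  <loginUrl>http://sso.example.test/login</loginUrl>
  <validateUrl>http://sso.example.test/validate</validateUrl>
  <module name="project-portal">
    <item path="/projects/maillist" intercept="Yes"/>
    <item path="/projects/forum"    intercept="Yes"/>
    <item path="/projects/overview" intercept="ValidateOnly"/>
    <item path="/projects/download" intercept="ValidateOnly"/>
    <item path="/projects/stats"    intercept="No"/>
  </module>
</sso-client>
"""

MODES = ("Yes", "No", "ValidateOnly")


@dataclass
class Policy:
    login_url: str
    validate_url: str
    modes: dict = field(default_factory=dict)    # path prefix -> mode

    @classmethod
    def from_xml(cls, text: str) -> "Policy":
        root = ET.fromstring(text.strip())
        policy = cls(root.findtext("loginUrl"), root.findtext("validateUrl"))
        for item in root.iter("item"):
            mode = item.get("intercept", "No")
            if mode not in MODES:
                raise ValueError(f"unknown intercept mode {mode!r} for {item.get('path')!r}")
            policy.modes[item.get("path")] = mode
        return policy

    def mode_for(self, path: str) -> str:
        # Longest matching prefix wins. Paths not listed default to "No", as the
        # patent's "other items" do; a stricter deployment would default to "Yes".
        best = max((p for p in self.modes if path.startswith(p)), key=len, default=None)
        return self.modes[best] if best else "No"


@dataclass
class Request:
    path: str
    ticket: Optional[str] = None                 # credential handed back by the SSO server
    session: dict = field(default_factory=dict)


# Constructed stand-in for the network call to validate_url?ticket=...&service=...
VALID_TICKETS = {"ST-1": "alice", "ST-2": "bob"}


def validate_ticket(validate_url: str, ticket: str) -> Optional[str]:
    return VALID_TICKETS.get(ticket)


def sso_filter(policy: Policy, req: Request, service_url: str) -> dict:
    """Decide pass / redirect / error for one request under the configured mode."""
    mode = policy.mode_for(req.path)
    if mode == "No":
        return {"action": "pass", "user": req.session.get("user")}
    if "user" in req.session:                    # already authenticated in this session
        return {"action": "pass", "user": req.session["user"]}
    if req.ticket is not None:
        user = validate_ticket(policy.validate_url, req.ticket)
        if user is not None:
            req.session["user"] = user           # the patent's "save the user info in the session"
            return {"action": "pass", "user": user}
        if mode == "Yes":
            # A forged or replayed ticket on a protected item is an error, never anonymous access.
            return {"action": "error", "reason": "invalid ticket"}
        return {"action": "pass", "user": None}
    if mode == "ValidateOnly":
        return {"action": "pass", "user": None}
    location = f"{policy.login_url}?{urlencode({'service': service_url})}"
    return {"action": "redirect", "location": location}


if __name__ == "__main__":
    policy = Policy.from_xml(CLIENT_XML)
    print(sso_filter(policy, Request("/projects/forum"), "http://app.example.test/projects/forum"))
    print(sso_filter(policy, Request("/projects/overview"), "http://app.example.test/projects/overview"))
```

Rejecting unknown mode strings at load time matters: a typo such as `intercept="yes"` must fail deployment rather than silently fall into the permissive default.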
Existing SSO has the problem that AJAX requests cannot be made cross-domain. For this reason, the method provided by the invention may further comprise the following step:
verifying on the server side whether the user is logged in and, if so, saving the information of the logged-in user as a JSONObject.
Further:
if the parameter passed by the client is not empty, returning the information of the logged-in user saved in the JSONObject to the client.
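The server-side step above (check the login state, store the user as a JSON object, and return it when the client passed a non-empty parameter) is modelled by the following added example. It is written for this page in Python and is not the patent's code. The patent does not say what the client parameter is; the example assumes it is a JSONP callback name, which is how a browser of that period fetched JSON across domains from AJAX, and adds the CORS allow-list alternative. The origin list, header names and field names are assumptions.

```python
"""Cross-domain login-status endpoint: JSON object, optionally JSONP-wrapped.

Added example (not the patent's code). With a non-empty `callback` parameter
the user object is returned wrapped in a script call (JSONP); without one it
is returned as plain JSON, and a CORS header is added only for origins on the
allow-list. The callback name is restricted to an identifier so that the
parameter cannot inject script into the response.
"""
import json
import re

# A callback must be a bare (dotted) identifier; anything else is rejected.
CALLBACK_RE = re.compile(r"[A-Za-z_$][A-Za-z0-9_$.]{0,63}")

# Assumed: the platform modules allowed to read the login state with credentials.
ALLOWED_ORIGINS = {"http://forum.example.test", "http://maillist.example.test"}


def user_object(session: dict) -> dict:
    """The patent's JSONObject: built only from what the session already holds."""
    if session.get("user"):
        return {"loggedIn": True, "user": session["user"], "mail": session.get("mail")}
    return {"loggedIn": False}


def login_status(session: dict, callback: str = "", origin: str = "") -> dict:
    """Return status, headers and body for one login-status request."""
    body = json.dumps(user_object(session), separators=(",", ":"))
    headers = {"Cache-Control": "no-store", "X-Content-Type-Options": "nosniff"}

    if callback:                                  # "parameter passed by the client is not empty"
        if not CALLBACK_RE.fullmatch(callback):
            return {"status": 400, "headers": headers, "body": ""}
        headers["Content-Type"] = "application/javascript; charset=utf-8"
        # Leading comment block defeats content-sniffing tricks that abuse the script body.
        return {"status": 200, "headers": headers, "body": f"/**/{callback}({body});"}

    headers["Content-Type"] = "application/json; charset=utf-8"
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"
    return {"status": 200, "headers": headers, "body": body}


if __name__ == "__main__":
    print(login_status({"user": "alice", "mail": "alice@example.test"}, callback="showUser"))
    print(login_status({"user": "alice"}, origin="http://forum.example.test"))
```

The JSONP branch has no way to learn which page included the script, so any site can read the logged-in username through it; the CORS branch answers only the listed module origins and is the form to prefer wherever the browsers in use support it.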
In addition, in other embodiments of the invention the method may further comprise:
adding a verification code (CAPTCHA) option to the login page;
receiving the verification code, username and password entered by the user;
verifying the user according to the entered verification code, username and password.
The embodiments in this specification are described progressively; each embodiment emphasizes its differences from the others, and identical or similar parts of the embodiments may be referred to one another. Since the systems and devices disclosed in the embodiments correspond to the methods disclosed in the embodiments, their description is relatively simple, and the relevant points can be found in the description of the methods.
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments can be completed by a computer program instructing the relevant hardware. The program can be stored in a computer-readable storage medium and, when executed, can include the flow of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the invention. Therefore, the present invention is not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (5)

1. A single sign-on method, characterized in that it is based on the HTTP protocol and comprises:
setting in advance a reading mode for each module of the accessed platform, the reading mode comprising an interception mode for every item in the corresponding module;
the interception mode being set to "Yes" or "No";
performing interception checking on the user login URL and the user credential validation URL according to the reading mode;
further comprising:
injecting a database dependency into the client XML file, the database storing usernames and passwords;
further comprising:
adding an MD5 encryption/decryption class on the client side, and injecting the MD5 encryption class dependency into the client XML file;
further comprising: providing a query-attribute dependency, and providing an attribute storing the SQL query condition and an attribute for the query result;
further comprising: saving the POST request after the session has expired.
2. The method of claim 1, characterized in that it further comprises:
configuring filtering of the user login URL and the user credential validation URL in the web.xml file;
inheriting from the user credential validation class and saving the logged-in user's information in the session corresponding to the user;
changing the configuration parameters in the XML file of the corresponding client.
3. The method of claim 2, characterized in that:
whether the user is logged in is verified on the server side, and if so the information of the logged-in user is saved as a JSONObject.
4. The method of claim 3, characterized in that:
if the parameter passed by the client is not empty, the information of the logged-in user saved in the JSONObject is returned to the client.
5. The method of claim 4, characterized in that:
a verification code option is added to the login page;
the verification code, username and password entered by the user are received;
the user is verified according to the entered verification code, username and password.
Application CN201110460189.9A, filed 2011-12-31, priority date 2011-12-31: Single sign-on method (Active)

Publications (2)

Publication Number Publication Date
CN102404349A (en) 2012-04-04
CN102404349B (en) 2014-05-21

Family ID: 45886135

Country Status (1)

Country Link
CN (1) CN102404349B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102801808B (en) * 2012-07-30 2014-11-05 武汉理工大学 WebLogic-oriented Form identification single sign on integration method
CN108881130B (en) * 2017-05-16 2021-07-30 中国移动通信集团重庆有限公司 Security control method and device for session control information
CN108664778B (en) * 2018-03-26 2021-03-30 苏州科达科技股份有限公司 User identity authentication method and device and electronic equipment
CN109218389B (en) * 2018-07-05 2021-08-27 东软集团股份有限公司 Method, device and storage medium for processing service request and electronic equipment

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102065147A (en) * 2011-01-07 2011-05-18 深圳市易聆科信息技术有限公司 Method and device for obtaining user login information based on enterprise application system

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
卢清平 et al. 一种基于Yale-CAS的单点登录解决方案 (A single sign-on solution based on Yale-CAS). 《合肥学院学报》 (Journal of Hefei University), 2005-09-30, vol. 15, no. 3, pp. 37-40 *
杨普 et al. 基于JOSSO的WEB单点登录的设计与实现 (Design and implementation of web single sign-on based on JOSSO). 《电脑知识与技术》 (Computer Knowledge and Technology), 2008-08-31, vol. 3, no. 5, pp. 974-977 *
金斌. 统一的身份认证和访问控制之单点登录系统设计与实现 (Design and implementation of a single sign-on system for unified identity authentication and access control). 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology), 2008-06-15, no. 6: body text p. 13 last two paragraphs, p. 15 para. 1, p. 34 lines 2-4, p. 35 last paragraph, p. 36 para. 1, p. 36 last line to p. 37 line 4, p. 37 lines 10-12, p. 38 lines 4-15, Fig. 4-2, Fig. 4-7 *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20211213

Address after: 250014 No. 41-1 Qianfo Shandong Road, Lixia District, Jinan City, Shandong Province

Patentee after: SHANDONG CIVIC SE COMMERCIAL MIDDLEWARE Co.,Ltd.

Address before: 250014 No. 41-1 Qianfo Shandong Road, Jinan City, Shandong Province

Patentee before: SHANDONG CVIC SOFTWARE ENGINEERING Co.,Ltd.

Patentee before: Shandong Zhongchuang software commercial middleware Co., Ltd