CN102624737A - Single sign-on integration method for Form-based identity authentication in a single sign-on system - Google Patents

Publication number: CN102624737A (granted version: CN102624737B)
Application number: CN2012100833213A (priority application CN201210083321.3A)
Authority: CN (China)
Original language: Chinese (zh)
Legal status: Granted; Expired - Fee Related
Inventors: 龙毅宏, 郭浩平, 吴志奇, 王亚龙, 唐志红, 许明, 刘旭, 张海松
Assignee (original and current): BEIJING ITRUSCHINA Co Ltd; Wuhan University of Technology WUT
Prior art keywords: page, user, identity, login, http
Classification: Information Transfer Between Computers (AREA)
Abstract

The invention relates to a single sign-on integration method for Form-based identity authentication in a single sign-on system. The single sign-on system comprises a Web application program, a Web server, a login request proxy page, a login verification proxy page, a login verification HTTP (HyperText Transfer Protocol) plug-in, a browser, an identity service system, a main account database and a master/slave account binding database. In the method, the login request proxy page receives the HTTP request for the login page and guides a user who has not yet logged in to log in at the identity service system; after authenticating the user, the identity service system submits, through the browser, a security token proving the user's identity to the account-name/password verification URL (Uniform Resource Locator) of the Web application system the user wants to access; on receiving or intercepting the HTTP request submitted to that URL, the login verification proxy page or the HTTP plug-in verifies the security token and adds the user's local account name and password for the Web application system to the HTTP request, so that the user is logged in to the Web application system.

Description

Single sign-on integration method for Form-based identity authentication in a single sign-on system
Technical field
The invention belongs to the field of identity authentication and access control in information security, and in particular concerns a single sign-on integration method for Form-based identity authentication in a single sign-on system.
Background art
With the development of enterprise e-commerce and office informatization, enterprises and organizations have deployed a large number of information systems providing various specific functions (hereafter collectively called application systems). To spare users from having to remember and enter a different account name and password (also called user name and password) for each application system they use, single sign-on (SSO) technology was proposed. Single sign-on means that once a user has completed online identity authentication (i.e. login) at some online system with one identity credential (an account name and password, a digital certificate, etc.), the user can access every other system he or she is entitled to access without entering an account name and password or presenting a digital certificate again.
Among the application systems deployed today, a large class uses the Browser/Server architecture (B/S architecture for short) and is developed with Web page technology; such systems are called Web application systems. In the B/S architecture the client is a general-purpose browser, and the server side usually consists of a Web server, a Web application program and a database. The Web server may be an HTTP (HyperText Transfer Protocol) server (e.g. IIS, Apache), an HTTP server plus a Web container (e.g. Apache+Tomcat, or Tomcat alone receiving and answering HTTP requests), or a J2EE application server (Application Server, e.g. WebLogic, WebSphere). The Web application is usually developed with a particular page technology (e.g. JSP/Servlet, ASP.NET, PHP) and is deployed to and runs on the Web server. The database stores the application data.
The client browser and the Web server exchange data over the HyperText Transfer Protocol (HTTP): the browser sends a service request in HTTP form (an HTTP request) to the Web server; after preliminary processing, the Web server hands the request to the corresponding Web page of the Web application; the Web server then returns the result produced by the Web page to the browser as an HTTP response; finally the browser renders the returned content. Besides relaying HTTP requests and responses between the browser and the Web application's pages, the Web server provides the pages with a runtime environment and supporting services, such as maintenance of session data.
To restrict user access to protected service functions or resources, i.e. to let only authorized users access and use sensitive functions or resources, a Web application system must authenticate its users (identity authentication, colloquially just "authentication", a term the authors consider imprecise). Many authentication methods exist; the most common is based on an account name and password: before a user accesses a protected function or resource of a Web application system, the user must log in (Login) to that system through the browser with the corresponding account name and password. Among account-name/password methods, the most common technique for Web systems is so-called Form-based authentication: the user enters the account name and password into an HTML (HyperText Markup Language) form on a Web page, and the browser submits them to the server side for verification (hence the name Form-based authentication).
Form-based authentication can be implemented in a Web application system in two ways: by the Web application, or by the Web server. If the Web application is responsible, it has a dedicated login page (e.g. Login.jsp) that returns a login form to the browser for the user to enter and submit the account name and password, and a dedicated page that verifies the account name and password (e.g. LoginCheck.jsp), called the login verification page (the login page and the login verification page may be one and the same Web page, as with Login.aspx for Form authentication in ASP.NET, but logically they can still be treated as two separate pages). If the Web server implements Form authentication (specifically, either the HTTP server or the dynamic page runtime, such as a JSP/Servlet Web container or the ASP.NET runtime), the Web application still provides a login page for entering the account name and password but no login verification page: the account name and password are verified by a dedicated login verification processing logic (module) inside the Web server, which is bound to a specific URL (Uniform Resource Locator), e.g. j_security_check; HTTP requests submitted to that URL are not delivered to any Web page but to the server-internal login verification logic. Whichever way Form authentication is implemented, when a user who has not yet been authenticated first accesses a protected resource (e.g. a Web page), the server side (Web application or Web server) returns the login page and prompts for an account name and password; once the user has entered them and the browser has submitted them to the Web application's login verification page or to the Web server's internal login verification logic, and verification succeeds, the user can access the protected resource.
To realize single sign-on, the notion of an Identity Provider (IdP) was introduced: an online system that provides identity authentication as a service, called here the identity service system. For Web application systems, the user need only log in once (i.e. complete online identity authentication) at the identity service system through the browser, and can then access every Web application system in the identity service system's trust domain that the user is entitled to, without logging in (authenticating) again. For this SSO scheme to be applied successfully, one key problem must be solved: how to make the various existing Web application systems interoperate with the identity service system so as to achieve single sign-on. The specific problem is as follows.
The Web application systems involved in single sign-on usually each have their own user management component (system) and account database, and perform access control on the basis of their own user accounts (account name and password). The user account with which the user logs in (authenticates) at the identity service system may differ from (or, of course, coincide with) the user's account in the Web application system to be accessed. If they differ, one option is to modify the original application system so that it accepts the identity service system's user account as the user's identifier and bases access control on it; because it requires modifying the application system, this option often cannot be carried out. The other option is for the user to log in to the identity service system with a user account called the main (master) account, which may be an existing application-system account of the user, an existing global account (e.g. an account in Windows Active Directory), or a newly created global user account; the user's main account is associated in advance, by some means, with the user's accounts in the different application systems (called slave accounts), a process called identity (account) federation (Identity Federation or Account Federation) or identity (account) binding (Identity Binding or Account Binding). When the user, having logged in (authenticated) at the identity service system with the main account, accesses a particular application system, the main account is mapped by some means to the user's slave account in that application system, and the user accesses the application system under that slave account. This process of matching and converting master and slave accounts is called identity (account) mapping (Identity Mapping or Account Mapping). Binding and mapping relations alone are not enough, however, because the original system cannot interact with the identity service system and cannot perform this account conversion automatically; corresponding technical means must be provided to implement the required function. Combining the problem of the first option with the technical need of the second, a single sign-on integration scheme that leaves the original system's authentication method, user accounts and programs unchanged and performs master-to-slave mapping and conversion automatically is very useful and important. Since Form-based authentication is currently the most widely used authentication method in Web application systems, developing an SSO integration scheme for Form-based authentication is particularly important. For this problem the present inventors earlier proposed an SSO integration method based on a filter (Filter) and password auto-fill (see references [1-2]), but that method has the following shortcomings:
1) in many cases the required functions are complicated or difficult to implement with the filter mechanism;
2) the filter must decide which system functions or resources are protected, and in some cases it cannot: for example, when the Web application decides from its own business logic, rather than from the HTTP request URL, whether the user must log in (authenticate), the filter cannot make that decision, because a filter decides by the HTTP request URL;
3) the filter intercepts every HTTP request, even after the user has completed authentication;
4) before the filter submits the user's account name and password to the login verification page by auto-fill, the user has not first visited the login page (e.g. Login.jsp), i.e. the visit to the login page is skipped; in practice a Web application system may perform some initialization on the user's first visit to the login page for the user's later operations (including password verification), and skipping that first visit may break the related processing logic (e.g. the password verification process);
5) after the filter has completed the user's authentication and local login, it must redirect the user to the protected Web page originally requested and, if the user first accessed the protected resource with the POST method, it must guide the user to access the protected resource again with POST and the original POST parameters; this is complicated, even difficult, to implement, whereas the original system itself may already have that functionality.
For the above problems, the single sign-on integration method proposed by the present invention makes the following improvements:
1) the method applies both to implementing the SSO-related functions with Web page technology (i.e. proxy pages) and to implementing them with a Web HTTP plug-in (i.e. a filter or filter-like device) mechanism; the former is chosen first and the latter only where the former is unsuitable, and in most cases the former suffices, which greatly simplifies development;
2) the login plug-in is not responsible for deciding which system functions or resources are protected; the original system remains responsible for that, and the login plug-in merely changes the login (authentication) flow transparently;
3) the login processing plug-in (i.e. the proxy pages or the Web HTTP plug-in) intercepts only HTTP requests submitted to the login page and to the account-name/password verification URL; all other HTTP requests are not intercepted, which reduces the plug-in's possible impact on the system to a minimum;
4) in every case the user's HTTP request for the login page reaches the system's original login page, which completes its processing, so the original system's processing logic is not affected at all;
5) the Web server or Web application that is responsible for the original Form authentication remains responsible, after the user has logged in successfully, for redirecting the user to the protected Web page originally requested, including when the user first accessed the protected resource with POST; this greatly reduces the complexity of single sign-on integration.
References:
[1] Long Yihong, Li Changyou, Tang Zhihong, Liu Xu. A transparent single sign-on scheme for Web legacy systems. Information Security and Communications Privacy, 2010(10), pp. 67-69, 72.
[2] Li Xineng (supervisor: Long Yihong). Design and implementation of a unified identity authentication and single sign-on system. Master's thesis, Wuhan University of Technology, May 2010.
Summary of the invention
The object of the invention is to propose, for Web application systems in a single sign-on system that use Form-based authentication, a single sign-on integration method that achieves single sign-on without modifying the Web application or the Web application system's own authentication method.
To achieve this object, the invention adopts the following technical scheme:
A single sign-on integration method for Form-based identity authentication in a single sign-on system, where the single sign-on system comprises a Web application, a Web server, a login request proxy page, a login verification proxy page, a login verification HTTP plug-in, a browser, an identity service system, a main account database and a master/slave account binding database, in which:
Web application: a program that implements a predetermined application function, consisting of a group of Web pages developed with some Web page technology and deployed on a Web server;
Web server: provides the Web pages of the Web application with HTTP request reception, response transmission and other supporting functions, namely receiving the HTTP service requests submitted by the user's browser, preprocessing them and handing them to the Web application page for processing, then sending the result returned by the page to the user's browser as an HTTP response; the Web server comprises an HTTP server and the corresponding dynamic page runtime (e.g. a JSP/Servlet Web container, the ASP.NET runtime); the Web server together with the Web application deployed on it constitutes the Web application system that implements the predetermined application function;
Login request proxy page: deployed on the Web server of a Web application system that uses Form authentication; receives the HTTP requests for the login page, passes them to the Web application system's original login page, and post-processes the returned result as single sign-on requires;
Login verification proxy page: deployed on the Web server of a Web application system in which Form authentication is implemented by the Web application; receives the HTTP requests submitted to the URL of the account-name/password verification function and, after the relevant processing, passes an HTTP request containing the user's local account name and password for the application system to the Web application system's original login verification page;
Login verification HTTP plug-in: deployed on the Web server of a Web application system in which Form authentication is implemented by the Web server; intercepts the HTTP requests submitted to the URL of the account-name/password verification function and, after the relevant processing, passes an HTTP request containing the user's local account name and password for the application system to the Web server's internal login verification processing logic;
Browser: the client through which the user interacts with the Web application system; sends HTTP requests to the Web server over HTTP, receives the HTTP responses returned by the Web server and renders their content;
Identity service system: the system that provides online identity authentication as a service; authenticates the user online on the basis of the user's identity credential, and transmits a security token proving the user's identity to the Web application system through the browser according to the corresponding single sign-on protocol;
Main account database: stores the main account information with which the user logs in to the identity service system, i.e. the main account's account name and password, or the information of the digital certificate corresponding to the main account;
Master/slave account binding database: stores the correspondence (binding) between the user's main account and the user's slave accounts in the Web application systems, together with the slave accounts' passwords.
Each Web application system authenticates users by some method; when a user accesses a protected function or resource (e.g. a Web page) of a Web application system, access is allowed only after the user has authenticated with his or her account in that system. Some of the Web application systems authenticate client users with Form-based authentication, implemented either by the Web server or by the Web application.
The login request proxy page takes the name of the original login page (e.g. Login.jsp), and the original login page is renamed (e.g. LoginBak.jsp); the login verification proxy page takes the name of the original login verification page (e.g. LoginCheck.jsp), and the original login verification page is renamed (e.g. LoginCheckBak.jsp).
The login verification HTTP plug-in is inserted into the Web server's HTTP request/response processing pipeline through the HTTP plug-in extension mechanism the Web server provides; it intercepts and processes only the HTTP requests and responses for the URL of the account-name/password verification function (e.g. j_security_check), and neither intercepts nor processes any other HTTP request or response. The HTTP plug-in extension mechanism is provided either by the HTTP server or by the dynamic page runtime (e.g. a JSP/Servlet Web container, the ASP.NET runtime).
The login request proxy page, and the login verification proxy page or login verification HTTP plug-in, have corresponding configuration information holding the single sign-on settings, such as the identity service system's user login URL and the digital certificate or symmetric key used to verify the security token's signature.
The login request proxy page, and the login verification proxy page or login verification HTTP plug-in, keep login (authentication) related information for each user, called the user login information, which comprises:
1) an identity authentication flag: indicates whether a security token proving the user's identity, issued by the identity service system, has been received; if the user has completed authentication at the identity service system the flag is "true", otherwise "false";
2) the user's main account name: the account name the user used to authenticate at the identity service system;
3) the user's slave account name: the user's local account name in the application system that corresponds to the main account name.
This user login information is kept in the session (Session) data store that the Web server (HTTP server or dynamic page runtime) provides to the login request proxy page and to the login verification proxy page or login verification HTTP plug-in (e.g. the Servlet Session object, or an HTTP cookie).
The format of the security token issued by the identity service system depends on the single sign-on protocol in use; it may be a SAML (Security Assertion Markup Language) assertion (Assertion), a WS-Federation security token (Security Token), or a custom security token. The identity service system guarantees the security (authenticity of origin and integrity) of the issued security token by digital signature.
The identity credential the user presents for online authentication at the identity service system may be an ordinary account name and password, a digital certificate, or other electronic identity data that identifies and authenticates the user. The account the user uses to authenticate at the identity service system is called the main account. A slave account is the user's account in a particular Web application system, comprising an account name and password; the user's main account and the user's slave account in a given Web application system may be the same or different.
When the login request proxy page receives an HTTP request for the login page, it processes it as follows:
A1. the received HTTP request is passed directly to the system's original login page through an internal forward or call mechanism;
A2. after the original login page has returned its response, the identity authentication flag is checked: if its value is "true", the response is returned directly; if it is "false" or not set, it is set to "false" and the user's browser is directed to the identity service system's user login page, either by an external redirect or by returning a Web page that automatically submits an HTTP request; the URL of the redirected or automatically submitted HTTP request carries the identifier of the local Web application system.
When the user's browser, directed by the login request proxy page in step A2 by external redirect or by a Web page that automatically submits an HTTP request, arrives at the identity service system's user login page, the identity service system processes the HTTP request as follows:
B1. from the Web application system identifier carried in the HTTP request URL, determine whether the Web application system the user wants to access is one it trusts and serves; if not, return an error; otherwise continue with the next step;
B2. determine whether the user has already completed authentication at the identity service system; if so, continue with the next step; otherwise direct the user to the login page, authenticate the user on the basis of the user's main account, and continue with the next step after successful authentication;
B3. from the user's main account and the Web application system to be accessed, obtain from the master/slave account binding database the user's slave account name and password in that Web application system;
B4. generate for the user a security token containing the main account name, the slave account name and the encrypted slave account password, digitally sign the relevant information, return the user identity proof information containing the security token to the user's browser as an HTML form, and submit it by automatic POST (Submit) of that form to the account-name/password verification URL of the Web application system the user wants to access.
After said login authentication proxy page or login authentication HTTP plug-in receives or intercepts an HTTP request submitted to the URL corresponding to the account name/password authentication function, it processes the HTTP request as follows:
C1. Check whether the HTTP request contains a security token submitted by the identity service system or an account name and password submitted directly by the user; if the former, go to step C2, otherwise go to step C4;
C2. Verify the validity of the security token through its digital signature; if it is invalid, set the value of said identity authentication flag to "false" and return an error message; otherwise go to the next step;
C3. Obtain from the security token the user's main account name, subordinate account name and, after decryption, subordinate account password; save the main account name and subordinate account name as said user login information and set the value of the identity authentication flag to "true"; then add the subordinate account name and password to the HTTP request in the way the system originally submits its account name and password; forward the newly formed HTTP request, through the internal forwarding, call or pass-through mechanism, to the system's original login authentication page or the Web server's internal login authentication processing logic; return the response produced by the original login authentication page or the Web server's internal login authentication processing logic, which completes the processing of this HTTP request;
C4. Check the identity authentication flag; if its value is "false" or it is not set, set its value to "false" and direct the user's browser to the user login page of the identity service system, either through an external redirect or by returning a Web page that automatically submits an HTTP request; the URL of the redirected or automatically submitted HTTP request includes the identifier of the local Web application system; otherwise go to the next step;
C5. Check whether the account name in the current HTTP request is consistent with the subordinate account name saved in the user login information; if not, return an error message; otherwise, update the main/subordinate account binding database according to the main account name saved in the user login information and the subordinate account name and password in the current HTTP request; then forward the current HTTP request, through the internal forwarding, call or pass-through mechanism, to the system's original login authentication page or the Web server's internal login authentication processing logic, return the response produced by the original login authentication page or the Web server's internal login authentication processing logic, and complete the processing of this HTTP request.
If, in said step C3, said login authentication proxy page or login authentication HTTP plug-in cannot add the subordinate account name and password directly to the currently received or intercepted HTTP request, then in said step C3, after setting the value of the identity authentication flag to "true", said login authentication proxy page or login authentication HTTP plug-in directly generates and submits an HTTP request containing the subordinate account name, password and other relevant information to the URL of the Web application system corresponding to the user name/password authentication function, and then returns the result corresponding to that request; correspondingly, in said step C1, before performing the related processing, said login authentication proxy page or login authentication HTTP plug-in first checks the relevant information to confirm whether the received or intercepted HTTP request was submitted by itself; if so, it lets the HTTP request and response pass through without further processing.
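The following is an added example written for this page; it is not code from the patent or its assignees. It models both sides of one round of the procedure above: the identity service performing the trust check, the binding lookup and the token issue with an auto-POST form (the B steps, and claim 4 below), and the login authentication proxy page / HTTP plug-in running steps C1 to C5, including the self-submission variant (claims 5 and 6 below). Everything concrete is an assumption of the example rather than a detail the patent gives: the token is a custom JSON document signed with HMAC-SHA256 under a symmetric key shared by both sides (the patent allows a symmetric signature key), the subordinate password inside it is encrypted with an HMAC-SHA256 keystream standing in for the library cipher the patent delegates to OpenSSL, JCE or CryptoAPI, the original form field names are `username` and `password`, and the internal forward into the original login logic is the `forward` callable.

```python
# Added example (not the patent's own code): both sides of one SSO round, the
# identity service issuing the token and the login authentication proxy page /
# HTTP plug-in consuming it (steps C1..C5 plus the self-submission variant).
# Assumed, not from the patent: HMAC-SHA256 token signature under a shared
# symmetric key, an HMAC keystream standing in for the library cipher on the
# subordinate password, and username/password as the original form fields.
import base64, hashlib, hmac, json, secrets

SIGN_KEY = b"constructed-shared-signing-key"    # constructed sample key
ENC_KEY = b"constructed-shared-encryption-key"  # constructed sample key
TRUE, FALSE = "true", "false"                   # identity authentication flag values


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Keystream from HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt_password(pw: str) -> str:
    nonce, data = secrets.token_bytes(16), pw.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(ENC_KEY, nonce, len(data))))
    return base64.b64encode(nonce + ct).decode()


def decrypt_password(blob: str) -> str:
    raw = base64.b64decode(blob)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct)))).decode()


class IdentityService:
    """Identity service: trust check (step 1), binding lookup (step 3), signed token
    plus auto-POST form (step 4). Step 2, authenticating the main account, is
    assumed done and its result is the main_account argument."""

    def __init__(self, trusted_apps: dict, binding_db: dict):
        self.trusted_apps = trusted_apps  # app id -> URL of its account/password check
        self.binding_db = binding_db      # (main account, app id) -> (sub name, sub password)

    def handle_login(self, app_id: str, main_account: str) -> dict:
        if app_id not in self.trusted_apps:                         # step 1
            return {"error": "untrusted application system"}
        sub_name, sub_pw = self.binding_db[(main_account, app_id)]  # step 3
        payload = {"main": main_account, "sub": sub_name, "app": app_id,
                   "sub_pw": encrypt_password(sub_pw)}
        body = base64.b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        token = body + "." + hmac.new(SIGN_KEY, body.encode(), hashlib.sha256).hexdigest()
        form = ('<form id="f" method="POST" action="%s">'                # step 4: auto-POST
                '<input type="hidden" name="token" value="%s"></form>'
                '<script>document.getElementById("f").submit()</script>'
                % (self.trusted_apps[app_id], token))
        return {"html": form, "token": token}


class LoginAuthProxy:
    """Login authentication proxy page / HTTP plug-in in front of the original
    account/password check. forward() stands for the internal forward or call
    into the original login logic; session is the server-side session store."""
    SELF_MARK = "X-SSO-Proxy-Submitted"  # assumed marker on self-submitted requests

    def __init__(self, app_id, sso_login_url, binding_db, forward, can_modify_request=True):
        self.app_id, self.sso_login_url = app_id, sso_login_url
        self.binding_db, self.forward = binding_db, forward
        self.can_modify_request = can_modify_request

    def _verify(self, token: str):
        """C2: signature check; returns the payload dict or None."""
        try:
            body, sig = token.split(".", 1)
            expect = hmac.new(SIGN_KEY, body.encode(), hashlib.sha256).hexdigest()
            return json.loads(base64.b64decode(body)) if hmac.compare_digest(expect, sig) else None
        except (ValueError, TypeError):  # no "." separator, bad base64 or bad JSON
            return None

    def handle(self, request: dict, session: dict) -> dict:
        if request.get("headers", {}).get(self.SELF_MARK):      # variant: our own resubmission
            return self.forward(request)
        form = request["form"]
        if "token" in form:                                      # C1: token from identity service
            payload = self._verify(form["token"])
            if not isinstance(payload, dict) or payload.get("app") != self.app_id:
                session["flag"] = FALSE
                return {"status": 400, "body": "invalid security token"}
            session.update(flag=TRUE, main=payload["main"], sub=payload["sub"])     # C3
            creds = {"username": payload["sub"], "password": decrypt_password(payload["sub_pw"])}
            if self.can_modify_request:
                return self.forward({**request, "form": {**form, **creds}})
            # variant: the intercepted request cannot be edited, so submit a fresh one to
            # the same URL; it re-enters handle() and is let through by the self-mark
            return self.handle({"headers": {self.SELF_MARK: "1"}, "form": creds}, session)
        if session.get("flag") != TRUE:                          # C4: no token seen yet
            session["flag"] = FALSE
            return {"status": 302, "location": "%s?app=%s" % (self.sso_login_url, self.app_id)}
        if form.get("username") != session.get("sub"):           # C5: account must match
            return {"status": 403, "body": "account name mismatch"}
        self.binding_db[(session["main"], self.app_id)] = (form["username"], form["password"])
        return self.forward(request)
```

In a real deployment `forward` is the servlet forward, PHP include or ASP.NET Server.Transfer the implementation section describes, and `session` is the Web server's session store. Two checks matter for the proxy's security and are worth keeping when porting this: the token's `app` field must be compared against the local application identifier, otherwise a token issued for one application could be replayed at another; and the self-submission marker that lets a request skip C1 must be something an external client cannot supply (for instance a value checked against a per-process secret, or a loopback-only path), otherwise the pass-through would let anyone bypass the proxy entirely.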
The innovative aspect of the present invention is that, through a Web proxy page or an HTTP plug-in, a Web application system that adopts Form-based identity authentication is made to support single sign-on without any modification (neither the Web application nor its identity authentication method is changed).
The most notable feature of the present invention is that it is simple to implement.
Description of drawings
Fig. 1 is the overall structure block diagram of the single sign-on system of the present invention.
Embodiments
The present invention is described in further detail below with reference to the accompanying drawing.
The present invention is a single sign-on integration method for Form-based identity authentication in a single sign-on system. The overall structure of the single sign-on system used by this method is shown in Fig. 1 and comprises a Web application, a Web server, a login request proxy page, a login authentication proxy page, a login authentication HTTP plug-in, a browser, an identity service system, a main account database and a main/subordinate account binding database, where the Web application and the Web server together constitute the Web application system. The function of each component is described in detail in the Summary of the Invention above and is not repeated here. Among the components of the whole single sign-on system, the login request proxy page, login authentication proxy page, login authentication HTTP plug-in, identity service system, main account database and main/subordinate account binding database are the content to be implemented by the present invention; of these, the login request proxy page, the login authentication proxy page and the login authentication HTTP plug-in are the most critical and important parts.
The identity service system can be implemented with any of the various mature information system development technologies, such as J2EE or ASP.NET; the main account database can be LDAP, a relational database, an existing Windows Active Directory, or the account database of some application system; the main/subordinate account binding database can be a relational database. The main/subordinate account binding database only needs to store the following information: 1) the user's main account name; 2) for each application system the user is authorized to access, the subordinate account name and password corresponding to the main account.
The implementation of the login request proxy page and the login authentication proxy page depends on the Web server on which they are deployed and on the Web page development technology used by the corresponding Web application; the implementation of the login authentication HTTP plug-in depends on the Web server used.
If the Web application is developed with JSP/Servlet technology and Form-based identity authentication is implemented by the Web application itself, the login request proxy page and the login authentication proxy page can be developed with JSP/Servlet technology; they can forward the received HTTP request to the corresponding original login page and original login authentication page respectively through the internal forward mechanism, and the login authentication proxy page can add the user's subordinate account name and password directly to the HTTP request before forwarding it.
If the Web application is developed with JSP/Servlet technology and Form-based identity authentication is implemented by the Web container (JSP/Servlet container), the login request proxy page can still be developed with JSP/Servlet technology, while the specific development and implementation mechanism of the login authentication HTTP plug-in depends on the Web container or Web server used. If the Web container is Tomcat, the login authentication HTTP plug-in can be developed as a Tomcat Valve; if the Web server is WebSphere Application Server, the login authentication HTTP plug-in can be developed as a Servlet Filter; if the Web server is the GlassFish application server, the login authentication HTTP plug-in can be developed as a GlassFish Valve or a Tomcat Valve.
If the Web application that adopts Form-based identity authentication is developed with ASP.NET, the login request proxy page and the login authentication proxy page are one and the same page developed with ASP.NET technology, called the login proxy page, which is configured as the Login page of ASP.NET Forms authentication; the login proxy page can use Server.Transfer to pass the current HTTP request, without modification, to the original Forms authentication login page of the ASP.NET application (normally Login.aspx); after completing verification of the security token, the login proxy page can generate a new HTTP request containing the subordinate account name and password and submit it to itself.
If the Web application is developed with PHP and Form-based identity authentication is implemented by the Web application, the login request proxy page and the login authentication proxy page can be developed with PHP; they can use PHP's include to forward the received HTTP request to the corresponding original login page and original login authentication page respectively, and the login authentication proxy page can add the user's subordinate account name and password directly to the HTTP request by modifying it before forwarding.
For Web applications developed with other dynamic page technologies and for other Web servers, the specific implementation can be determined according to the internal HTTP request forwarding or calling mechanism provided by the dynamic page technology and the HTTP plug-in mechanism provided by the Web server.
In addition, as regards the single sign-on protocol and the security token involved, a standard protocol such as SAML or WS-FPRP (WS-Federation Passive Request Profile) can be used, with the corresponding SAML assertion or WS-Security token serving as the security token that proves the user's identity; alternatively, a custom single sign-on protocol and a custom security token can be used, provided they are consistent with the interaction and processing procedure of the present invention. If the single sign-on protocol and security token are XML-based (eXtensible Markup Language), such as SAML or WS-FPRP, the various mature dynamic libraries, class libraries (such as the Windows Communication Foundation class library) and APIs (such as the Java API for XML Processing, JAXP) for processing XML data can be used. For the data encryption and digital signature operations involved, the various mature dynamic libraries (such as OpenSSL), class libraries (such as the Java Cryptography Extension) and APIs (such as Windows CryptoAPI) can be used.
Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (10)

1. A single sign-on integration method for Form-based identity authentication in a single sign-on system, said single sign-on system comprising a Web application, a Web server, a login request proxy page, a login authentication proxy page, a login authentication HTTP plug-in, a browser, an identity service system, a main account database and a main/subordinate account binding database, wherein:
Web application: a program that implements predetermined application functions, consisting of a group of Web pages developed with Web page technology and deployed on the Web server;
Web server: provides the HTTP request receiving and response transmitting functions, and other related support functions, for the Web pages of the Web application, including: receiving service requests in HTTP form submitted by the user's browser, performing the corresponding preprocessing and then handing them to the Web application pages for processing, and afterwards sending the results returned by the Web application pages to the user's browser in the form of HTTP responses; said Web server comprises an HTTP Web server and the corresponding dynamic page runtime environment; said Web server, together with the Web application deployed on it, constitutes the Web application system that implements the predetermined application functions;
Login request proxy page: deployed on the Web server of a Web application system that adopts Form-based identity authentication; receives the HTTP request for obtaining the login page, passes that HTTP request to the original login page of the Web application system, and processes the returned result according to the needs of single sign-on;
Login authentication proxy page: deployed on the Web server of a Web application system in which Form-based identity authentication is implemented by the Web application; receives the HTTP request submitted to the URL corresponding to the account name/password authentication function and, after the related processing, passes an HTTP request containing the user's local user name and password in the application system to the original login authentication page of the Web application system that verifies the account name and password;
Login authentication HTTP plug-in: deployed on the Web server of a Web application system in which Form-based identity authentication is implemented by the Web server; intercepts the HTTP request submitted to the URL corresponding to the account name/password authentication function and, after the related processing, passes an HTTP request containing the user's local user name and password in the application system to the Web server's internal login authentication processing logic that verifies the account name and password;
Browser: the client through which the user interacts with the Web application system; its functions include sending HTTP requests to the Web server over the HTTP protocol, receiving the HTTP responses returned by the Web server and displaying the response content;
Identity service system: a system that provides an online identity authentication service to users; its functions include authenticating the user online based on the user's identity credentials, and transmitting the security token that proves the user's identity to the Web application system through the corresponding single sign-on protocol and via the browser;
Main account database: stores the main account information with which the user logs in to the identity service system, comprising the main account's account name and password, or information about the digital certificate corresponding to the main account;
Main/subordinate account binding database: stores the correspondence or binding relationship between the user's main account and the user's subordinate accounts in the Web application systems, together with the subordinate account passwords;
When a user accesses a protected function or resource of a certain Web application system, said Web application system authenticates the user, that is, said user must complete identity authentication with their corresponding account in this Web application system before being able to access said protected function or resource; among said Web application systems, some adopt the Form-based identity authentication method to authenticate client users, and the Form-based identity authentication is implemented either by the Web server or by the Web application;
The form of said security token issued by said identity service system depends on the single sign-on protocol used, and said security token is a SAML assertion, a WS-Federation security token or a custom security token; said identity service system ensures the security of the security tokens it issues by means of a digital signature;
The identity credentials the user uses for online identity authentication at said identity service system may be an ordinary account name and password, a digital certificate, or other electronic identity data that can identify and authenticate the user; the account the user uses for identity authentication at said identity service system is called the main account; said subordinate account refers to the user's corresponding account in a certain Web application system, comprising an account name and a password; the user's main account and their subordinate account in a certain Web application system may be the same or different.
2. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 1, characterized in that:
Said login request proxy page takes the name of the original login page, and the original login page is renamed; said login authentication proxy page takes the name of the original login authentication page, and the original login authentication page is renamed; said login authentication HTTP plug-in is inserted into the HTTP request/response processing pipeline of the Web server by means of the HTTP plug-in extension mechanism provided by the Web server, and intercepts and processes only the HTTP requests and responses submitted to the URL corresponding to the account name/password authentication function, without intercepting or processing any other HTTP request or response; the HTTP plug-in extension mechanism provided by said Web server is provided either by the HTTP server or by the dynamic page runtime environment;
Said login request proxy page, and said login authentication proxy page or login authentication HTTP plug-in, have corresponding configuration information used to set the information related to single sign-on, comprising the user entry address of the identity service system and the digital certificate or symmetric key used for the security token signature;
Said login request proxy page, and said login authentication proxy page or login authentication HTTP plug-in, store the information related to each user's identity authentication, called the user login information, and said user login information comprises:
1) identity authentication flag: indicates whether a security token issued by the identity service system proving the user's identity has been received; if the user has completed identity authentication at the identity service system, the value of this flag is "true", otherwise it is "false";
2) user's main account name: the account name the user used for identity authentication at the identity service system;
3) user's subordinate account name: the user's account name in the local application system that corresponds to the main account name;
Said user login information is stored in the session data storage location that the Web server provides to the login request proxy page and to the login authentication proxy page or login authentication HTTP plug-in.
3. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 2, characterized in that after said login request proxy page receives an HTTP request for obtaining the login page, it processes the HTTP request as follows:
Step 1: send the received HTTP request directly to the system's original login page through the internal forwarding or call mechanism;
Step 2: after the original login page returns its response, check the identity authentication flag; if its value is "true", return the response directly; if its value is "false" or it is not set, set its value to "false" and direct the user's browser to the user login page of the identity service system, either through an external redirect or by returning a Web page that automatically submits an HTTP request; the URL of the redirected or automatically submitted HTTP request includes the identifier of the local Web application system.
4. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 3, characterized in that after the user's browser has been directed to the user login page of said identity service system by said login request proxy page in said step 2, through an external redirect or a Web page that automatically submits an HTTP request, said identity service system processes the HTTP request as follows:
Step 1: using the identifier of the Web application system carried in the URL of the HTTP request, determine whether the Web application system the user wants to access is one it trusts and provides service to; if not, return an error message; otherwise go to step 2;
Step 2: determine whether the user has previously completed identity authentication at the identity service system; if so, go to step 3; otherwise direct the user to the login page, authenticate the user based on the user's main account, and go to step 3 after successful authentication;
Step 3: according to the user's main account and the Web application system the user wants to access, obtain from the main/subordinate account binding database the user's subordinate account name and password in the Web application system to be accessed;
Step 4: generate for the user a security token containing the user's main account name, subordinate account name and the subordinate account password in encrypted form, and digitally sign the relevant information; then return the user identity proof information containing the security token to the user's browser as an HTML form, and submit that information, through automatic POST submission of the form, to the URL of the Web application system the user wants to access that corresponds to its account name/password authentication function.
5. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 2, characterized in that after said login authentication proxy page or login authentication HTTP plug-in receives or intercepts an HTTP request submitted to the URL corresponding to the account name/password authentication function, it processes the HTTP request as follows:
Step 1: check whether the HTTP request contains a security token submitted by the identity service system or an account name and password submitted directly by the user; if the former, go to step 2, otherwise go to step 4;
Step 2: verify the validity of the security token through its digital signature; if it is invalid, set the value of said identity authentication flag to "false" and return an error message; otherwise go to step 3;
Step 3: obtain from the security token the user's main account name, subordinate account name and, after decryption, subordinate account password; save the main account name and subordinate account name as said user login information and set the value of the identity authentication flag to "true"; then add the subordinate account name and password to the HTTP request in the way the system originally submits its account name and password; forward the newly formed HTTP request, through the internal forwarding, call or pass-through mechanism, to the system's original login authentication page or the Web server's internal login authentication processing logic; return the response produced by the original login authentication page or the Web server's internal login authentication processing logic, which completes the processing of this HTTP request;
Step 4: check the identity authentication flag; if its value is "false" or it is not set, set its value to "false" and direct the user's browser to the user login page of the identity service system, either through an external redirect or by returning a Web page that automatically submits an HTTP request; the URL of the redirected or automatically submitted HTTP request includes the identifier of the local Web application system; otherwise go to step 5;
Step 5: check whether the account name in the current HTTP request is consistent with the subordinate account name saved in the user login information; if not, return an error message; otherwise, update the main/subordinate account binding database according to the main account name saved in the user login information and the subordinate account name and password in the current HTTP request; then forward the current HTTP request, through the internal forwarding, call or pass-through mechanism, to the system's original login authentication page or the Web server's internal login authentication processing logic, return the response produced by the original login authentication page or the Web server's internal login authentication processing logic, and complete the processing of this HTTP request.
6. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 5, characterized in that if, in said step 3, said login authentication proxy page or login authentication HTTP plug-in cannot add the subordinate account name and password directly to the currently received or intercepted HTTP request, then in said step 3, after setting the value of the identity authentication flag to "true", said login authentication proxy page or login authentication HTTP plug-in directly generates and submits an HTTP request containing the subordinate account name, password and other relevant information to the URL of the Web application system corresponding to the user name/password authentication function, and then returns the result corresponding to that request; correspondingly, in said step 1, before performing the related processing, said login authentication proxy page or login authentication HTTP plug-in first checks the relevant information to confirm whether the received or intercepted HTTP request was submitted by itself; if so, it lets the HTTP request and response pass through without further processing.
7. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 1 or 3, characterized in that if a login request HTTP plug-in, inserted into the HTTP request/response processing pipeline of the Web server by means of the HTTP plug-in extension mechanism of the Web server, is deployed on the Web server of a Web application system that adopts Form-based identity authentication, and said login request HTTP plug-in intercepts only the HTTP requests and responses for obtaining the login page and performs the operations of said login request proxy page described in claim 3, without intercepting or processing any other HTTP request or response, then, with the original login page kept unchanged, deploying said login request HTTP plug-in achieves the same single sign-on effect as deploying said login request proxy page.
8. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 1, characterized in that if said login authentication HTTP plug-in, rather than said login authentication proxy page, is deployed on the Web server of a Web application system in which Form-based identity authentication is implemented by the Web application, then, with the original login page kept unchanged, deploying said login authentication HTTP plug-in achieves the same single sign-on effect as deploying said login authentication proxy page.
9. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 7, characterized in that said login request HTTP plug-in is deployed in place of said login request proxy page only when said login request proxy page cannot implement the operations described in claim 3.
10. The single sign-on integration method for Form-based identity authentication in a single sign-on system according to claim 5 or 8, characterized in that said login authentication HTTP plug-in deployed as described in claim 8 replaces said login authentication proxy page only when said login authentication proxy page cannot implement the operations described in claim 5.
CN201210083321.3A (priority date 2012-03-27, filing date 2012-03-27): Single sign-on integrated method for Form identity authentication in single login system; granted as CN102624737B (en), status Expired - Fee Related.

Publications (2)

Publication number: CN102624737A (en), publication date 2012-08-01
Publication number: CN102624737B (en), publication date 2015-05-06

Family

ID=46564421

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210083321.3A Expired - Fee Related CN102624737B (en) 2012-03-27 2012-03-27 Single sign-on integrated method for Form identity authentication in single login system

Country Status (1)

Country Link
CN (1) CN102624737B (en)

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833238A (en) * 2012-08-14 2012-12-19 上海聚力传媒技术有限公司 Method, device, equipment and system for assisting network equipment to carry out user authentication
CN103117998A (en) * 2012-11-28 2013-05-22 北京用友政务软件有限公司 Safety reinforcing method based on JavaEE application system
CN103679018A (en) * 2012-09-06 2014-03-26 百度在线网络技术(北京)有限公司 Method and device for detecting CSRF loophole
CN104092679A (en) * 2014-07-02 2014-10-08 百度在线网络技术(北京)有限公司 Method for logging in third-party site and server
CN104168262A (en) * 2014-07-02 2014-11-26 百度在线网络技术(北京)有限公司 Method and server for logging in third party site
CN104468785A (en) * 2014-12-08 2015-03-25 上海斐讯数据通信技术有限公司 Electronic device, server device, and data request submitting method and processing method
CN104537486A (en) * 2014-12-25 2015-04-22 中建材国际贸易有限公司 Data transmission method for main control system and sub-control system by using PHP language
CN104735066A (en) * 2015-03-18 2015-06-24 百度在线网络技术(北京)有限公司 Single sign-on method, device and system oriented to web page applications
CN105306423A (en) * 2014-07-04 2016-02-03 中国银联股份有限公司 Unified login method for distributed web station system
CN105612716A (en) * 2013-09-25 2016-05-25 亚马逊技术有限公司 Resource locators with keys
CN105812350A (en) * 2016-02-03 2016-07-27 北京中搜云商网络技术有限公司 Cross-platform single-point registration system
CN106685998A (en) * 2017-02-24 2017-05-17 浙江仟和网络科技有限公司 SSO authentication method based on CAS unified authentication service middleware
CN107294916A (en) * 2016-03-31 2017-10-24 北京神州泰岳软件股份有限公司 Single-point logging method, single-sign-on terminal and single-node login system
CN107294917A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 One kind trusts login method and device
CN107690792A (en) * 2015-06-15 2018-02-13 安维智有限公司 The single-sign-on of mobile device without management
CN108234415A (en) * 2016-12-21 2018-06-29 百度在线网络技术(北京)有限公司 For verifying the method and apparatus of user
US10037428B2 (en) 2013-09-25 2018-07-31 Amazon Technologies, Inc. Data security using request-supplied keys
CN108462706A (en) * 2018-03-06 2018-08-28 武汉理工大学 A kind of single-point logging method and system
CN109145039A (en) * 2017-12-25 2019-01-04 北极星云空间技术股份有限公司 A method of the UI suitable for federalism workflow composing is bridged
CN109194683A (en) * 2018-09-30 2019-01-11 北京金山云网络技术有限公司 Logon information processing method, device and client
CN109213546A (en) * 2017-06-30 2019-01-15 武汉斗鱼网络科技有限公司 Login processing method and device for a Windows client program
CN109688114A (en) * 2018-12-10 2019-04-26 迈普通信技术股份有限公司 Single sign-on method, authentication server and application server
CN109743163A (en) * 2019-01-03 2019-05-10 优信拍(北京)信息科技有限公司 Permission authentication method, apparatus and system in a microservices framework
CN111241504A (en) * 2020-01-16 2020-06-05 远景智能国际私人投资有限公司 Identity authentication method and device, electronic equipment and storage medium
CN111291284A (en) * 2018-12-10 2020-06-16 北京京东金融科技控股有限公司 Method and device for redirecting multi-level page
CN111385100A (en) * 2018-12-27 2020-07-07 柯尼卡美能达美国研究所有限公司 Method, computer readable medium and mobile device for accessing resources
CN111917837A (en) * 2020-07-13 2020-11-10 西安即刻易用网络科技有限公司 Web micro application program publishing system and implementation method thereof
CN113228007A (en) * 2018-11-08 2021-08-06 思杰系统有限公司 System and method for secure SAAS redirection from native applications
CN113553569A (en) * 2021-07-06 2021-10-26 猪八戒股份有限公司 Single sign-on method, system and terminal of Syngnathus system based on proxy server
CN113660204A (en) * 2021-07-09 2021-11-16 北京航天云路有限公司 Method for realizing unified integrated binding service
CN114050911A (en) * 2021-09-27 2022-02-15 度小满科技(北京)有限公司 Container remote login method and system
CN114422229A (en) * 2022-01-14 2022-04-29 北京从云科技有限公司 WEB application single sign-on proxy method and device, sign-on method and server
CN117411729A (en) * 2023-12-14 2024-01-16 深圳竹云科技股份有限公司 Oracle database login method, device, computer equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007072318A2 (en) * 2005-12-23 2007-06-28 International Business Machines Corporation Secure identity management
US20080077809A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Credential Vault Encryption
CN101771534A (en) * 2008-12-30 2010-07-07 财团法人工业技术研究院 Single sign-on method for network browser and system thereof
CN101997685A (en) * 2009-08-27 2011-03-30 阿里巴巴集团控股有限公司 Single sign-on method, single sign-on system and associated equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
龙毅宏 (Long Yihong) et al.: "A Single Sign-On Scheme Transparent to Legacy Web Systems", 《信息安全与通信保密》 (Information Security and Communications Privacy) *

Cited By (55)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833238A (en) * 2012-08-14 2012-12-19 上海聚力传媒技术有限公司 Method, device, equipment and system for assisting network equipment to carry out user authentication
CN102833238B (en) * 2012-08-14 2016-07-27 上海聚力传媒技术有限公司 Method, device, equipment and system for assisting a network device in performing user verification
CN103679018B (en) * 2012-09-06 2018-06-12 百度在线网络技术(北京)有限公司 Method and apparatus for detecting CSRF vulnerabilities
CN103679018A (en) * 2012-09-06 2014-03-26 百度在线网络技术(北京)有限公司 Method and device for detecting CSRF vulnerabilities
CN103117998B (en) * 2012-11-28 2016-01-20 北京用友政务软件有限公司 Security hardening method based on a JavaEE application system
CN103117998A (en) * 2012-11-28 2013-05-22 北京用友政务软件有限公司 Security hardening method based on a JavaEE application system
US11146538B2 (en) 2013-09-25 2021-10-12 Amazon Technologies, Inc. Resource locators with keys
US10936730B2 (en) 2013-09-25 2021-03-02 Amazon Technologies, Inc. Data security using request-supplied keys
US11777911B1 (en) 2013-09-25 2023-10-03 Amazon Technologies, Inc. Presigned URLs and customer keying
CN105612716B (en) * 2013-09-25 2020-02-11 亚马逊技术有限公司 System and method for providing access to data
US10412059B2 (en) 2013-09-25 2019-09-10 Amazon Technologies, Inc. Resource locators with keys
US10037428B2 (en) 2013-09-25 2018-07-31 Amazon Technologies, Inc. Data security using request-supplied keys
CN105612716A (en) * 2013-09-25 2016-05-25 亚马逊技术有限公司 Resource locators with keys
WO2016000425A1 (en) * 2014-07-02 2016-01-07 百度在线网络技术(北京)有限公司 Method and server for logging in to third-party site
CN104168262B (en) * 2014-07-02 2017-08-18 百度在线网络技术(北京)有限公司 Method and server for logging in to a third-party website
CN104092679B (en) * 2014-07-02 2017-10-03 百度在线网络技术(北京)有限公司 Method and server for logging in to a third-party website
CN104092679A (en) * 2014-07-02 2014-10-08 百度在线网络技术(北京)有限公司 Method for logging in third-party site and server
CN104168262A (en) * 2014-07-02 2014-11-26 百度在线网络技术(北京)有限公司 Method and server for logging in third party site
CN105306423A (en) * 2014-07-04 2016-02-03 中国银联股份有限公司 Unified login method for distributed web station system
CN105306423B (en) * 2014-07-04 2018-12-25 中国银联股份有限公司 Unified login method for a distributed web station system
CN104468785A (en) * 2014-12-08 2015-03-25 上海斐讯数据通信技术有限公司 Electronic device, server device, and data request submitting method and processing method
CN104537486A (en) * 2014-12-25 2015-04-22 中建材国际贸易有限公司 Data transmission method for main control system and sub-control system by using PHP language
CN104537486B (en) * 2014-12-25 2018-07-20 中建材国际贸易有限公司 Data transmission method between a main control system and sub-control systems using the PHP language
CN104735066A (en) * 2015-03-18 2015-06-24 百度在线网络技术(北京)有限公司 Single sign-on method, device and system oriented to web page applications
CN107690792A (en) * 2015-06-15 2018-02-13 安维智有限公司 Single sign-on for unmanaged mobile devices
CN105812350A (en) * 2016-02-03 2016-07-27 北京中搜云商网络技术有限公司 Cross-platform single-point registration system
CN107294917A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 Trusted login method and device
CN107294916A (en) * 2016-03-31 2017-10-24 北京神州泰岳软件股份有限公司 Single sign-on method, single sign-on terminal and single sign-on system
CN107294916B (en) * 2016-03-31 2019-10-08 北京神州泰岳软件股份有限公司 Single sign-on method, single sign-on terminal and single sign-on system
CN108234415A (en) * 2016-12-21 2018-06-29 百度在线网络技术(北京)有限公司 Method and apparatus for verifying a user
CN106685998A (en) * 2017-02-24 2017-05-17 浙江仟和网络科技有限公司 SSO authentication method based on CAS unified authentication service middleware
CN109213546A (en) * 2017-06-30 2019-01-15 武汉斗鱼网络科技有限公司 Login processing method and device for a Windows client program
CN109213546B (en) * 2017-06-30 2021-09-07 武汉斗鱼网络科技有限公司 Login processing method and device for a Windows client program
CN109145039A (en) * 2017-12-25 2019-01-04 北极星云空间技术股份有限公司 UI bridging method suitable for federated workflow composition
CN108462706A (en) * 2018-03-06 2018-08-28 武汉理工大学 Single sign-on method and system
CN108462706B (en) * 2018-03-06 2022-05-03 武汉理工大学 Single sign-on method and system
CN109194683A (en) * 2018-09-30 2019-01-11 北京金山云网络技术有限公司 Logon information processing method, device and client
CN113228007A (en) * 2018-11-08 2021-08-06 思杰系统有限公司 System and method for secure SAAS redirection from native applications
CN109688114B (en) * 2018-12-10 2021-07-06 迈普通信技术股份有限公司 Single sign-on method, authentication server and application server
CN109688114A (en) * 2018-12-10 2019-04-26 迈普通信技术股份有限公司 Single sign-on method, authentication server and application server
CN111291284A (en) * 2018-12-10 2020-06-16 北京京东金融科技控股有限公司 Method and device for redirecting multi-level page
CN111385100A (en) * 2018-12-27 2020-07-07 柯尼卡美能达美国研究所有限公司 Method, computer readable medium and mobile device for accessing resources
CN111385100B (en) * 2018-12-27 2023-12-26 柯尼卡美能达美国研究所有限公司 Method, computer readable medium and mobile device for accessing resources
CN109743163A (en) * 2019-01-03 2019-05-10 优信拍(北京)信息科技有限公司 Permission authentication method, apparatus and system in a microservices framework
CN111241504B (en) * 2020-01-16 2024-01-05 远景智能国际私人投资有限公司 Identity verification method, device, electronic equipment and storage medium
CN111241504A (en) * 2020-01-16 2020-06-05 远景智能国际私人投资有限公司 Identity authentication method and device, electronic equipment and storage medium
CN111917837A (en) * 2020-07-13 2020-11-10 西安即刻易用网络科技有限公司 Web micro application program publishing system and implementation method thereof
CN113553569A (en) * 2021-07-06 2021-10-26 猪八戒股份有限公司 Single sign-on method, system and terminal of Syngnathus system based on proxy server
CN113660204A (en) * 2021-07-09 2021-11-16 北京航天云路有限公司 Method for realizing unified integrated binding service
CN113660204B (en) * 2021-07-09 2024-01-23 北京航天云路有限公司 Method for realizing unified integrated binding service
CN114050911A (en) * 2021-09-27 2022-02-15 度小满科技(北京)有限公司 Container remote login method and system
CN114050911B (en) * 2021-09-27 2023-05-16 度小满科技(北京)有限公司 Remote login method and system for container
CN114422229A (en) * 2022-01-14 2022-04-29 北京从云科技有限公司 WEB application single sign-on proxy method and device, sign-on method and server
CN117411729A (en) * 2023-12-14 2024-01-16 深圳竹云科技股份有限公司 Oracle database login method, device, computer equipment and medium
CN117411729B (en) * 2023-12-14 2024-05-10 深圳竹云科技股份有限公司 Oracle database login method, device, computer equipment and medium

Also Published As

Publication number Publication date
CN102624737B (en) 2015-05-06

Similar Documents

Publication Publication Date Title
CN102624737B (en) Single sign-on integrated method for Form identity authentication in single login system
US8412156B2 (en) Managing automatic log in to internet target resources
US9300653B1 (en) Delivery of authentication information to a RESTful service using token validation scheme
Li et al. Security issues in OAuth 2.0 SSO implementations
CN102480490B (en) Method for preventing CSRF attack and equipment thereof
CN105007280B (en) Application login method and device
US8006289B2 (en) Method and system for extending authentication methods
EP2359576B1 (en) Domain based authentication scheme
CN103220259B (en) OAuth API usage and calling method, equipment and system
US8141140B2 (en) Methods and systems for single sign on with dynamic authentication levels
CN102801808B (en) WebLogic-oriented Form authentication single sign-on integration method
CN104378376A (en) SOA-based single-point login method, authentication server and browser
US8275985B1 (en) Infrastructure to secure federated web services
US20130290719A1 (en) System and method for accessing integrated applications in a single sign-on enabled enterprise solution
CN101656711A (en) System and method for verifying website information
CN102171984A (en) Service provider access
CN110808840A (en) Service processing method and device, electronic equipment and storage medium
CN102739678B (en) Single-sign-on treatment system and single-sign-on processing method
CN108259457A (en) WEB authentication method and device
JP4932154B2 (en) Method and system for providing user authentication to a member site in an identity management network, method for authenticating a user at a home site belonging to the identity management network, computer readable medium, and system for hierarchical distributed identity management
CN102946396A (en) User agent device, host web server and user authentication method
Al-Sinani et al. CardSpace-Liberty integration for CardSpace users
CN109729045A (en) Single-point logging method, system, server and storage medium
Wang et al. A framework for formal analysis of privacy on SSO protocols
Gibbons et al. Security evaluation of the OAuth 2.0 framework

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150506

Termination date: 20160327