CN102624737B - Single sign-on integrated method for Form identity authentication in single login system - Google Patents

Info

Publication number
CN102624737B
Authority
CN
China
Prior art keywords
user
page
login
identity
account name
Prior art date
Legal status
Expired - Fee Related
Application number
CN201210083321.3A
Other languages
Chinese (zh)
Other versions
CN102624737A (en)
Inventor
龙毅宏
郭浩平
吴志奇
王亚龙
唐志红
许明
刘旭
张海松
Current Assignee
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Technology WUT
Original Assignee
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Technology WUT

Abstract

The invention relates to a single sign-on integration method for Form identity authentication in a single sign-on system. The single sign-on system comprises a Web application program, a Web server, a login request proxy page, a login authentication proxy page, a login authentication HTTP (hypertext transfer protocol) plug-in, a browser, an identity service system, a master account database and a master-slave account binding database. In the method, the login request proxy page receives the HTTP request for the login page and guides a user who is not yet logged in to log in to the identity service system; after authenticating the user, the identity service system submits, through the browser, a security token proving the user's identity to the account name and password authentication URL (uniform resource locator) of the Web application system the user wants to access; on receiving or intercepting the HTTP request submitted to the account name and password authentication URL, the login authentication proxy page or the HTTP plug-in verifies the security token and adds the user's local account name and password for the Web application system to the HTTP request, so that the user is logged in to the Web application system.

Description

Single sign-on integration method for Form identity authentication in a single sign-on system
Technical field
The invention belongs to the field of identity authentication and access control in information security, and in particular to a single sign-on integration method for Form identity authentication in a single sign-on system.
Background
With the development of enterprise e-commerce and office automation, enterprises and organizations have deployed a large number of information systems providing various specific functions (referred to below as application systems). To spare users from having to remember and enter a different account name and password (also called user name and password) for each application system, single sign-on (Single Sign On) technology was proposed. With single sign-on, a user only needs to complete online identity authentication (that is, log in) once at some online system using one identity credential (such as an account name and password, or a digital certificate), after which the user can access every other system he or she is entitled to access without entering an account name and password or presenting a digital certificate again.
A large class of currently deployed application systems adopts the Browser/Server architecture (B/S architecture for short) and is developed with Web page technology; such systems are called Web application systems. In a B/S system the client is a general-purpose browser, and the server side usually consists of a Web server, a Web application program and a database. The Web server may be an HTTP (HyperText Transfer Protocol) server (such as IIS or Apache), an HTTP server plus a Web container (such as Apache+Tomcat, or Tomcat directly receiving HTTP requests and sending responses), or a J2EE application server (Application Server, such as WebLogic or WebSphere). The Web application is usually developed with a particular page technology (such as JSP/Servlet, ASP.NET or PHP) and is deployed on and run by the Web server. The database stores the application's data.
Data exchange between the client browser and the Web server is carried out over HTTP: the browser sends a service request in HTTP form (an HTTP request) to the Web server; the Web server performs preliminary processing and hands the request to the corresponding Web page of the Web application; the Web server then returns the result produced by the Web page to the browser as an HTTP response; finally, the browser renders the returned content. Besides relaying HTTP requests and responses between the browser and the Web application (its Web pages), the Web server also provides the runtime environment and supporting services for the application's Web pages, such as maintenance of session (Session) data.
To restrict user access to protected functions or resources, so that only authorized users can access or use protected sensitive functions or resources, a Web application system must authenticate users (this is what is usually called "authentication", although the term is used loosely). There are many ways to authenticate identity; the most common is authentication based on an account name and password: before accessing a protected sensitive function or resource of a Web application system, the user must log in (Login) through the browser with the account name and password he or she holds in that Web application system. Among account-name/password authentication schemes, the most common technical solution for Web systems is so-called Form authentication: the user enters the account name and password into an HTML (HyperText Markup Language) form in a Web page, and the browser submits them to the server side for verification (hence this account-name/password authentication is also called Form authentication).
Form authentication is implemented in Web application systems in two ways: either the Web application is responsible for it, or the Web server is. If the Web application is responsible, it has a dedicated login page (such as Login.jsp) that returns a login interface to the browser for the user to enter and submit an account name and password, and a dedicated page (such as LoginCheck.jsp) that verifies the account name and password, called the login authentication page (the login page and the login authentication page may be the same Web page, as with Login.aspx in ASP.NET Form authentication, but they can still be regarded as two logically independent pages). If the Web server is responsible for Form authentication (whether the HTTP server itself or the dynamic page runtime environment, such as a JSP/Servlet Web Container or the ASP.NET runtime), the Web application still has to provide a login page for the user to enter the account name and password, but it does not provide a login authentication page; the account name and password are checked by a dedicated login authentication processing logic (module) inside the Web server. This logic is bound to a specific URL (Uniform Resource Locator), such as j_security_check: an HTTP request submitted to that URL is not handed to any Web page but to the login authentication processing logic inside the Web server. Whichever approach is used, when a user who has not completed identity authentication first accesses a protected resource (such as a Web page), the server side (Web application or Web server) returns the login page and prompts the user for an account name and password; after the user enters them, the browser submits them to the Web application's login authentication page or to the login authentication processing logic inside the Web server, and once they are verified the user can access the protected resource.
To realize single sign-on, the concept of an Identity Provider (IdP) was introduced: a system that provides online identity authentication as a service, called here the identity service system. For Web application systems, a user only needs to log in once (complete online identity authentication) at the identity service system with a browser and can then access every other Web application system in the identity service system's trust domain that he or she is entitled to access, without logging in (authenticating) again. For this single sign-on scheme to be applied successfully, however, one key problem must be solved: how to interconnect existing Web application systems of all kinds with the identity service system so that single sign-on is actually achieved. The problem is as follows.
The Web application systems involved in single sign-on usually each have their own user management component (system) and account database, and they control user access based on their own user accounts (account name and password). The user account a user uses to log in to and authenticate at the identity service system may differ from (though it may also coincide with) the user's account in the Web application system to be accessed. Where they differ, one approach is to modify the original application system so that it accepts the identity service system's user account as the identifier of the user and performs access control accordingly. Because this requires modifying the application system, however, it often cannot be put into practice. Another approach is for the user to log in to the identity service system with a user account called the main account, which may be the user's existing account in some application system, an existing global account (such as an account in Windows Active Directory), or a newly created dedicated global account; the user's main account is associated in advance, by some means, with the user's accounts in the different application systems (called slave accounts), a process called identity (account) federation (Identity Federation or Account Federation) or identity (account) binding (Identity Binding or Account Binding). After the user has logged in to (authenticated at) the identity service system with the main account and accesses a particular application system, the main account is translated by some means into the user's corresponding slave account in that application system, and the user accesses the application system with that slave account. This translation from master to slave account is called identity (account) mapping (Identity Mapping or Account Mapping). Binding and mapping relations alone are not enough, however: the original system cannot interact with the identity service system and cannot carry out this account conversion by itself, so a technical means is needed to perform the required functions automatically. Given the problems of the first approach and the technical requirements of the second, a single sign-on integration solution that performs master-to-slave mapping and conversion automatically, without changing the original system's authentication mode, user accounts or program, is very useful and important. Since Form authentication is currently the most widespread authentication mode in Web application systems, the research and development of a single sign-on integration solution for Form authentication is particularly important. For this problem the present inventors earlier proposed a single sign-on integration method based on a Filter and password auto-filling (see references [1-2]), but that method has the following shortcomings:
1) In many cases the relevant functions are rather complicated or difficult to implement through the Filter mechanism;
2) The Filter has to decide which system functions or resources are protected, which in some cases it cannot do: for example, when the Web application decides from its own business logic, rather than from the HTTP request URL, whether the user needs to log in (authenticate), the Filter (which decides based on the HTTP request URL) cannot tell whether the user needs to log in or authenticate;
3) The Filter intercepts every HTTP request, even after the user has completed identity authentication;
4) Before the Filter submits the user's account name and password to the login authentication page by password auto-filling, the user has not first visited the login page (such as Login.jsp), that is, the visit to the login page is skipped; yet the Web application system may well perform some initialization for the user's later operations (including password verification) when the user first visits the login page, and skipping that first visit may break the subsequent processing logic (such as password verification);
5) After the Filter completes the user's authentication and local login, it has to redirect the user to the protected Web page originally requested; and when the user first accessed the protected resource with the POST method, the Filter has to guide the user to access the protected resource again with the POST method and the original POST parameters, which is technically complicated or even infeasible, whereas the original system itself may already have this function.
To address these problems, the single sign-on integration method proposed by the present invention makes the following improvements:
1) The method of the invention can implement the single sign-on functions either with Web page technology (that is, proxy pages) or with a Web HTTP plug-in (a Filter or Filter-like) mechanism; the former is preferred, and the latter is used only where the former is unsuitable. In most cases the former can be used, which greatly simplifies development;
2) The login plug-in does not decide which system functions or resources are protected; the original system still does. The login plug-in only changes the login (identity authentication) flow transparently;
3) The login processing plug-in (proxy page or Web HTTP plug-in) intercepts only HTTP requests submitted to the login page and to the account name/password authentication URL, not all other HTTP requests, which reduces the plug-in's possible impact on the system to a minimum;
4) In every case the HTTP request with which the user accesses the login page reaches the system's original login page and is processed there, so the original system's processing logic is not affected;
5) The Web server or Web application originally responsible for Form authentication remains responsible, after the user logs in successfully, for redirecting the user to the protected Web page originally requested, including the case where the user first accessed the protected resource with POST; this greatly reduces the complexity of the single sign-on integration technique.
References:
[1] Long Yihong, Li Changyou, Tang Zhihong, Liu Xu. A single sign-on scheme transparent to Web legacy systems. Information Security and Communication Security, 2010, No. 10, pp. 67-69, 72.
[2] Li Xineng (postgraduate), Long Yihong (supervisor). Design and Implementation of a Unified Identity Authentication and Single Sign-On System. Master's thesis, Wuhan University of Technology, May 2010.
Summary of the invention
The object of the invention is, for the case of a Web application system in a single sign-on system that uses Form authentication, to propose a single sign-on integration method that realizes single sign-on without modifying the Web application or the Web application system's own authentication mode.
To achieve this object, the technical solution adopted by the invention is as follows:
A single sign-on integration method for Form authentication in a single sign-on system, where the single sign-on system comprises a Web application, a Web server, a login request proxy page, a login authentication proxy page, a login authentication HTTP plug-in, a browser, an identity service system, a main account database and a master-slave account binding database, wherein:
Web application: a program composed of a set of Web pages developed with a particular Web page technology and deployed on the Web server, realizing a predetermined application function;
Web server: provides HTTP request receiving and response sending for the Web pages of the Web application, together with other supporting functions, including: receiving service requests in HTTP form submitted by the user's browser, handing them after preliminary processing to the Web application page for processing, and then sending the result returned by the Web application page to the user's browser as an HTTP response. The Web server comprises an HTTP Web server and the corresponding dynamic page runtime environment (such as a JSP/Servlet Web Container or the ASP.NET runtime). The Web server and the Web application deployed on it constitute the Web application system that realizes the predetermined application function;
Login request proxy page: deployed on the Web server of a Web application system that uses Form authentication; receives the HTTP request for the login page, passes it on to the Web application system's original login page and, as single sign-on requires, performs corresponding processing on the returned result;
Login authentication proxy page: deployed on the Web server of a Web application system whose Form authentication is implemented by the Web application; receives the HTTP request submitted to the URL corresponding to the account name/password authentication function and, after corresponding processing, passes an HTTP request containing the user's local user name and password for the application system on to the Web application system's original login authentication page that verifies account names and passwords;
Login authentication HTTP plug-in: deployed on the Web server of a Web application system whose Form authentication is implemented by the Web server; intercepts the HTTP request submitted to the URL corresponding to the account name/password authentication function and, after corresponding processing, passes an HTTP request containing the user's local user name and password for the application system on to the login authentication processing logic inside the Web server that verifies account names and passwords;
Browser: the client through which the user interacts with the Web application system; it sends HTTP requests to the Web server over HTTP, receives the HTTP responses the Web server returns and renders their content;
Identity service system: the system providing the online identity authentication service; it authenticates users online based on their identity credentials and, by the corresponding single sign-on protocol, passes a security token proving the user's identity to the Web application system via the browser;
Main account database: stores the main account information with which users log in to the identity service system, that is, the account name and password of the main account or the information about the digital certificate corresponding to the main account;
Master-slave account binding database: stores the correspondence (binding) between a user's main account and the user's slave accounts in the Web application systems, together with the slave account passwords.
The Web application systems authenticate users in some way; when a user accesses a protected function or resource (such as a Web page) of a Web application system, access is permitted only after the user has completed identity authentication with his or her account in that system. Some of the Web application systems authenticate client users by Form authentication, implemented either by the Web server or by the Web application.
The login request proxy page takes the name of the original login page (such as Login.jsp), and the original login page is renamed (for example to LoginBak.jsp); the login authentication proxy page takes the name of the original login authentication page (such as LoginCheck.jsp), and the original login authentication page is renamed (for example to LoginCheckBak.jsp).
The login authentication HTTP plug-in is inserted into the Web server's HTTP request/response processing chain through the HTTP plug-in extension mechanism the Web server provides; it intercepts and processes only HTTP requests and responses for the URL corresponding to the account name/password authentication function (such as j_security_check) and neither intercepts nor processes any other HTTP request or response. The Web server's HTTP plug-in extension mechanism is provided either by the HTTP server or by the dynamic page runtime environment (such as a JSP/Servlet Web Container or the ASP.NET runtime).
The login request proxy page and the login authentication proxy page or login authentication HTTP plug-in have corresponding configuration information holding the single sign-on settings, such as the identity service system's user login address (URL) and the digital certificate or symmetric key used to sign security tokens.
The login request proxy page and the login authentication proxy page or login authentication HTTP plug-in keep, for each user, login (identity authentication) related information called the user login information, which comprises:
1) Identity authentication flag: indicates whether a security token proving the user's identity, issued by the identity service system, has been received; if the user has completed identity authentication at the identity service system its value is "true", otherwise "false";
2) The user's main account name: the account name the user uses to authenticate at the identity service system;
3) The user's slave account name: the user's account name local to the application system, corresponding to the main account name.
The above user login information is kept in the session (Session) data storage that the Web server (HTTP server or dynamic page runtime environment) provides to the login request proxy page and the login authentication proxy page or login authentication HTTP plug-in (such as the Servlet Session object or an HTTP Cookie).
The format of the security token issued by the identity service system depends on the single sign-on protocol in use; it may be a SAML (Security Assertion Markup Language) Assertion, a WS-Federation Security Token, or a custom security token. The identity service system guarantees the security (authenticity and integrity) of the issued security token by digital signature.
The identity credential a user presents for online identity authentication at the identity service system may be an ordinary account name and password, a digital certificate, or other electronic identity data that can identify and authenticate the user. The account the user uses to authenticate at the identity service system is called the main account. A slave account is the user's account in a particular Web application system, comprising an account name and password; the user's main account and slave account in a given Web application system may be the same or different.
After receiving an HTTP request for the login page, the login request proxy page processes it as follows:
A1. The received HTTP request is sent directly to the system's original login page by an internal forwarding or calling mechanism;
A2. After the original login page returns its response, the identity authentication flag is checked. If its value is "true", the response is returned as is. If its value is "false" or it is not set, its value is set to "false" and the user's browser is directed to the identity service system's user login page, either by an external redirect or by returning a Web page that automatically submits an HTTP request; the URL of the redirected or automatically submitted HTTP request carries the identifier of the local Web application system.
When, in step A2, the login request proxy page has directed the user's browser to the identity service system's user login page by an external redirect or a Web page that automatically submits an HTTP request, the identity service system processes the HTTP request as follows:
B1. From the Web application system identifier carried in the HTTP request URL, determine whether the Web application system the user wants to access is one the identity service system trusts and serves; if not, return an error message; otherwise, proceed to the next step;
B2. Determine whether the user has previously completed identity authentication at the identity service system; if so, proceed to the next step; otherwise direct the user to the login page, authenticate the user based on the main account, and proceed to the next step once authentication succeeds;
B3. From the user's main account and the Web application system to be accessed, look up in the master-slave account binding database the user's slave account name and password in that Web application system;
B4. Generate for the user a security token containing the main account name, the slave account name and the encrypted slave account password, digitally sign the relevant information, return the user identity proof information containing the security token to the user's browser in the form of an HTML Form, and have the Form automatically POST (Submit) the user identity proof information containing the security token to the URL corresponding to the account name/password authentication function of the Web application system the user needs to access.
After the login authentication proxy page or login authentication HTTP plug-in receives or intercepts an HTTP request submitted to the URL corresponding to the account name/password authentication function, it processes the request as follows:
C1. Check whether the HTTP request contains a security token submitted by the identity service system or an account name and password submitted directly by the user; in the former case proceed to step C2, otherwise to step C4;
C2. Verify the validity of the security token by its digital signature; if invalid, set the identity authentication flag to "false" and return an error message; otherwise, proceed to the next step;
C3. Take from the security token the user's main account name, slave account name and, after decryption, slave account password; save the main account name and slave account name as the user login information and set the identity authentication flag to "true"; then add the slave account name and password to the HTTP request in the way the system's original account name/password submission expects, send the newly formed HTTP request by an internal forwarding, calling or pass-through mechanism to the system's original login authentication page or to the login authentication processing logic inside the Web server, and return the response they produce, completing the processing of this HTTP request;
C4. Check the identity authentication flag; if its value is "false" or it is not set, set it to "false" and direct the user's browser to the identity service system's user login page, either by an external redirect or by returning a Web page that automatically submits an HTTP request, carrying the identifier of the local Web application system in the URL of the redirected or automatically submitted request; otherwise, proceed to the next step;
C5. Check whether the account name in the current HTTP request matches the slave account name saved in the user login information; if not, return an error message; otherwise, update the master-slave account binding database from the main account name and slave account name saved in the user login information and the password in the current HTTP request, send the current HTTP request by an internal forwarding, calling or pass-through mechanism to the system's original login authentication page or the login authentication processing logic inside the Web server, and return the response they produce, completing the processing of this HTTP request.
If in step C3 the login authentication proxy page or login authentication HTTP plug-in cannot add the slave account name and password directly to the HTTP request it has received or intercepted, then in step C3, after setting the identity authentication flag to "true", it itself generates and submits an HTTP request containing the slave account name, password and other relevant information to the Web application system's URL corresponding to the user name/password authentication function, and returns the result of that request. Correspondingly, in step C1, before carrying out the processing described, the login authentication proxy page or login authentication HTTP plug-in first checks the relevant information to determine whether the received or intercepted HTTP request was submitted by itself; if so, it lets the HTTP request and response pass through without further processing.
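The token issuance of steps B3-B4 and the proxy handling of steps C1-C5, as an added worked example in Python that is not part of the patent. The token is a constructed JSON structure signed with HMAC-SHA256 under a symmetric key (the page allows a symmetric key in place of the certificate signature), the slave password field is protected with an HMAC-derived keystream because the page does not fix a cipher, and `j_username`/`j_password` are the Servlet form-login field names that pair with `j_security_check`; the audience and expiry claims, the binding store contents and every key value are assumptions added here.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample values; a deployment reads these from the proxy's configuration information.
SHARED_KEY = b"constructed-demo-key-shared-by-idp-and-proxy"
LOCAL_APP_ID = "crm"                          # identifier of the local Web application system
IDP_LOGIN_URL = "https://idp.example/login"   # identity service user login URL (constructed)
TOKEN_LIFETIME = 300                          # seconds; the freshness check is an addition

# Master-slave account binding database: main account -> {app id: (slave name, slave password)}
BINDING_DB = {"alice@idp": {"crm": ("alice_crm", "Tr0ub4dor&3")}}   # constructed


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def _subkey(key: bytes, purpose: bytes) -> bytes:
    # Key separation: distinct keys for the password keystream and the token MAC.
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in keystream; integrity comes from the outer token MAC.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_password(key: bytes, password: str) -> str:
    nonce, data = secrets.token_bytes(16), password.encode()
    return _b64(nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data)))))


def decrypt_password(key: bytes, blob: str) -> str:
    raw = _unb64(blob)
    nonce, ct = raw[:16], raw[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


def issue_token(main_account, app_id, binding_db, key=SHARED_KEY, now=None):
    """Identity service, steps B3-B4: look up the slave account and build the signed token."""
    slave_name, slave_password = binding_db[main_account][app_id]          # B3
    now = int(time.time()) if now is None else now
    body = {
        "sub": main_account,                                              # main account name
        "slave": slave_name,                                              # slave account name
        "pw": encrypt_password(_subkey(key, b"enc"), slave_password),     # encrypted slave password
        "aud": app_id,                                                    # addition: target system
        "exp": now + TOKEN_LIFETIME,                                      # addition: expiry
    }
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(_subkey(key, b"mac"), payload, hashlib.sha256).digest()   # B4 signature
    return _b64(payload) + "." + _b64(sig)


def verify_token(token, key=SHARED_KEY, now=None):
    """Step C2: return the claims if signature, audience and freshness check out, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:                      # malformed token or bad base64 (binascii.Error)
        return None
    expected = hmac.new(_subkey(key, b"mac"), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    now = int(time.time()) if now is None else now
    if claims.get("aud") != LOCAL_APP_ID or claims.get("exp", 0) < now:
        return None
    return claims


def login_check_proxy(params, session, binding_db, key=SHARED_KEY):
    """Login authentication proxy page / HTTP plug-in, steps C1-C5.

    params: form fields submitted to the account name/password authentication URL.
    session: per-user login information (identity flag, main and slave account names).
    Returns ("forward", fields) for the original check logic, ("redirect", url) to the
    identity service, or ("error", message).
    """
    if "token" in params:                                            # C1: token from the IdP
        claims = verify_token(params["token"], key)
        if claims is None:                                           # C2: invalid token
            session["authenticated"] = False
            return ("error", "invalid security token")
        slave_password = decrypt_password(_subkey(key, b"enc"), claims["pw"])
        session.update(authenticated=True, main_account=claims["sub"],
                       slave_account=claims["slave"])                # C3: save login information
        return ("forward", {"j_username": claims["slave"], "j_password": slave_password})
    if not session.get("authenticated"):                             # C4: no prior IdP login
        session["authenticated"] = False
        return ("redirect", f"{IDP_LOGIN_URL}?app={LOCAL_APP_ID}")
    if params.get("j_username") != session.get("slave_account"):     # C5: name must match binding
        return ("error", "account name does not match the bound slave account")
    binding_db.setdefault(session["main_account"], {})[LOCAL_APP_ID] = (
        params["j_username"], params["j_password"])                  # C5: refresh stored password
    return ("forward", {"j_username": params["j_username"], "j_password": params["j_password"]})
```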
Innovation of the present invention is: by the web proxy page or HTTP plug-in unit, makes to adopt the Web application system of Form identity verify can realize single-sign-on when not making an amendment (not revising web application and identity verify mode).
A maximum feature of the present invention is: implement simple.
Description of the drawings
Fig. 1 is the overall structural block diagram of the single sign-on system of the present invention.
Detailed description
The present invention is described in further detail below with reference to the accompanying drawing.
The present invention is a single sign-on integration method for Form identity authentication in a single sign-on system. The overall structure of the single sign-on system used by this method is shown in Fig. 1 and comprises a Web application, a Web server, a login request proxy page, a login authentication proxy page, a login authentication HTTP plug-in, a browser, an identity service system, a master account database and a master/sub-account binding database, where the Web application and the Web server constitute the Web application system. The functions of the system components have been described in detail in the summary of the invention above and are not repeated here. Among the components of the whole single sign-on system, the login request proxy page, the login authentication proxy page, the login authentication HTTP plug-in, the identity service system, the master account database and the master/sub-account binding database are the content to be implemented by the present invention, and among these the login request proxy page, the login authentication proxy page and the login authentication HTTP plug-in are the most critical and most important parts.
The identity service system can be implemented with any existing mature information system technology, such as J2EE or ASP.NET. The master account database can be LDAP, a relational database, an existing Windows Active Directory, or the account database of some application system. The master/sub-account binding database can be a relational database; it only needs to store the following information: 1) the user's master account name; 2) the user's sub-account name and password in each application system the user is authorized to access.
The implementation of the login request proxy page and the login authentication proxy page depends on the Web page development technology used by the Web server on which they are deployed and by the corresponding Web application; the implementation of the login authentication HTTP plug-in depends on the Web server adopted.
If the Web application is developed with JSP/Servlet technology and Form identity authentication is implemented by the Web application itself, then the login request proxy page and the login authentication proxy page can be developed with JSP/Servlet technology; they forward the received HTTP request to the original login page and the original login authentication page respectively through the internal forward mechanism, and the login authentication proxy page can add the user's sub-account name and password directly to the HTTP request before forwarding.
If the Web application is developed with JSP/Servlet technology and Form identity authentication is implemented by the Web container (JSP/Servlet container), then the login request proxy page can be developed with JSP/Servlet technology, while the concrete development and implementation mechanism of the login authentication HTTP plug-in depends on the Web container or Web server adopted. If the Web container is Tomcat, the login authentication HTTP plug-in can be developed as a Tomcat Valve; if the Web server is the WebSphere application server, it can be developed as a Servlet Filter; if the Web server is the GlassFish application server, it can be developed as a GlassFish Valve or a Tomcat Valve.
If the Web application adopting Form identity authentication is developed with ASP.NET, then the login request proxy page and the login authentication proxy page are the same page, developed with ASP.NET technology, called the login proxy page, and it is configured as the login (Login) page of ASP.NET Forms authentication. The login proxy page passes the current HTTP request, without modification, to the original login page of the ASP.NET application's Forms authentication (normally Login.aspx) through Server.Transfer; after completing the verification of the security token, the login proxy page can generate and submit to itself a new HTTP request containing the sub-account name and password.
If the Web application is developed with PHP and Form identity authentication is implemented by the Web application, then the login request proxy page and the login authentication proxy page can be developed with PHP; they forward the received HTTP request to the original login page and the original login authentication page respectively through PHP's include, and the login authentication proxy page adds the user's sub-account name and password directly to the HTTP request before forwarding by modifying $_POST.
For Web applications developed with other dynamic page technologies and for other Web servers, the specific implementation is determined according to the internal HTTP request forwarding and invocation mechanisms provided by the dynamic page technology and the HTTP plug-in mechanism provided by the Web server.
In addition, for the concrete implementation of the single sign-on protocol and security token involved, standard protocols can be adopted, such as SAML or WS-FPRP (WS-Federation Passive Requestor Profile), with the corresponding SAML assertion or WS-Security token serving as the security token that proves the user's identity; or a custom single sign-on protocol and custom security token can be used, as long as the interaction and processing are consistent with those of the present invention. If the single sign-on protocol and security token are based on XML (eXtensible Markup Language), as with SAML and WS-FPRP, then various mature dynamic libraries, class libraries (such as the Windows Communication Foundation class library) and APIs (such as the Java API for XML Processing, JAXP) can be used to process the XML data. For the implementation of data encryption and digital signatures, various mature dynamic libraries (such as OpenSSL), class libraries (such as the Java Cryptography Extension) and APIs (such as the Windows CryptoAPI) can be used.
Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (10)

1. A single sign-on system for Form identity authentication, comprising a Web application, a Web server, a login request proxy page, a login authentication proxy page, a login authentication HTTP plug-in, a browser, an identity service system, a master account database and a master/sub-account binding database, wherein:
Web application: a program developed with a Web page technology, composed of Web pages deployed on the Web server, that implements predetermined application functions;
Web server: provides the Web pages of the Web application with HTTP request reception and response transmission functions and other related support functions, including receiving the HTTP-format service requests submitted by the user's browser, submitting them after corresponding preliminary processing to the Web application pages for processing, and afterwards sending the results returned by the Web application pages to the user's browser in the form of HTTP responses; the Web server comprises an HTTP Web server and the corresponding dynamic page runtime environment; the Web server and the Web application deployed on it constitute the Web application system that implements the predetermined application functions;
Login request proxy page: deployed on the Web server of a Web application system adopting Form identity authentication; receives the HTTP request for obtaining the login page, passes that request to the original login page of the Web application system and, according to the needs of single sign-on, processes the returned result accordingly;
Login authentication proxy page: deployed on the Web server of a Web application system in which Form identity authentication is implemented by the Web application; receives the HTTP request submitted to the URL corresponding to the account name/password authentication function and checks whether the HTTP request contains a security token submitted by the identity service system or an account name and password submitted directly by the user. In the former case, after determining the validity of the security token by digital signature verification, it obtains from the security token the user's master account name, sub-account name and, after decryption, sub-account password, saves the master account name and sub-account name as the user login information, sets the identity authentication flag to "True", adds the sub-account name and password to the HTTP request in the form in which the system originally submits account name and password, and then passes the HTTP request containing the user's local account name and password for the application system to the original login authentication page of the Web application system that verifies account name and password. In the latter case, after determining that the user has already completed identity authentication and that the account name in the HTTP request is consistent with the user's local account name saved in the user login information, it updates the master/sub-account binding database with the master account name saved in the user login information and the sub-account name and password in the current HTTP request, then passes the current HTTP request by internal forwarding, invocation or pass-through to the original login authentication page of the Web application system, lets the response returned by the original login authentication page be returned, and completes the processing of this HTTP request;
Login authentication HTTP plug-in: deployed on the Web server of a Web application system in which Form identity authentication is implemented by the Web server; intercepts the HTTP request submitted to the URL corresponding to the account name/password authentication function and checks whether the HTTP request contains a security token submitted by the identity service system or an account name and password submitted directly by the user. In the former case, after determining the validity of the security token by digital signature verification, it obtains from the security token the user's master account name, sub-account name and, after decryption, sub-account password, saves the master account name and sub-account name as the user login information, sets the identity authentication flag to "True", adds the sub-account name and password to the HTTP request in the form in which the system originally submits account name and password, and then passes the HTTP request containing the user's local account name and password for the application system to the original login authentication page of the Web application system that verifies account name and password. In the latter case, after determining that the user has already completed identity authentication and that the account name in the HTTP request is consistent with the user's local account name saved in the user login information, it updates the master/sub-account binding database with the master account name saved in the user login information and the sub-account name and password in the current HTTP request, then passes the current HTTP request by internal forwarding, invocation or pass-through to the login authentication processing logic inside the Web server, lets the response returned by that processing logic be returned, and completes the processing of this HTTP request;
Browser: the client through which the user interacts with the Web application system; its functions include transmitting HTTP requests to the Web server over HTTP, receiving the HTTP responses returned by the Web server and presenting the response content;
Identity service system: a system providing online identity authentication services to users; its functions include authenticating the user's online identity based on the user's identity credential and, through the corresponding single sign-on protocol and via the browser, transmitting to the Web application system the security token that proves the user's identity;
Master account database: stores the master account information with which users log in to the identity service system, including the account name and password of the master account, or the relevant information of the digital certificate corresponding to the master account;
Master/sub-account binding database: stores the correspondence or binding relationship between a user's master account and the user's sub-account in each Web application system, together with the sub-account password;
When a user accesses a protected function or resource of a Web application system, the Web application system performs identity authentication on the user, that is, the user can access the protected function or resource only after completing identity authentication with the corresponding account in that Web application system; among the Web application systems, some adopt the Form identity authentication mode to authenticate client users, and the implementation of Form identity authentication is the responsibility either of the Web server or of the Web application;
The format of the security token issued by the identity service system depends on the single sign-on protocol used, and is a SAML assertion, a WS-Federation security token or a custom security token; the identity service system ensures the security of the issued security token by a digital signature;
The identity credential a user employs for online identity authentication in the identity service system can be an ordinary account name and password, a digital certificate, or other electronic identity data that can identify and authenticate the user; the account the user uses for identity authentication in the identity service system is called the master account; the sub-account refers to the user's corresponding account in a Web application system, including account name and password; a user's master account and sub-account in a Web application system can be the same or different.
2. The single sign-on system for Form identity authentication according to claim 1, characterized in that:
the login request proxy page uses the name of the original login page, and the original login page is renamed; the login authentication proxy page uses the name of the original login authentication page, and the original login authentication page is renamed; the login authentication HTTP plug-in is inserted into the HTTP request/response processing channel of the Web server by means of the HTTP plug-in extension mechanism provided by the Web server, intercepts and processes only the HTTP requests and responses submitted to the URL corresponding to the account name/password authentication function, and performs no interception or processing on any other HTTP requests and responses; the HTTP plug-in extension mechanism provided by the Web server is provided either by the HTTP server or by the dynamic page runtime environment;
the login request proxy page and the login authentication proxy page or login authentication HTTP plug-in have corresponding configuration information for setting the information related to single sign-on, including the user entry address of the identity service system and the digital certificate or symmetric key used to verify the signature on the security token;
the login request proxy page and the login authentication proxy page or login authentication HTTP plug-in save the information related to each user's identity authentication, called the user login information, which comprises:
1) identity authentication flag: indicates whether a security token proving the user's identity, issued by the identity service system, has been received; if the user has completed identity authentication in the identity service system, the value of this flag is "True", otherwise it is "false";
2) user's master account name: the account name the user uses for identity authentication in the identity service system;
3) user's sub-account name: the user's local account name in the application system, corresponding to the master account name;
the user login information is kept in the session data storage location that the Web server provides to the login request proxy page and the login authentication proxy page or login authentication HTTP plug-in.
3. The single sign-on system for Form identity authentication according to claim 2, characterized in that, after the login request proxy page receives the HTTP request for obtaining the login page, it processes the HTTP request as follows:
Step 1: the received HTTP request is sent directly to the original login page of the system by internal forwarding or invocation;
Step 2: after the original login page returns its response, the identity authentication flag is checked; if its value is "True", the response is returned directly; if its value is "false" or it has not been set, it is set to "false", and the user's browser is directed to the user login page of the identity service system either by an external redirect or by returning a Web page that submits an HTTP request automatically, the URL of the redirected or automatically submitted HTTP request including the identifier of the local Web application system.
4. The single sign-on system for Form identity authentication according to claim 3, characterized in that, when the user's browser has been directed in step 2 by the login request proxy page to the user login page of the identity service system, by an external redirect or by a returned Web page that submits an HTTP request automatically, the identity service system processes the HTTP request as follows:
Step 1: determine from the Web application system identifier carried in the HTTP request URL whether the Web application system the user wants to access is one that it trusts and serves; if not, return an error message; otherwise, proceed to step 2;
Step 2: determine whether the user has previously completed identity authentication in the identity service system; if so, proceed to step 3; otherwise, direct the user to the login page, authenticate the user based on the master account, and proceed to step 3 after successful authentication;
Step 3: according to the user's master account and the Web application system the user wants to access, obtain from the master/sub-account binding database the user's sub-account name and password in that Web application system;
Step 4: generate for the user a security token containing the master account name, the sub-account name and the encrypted sub-account password, digitally sign the relevant information, return the user identity proof information containing the security token to the user's browser in the form of a Form, and submit the user identity proof information containing the security token, by automatic POST of the Form, to the URL corresponding to the account name/password authentication function of the Web application system the user needs to access.
5. The single sign-on system for Form identity authentication according to claim 2, characterized in that, after the login authentication proxy page or login authentication HTTP plug-in receives or intercepts an HTTP request submitted to the URL corresponding to the account name/password authentication function, it processes the HTTP request as follows:
Step 1: check whether the HTTP request contains a security token submitted by the identity service system or an account name and password submitted directly by the user; in the former case, proceed to step 2; otherwise, proceed to step 4;
Step 2: verify the validity of the security token by its digital signature; if it is invalid, set the identity authentication flag to "false" and return an error message; otherwise, proceed to step 3;
Step 3: obtain from the security token the user's master account name, sub-account name and, after decryption, sub-account password, save the master account name and sub-account name as the user login information, and set the identity authentication flag to "True"; then add the sub-account name and password to the HTTP request in the form in which the system originally submits account name and password, pass the newly formed HTTP request by internal forwarding, invocation or pass-through to the original login authentication page of the system or to the login authentication processing logic inside the Web server, let the response returned by that page or logic be returned, and complete the processing of this HTTP request;
Step 4: check the identity authentication flag; if its value is "false" or it has not been set, set it to "false" and direct the user's browser to the user login page of the identity service system, either by an external redirect or by returning a Web page that submits an HTTP request automatically, the URL of the redirected or automatically submitted HTTP request including the identifier of the local Web application system; otherwise, proceed to step 5;
Step 5: check whether the account name in the current HTTP request is consistent with the sub-account name saved in the user login information; if it is not, return an error message; otherwise, update the master/sub-account binding database with the master account name saved in the user login information and the sub-account name and password in the current HTTP request, then pass the current HTTP request by internal forwarding, invocation or pass-through to the original login authentication page of the system or to the login authentication processing logic inside the Web server, let the response returned by that page or logic be returned, and complete the processing of this HTTP request.
6. The single sign-on system for Form identity authentication according to claim 5, characterized in that, if in step 3 the login authentication proxy page or login authentication HTTP plug-in cannot add the sub-account name and password directly to the HTTP request currently received or intercepted, then in step 3, after setting the identity authentication flag to "True", it directly generates and submits an HTTP request containing the sub-account name, password and other relevant information to the URL corresponding to the user name/password authentication function of the Web application system, and then returns the result of that request; correspondingly, in step 1, before carrying out the related processing, the login authentication proxy page or login authentication HTTP plug-in first determines, by checking the relevant information, whether the HTTP request it received or intercepted was submitted by itself, and if so lets that HTTP request and its response pass through without further processing.
7. The single sign-on system for Form identity authentication according to claim 1 or 3, characterized in that, if a login request HTTP plug-in is deployed on the Web server of the Web application system adopting Form identity authentication, inserted into the HTTP request/response processing channel of the Web server by means of the HTTP plug-in extension mechanism provided by the Web server, and the login request HTTP plug-in intercepts only the HTTP request for obtaining the login page and its response, performs the operations of the login request proxy page, and does not intercept or process any other HTTP requests and responses, then, with the original login page kept unchanged, deploying the login request HTTP plug-in achieves the same single sign-on effect as deploying the login request proxy page.
8. The single sign-on system for Form identity authentication according to claim 1, characterized in that, if a login authentication HTTP plug-in is deployed instead of the login authentication proxy page on the Web server of a Web application system in which Form identity authentication is implemented by the Web application, then, with the original login page kept unchanged, deploying the login authentication HTTP plug-in achieves the same single sign-on effect as deploying the login authentication proxy page.
9. The single sign-on system for Form identity authentication according to claim 7, characterized in that the login request HTTP plug-in is deployed in place of the login request proxy page only when the login request proxy page cannot perform the described operations.
10. The single sign-on system for Form identity authentication according to claim 5 or 8, characterized in that the login request HTTP plug-in is deployed in place of the login authentication proxy page only when the login authentication proxy page cannot perform the described operations.
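As an added example, not code from the patent (whose embodiments are described in JSP/Servlet, ASP.NET and PHP terms), the following Python models the request-handling procedures of claims 3, 4 and 5, and steps C4/C5 of the method above, as functions over a request dictionary and a session dictionary, so the control flow can be exercised offline. Everything concrete is constructed: the shared keys, the contents of the binding database, the application identifier `crm`, the URLs, and the token format (a base64url JSON body plus an HMAC-SHA256 signature, standing in for the SAML assertion or WS-Federation token the claims allow). The password cipher is a placeholder HMAC keystream, not a cipher a deployment would use.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode
from html import escape

# Constructed values; none of these come from the patent.
APP_ID = "crm"                                    # identifier of the local Web application system
AUTH_URL = "/crm/j_security_check"                # URL of the account name / password authentication function
IDP_LOGIN_URL = "https://idp.example.test/login"  # user entry address of the identity service system
SIGNING_KEY = b"constructed-signing-key"          # symmetric key for the token signature (claim 2)
PASSWORD_KEY = b"constructed-password-key"        # key protecting the sub-account password inside the token
TRUSTED_APPS = {APP_ID}                           # applications the identity service serves (claim 4, step 1)
# Master/sub-account binding database: master account -> {app id: (sub-account name, sub-account password)}
BINDING_DB = {"alice": {APP_ID: ("alice_crm", "crm-pass-1")}}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Placeholder symmetric cipher: XOR with an HMAC-SHA256 keystream in counter mode.
    A deployment would use a real cipher from OpenSSL, JCE or CryptoAPI, as the patent suggests."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_password(password: str) -> str:
    nonce = secrets.token_bytes(16)
    return urlsafe_b64encode(nonce + _keystream_xor(PASSWORD_KEY, nonce, password.encode())).decode()


def decrypt_password(blob: str) -> str:
    raw = urlsafe_b64decode(blob)
    return _keystream_xor(PASSWORD_KEY, raw[:16], raw[16:]).decode()


def _sign(body: str) -> str:
    return hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()


def login_request_proxy(session: dict, original_login_page: str) -> dict:
    """Claim 3: after the original login page has rendered, gate on the identity authentication flag."""
    if session.get("authenticated"):
        return {"action": "respond", "body": original_login_page}
    session["authenticated"] = False
    # External redirect to the identity service, carrying the local application identifier.
    return {"action": "redirect", "to": f"{IDP_LOGIN_URL}?app={APP_ID}"}


def identity_service_issue(main_account: str, app_id: str) -> dict:
    """Claim 4, steps 1, 3 and 4 (step 2, authenticating the master account, is assumed already done)."""
    if app_id not in TRUSTED_APPS:
        return {"action": "error", "reason": "application not trusted"}
    sub_name, sub_password = BINDING_DB[main_account][app_id]
    payload = {"main": main_account, "sub": sub_name, "sub_pw": encrypt_password(sub_password), "app": app_id}
    body = urlsafe_b64encode(json.dumps(payload).encode()).decode()
    token = f"{body}.{_sign(body)}"
    # Auto-submitting Form that POSTs the token to the application's authentication URL.
    html = (f'<form id="sso" method="POST" action="{escape(AUTH_URL)}">'
            f'<input type="hidden" name="token" value="{escape(token)}"></form>'
            '<script>document.getElementById("sso").submit()</script>')
    return {"action": "respond", "token": token, "body": html}


def login_auth_proxy(request: dict, session: dict) -> dict:
    """Claim 5 (method steps C1-C5): handle a request submitted to the authentication URL."""
    params = request["params"]
    if "token" in params:                                    # step 1: security token from the identity service
        body, _, sig = params["token"].rpartition(".")
        if not hmac.compare_digest(sig, _sign(body)):        # step 2: signature check
            session["authenticated"] = False
            return {"action": "error", "reason": "invalid security token"}
        tok = json.loads(urlsafe_b64decode(body))
        if tok.get("app") != APP_ID:                         # audience check, added beyond the claims
            return {"action": "error", "reason": "token issued for another application"}
        session.update(authenticated=True, main=tok["main"], sub=tok["sub"])   # step 3
        creds = {"username": tok["sub"], "password": decrypt_password(tok["sub_pw"])}
        return {"action": "forward", "to": "original_login_authentication_page", "params": creds}
    if not session.get("authenticated"):                     # step 4: no token yet, send to the identity service
        session["authenticated"] = False
        return {"action": "redirect", "to": f"{IDP_LOGIN_URL}?app={APP_ID}"}
    if params.get("username") != session.get("sub"):         # step 5: name must match the saved sub-account
        return {"action": "error", "reason": "account name differs from login information"}
    BINDING_DB.setdefault(session["main"], {})[APP_ID] = (params["username"], params["password"])
    return {"action": "forward", "to": "original_login_authentication_page", "params": dict(params)}
```

The `app` field check in `login_auth_proxy` goes beyond the claims: without binding the token to the Web application system it is posted to, a token issued for one application could be replayed against another that shares the signing key. The claims also give the token no issue time or expiry; a deployment would add one and reject stale tokens, since the auto-submitted Form leaves the token in the browser's history and in server logs.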
CN201210083321.3A 2012-03-27 2012-03-27 Single sign-on integrated method for Form identity authentication in single login system Expired - Fee Related CN102624737B (en)

Publications (2)

Publication Number Publication Date
CN102624737A CN102624737A (en) 2012-08-01
CN102624737B true CN102624737B (en) 2015-05-06

Family

ID=46564421

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201210083321.3A Expired - Fee Related CN102624737B (en) 2012-03-27 2012-03-27 Single sign-on integrated method for Form identity authentication in single login system

Country Status (1)

Country Link
CN (1) CN102624737B (en)

Families Citing this family (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102833238B (en) * 2012-08-14 2016-07-27 上海聚力传媒技术有限公司 The auxiliary network equipment carries out the method for user's checking, device, equipment and system
CN103679018B (en) * 2012-09-06 2018-06-12 百度在线网络技术(北京)有限公司 A kind of method and apparatus for detecting CSRF loopholes
CN103117998B (en) * 2012-11-28 2016-01-20 北京用友政务软件有限公司 A kind of safety encryption based on JavaEE application system
US9311500B2 (en) 2013-09-25 2016-04-12 Amazon Technologies, Inc. Data security using request-supplied keys
US9237019B2 (en) 2013-09-25 2016-01-12 Amazon Technologies, Inc. Resource locators with keys
CN104092679B (en) * 2014-07-02 2017-10-03 百度在线网络技术(北京)有限公司 Log in the method and server of third party's website
CN104168262B (en) * 2014-07-02 2017-08-18 百度在线网络技术(北京)有限公司 Log in the method and server of third party's website
CN105306423B (en) * 2014-07-04 2018-12-25 中国银联股份有限公司 Unified login method for distribution Web web station system
CN104468785A (en) * 2014-12-08 2015-03-25 上海斐讯数据通信技术有限公司 Electronic device, server device, and data request submitting method and processing method
CN104537486B (en) * 2014-12-25 2018-07-20 中建材国际贸易有限公司 A kind of data transmission method of turn-key system using PHP language and sub- control system
CN104735066B (en) * 2015-03-18 2018-10-16 百度在线网络技术(北京)有限公司 A kind of single-point logging method of object web page application, device and system
US10171448B2 (en) * 2015-06-15 2019-01-01 Airwatch Llc Single sign-on for unmanaged mobile devices
CN105812350B (en) * 2016-02-03 2020-05-19 北京中搜云商网络技术有限公司 Cross-platform single sign-on system
CN107294917A (en) * 2016-03-31 2017-10-24 阿里巴巴集团控股有限公司 One kind trusts login method and device
CN107294916B (en) * 2016-03-31 2019-10-08 北京神州泰岳软件股份有限公司 Single-point logging method, single-sign-on terminal and single-node login system
CN108234415A (en) * 2016-12-21 2018-06-29 百度在线网络技术(北京)有限公司 For verifying the method and apparatus of user
CN106685998B (en) * 2017-02-24 2020-02-07 浙江仟和网络科技有限公司 SSO authentication method based on CAS unified authentication service middleware
CN109213546B (en) * 2017-06-30 2021-09-07 武汉斗鱼网络科技有限公司 Login processing method and device for windows client program
CN109145039B (en) * 2017-12-25 2022-01-28 北极星云空间技术股份有限公司 UI bridging method suitable for federal workflow integration
CN108462706B (en) * 2018-03-06 2022-05-03 武汉理工大学 Single sign-on method and system
CN109194683A (en) * 2018-09-30 2019-01-11 北京金山云网络技术有限公司 Logon information processing method, device and client
US11153306B2 (en) * 2018-11-08 2021-10-19 Citrix Systems, Inc. Systems and methods for secure SaaS redirection from native applications
CN111291284A (en) * 2018-12-10 2020-06-16 北京京东金融科技控股有限公司 Method and device for redirecting multi-level page
CN109688114B (en) * 2018-12-10 2021-07-06 迈普通信技术股份有限公司 Single sign-on method, authentication server and application server
US11140146B2 (en) * 2018-12-27 2021-10-05 Konica Minolta Laboratory U.S.A., Inc. Method and system for seamless single sign-on (SSO) for native mobile-application initiated open-ID connect (OIDC) and security assertion markup language (SAML) flows
CN109743163A (en) * 2019-01-03 2019-05-10 优信拍(北京)信息科技有限公司 Purview certification method, apparatus and system in micro services framework
CN111241504B (en) * 2020-01-16 2024-01-05 远景智能国际私人投资有限公司 Identity verification method, device, electronic equipment and storage medium
CN111917837A (en) * 2020-07-13 2020-11-10 西安即刻易用网络科技有限公司 Web micro application program publishing system and implementation method thereof
CN113553569B (en) * 2021-07-06 2022-12-09 猪八戒股份有限公司 Single sign-on method, system and terminal of Syngnathus system based on proxy server
CN113660204B (en) * 2021-07-09 2024-01-23 北京航天云路有限公司 Method for realizing unified integrated binding service
CN114050911B (en) * 2021-09-27 2023-05-16 度小满科技(北京)有限公司 Remote login method and system for container
CN114422229A (en) * 2022-01-14 2022-04-29 北京从云科技有限公司 WEB application single sign-on proxy method and device, sign-on method and server
CN117411729B (en) * 2023-12-14 2024-05-10 深圳竹云科技股份有限公司 Oracle database login method, device, computer equipment and medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007072318A2 (en) * 2005-12-23 2007-06-28 International Business Machines Corporation Secure identity management
CN101771534A (en) * 2008-12-30 2010-07-07 财团法人工业技术研究院 Single sign-on method for network browser and system thereof
CN101997685A (en) * 2009-08-27 2011-03-30 阿里巴巴集团控股有限公司 Single sign-on method, single sign-on system and associated equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7861290B2 (en) * 2006-09-22 2010-12-28 Oracle International Corporation Non-invasive insertion of pagelets

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
A single sign-on scheme transparent to legacy Web systems; 龙毅宏 et al.; Information Security and Communications Privacy (《信息安全与通信保密》); 2010-10-31 (No. 10, 2010); 67-72 *

Also Published As

Publication number Publication date
CN102624737A (en) 2012-08-01

Similar Documents

Publication Publication Date Title
CN102624737B (en) Single sign-on integrated method for Form identity authentication in single login system
US8412156B2 (en) Managing automatic log in to internet target resources
US9300653B1 (en) Delivery of authentication information to a RESTful service using token validation scheme
CN102638454B (en) Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol
CN101075875B (en) Method and system for realizing single sign-on between a portal and a system
US8141140B2 (en) Methods and systems for single sign on with dynamic authentication levels
US8453209B2 (en) Method and system for providing internet services
CN102480490B (en) Method for preventing CSRF attack and equipment thereof
CN1653781B (en) Method and system for user-determined authentication in a federated environment
CN102171984B (en) Service provider access
CN104378376A (en) SOA-based single-point login method, authentication server and browser
CN102801808B (en) WebLogic-oriented Form identification single sign on integration method
EP1841174A1 (en) Methods and systems for multifactor authentication
US8275985B1 (en) Infrastructure to secure federated web services
US20130290719A1 (en) System and method for accessing integrated applications in a single sign-on enabled enterprise solution
CN101656711A (en) System and method for verifying website information
CN101478396A (en) Uni-directional cross-domain identity verification based on low correlation of private cipher key and application thereof
CN110808840A (en) Service processing method and device, electronic equipment and storage medium
CN102946396B (en) User agent device, host web server and user authentication method
CN113761509B (en) iframe verification login method and device
KR20090095940A (en) System and Method for Non-faced Financial Transaction by Using Verification of Transaction Step and Program Recording Medium
CN101331740B (en) Method and system for externalizing HTTP security message handling with macro support
CN109729045A (en) Single-point logging method, system, server and storage medium
Wang et al. A framework for formal analysis of privacy on SSO protocols
CN102946397B (en) User authentication method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150506

Termination date: 20160327