CN102638454A - Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol - Google Patents


Info

Publication number
CN102638454A
Authority
CN
China
Prior art keywords
http
identity
user
sign
response
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201210067271XA
Other languages
Chinese (zh)
Other versions
CN102638454B (en)
Inventor
龙毅宏
谢坤轩
郭浩平
王亚龙
吴志奇
唐志红
刘旭
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Technology WUT
Original Assignee
BEIJING ITRUSCHINA Co Ltd
Wuhan University of Technology WUT
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by BEIJING ITRUSCHINA Co Ltd, Wuhan University of Technology WUT
Priority to CN201210067271.XA
Publication of CN102638454A
Application granted
Publication of CN102638454B
Status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a plug-in single sign-on (SSO) integration method for HTTP (hypertext transfer protocol) authentication protocols. The SSO system of the method comprises a Web server component, a Web application component, an SSO HTTP plug-in, a security token processing page, a browser, an identity service system, a primary account database and a primary/secondary account binding database. The SSO HTTP plug-in is the key component: by means of the extension mechanism provided by the Web server component, it is plugged into the HTTP request and response processing channel of the Web server component that uses the HTTP authentication protocol. After the user logs in to the identity service system, the SSO HTTP plug-in automatically completes the HTTP authentication protocol interaction with the Web server component using the user's account name and password on the Web application system, so that the user logs in to the Web application system without entering that system's account name and password, which achieves SSO. With this method, SSO requires no change to the original security configuration and functions of the system.

Description

A plug-in single sign-on integration method for HTTP authentication protocols
Technical field
The invention belongs to the field of identity authentication and access control in information security; specifically, it is a plug-in single sign-on integration method for HTTP authentication protocols.
Background art
With the development of enterprise e-commerce and office informatization, more and more enterprises and organizations have built large numbers of special-purpose information systems, collectively called application systems, such as CRM systems, ERP (Enterprise Resource Planning) systems, financial systems, office automation systems, e-mail systems and so on. While these application systems bring convenience to people's production, management and office work and raise productivity, they also bring some trouble: every user must remember his or her account name and password (also called user name and password) in each application system. These account names and passwords may be the same across application systems or may differ. Having to remember and use many different account names and passwords causes two problems: 1) account names and passwords are hard to manage, and are easily confused or forgotten when there are too many of them; 2) the account name and password must be entered every time a different system is logged into, which is inconvenient for the user. The need for, and the technology of, so-called single sign-on (SSO) arose from this problem: the user needs only one identity credential (for example an account name and password, or a digital certificate) and, after completing online authentication (that is, login) at one online system, may access every other system he or she is permitted to access without entering an account name and password again or authenticating again with a digital certificate (that is, without logging in again).
Most application systems today use the client/server pattern. Some are built on the standard, general-purpose technology of the browser and the Web server, that is, the Browser/Server pattern (B/S pattern for short); others use non-standard or non-generic client/server technology (C/S pattern for short). In a B/S system, the client browser and the Web server exchange and transmit data through the standard HyperText Transfer Protocol (HTTP): the browser sends a service request in HTTP form (an HTTP request) to the Web server, the Web server processes the request and returns the result to the browser as an HTTP response, and the browser renders the returned content according to the result data. An HTTP request consists of a request line (Request Line), several optional headers (Header) and an optional body (Body); the request URL (Uniform Resource Locator) can be constructed from the request line and the "Host" header. An HTTP response consists of a status line (Status Line), several optional headers and an optional body. Because the B/S pattern uses the browser as a general-purpose client together with a standard technical framework, it is easy to use and interoperable; it is the mainstream and the trend of information system technology today, and it is the technology the present invention targets. An application system that adopts the B/S pattern or framework is called a Web application system.
Common single sign-on techniques for B/S-pattern Web application systems today are: 1) Cookie-based; 2) security-gateway-based; 3) Windows-Kerberos-based; 4) single sign-on protocol-based (standard or custom protocols); 5) other schemes.
A Cookie is information that a Web server stores in the client browser (or on the client host) by means of an HTTP response; it can contain any content, but usually contains user session (Session) state. A Cookie has a scope made up of a domain name (Domain Name) and a path (Path); if the host domain name and the path of an HTTP request fall within the Cookie's scope, the browser includes the Cookie set by the server in the HTTP request it submits. Cookie-based single sign-on requires the domain names of the different information systems to share the same "base": for example, if two information systems have the domain names oa.example.com.cn and crm.example.com.cn, their common base is example.com.cn, so Cookie-based single sign-on is possible between them. IBM's LTPA (Lightweight Third Party Authentication) single sign-on technology is Cookie-based.
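The scope rule just described decides whether Cookie-based single sign-on can work at all. The following added example (not code from the patent) applies the browser's domain-matching and path-matching rules from RFC 6265 sections 5.1.3 and 5.1.4 to the oa./crm.example.com.cn case above, and computes the common base domain an SSO Cookie would have to be set on. Host names, paths and the assumption of a two-label public suffix such as com.cn are constructed for illustration.

```python
"""Cookie scope check for Cookie-based SSO (added example, not the patent's code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class CookieScope:
    domain: str              # Domain attribute as the browser stores it (no leading dot)
    path: str                # Path attribute
    host_only: bool = False  # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host equals the domain, or ends with '.' + domain.
    An IP literal never suffix-matches (an IPv4 check is enough here)."""
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    if host == domain:
        return True
    if host.replace(".", "").isdigit():  # IPv4 literal
        return False
    return host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical, or a prefix that ends in '/' or is followed by '/'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookie_is_sent(scope: CookieScope, request_host: str, request_path: str) -> bool:
    """Would the browser attach a Cookie with this scope to the request?"""
    if scope.host_only:
        host_ok = request_host.lower() == scope.domain.lower()
    else:
        host_ok = domain_matches(request_host, scope.domain)
    return host_ok and path_matches(request_path, scope.path)


def sso_cookie_scope(hosts: Iterable[str], suffix_labels: int = 2) -> Optional[str]:
    """Common base domain an SSO Cookie must be set on so every host receives it,
    or None when the hosts share nothing beyond the public suffix.
    suffix_labels is the label count of the public suffix (2 for com.cn)."""
    reversed_labels = [list(reversed(h.lower().split("."))) for h in hosts]
    common: List[str] = []
    for labels in zip(*reversed_labels):
        if len(set(labels)) != 1:
            break
        common.append(labels[0])
    if len(common) <= suffix_labels:
        return None  # only the public suffix is shared: no Cookie-based SSO
    return ".".join(reversed(common))
```

Setting the SSO Cookie on the base returned by `sso_cookie_scope` makes it reach every system under that base, which is exactly the restriction the text states: systems on unrelated domains cannot share it.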
Security-gateway-based single sign-on deploys a Web reverse proxy (Reverse Proxy) that implements security control functions in front of the different information systems, as the checkpoint (gateway) through which users access the application systems; only users who have completed authentication (successful login) at the security gateway can reach the systems deployed behind it, through the gateway. IBM's WebSEAL security gateway is an example. The main drawback of this technique is that the security gateway becomes a performance bottleneck when the volume of concurrent user access is large, and it is a potential single point of failure (Single Point of Failure).
Windows-Kerberos-based Web single sign-on is implemented through Windows Active Directory (AD) Kerberos authentication (Authentication) combined with the HTTP Negotiate protocol. Its limitations are: 1) Windows AD or another Kerberos system must be deployed; 2) every user must have an account in the AD domain and the user's host must log in to the AD domain; 3) every Web information system and application system must authenticate users with the HTTP Negotiate protocol and must manage and control user access with the user accounts of the AD domain; 4) it is only suitable for information systems and application systems accessed through an intranet. These special requirements limit the applicability of Windows-Kerberos-based single sign-on solutions because, from the standpoint of both development technology and deployment environment, a large number of today's Web information systems and application systems do not meet these conditions (in other words, not every Web information system or application system meets them).
The main Web single sign-on protocols today are the Security Assertion Markup Language (SAML) and the WS-Federation Passive Requestor Profile (WS-FPRP for short). In both SAML and WS-FPRP, the technical architecture contains a system called the Identity Provider (IdP for short) that provides an online authentication service (called the identity service system here); the user need only complete one login (online authentication) at the IdP, using a browser, to access the other Web information systems in that IdP's trust domain without logging in (authenticating) again. For this single sign-on scheme to succeed, two key problems must be solved: first, how to map and convert between a user's accounts in different systems; second, how to integrate the existing information systems and application systems with the single sign-on protocol. The first problem in more detail: the information systems and application systems involved in single sign-on usually each have their own user account management component and account database, and each controls user access on the basis of its own user accounts. The user account used when logging in (authenticating) at the IdP may therefore differ from (or, of course, may be the same as) the user's account in a particular information system or application system to be accessed. So, after the user completes authentication at the IdP and goes on to access an application system, the account must be mapped and converted accordingly so that the user can log in to and access that application system with the user's own account (identity) in it.
The usual solution to the first problem is: the user logs in at the IdP with a primary account. The primary account may be one of the user's existing application system accounts, an existing global account (such as an account in Windows Active Directory), or a newly created dedicated global account. The user's primary account is associated in advance, in some way, with the user's accounts in the different information systems and application systems (called secondary accounts); this process is called identity (account) federation (Identity Federation or Account Federation) or identity (account) binding (Identity Binding or Account Binding). When the user, having logged in (authenticated) at the IdP with the primary account, accesses a particular application system, the primary account is mapped and converted in some way into the user's secondary account in that application system, and the user accesses the application system with that secondary account; this mapping and conversion between primary and secondary accounts is called identity (account) mapping (Identity Mapping or Account Mapping).
The second problem concerns single sign-on integration technology, which is the most complex and most difficult problem in single sign-on deployments today. It is usually addressed by one of the following schemes: (1) the application system's own runtime platform supports the relevant single sign-on protocol (for example, the latest version of Oracle WebLogic Server supports the SAML protocol), so that if the application system relies on the runtime platform for login (user authentication), single sign-on can be achieved through protocol interconnection simply by configuring the platform's user authentication method; (2) modifying the user login part of the application system, which may include modifying the authentication configuration and the corresponding user login module; (3) using the authentication extension mechanism provided by the runtime platform, such as JAAS (Java Authentication and Authorization Service).
The first integration scheme does not apply in every case, because most Web runtime platforms (Web server components, servers) today do not support the corresponding single sign-on protocol. The second scheme is also inapplicable in many cases, because enterprises and organizations may be unwilling or unable to adopt it for various reasons: for example, because they worry that modifying the system will affect its stable operation, or because the system's source code is unavailable (the original developers are unwilling to cooperate and provide the relevant code, or have gone out of business, etc.). The third scheme is not suitable in every case either: first, it usually applies only when the application system relies on the Web runtime platform (Web server component, Web server) for authentication (for example, when the Servlet Container authenticates users), not when the application system performs user authentication itself; second, implementing single sign-on through this mechanism usually requires changing the platform's existing authentication method, which enterprises and organizations are sometimes unwilling to do for various reasons (for example, out of concern that the change will affect system operation or be insecure); third, not every Web runtime platform provides an authentication extension mechanism, or the mechanism is provided in theory but, because of technical restrictions, an extended authentication scheme is hard to make as effective as the original one. For example, the technical documentation of Microsoft's IIS (Internet Information Services) Web server states that the authentication function of IIS can be extended through ISAPI (Internet Server Application Programming Interface), but in practice this extension is limited: a custom authentication scheme can only be added when IIS is configured for Anonymous Authentication, and, because Microsoft does not disclose the internal technology of IIS, it is hard to develop, on the basis of the ISAPI extension mechanism, a single sign-on authentication scheme as effective as IIS's own. Similar problems may be encountered on other Web runtime platforms.
In practical single sign-on integration it is common to meet the situation in which a Web application system relies on the Web platform to authenticate users with a standard HTTP authentication protocol (such as HTTP Basic, Digest, NTLM or Negotiate) and the Web application system's authentication method cannot be changed. For this situation, the present invention proposes another approach to integrating existing Web application systems with single sign-on technology: implementing single sign-on through HTTP plug-in (Plug-in) technology without changing the system's original authentication scheme, configuration and functions. That is, under this single sign-on integration scheme the Web runtime platform's authentication scheme continues to run and take effect in its original way. The HTTP plug-in referred to here is a software component that is inserted, by means of the extension mechanism provided by the Web runtime platform, into the platform's HTTP request and response processing channel, and that can modify the relevant content of the HTTP requests and responses passing through it. Many Web runtime platforms provide such an HTTP plug-in mechanism: the ISAPI of Microsoft's IIS server; the Native-Code API and Managed-Code API of IIS 7.0 and later; the Valve of Tomcat; the Authentication Filter of WebLogic; the Servlet Filter of WebSphere; and so on.
Summary of the invention
The objective of the invention is to propose a plug-in single sign-on integration method for HTTP authentication protocols, for the situation in which a Web application system authenticates users with a standard HTTP authentication protocol and this authentication security configuration cannot be modified or changed, so as to overcome the deficiencies of existing single sign-on integration technology.
To achieve this objective, the invention adopts the following technical scheme:
A plug-in single sign-on integration method for HTTP authentication protocols, whose single sign-on system comprises a Web server component, a Web application component, a single sign-on HTTP plug-in, a security token processing page, a browser, an identity service system, a primary account database and a primary/secondary account binding database, wherein:
Web server component: provides the Web application component with HTTP request receiving and response sending functions and other related support functions, including: receiving the HTTP-format service requests submitted by the user's browser, performing the corresponding preliminary processing and then handing them to the Web application component for processing, and afterwards sending the results returned by the Web application component to the user's browser in the form of HTTP responses; authenticating users and controlling access on the basis of the corresponding security configuration; maintaining the user's HTTP session (Session); etc.;
Web application component: the functional software that provides specific application services to users, such as OA, CRM, WebMail, etc. Its main function is to receive, through the relevant Web server component, the application service requests that users submit through the browser, and after processing them to return the results to the user's browser through the Web server component. A Web application component together with its corresponding Web server component constitutes a Web application system;
Single sign-on HTTP plug-in: a software component that implements the single sign-on function and is inserted, by means of the extension mechanism provided by the Web server component, into the HTTP request and response processing channel of the Web server component of a Web application system that uses an HTTP authentication protocol;
Security token processing page: a Web page deployed on the Web server component of a Web application system that uses an HTTP authentication protocol, dedicated to processing the security tokens proving user identity that are issued by the identity service system. The security token processing page is deployed in a non-protected path (directory) of the Web server component, so that a user submitting an HTTP request to this processing page through the browser does not need to complete authentication;
Browser: the client through which the user interacts with the Web application system. Its main functions are: sending HTTP requests to the Web server component via the HTTP protocol, receiving the HTTP responses returned by the Web server component, and rendering the response content;
Identity service system: the system that provides the online user authentication service. Its functions include: authenticating the user online on the basis of the user's identity credential, and transmitting the security token proving the user's identity to the Web application system via the browser according to the corresponding single sign-on protocol;
Primary account database: stores the primary account information with which users log in to the identity service system, including the primary account's account name and password, or information about the digital certificate corresponding to the primary account;
Primary/secondary account binding database: stores the correspondence (binding) between the user's primary account and the user's secondary accounts in the Web application systems, together with the passwords of the secondary accounts.
The Web server component may be an HTTP Web server (such as IIS), a Web container (Web Container, such as Tomcat) or a J2EE application server (Application Server, such as WebLogic or WebSphere). The Web application systems authenticate users in some way; some of them authenticate users through the Web server component with a standard HTTP authentication protocol (such as HTTP Basic or HTTP Negotiate). To access a protected page or resource of a Web application system, the user must first complete authentication with the user's corresponding account in that Web application system. There may be many Web application systems.
The plug-in mechanism used by the single sign-on HTTP plug-in must be able to intercept the request and response data of the HTTP authentication protocol (that is, HTTP requests carrying an Authorization header and HTTP responses carrying a WWW-Authenticate header). On the Web server component where it is deployed, the single sign-on HTTP plug-in is configured either to intercept all HTTP requests and responses, or to intercept all HTTP requests (and their responses) submitted to protected directories or paths together with those submitted to the directory or path where the security token processing page is located.
Said single-sign-on HTTP plug-in unit has corresponding configuration information, is used to be provided with the information relevant with single-sign-on, like user's entry address (URL) of identity service system, to the digital certificate of security token signature etc.; Alternatively, comprise following content in the configuration information: 1) which Web page directory or path receive safeguard protection in the Web application system at single-sign-on HTTP plug-in unit place; 2) receiving the catalogue of safeguard protection or the HTTP identity authentication protocol that adopts in the path is which or which (promptly can be provided with a plurality of), and relevant identity authentication protocol parameter (like domain, realm etc.); 3) whether the practical implementation of employed HTTP identity discriminating allows client initiatively to send discriminating and authorization requests.Said configuration information 3) be to such situation: the HTTP identity authentication protocol (like HTTP Negotiate) that has allows client browser in the time of the shielded resource of maiden visit; Before the Web server end returns the response prompting that requires the identity discriminating; Also promptly client browser receive the responsive state sign indicating number be " 401 " (prompting Unauthorized or Authentication required) and comprise the http response of WWW-Authenticate head before; Initiatively initiate the identity discrimination process by client browser; Promptly initiatively submit the HTTP request that comprises the Authorization head to, the request server end carries out the identity discriminating to the client user and resource access is authorized; But perhaps the concrete actualizing of certain Web assembly does not support this client initiatively to initiate the mode that identity is differentiated, this configuration information promptly is used for this is indicated.Said content 1), 2) can read like API, configuration file 
through certain mode usually, obtain from the Web service assembly, but can't obtain request down, can pass through the configuration information setting and the acquisition of single-sign-on HTTP plug-in unit.
The format of the security token issued by the identity service system depends on the single sign-on protocol in use; it may be a SAML Assertion, a WS-Federation Security Token, or a custom security token. The identity service system guarantees the security (authenticity and integrity) of the security tokens it issues by means of a digital signature.
The identity credential the user presents when authenticating online at the identity service system may be an ordinary account name and password, a digital certificate, or other electronic identity data that can identify and authenticate the user. The account the user uses to authenticate at the identity service system is called the primary account. The primary account database stores the user's primary account and related information; it may be an independent account database, or the user account database of some application system may be chosen as the primary account database. A secondary account is the user's account in a particular Web application system; a user's primary account and secondary account in a given Web application system may be the same or different.
Said single-sign-on HTTP plug-in unit is preserved each user's login (identity discriminating) relevant information, is called user login information.Said user login information comprises:
1) identity authentication protocol, i.e. the HTTP identity authentication protocol current use of Web service assembly, that be used for the user is carried out the identity discriminating;
2) server end returns protocol data and parameter; Be that the Web service assembly uses HTTP identity authentication protocol that the client user is carried out identity when differentiating; Turn back to the agreement related data and the parameter of client browser through WWW-Authentucate response head; Like the authentication protocol indication of HTTP identity and Realm, Challenge (challenge code), key agreement parameter etc., wherein the indication of HTTP identity authentication protocol is also preserved in " identity authentication protocol " simultaneously;
3) the last time shielded URL that will visit, promptly the user uses the URL of the Web page that receives safeguard protection of the last expectation visit of browser before the Web application system is accomplished identity and differentiated;
4) the last POST parameter; The user is before the Web application system is accomplished the identity discriminating; If using the HTTP requesting method (Method) that uses when browser is the last visits the Web page that receives safeguard protection is POST; Then the value of " the last POST parameter " is the corresponding POST parameter (being the Form form data that the POST mode is submitted to) of this HTTP request, otherwise its value is empty (NULL);
5) subscriber identity information, sign and differentiate user's information comprises user's main account name, from account name and from account's password;
The above various user login information is preserved (for non-character data, preserving with the form of Base64 coding) with the form of character string; Said " subscriber identity information " encrypted and have ageing, in case stopping leak reveals and replay attack; Said " identity authentication protocol ", " the shielded URL that the last time will visit ", " the last POST parameter " and " subscriber identity information " are kept among the Cookie; And the action path of this Cookie need comprise the non-path that receives safeguard protection in path that receives safeguard protection and security token processing page place of Web service assembly setting simultaneously; Promptly no matter the Web page in receiving the path of safeguard protection also is that the non-security token processing page that receives safeguard protection can both be checked and obtained this Cookie; Perhaps; Relevant user login information is kept among two different Cookie simultaneously; The action path of one of them is the path that receives safeguard protection, and another is the non-path, security token processing page place that receives safeguard protection.
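The following added example (not the patent's code) builds and checks a browser-side user login information value as the paragraph above describes: string fields with Base64 for non-text data, a validity period so a replayed value is rejected, an integrity tag so an altered value is rejected, and a Cookie path that covers both the protected path and the non-protected security token processing page. The text calls for the user identity information to be encrypted; the Python standard library offers no authenticated encryption, so this example uses an HMAC-SHA256 tag, which gives integrity and freshness but not confidentiality. In a deployment the value would additionally be wrapped with an AEAD cipher such as AES-GCM from a cryptography library. The key, field names and paths are assumed.

```python
"""User login information Cookie: seal, open, and choose a covering path
(added example, not the patent's code)."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import List, Optional

KEY = os.urandom(32)  # assumed plug-in secret; a real deployment persists it


def seal_login_info(info: dict, key: bytes, ttl: int,
                    now: Optional[float] = None) -> str:
    """Encode the fields as strings (bytes -> Base64), add an expiry, attach an HMAC."""
    now = time.time() if now is None else now
    body = {k: (base64.b64encode(v).decode() if isinstance(v, bytes) else str(v))
            for k, v in info.items()}
    body["exp"] = str(int(now) + ttl)
    payload = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def open_login_info(value: str, key: bytes,
                    now: Optional[float] = None) -> Optional[dict]:
    """Return the fields, or None when the tag is wrong (altered) or the value
    has expired (replayed after its validity period)."""
    now = time.time() if now is None else now
    try:
        payload, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    if int(body.pop("exp")) <= now:
        return None
    return body


def covering_path(*paths: str) -> str:
    """Longest common directory prefix of the given paths, so that a single
    Cookie set on it is visible to every one of them."""
    parts = [p.strip("/").split("/") for p in paths]
    common: List[str] = []
    for segments in zip(*parts):
        if len(set(segments)) != 1:
            break
        common.append(segments[0])
    return "/" + "/".join(common) + ("/" if common else "")


def set_cookie_header(name: str, value: str, protected_path: str,
                      token_page: str) -> str:
    """Set-Cookie line covering both the protected path and the token page."""
    path = covering_path(protected_path, token_page)
    return f"Set-Cookie: {name}={value}; Path={path}; HttpOnly; Secure"
```

`covering_path("/app/secure/", "/app/sso/token")` yields `/app/`, the single-Cookie option of the text; when the two paths share only `/`, the Cookie must be set on `/` or the two-Cookie option used instead.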
Single-sign-on HTTP plug-in unit offers the difference of the data storage mechanism of HTTP plug-in unit according to the Web service assembly, according to following priority, as follows the relevant information in the user login information is stored respectively:
1) if the Web service assembly provides the data storage location that connects (Connection) based on TCP to the HTTP plug-in unit; Then single-sign-on HTTP plug-in unit is kept at the data storage location that is connected based on TCP with " server end returns protocol data and parameter ", and other information are kept in the client browser through Cookie; Perhaps,
2) if the Web service group provides the data storage location based on http session (Session) to the HTTP plug-in unit; Then single-sign-on HTTP plug-in unit is kept at the data storage location based on http session with " server end returns protocol data and parameter ", and other information are kept in the client browser through Cookie; Perhaps,
3) if single-sign-on HTTP plug-in unit has the data storage location based on TCP connection or http session of customized development; Then single-sign-on HTTP plug-in unit is kept at being connected or the data storage location of http session based on TCP of customized development with " server end returns protocol data and parameter ", and other information are kept in the client browser through Cookie;
Otherwise,
4) single-sign-on HTTP plug-in unit is kept at all user login informations in the client browser through Cookie.
The said data storage location that connects based on TCP; The TCP join dependency couplet that refers to data storage location that the Web service assembly provides to the HTTP plug-in unit and HTTP transfer of data; It is different that TCP connects, the data storage location that then provides different (data storage locations that connect based on TCP that provide to ISAPI Filter like IIS); Said data storage location based on http session refers to: so long as same http session; Even if TCP connects different; Data storage location is still identical; It is irrelevant to be that data storage location is connected with TCP, and only relevant with specific HTTP user conversation, this http session data storage mechanism is distinguished different sessions with the specific identifier of depositing among the Cookie usually; And the session data are kept in the Web server (assembly), the Session object of the store data that provides to Servlet Filter like Java Web container is exactly this situation.
To said " server end returns protocol data and parameter "; In the configuration information of single-sign-on HTTP plug-in unit, must set following content: for each HTTP identity authentication protocol of Web application system use; After user identity is differentiated successfully, the relative set mode of the value of " server end returns protocol data and parameter ", the option of set-up mode is: remain unchanged; Be set to sky (NULL), or be set to a space (Space).
When a user uses a browser to access a Web application system that authenticates the user with an HTTP identity authentication protocol, the single-sign-on HTTP plug-in intercepts the HTTP request and processes it as follows:
A1. Based on the relevant configuration information, determine whether the URL of the current HTTP request corresponds to a protected page or an unprotected page. If it is protected, go to the next step; otherwise let this HTTP request pass and finish processing it;
A2. Check "server-side returned protocol data and parameters": if it is not set or its value is empty, go to the next step; otherwise go to step A6;
A3. Check "user identity information": if it exists and is valid, go to the next step; otherwise let the HTTP request pass and finish processing it;
A4. Obtain the HTTP identity authentication protocol currently used by the Web application system from the "identity authentication protocol" item stored in the Cookie; then, based on the relevant configuration information, determine whether the protocol in use allows the client to send an authentication and authorization request on its own initiative. If not, let the HTTP request pass and finish processing it; otherwise continue;
A5. Obtain from the relevant configuration information the data and parameters required by the HTTP identity authentication protocol (such as the realm parameter); according to the protocol, generate the initially submitted Authorization request header containing the client's identity authentication data, add the generated header to the intercepted HTTP request, then let the modified request pass and finish processing it;
A6. If the value of "server-side returned protocol data and parameters" is a single space, let this HTTP request pass and finish processing it; otherwise continue;
A7. According to the HTTP identity authentication protocol and the other data in "server-side returned protocol data and parameters", generate the Authorization request header of the HTTP identity authentication protocol for the current protocol phase, add the generated header to the intercepted HTTP request, then let the modified request pass and finish processing it.
The relevant configuration information referred to in steps A1, A4 and A5 is the configuration information of the Web service component and/or the single-sign-on HTTP plug-in concerning secure access control, identity authentication and single sign-on; the single-sign-on HTTP plug-in either queries the Web service component's configuration through an interface the Web service component provides, or reads the relevant configuration file directly.
The identity authentication process of an HTTP identity authentication protocol may require several steps or phases of interaction between client and server through HTTP requests and responses. The "current protocol phase" of the HTTP identity authentication protocol in step A7 means the step or phase the client is currently in according to the identity authentication protocol; the current protocol phase determines the content of the Authorization header of the current HTTP request, and the client can determine its current step or phase from the protocol data and parameters returned by the server.
In steps A5 and A7 of the HTTP request processing stage, the single-sign-on HTTP plug-in generates the Authorization request header of the HTTP identity authentication protocol for the corresponding protocol phase as follows, depending on the protocol:
Case 1.1. If the HTTP identity authentication protocol is HTTP Basic, decrypt the "user identity information" data from the Cookie to obtain the user's sub-account name and password in the Web application system, then form the Authorization header as required by the HTTP Basic protocol; otherwise,
Case 1.2. If the HTTP identity authentication protocol is HTTP Digest, decrypt the "user identity information" data from the Cookie to obtain the user's sub-account name and password in the Web application system, then form the Authorization header according to the content of "server-side returned protocol data and parameters" and the requirements of the HTTP Digest protocol; otherwise,
Case 1.3. If the HTTP identity authentication protocol is HTTP NTLM, and "server-side returned protocol data and parameters" is not set, is empty, or is the initial prompt for identity authentication, generate NTLM Type 1 data and form the Authorization header as required by the HTTP NTLM protocol; otherwise, first decrypt the "user identity information" data from the Cookie to obtain the user's sub-account name and password in the Web application system, then use the sub-account name and password together with the related data stored in "server-side returned protocol data and parameters" (the NTLM Type 2 data) to generate NTLM Type 3 data, and form the Authorization header as required by the HTTP NTLM protocol; otherwise,
Case 1.4. If the HTTP identity authentication protocol is HTTP Negotiate, first decrypt the "user identity information" data from the Cookie to obtain the user's sub-account name and password in the Web application system (i.e. the account name and password in the Kerberos system, such as Windows AD); then use the sub-account name and password to call the corresponding Kerberos interface, connect to the Authentication Server of the Kerberos KDC (Key Distribution Center) and obtain the user's TGT (Ticket-Granting Ticket); then use this TGT to call GSS-API or an equivalent interface (such as Windows SSPI) to obtain the Spnego Token for the user's access to the Web application system; finally, use the obtained Spnego Token to form the Authorization header as required by the HTTP Negotiate protocol; otherwise,
Case 1.5. If it is another valid HTTP identity authentication protocol, process it according to that protocol; otherwise, direct the user's browser to an error page.
After the single-sign-on HTTP plug-in has completed the processing of steps A2 to A7 in the HTTP request processing stage, and before letting the HTTP request pass, it performs the following operation: if the URL of the current HTTP request is identical to the URL stored in "protected URL to be visited last time", the method of the current HTTP request is GET, and the value of "last POST parameters" is non-empty, then change the method of the current HTTP request to POST and add the data in "last POST parameters" to the current HTTP request as POST parameters.
After the single-sign-on HTTP plug-in intercepts an HTTP response, it processes the HTTP response as follows:
B1. Check the status and headers of the HTTP response. If the status code is "401" (Unauthorized or Authentication required) and the response contains a WWW-Authenticate header, go to the next step; otherwise go to step B7;
B2. Check "user identity information": if it exists and is valid, go to the next step; otherwise go to step B6;
B3. Check the value of the WWW-Authenticate header of the current HTTP response. If it is the initial prompt for identity authentication, and the HTTP request corresponding to this response contains an Authorization header whose value is the identity credential data for the HTTP identity authentication protocol indicated in the WWW-Authenticate header, or data derived from the identity credential data by a cryptographic operation, go to the next step; otherwise go to step B5;
B4. Set "user identity information" to empty; set the value of "server-side returned protocol data and parameters" to the value of the WWW-Authenticate header of the HTTP response; obtain the HTTP request URL corresponding to the current HTTP response and store it as "protected URL to be visited last time"; if the method of the HTTP request corresponding to the current response is POST, store the request's POST parameters (the Form data) in "last POST parameters", otherwise set "last POST parameters" to empty; then change the status code of the HTTP response to "302", remove the WWW-Authenticate response header, and remove the HTTP response body (Body), if any, together with the body length indication; add a Location header to the response whose value is the URL of the login-failure page of the identity service system, with the system identifier of the Web application system where the single-sign-on HTTP plug-in resides appended through the Query String; finally, let the modified HTTP response pass and finish processing this HTTP response;
B5. Set the value of "server-side returned protocol data and parameters" to the value of the WWW-Authenticate header of the HTTP response; obtain the HTTP request URL corresponding to the current HTTP response and store it as "protected URL to be visited last time"; if the method of the corresponding HTTP request is POST, store the request's POST parameters in "last POST parameters", otherwise set "last POST parameters" to empty; then change the status code of the HTTP response to "302", remove the WWW-Authenticate response header, and remove the HTTP response body (Body), if any, together with the body length indication; add a Location header to the response headers whose value is the HTTP request URL corresponding to the current HTTP response; then let the modified HTTP response pass and finish processing this HTTP response;
B6. Store the HTTP identity authentication protocol indicated in the WWW-Authenticate header in the "identity authentication protocol" item of the user login information; set "user identity information" to empty; set the value of "server-side returned protocol data and parameters" to the value of the WWW-Authenticate header of the HTTP response; obtain the HTTP request URL corresponding to the current HTTP response and store it as "protected URL to be visited last time"; if the method of the corresponding HTTP request is POST, store the request's POST parameters in "last POST parameters", otherwise set "last POST parameters" to empty; then change the status code of the HTTP response to "302", remove the WWW-Authenticate response header, and remove the HTTP response body (Body), if any, together with the body length indication; add a Location header to the response whose value is the URL of the user login page of the identity service system, with the system identifier of the Web application system where the single-sign-on HTTP plug-in resides appended through the Query String; finally, let the modified HTTP response pass and finish processing this HTTP response;
B7. Obtain the HTTP request URL corresponding to the current HTTP response and, based on the relevant configuration information, determine whether this URL corresponds to a protected Web page. If not, let the HTTP response pass and finish processing it; otherwise go to the next step;
B8. If the HTTP response contains a WWW-Authenticate response header, remove it; if the URL of the HTTP request corresponding to the current response is identical to "protected URL to be visited last time", set the values of "protected URL to be visited last time" and "last POST parameters" to empty;
B9. Set the value of "server-side returned protocol data and parameters" according to the setting mode configured in the single-sign-on HTTP plug-in for the currently used HTTP identity authentication protocol after successful identity authentication; then let the modified HTTP response pass and finish processing this HTTP response.
The statement in step B3 that the value of the WWW-Authenticate header is the initial prompt for identity authentication means that the value of this header is the data of the WWW-Authenticate response header that the Web server returns the first time it requires identity authentication, i.e. when the user first visits a protected page before completing identity authentication.
The identity credential data in step B3 means electronic data that can prove the user's identity, such as an account name and password (as in HTTP Basic) or a security token containing identity confirmation information (such as the Spnego Token of HTTP Negotiate); the data derived from the identity credential data by a cryptographic operation means data obtained by applying a cryptographic operation (such as a HASH operation) to the identity credential, e.g. user name/password (for example the Type 3 data of HTTP NTLM, obtained by hashing the account name and password).
If the HTTP response intercepted by the single-sign-on HTTP plug-in contains several WWW-Authenticate headers, then the WWW-Authenticate header used in step B3, the WWW-Authenticate header whose value is stored in "server-side returned protocol data and parameters" in steps B4, B5 and B6, and the WWW-Authenticate header used in step B6 to store "identity authentication protocol" are all one WWW-Authenticate header corresponding to a particular HTTP identity authentication protocol, selected according to a predetermined rule (for example, selected from the WWW-Authenticate headers in the order of protocol priority Negotiate, NTLM, Digest, Basic); whereas the removal of the WWW-Authenticate header in steps B4, B5, B6 and B8 removes all WWW-Authenticate headers.
The modified HTTP response in steps B4, B5, B6 and B9 may be either an HTTP response obtained by modifying the original HTTP response data structure in place, or a new HTTP response generated on a new HTTP response data structure.
The relevant configuration information in step B7 is the configuration information of the Web service component and/or the single-sign-on HTTP plug-in concerning secure access control, identity authentication and single sign-on.
In the above steps, modifying or setting the status code of the HTTP response to "302" and adding a Location header to the response performs a so-called HTTP redirection, which directs the browser to the page or Web site indicated by Location.
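The request-stage steps A1 to A7 (with the GET-to-POST restoration) and the response-stage steps B1 to B9 above form one state machine. The following Python simulation of that state machine for the HTTP Basic case (Case 1.1) is an added example and is not code from the patent or its applicants. It assumes: a protected path prefix `/protected/`, identity-service URLs under `idp.example`, a system identifier `app01`, that only Basic is configured to allow an unprompted Authorization header (step A4), and that the "user identity information" item is represented as a plain dictionary with an expiry rather than the encrypted string the patent uses. One `SsoHttpPlugin` instance stands for one TCP connection, so `srv_data` plays the role of the TCP-connection-bound storage of "server-side returned protocol data and parameters".

```python
import base64
import time
from dataclasses import dataclass, field

IDP_LOGIN_URL = "https://idp.example/login"             # assumed identity-service login page
IDP_LOGIN_FAIL_URL = "https://idp.example/login-failed"  # assumed login-failure page (step B4)
SYSTEM_ID = "app01"                                      # assumed Web application system identifier
CHALLENGE_PRIORITY = ["Negotiate", "NTLM", "Digest", "Basic"]  # rule for picking one WWW-Authenticate


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)    # form (POST) parameters
    cookie: dict = field(default_factory=dict)  # the plug-in's user login information items


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class SsoHttpPlugin:
    PROTECTED_PREFIX = "/protected/"   # assumed protected path from the server configuration
    PREEMPTIVE = {"Basic"}             # protocols allowed to send Authorization unprompted (A4)
    AFTER_SUCCESS = {"Basic": "unchanged", "Digest": "unchanged", "NTLM": "space", "Negotiate": "space"}

    def __init__(self):
        self.srv_data = None  # "server-side returned protocol data and parameters" for this connection

    def is_protected(self, url):
        return url.startswith(self.PROTECTED_PREFIX)

    @staticmethod
    def ident_valid(cookie):
        ident = cookie.get("ident")  # plain dict here; the patent stores it encrypted
        return bool(ident) and ident.get("exp", 0) > time.time()

    @staticmethod
    def _authorization(proto, cookie):
        ident = cookie.get("ident")  # Case 1.1 (HTTP Basic) only
        if proto != "Basic" or not ident:
            return None
        creds = f"{ident['sub_user']}:{ident['sub_pass']}".encode()
        return "Basic " + base64.b64encode(creds).decode()

    def _finish(self, req):
        c = req.cookie  # GET -> POST restoration before the request is let through
        if req.method == "GET" and req.url == c.get("last_url") and c.get("last_post"):
            req.method, req.body = "POST", dict(c["last_post"])
        return req

    def handle_request(self, req):
        """Steps A1-A7: add an Authorization header where the stored state calls for one."""
        if not self.is_protected(req.url):                                    # A1
            return req
        if not self.srv_data:                                                 # A2
            if not self.ident_valid(req.cookie):                              # A3
                return self._finish(req)
            proto = req.cookie.get("proto")                                   # A4
            hdr = self._authorization(proto, req.cookie) if proto in self.PREEMPTIVE else None
            if hdr:
                req.headers["Authorization"] = hdr                            # A5
            return self._finish(req)
        if self.srv_data == " ":                                              # A6
            return self._finish(req)
        hdr = self._authorization(self.srv_data.split()[0], req.cookie)       # A7
        if hdr:
            req.headers["Authorization"] = hdr
        return self._finish(req)

    def _remember(self, req, www):
        self.srv_data = www
        req.cookie["last_url"] = req.url
        req.cookie["last_post"] = dict(req.body) if req.method == "POST" else None

    @staticmethod
    def _redirect(resp, location):
        resp.status = 302
        resp.headers.pop("WWW-Authenticate", None)  # all challenge headers are dropped
        resp.headers.pop("Content-Length", None)
        resp.body = b""
        resp.headers["Location"] = location
        return resp

    @staticmethod
    def _rank(header):
        scheme = header.split()[0]
        return CHALLENGE_PRIORITY.index(scheme) if scheme in CHALLENGE_PRIORITY else len(CHALLENGE_PRIORITY)

    def handle_response(self, req, resp):
        """Steps B1-B9; req is the request this response answers."""
        c = req.cookie
        www = resp.headers.get("WWW-Authenticate")
        if resp.status == 401 and www:                                        # B1
            www = min([www] if isinstance(www, str) else list(www), key=self._rank)
            scheme, _, rest = www.partition(" ")
            if not self.ident_valid(c):                                       # B2 -> B6
                c["proto"] = scheme
                c.pop("ident", None)
                self._remember(req, www)
                return self._redirect(resp, f"{IDP_LOGIN_URL}?sysid={SYSTEM_ID}")
            initial = scheme in ("Basic", "Digest") or not rest.strip()       # B3
            if initial and "Authorization" in req.headers:                    # B4: credentials rejected
                c.pop("ident", None)
                self._remember(req, www)
                return self._redirect(resp, f"{IDP_LOGIN_FAIL_URL}?sysid={SYSTEM_ID}")
            self._remember(req, www)                                          # B5: continue the exchange
            return self._redirect(resp, req.url)
        if not self.is_protected(req.url):                                    # B7
            return resp
        resp.headers.pop("WWW-Authenticate", None)                            # B8
        if req.url == c.get("last_url"):
            c.pop("last_url", None)
            c.pop("last_post", None)
        mode = self.AFTER_SUCCESS.get(c.get("proto"), "unchanged")            # B9
        if mode == "null":
            self.srv_data = None
        elif mode == "space":
            self.srv_data = " "
        return resp
```

Walking a POST to a protected page through the plug-in shows the intended sequence: the first 401 becomes a 302 to the identity service with the URL and form data remembered; once the security token processing page has stored the identity information, the repeated GET is turned back into the original POST carrying an Authorization header; a later 401 against a request that already carried credentials clears the identity information and sends the browser to the login-failure page instead of looping.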
In the HTTP response processing stage, the single-sign-on HTTP plug-in obtains the related data of the request line, headers and body of the HTTP request corresponding to the current HTTP response (such as the request URL, Cookie, Authorization header, POST parameters, etc.) in one of the following ways, depending on the situation:
Case 2.1: If the HTTP plug-in can directly access the related data in the HTTP request, obtain the related data directly from the request; otherwise,
Case 2.2: If the Web service component provides a TCP-connection-bound data storage location, then after the single-sign-on HTTP plug-in has completed all processing in the HTTP request processing stage (including converting a GET request into a POST request) and before letting the HTTP request pass, it stores the related data of the current HTTP request in the TCP-connection-bound data storage location, from which it retrieves the data in the HTTP response processing stage; otherwise,
Case 2.3: If the Web service component provides an HTTP-session-bound data storage location, then after the single-sign-on HTTP plug-in has completed all processing in the HTTP request processing stage (including converting a GET request into a POST request) and before letting the HTTP request pass, it stores the related data of the current HTTP request in the HTTP-session-bound data storage location, from which it retrieves the data in the HTTP response processing stage; otherwise,
Case 2.4: If HTTP response headers can be set directly in the HTTP request processing stage, then after the single-sign-on HTTP plug-in has completed all processing in the HTTP request processing stage (including converting a GET request into a POST request) and before letting the HTTP request pass, it passes the related data of the current HTTP request to the HTTP response processing stage through a custom HTTP response header, and after obtaining the related data from the custom header in the HTTP response processing stage it deletes that custom header; otherwise,
Case 2.5: If the single-sign-on HTTP plug-in has its own custom-developed data storage location bound to the TCP connection or session, then after it has completed all processing in the HTTP request processing stage (including converting a GET request into a POST request) and before letting the HTTP request pass, it stores the related data of the current HTTP request in the custom TCP-connection-bound or session-bound data storage location, from which it retrieves the data in the HTTP response processing stage; otherwise,
Case 2.6: After the single-sign-on HTTP plug-in has completed all processing in the HTTP request processing stage (including converting a GET request into a POST request) and before letting the HTTP request pass, it passes the related data of the current HTTP request to the HTTP response processing stage through a thread (Thread) mechanism.
In cases 2.2 to 2.6, after the single-sign-on HTTP plug-in has completed all processing in the HTTP request processing stage (including converting a GET request into a POST request) and before letting the HTTP request pass, only the POST parameters (if any) of requests for protected Web pages need to be passed to the HTTP response processing stage.
After the single-sign-on HTTP plug-in has redirected the user's browser to the user login page of the identity service system in step B6 of the HTTP response processing stage (by modifying or setting the status code of the HTTP response to "302" and setting the Location header of the HTTP response), the identity service system processes the HTTP request from the user's browser as follows:
C1. Using the Web application system identifier carried in the Query String of the HTTP request URL, determine whether the Web application system the user wants to visit is a system that the identity service system trusts and serves; if not, return an error message; otherwise go to the next step;
C2. Determine whether the user has already completed identity authentication with the identity service system; if so, go to the next step; otherwise direct the user to the login page, authenticate the user by the master account, and go to the next step after successful authentication;
C3. Based on the user's master account and the Web application system the user wants to visit, obtain from the master/sub-account binding database the user's sub-account name and password in the Web application system to be visited;
C4. Generate for the user a security token containing the master account name, the sub-account name and the encrypted sub-account password, digitally sign the relevant information, return the user identity proof information containing the security token to the user's browser as a Form, and have the Form submitted automatically by POST (Submit) to the security token processing page of the Web application system the user needs to visit.
After the security token processing page has received the user identity proof information containing the security token issued by the identity service system, submitted by the user's browser through the automatic POST of the Form, it proceeds as follows:
D1. Verify the security token through its digital signature; if it is valid, go to the next step; otherwise return an error prompt;
D2. Extract the user's master account name, sub-account name and password from the security token and decrypt the sub-account password; then create a Set-Cookie header in the HTTP response that sets the Cookie holding "user identity information", whose value contains the encrypted master account name, sub-account name and password;
D3. Set the status code of the HTTP response to "302", create a Location header in the HTTP response whose value is the "protected URL to be visited last time" obtained from the Cookie, and return the HTTP response.
After the single-sign-on HTTP plug-in has redirected the user's browser to the URL of the login-failure page of the identity service system in step B4 of the HTTP response processing stage (by modifying or setting the status code of the HTTP response to "302" and setting the Location header of the HTTP response), the identity service system processes the HTTP request as follows:
E1. Using the Web application system identifier carried in the HTTP request URL, determine whether the Web application system the user wants to visit is a system that the identity service system trusts and serves; if not, return an error message; otherwise go to the next step;
E2. Prompt the user to enter and submit the account name and password for the Web application system to be visited;
E3. After the user has submitted the account name and password, determine whether the user has previously logged in to the identity service system and completed identity authentication; if so, go to step E5; otherwise go to the next step;
E4. Return the user login page of the identity service system, authenticate the user by the master account, and go to the next step after successful authentication;
E5. Based on the account name and password for the Web application system obtained in steps E2 and E3, update the user's sub-account name and password for the corresponding Web application system in the master/sub-account binding database;
E6. Generate for the user a security token containing the master account name, the sub-account name and the encrypted sub-account password, digitally sign the relevant information, return the user identity proof information containing the security token to the user's browser as a Form, and have the Form submitted automatically by POST (Submit) to the security token processing page of the Web application system the user needs to visit.
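The token issued in steps C4 and E6 and consumed in steps D1 to D3 can be exercised end to end with the following Python example, which is added here and is not code from the patent or its applicants. It assumes an HMAC-SHA256 tag as a stand-in for the identity service's digital signature, a keystream derived from HMAC-SHA256 as a stand-in for the block cipher that encrypts the sub-account password and the identity Cookie (so that the example runs on the standard library alone), constructed keys, a token lifetime of 120 seconds, and field names (`master`, `sub_user`, `sub_pass_enc`, `sys`, `iat`, `exp`, `jti`) of its own. Beyond the steps on the page, the processing page also binds the token to the system identifier and refuses a token it has already accepted, which is the check a practitioner adds so that a captured Form submission cannot be replayed.

```python
import base64
import hashlib
import hmac
import json
import os
import time

SIGN_KEY = b"constructed identity-service signing key"   # stand-in for the signing key pair
ENC_KEY = b"constructed sub-account encryption key"      # shared with the security token page
TOKEN_TTL = 120   # seconds a security token stays acceptable (assumed)
NONCE_LEN = 16


def _keystream(nonce, n):
    # counter-mode keystream from HMAC-SHA256; a stand-in for a real cipher such as AES
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(ENC_KEY, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(plaintext):
    nonce = os.urandom(NONCE_LEN)  # fresh nonce per message keeps the keystream unique
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(nonce, len(plaintext))))


def decrypt(blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(nonce, len(ct))))


def b64(raw):
    return base64.urlsafe_b64encode(raw).decode()


def unb64(text):
    return base64.urlsafe_b64decode(text)


def issue_token(master, sub_user, sub_pass, system_id, now=None):
    """C4 / E6: build the signed security token carried in the auto-submitted Form."""
    now = int(time.time()) if now is None else now
    payload = {"master": master, "sub_user": sub_user,
               "sub_pass_enc": b64(encrypt(sub_pass.encode())),
               "sys": system_id, "iat": now, "exp": now + TOKEN_TTL, "jti": b64(os.urandom(8))}
    body = b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SIGN_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def read_identity(cookie, now=None):
    """Decrypt the "user identity information" Cookie; None once its validity has passed."""
    now = int(time.time()) if now is None else now
    if "ident" not in cookie:
        return None
    ident = json.loads(decrypt(unb64(cookie["ident"])))
    return ident if ident["exp"] > now else None


class TokenProcessingPage:
    def __init__(self, system_id):
        self.system_id = system_id
        self.seen = set()   # token ids already accepted, to reject replays

    def handle(self, form, cookie, now=None):
        """D1-D3: verify the token, set the identity Cookie, redirect to the remembered URL."""
        now = int(time.time()) if now is None else now
        body, _, sig = form["token"].partition(".")
        expected = hmac.new(SIGN_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):                      # D1: signature check
            return {"status": 400, "error": "invalid signature"}
        payload = json.loads(unb64(body))
        if payload["sys"] != self.system_id or not payload["iat"] <= now < payload["exp"]:
            return {"status": 400, "error": "token not for this system or expired"}
        if payload["jti"] in self.seen:
            return {"status": 400, "error": "token replayed"}
        self.seen.add(payload["jti"])
        sub_pass = decrypt(unb64(payload["sub_pass_enc"])).decode()    # D2: recover the password
        ident = {"master": payload["master"], "sub_user": payload["sub_user"],
                 "sub_pass": sub_pass, "exp": now + 600}               # re-encrypted, time-limited
        cookie["ident"] = b64(encrypt(json.dumps(ident).encode()))
        return {"status": 302, "headers": {"Location": cookie.get("last_url", "/")}}   # D3
```

The token carries the system identifier and an issue time so that the page can reject a token minted for a different Web application system or presented after its lifetime, and the `jti` set makes a second submission of the same token fail even though its signature is still valid.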
If the entire Web path (directory) of the Web application system is protected, and no unprotected path (directory) can be set up inside or outside the protected path (directory), then the security token processing page is not an actually existing Web page but only a virtual Web page path; correspondingly, the single-sign-on HTTP plug-in intercepts the HTTP request submitted to the security token processing page in the HTTP request processing stage and performs the processing operation of step D1, then intercepts the HTTP response to that request in the HTTP response processing stage and performs the processing operations of steps D2 and D3.
If the user accesses the Web application system through a Web proxy (Proxy), the Web proxy authenticates the user in proxy mode through an HTTP identity authentication protocol, the Web proxy provides an HTTP plug-in mechanism in its HTTP request and response processing pipeline, and an HTTP plug-in based on this mechanism can intercept the request and response data of the HTTP identity authentication protocol, then the method of the present invention applies equally with the following corresponding changes:
The Web service component refers to the Web proxy; the Web application component refers to the entire Web system behind the Web proxy (which itself comprises one or more Web service components and Web application software); the Web proxy and the entire Web system behind it together constitute the Web application system; the single-sign-on HTTP plug-in is deployed on the Web proxy and configured there to intercept all HTTP requests and responses; the HTTP response status code "401" becomes "407" (Proxy Authentication Required); the HTTP response header WWW-Authenticate becomes the Proxy-Authenticate header, and the HTTP request header Authorization becomes the Proxy-Authorization header.
The single-sign-on integration method of the present invention is intended for those Web application systems in the overall single-sign-on system that use an HTTP identity authentication protocol and for which that protocol is not replaced or changed; other single-sign-on integration methods may be adopted for other Web application systems.
The innovation of the present invention is that, through the single-sign-on HTTP plug-in, a Web application system that authenticates users with an HTTP identity authentication protocol (such as Basic, Digest, NTLM or Negotiate) can achieve single sign-on without changing its identity authentication configuration or modifying the application program. This solves a common technical difficulty in the practical integration of single sign-on.
A characteristic of the present invention is that the user can access a Web application system that uses the Kerberos protocol (i.e. the HTTP Negotiate protocol with Kerberos for identity authentication) even from an external network.
Description of drawings
Fig. 1 is a block diagram of the overall structure of a single-sign-on system adopting the present invention.
Embodiment
The present invention is described in further detail below with reference to the accompanying drawing.
The present invention is a plug-in type single-sign-on integration method oriented to HTTP identity authentication protocols. The overall structure of a single-sign-on system adopting this method is shown in Fig. 1 and comprises a Web service component, a Web application component, the single-sign-on HTTP plug-in, the security token processing page, a browser, the identity service system, a master account database and a master/sub-account binding database; the Web service component and the Web application component together constitute the Web application system. The function of each part has been described in detail in the summary of the invention above and is not repeated here. Among the components of the overall single-sign-on system, the single-sign-on HTTP plug-in, the security token processing page, the identity service system, the master account database and the master/sub-account binding database are what the present invention implements, and among these the single-sign-on HTTP plug-in is the most critical and most important part.
The identity service system can be implemented with any of the existing mature information system development technologies, such as J2EE or ASP.NET; the master account database can be an LDAP directory, a relational database, an existing Windows Active Directory, or the account database of some application system; the master/sub-account binding database can be a relational database. The master/sub-account binding database only needs to hold the following information: 1) the user's master account name; 2) the user's sub-account name and password in each application system that the master account is authorized to access.
The implementation of the single-sign-on HTTP plug-in and the security token processing page depends on the Web service component on which they are to be deployed (but need not use the same development technology as the Web application component). Specific embodiments for some commonly used Web service components are described below.
If the Web service component is Windows IIS5, the single-sign-on HTTP plug-in can be implemented as an ISAPI Filter; the concrete scheme is as follows.
The single-sign-on HTTP plug-in uses the TCP-connection-bound data storage location provided by ISAPI Filter, namely the pFilterContext field of the HTTP_FILTER_CONTEXT structure that ISAPI passes as the input parameter pfc of the ISAPI entry-point function HttpFilterProc(...), to store "server-side returned protocol data and parameters". In the HTTP request processing stage, the single-sign-on HTTP plug-in responds (through registration in the entry-point function GetFilterVersion(...)) to the SF_NOTIFY_READ_RAW_DATA and SF_NOTIFY_PREPROC_HEADERS notification events and performs the corresponding processing: decrypting the user identity information and adding the Authorization request header are done when responding to the SF_NOTIFY_PREPROC_HEADERS notification event; converting a GET request into a POST request (when needed) and adding the data in "last POST parameters" to the HTTP request body as POST parameters are done when responding to the SF_NOTIFY_READ_RAW_DATA notification event; if the current HTTP request is a POST (including a request converted from GET to POST), the plug-in, when responding to the SF_NOTIFY_READ_RAW_DATA notification event, stores the POST parameters of the current request in the pFilterContext field, from which it retrieves them in the response processing stage. In the HTTP request processing stage the plug-in can obtain the various items of the request line and request headers, such as the request URL and Cookie, through the callback functions provided by ISAPI Filter.
In the HTTP response processing stage the single-sign-on HTTP plug-in responds (through notification event registration) to the SF_NOTIFY_SEND_RESPONSE, SF_NOTIFY_SEND_RAW_DATA and SF_NOTIFY_END_OF_NET_SESSION notification events and performs the corresponding processing: when responding to the SF_NOTIFY_SEND_RESPONSE and SF_NOTIFY_SEND_RAW_DATA notification events it modifies the HTTP response (including modifying the status line and headers and deleting the response body) and stores the user login information, among other operations; when responding to the SF_NOTIFY_END_OF_NET_SESSION notification event it releases the corresponding system resources. In fact, the plug-in's modification of the HTTP response in the response processing stage can either be split between the SF_NOTIFY_SEND_RESPONSE and SF_NOTIFY_SEND_RAW_DATA notification points, or be done entirely at the SF_NOTIFY_SEND_RAW_DATA notification point, in which case the SF_NOTIFY_SEND_RESPONSE notification event need not be handled. In the response processing stage the plug-in can obtain the items of the request line and request headers, such as the request URL and Cookie, through the callback functions provided by ISAPI Filter, and can modify the response or generate a new one; the plug-in obtains the POST parameters stored during the request processing stage from the pFilterContext field (i.e. the scheme of case 2.2).
The security token processing page can be implemented as an ISAPI Extension. A security token processing page based on an ISAPI Extension processes the request and generates the response through the callback functions of ISAPI Extension. The security token processing page is located either in an unprotected directory (path) or in an unprotected subdirectory (subpath) of the protected directory (path). The single-sign-on HTTP plug-in and the security token processing page obtain the relevant security configuration of IIS, such as the protected directories (paths) and the identity authentication protocol in use, through the IIS Administration API.
If the Web service component is Windows IIS6, then either IIS6 is configured to the IIS5 operating mode and the IIS5 plug-in described above is used, or the single-sign-on HTTP plug-in is implemented as follows:
The plug-in saves the "server-side returned protocol data and parameters" in the same way as in IIS5. In the HTTP request processing stage the plug-in responds only to the SF_NOTIFY_PREPROC_HEADERS notification event; apart from not converting the GET method to POST and not saving the POST parameters of a POST request in the pFilterContext field, the other operations are implemented as in IIS5. In the HTTP response processing stage, apart from not retrieving the saved POST parameters, the other operations are implemented as in IIS5. The security token processing page is implemented as in IIS5.
When the plug-in in IIS6 uses this non-IIS5 implementation, a problem can arise in practice: because the POST parameters of a POST request are not saved, and the GET method is not converted to POST when needed, if the method used when the user first visits a protected page is POST, then after the user completes identity authentication the protected page will automatically be visited again with the GET method, so the user may not obtain the expected result. This does not cause substantive harm: first, because the first visit to a protected page usually uses the GET method rather than POST; second, even where the first visit to a protected page is not a GET, the Web application system can prompt the user to resubmit the data, and the submission after that is normally a POST request.
If the Web service component is Windows IIS 7.0 or a later version, then in addition to the IIS6 embodiment described above, the plug-in can be implemented based on the Native-Code HTTP Module or Managed-Code HTTP Module extension mechanism of IIS, and the security token processing page can be implemented based on ISAPI Extension or ASP.NET.
If the plug-in is implemented as a Native-Code HTTP Module, a derived class of CHttpModule must be implemented; its OnBeginRequest method performs the single-sign-on processing of the HTTP request and its OnSendResponse method performs the single-sign-on processing of the HTTP response. The plug-in saves the "server-side returned protocol data and parameters" in the IHttpModuleContextContainer object of the IHttpConnection object of the Native-Code HTTP Module, which is associated with the TCP connection. In the response processing stage the plug-in can directly read the data (including the POST parameters) of the request line, headers and body of the corresponding HTTP request.
Implementing the plug-in as a Managed-Code HTTP Module is similar to implementing it as a Native-Code HTTP Module. For how to develop IIS extension modules with Native-Code HTTP Modules or Managed-Code HTTP Modules, see Microsoft's MSDN (Microsoft Developer Network).
If the Web service component of the Web application system is a JSP/Servlet Web Container (including the Web Container of a J2EE Application Server), the plug-in can be based on a Servlet Filter (which all Web containers have), an AuthenticationFilter (e.g. WebLogic), the Web container's Valve (e.g. Tomcat) or another similar HTTP plug-in mechanism (e.g. the TAI of WebSphere). How it is implemented, and whether it can be implemented, depends first on which plug-in mechanism the Web container provides, and second on whether that mechanism can satisfy the single-sign-on processing requirements described, namely that it can intercept the HTTP requests and responses of the HTTP identity authentication protocol and modify them in some way. For example, if the HTTP requests and responses of the HTTP identity authentication protocol on a given Web Container can be intercepted by a Servlet Filter, Authentication Filter or Valve, the plug-in can be implemented on that basis. With the HTTP plug-in mechanisms that JSP/Servlet Web Containers provide, the plug-in can normally read all data of the HTTP request directly in the response processing stage. For a JSP/Servlet Web Container, the security token processing page can be implemented with JSP/Servlet. The security configuration information is obtained either by reading the configuration files directly or through the interfaces provided by the Web container.
If the Web service component of the Web application system is Apache HTTP Server or IBM HTTP Web Server, the plug-in can be developed based on Apache Hooks and Filters: the functions of the request processing stage are implemented with Apache Hooks, and the functions of the response processing stage with Apache Hooks and Filters, where the Hook processes the headers and the Filter processes the response content. The "server-side returned protocol data and parameters" are stored in the per-TCP-connection data storage location that Apache provides. With an Apache Filter, the plug-in can directly read all data of the HTTP request in the response processing stage. The security token processing page can be developed as an Apache Content Handler or with the page technology of the corresponding Web application component (e.g. Perl, Python). The security configuration information of Apache HTTP Server or IBM HTTP Web Server is obtained either by reading the configuration files directly or through the interface variables Apache provides, such as the directory configuration information in the request_rec structure and the server configuration information in the conn_rec structure within request_rec.
Other Web service components, such as Domino Web Server, all have similar HTTP plug-in mechanisms, and the implementation of the plug-in and of the security token processing page on these Web platforms is similar to the implementations described above.
In addition, regarding the single-sign-on protocol and the security token involved: standard protocols such as SAML and WS-FPRP may be adopted, with the corresponding SAML assertion or WS-Security Token as the security token proving user identity; or a custom single-sign-on protocol and a custom security token may be used, provided they are consistent with the interaction and processing procedure of the present invention. If the single-sign-on protocol and security token are XML-based (eXtensible Markup Language), such as SAML and WS-FPRP, various mature dynamic libraries, class libraries (e.g. the Windows Communication Foundation class library) and APIs (e.g. Java API for XML Processing, JAXP) for processing XML data can be used. For the data encryption and digital signature involved, various mature dynamic libraries (e.g. OpenSSL), class libraries (e.g. Java Cryptography Extension) and APIs (e.g. Windows CryptoAPI) can be used.
Content not described in detail in this specification belongs to prior art known to those skilled in the art.

Claims (10)

1. A plug-in type single-sign-on integration method oriented to HTTP identity authentication protocols, wherein the single-sign-on system of said method comprises a Web service component, a Web application component, a single-sign-on HTTP plug-in, a security token processing page, a browser, an identity service system, a main account database and a main/sub-account binding database, characterized in that:
Web service component: provides the HTTP request receiving and response sending functions, and other related support functions, for the Web application component, including: receiving the HTTP-format service requests submitted by the user's browser, performing the corresponding preprocessing and then submitting them to the Web application component for processing, and afterwards sending the result returned by the Web application component to the user's browser in the form of an HTTP response; performing identity authentication and access control on the user based on the corresponding security configuration; maintaining the user's HTTP session;
Web application component: functional software that provides specific application services to the user; through the related Web service component it receives the application service requests the user submits through the browser and, after processing, returns the result to the user's browser through the Web service component; said Web application component together with its corresponding said Web service component constitutes a Web application system; there is at least one said Web application system; said Web application system authenticates the user in some manner, and some Web application systems authenticate the user through the Web service component using a standard HTTP identity authentication protocol; a user accessing a protected page or resource of said Web application system may do so only after completing identity authentication with the user's account in that Web application system; said standard HTTP identity authentication protocols include, but are not limited to, the HTTP Basic, Digest, NTLM and Negotiate identity authentication protocols for the Web;
Single-sign-on HTTP plug-in: a software component implementing the single-sign-on function that, based on the extension mechanism provided by the Web service component, is inserted into the HTTP request and response processing channel of the Web service component of a Web application system adopting an HTTP identity authentication protocol; the plug-in mechanism adopted by said single-sign-on HTTP plug-in can intercept the request and response data of the HTTP identity authentication protocol; said single-sign-on HTTP plug-in is configured to intercept all HTTP requests and responses on the Web service component where it is deployed, or configured to intercept all HTTP requests and responses submitted to the protected directories or paths and those submitted to the directory or path where the security token processing page resides; said single-sign-on HTTP plug-in has corresponding configuration information for setting the information related to single sign-on, which optionally includes the following: 1) which Web page directories or paths of the Web application system where the plug-in resides are protected; 2) which HTTP identity authentication protocol or protocols are adopted in the protected directories or paths, and the related identity authentication protocol parameters; 3) whether the implementation of the HTTP identity authentication in use allows the client to actively send an authentication and authorization request, i.e. whether the client browser is allowed to submit an HTTP request containing an Authorization header, requesting that the server authenticate the client user and authorize resource access, before it has received an HTTP response with status code "401" and a WWW-Authenticate header;
Security token processing page: a Web page deployed on the Web service component of a Web application system adopting an HTTP identity authentication protocol, which specially processes the security token proving user identity issued by the identity service system; said security token processing page is deployed in an unprotected path or directory of the Web service component, i.e. a user submitting an HTTP request to this processing page through the browser need not complete identity authentication;
Browser: the client through which the user interacts with the Web application system, sending HTTP requests to the Web service component over HTTP, receiving the HTTP responses returned by the Web service component and presenting the response content;
Identity service system: a system providing an online user identity authentication service, which authenticates the user online based on the user's identity credentials and delivers the security token proving user identity to the Web application system through the corresponding single-sign-on protocol and via the browser; the form of said security token issued by said identity service system depends on the single-sign-on protocol used and may be a SAML assertion, a WS-Federation security token or a custom security token; said identity service system guarantees the authenticity and integrity of the issued security token through a digital signature;
Main account database: stores the main account information with which the user logs in to the identity service system, including the main account's account name and password, or the related information of the digital certificate corresponding to the main account; said main account is the account the user uses when performing identity authentication with said identity service system; said main account database may be an independent account database, or the account database of some application system;
Main/sub-account binding database: stores the correspondence or binding relationship between the user's main account and the user's sub-accounts in the Web application systems, together with the sub-account passwords; said sub-account is the user's account in a particular Web application system; a user's main account and sub-account in a given Web application system may be the same or different.
2. The plug-in type single-sign-on integration method oriented to HTTP identity authentication protocols according to claim 1, characterized in that: said single-sign-on HTTP plug-in saves information related to each user's identity authentication, called user login information; said user login information comprises:
1) identity authentication protocol: the HTTP identity authentication protocol currently used by the Web service component to authenticate the user;
2) server-side returned protocol data and parameters: the protocol data and parameters returned to the client browser through the WWW-Authenticate response header when the Web service component authenticates the client user with the HTTP identity authentication protocol, including the indicator of the HTTP identity authentication protocol;
3) last protected URL to be visited: the URL of the protected Web page the user last expected to visit with the browser before completing identity authentication with the Web application system;
4) last POST parameters: if the HTTP request method used when the user last visited the protected Web page with the browser, before completing identity authentication with the Web application system, was POST, the value of said last POST parameters is the POST parameters of that HTTP request; otherwise its value is empty;
5) user identity information: information identifying the authenticated user, comprising the user's main account name, sub-account name and sub-account password;
Each item of said user login information is saved in the form of a character string; non-character data is saved in Base64-encoded form; said user identity information is encrypted and time-limited, so as to prevent leakage and replay attacks; said identity authentication protocol, last protected URL to be visited, last POST parameters and user identity information are saved in a Cookie, and the path scope of this Cookie must cover both the protected path set by the Web service component and the unprotected path where the security token processing page resides, i.e. both the Web pages in the protected path and the unprotected security token processing page can see and obtain this Cookie; alternatively, the related user login information is saved simultaneously in two different Cookies, one scoped to the protected path and the other to the unprotected path where the security token processing page resides;
Depending on the data storage mechanism said Web service component provides to HTTP plug-ins, said single-sign-on HTTP plug-in stores said server-side returned protocol data and parameters according to the following priority, as follows:
Case 1: if the Web service component provides the HTTP plug-in with a per-TCP-connection data storage location, the plug-in saves said server-side returned protocol data and parameters in the per-TCP-connection data storage location; or,
Case 2: if the Web service component provides the HTTP plug-in with a per-HTTP-session data storage location, the plug-in saves said server-side returned protocol data and parameters in the per-HTTP-session data storage location; or,
Case 3: if the plug-in has a custom-developed per-TCP-connection or per-HTTP-session data storage location, the plug-in saves said server-side returned protocol data and parameters in that custom-developed data storage location;
Otherwise,
Case 4: the plug-in saves all user login information in the client browser through a Cookie;
Said per-TCP-connection data storage location is a data storage location that the Web service component provides to HTTP plug-ins and that is associated with the TCP connection carrying the HTTP data transfer, so that a different TCP connection has a different storage location; said per-HTTP-session data storage location is one that stays the same for the same HTTP session even when the TCP connection differs, i.e. it is independent of the TCP connection and related only to the specific HTTP user session;
For said server-side returned protocol data and parameters, the configuration information of the plug-in must set, for each HTTP identity authentication protocol used by the Web application system, how the value of said server-side returned protocol data and parameters is set after user identity authentication succeeds; the options are: leave unchanged, set to empty, or set to a single space.
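The user identity information item of claim 2 is the sensitive part of the Cookie: it carries the sub-account password, so the claim requires it to be encrypted and time-limited. The following added example (not code from the patent or its assignees) shows one way to produce such a Cookie value with only the Python standard library: the JSON-encoded identity is encrypted with an HMAC-SHA256 keystream in counter mode under one derived key, authenticated with an HMAC tag under a second derived key (encrypt-then-MAC), and Base64-encoded as the claim requires for non-character data; the issue timestamp inside the sealed data enforces the validity window. The key, the 300-second window and all account values are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed demonstration key; a deployed plug-in would load its key from its own configuration.
PLUGIN_KEY = b"demo-plugin-key-not-for-production"
MAX_AGE_SECONDS = 300  # assumed validity window for the user identity information


def _subkey(label: bytes, key: bytes = PLUGIN_KEY) -> bytes:
    """Derive separate encryption and MAC keys from the plug-in key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(data: bytes, nonce: bytes, key: bytes) -> bytes:
    """Stream-encrypt or decrypt with HMAC-SHA256 in counter mode; XOR is its own inverse."""
    stream = b"".join(
        hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for counter in range((len(data) + 31) // 32)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_identity(main_account: str, sub_account: str, sub_password: str,
                  now: Optional[float] = None, nonce: Optional[bytes] = None) -> str:
    """Encode user identity information as an encrypted, authenticated, time-stamped Cookie value."""
    issued = int(time.time() if now is None else now)
    plain = json.dumps({"main": main_account, "sub": sub_account, "pwd": sub_password,
                        "iat": issued}, separators=(",", ":")).encode("utf-8")
    nonce = os.urandom(16) if nonce is None else nonce
    body = nonce + _keystream_xor(plain, nonce, _subkey(b"enc"))
    tag = hmac.new(_subkey(b"mac"), body, hashlib.sha256).digest()  # encrypt-then-MAC
    return base64.b64encode(body + tag).decode("ascii")             # Cookie values are text


def open_identity(cookie_value: str, now: Optional[float] = None,
                  max_age: int = MAX_AGE_SECONDS) -> Optional[dict]:
    """Return the identity information if the tag verifies and it is still fresh, else None."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < 16 + 32:
        return None
    body, tag = raw[:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(_subkey(b"mac"), body, hashlib.sha256).digest()):
        return None  # tampered or forged: reject before decrypting
    nonce, ciphertext = body[:16], body[16:]
    info = json.loads(_keystream_xor(ciphertext, nonce, _subkey(b"enc")).decode("utf-8"))
    current = time.time() if now is None else now
    if not 0 <= current - info["iat"] <= max_age:
        return None  # expired (or from the future): bounds the window for replaying an old Cookie
    return info
```

The plug-in would call seal_identity when the security token processing page has verified the identity service system's token and open_identity in step 3 of the request processing and step 2 of the response processing, treating None as "user identity information absent or invalid". Verifying the tag before decrypting, and using a separate key for each purpose, is what keeps a forged or modified Cookie from ever reaching the decryption or JSON parsing code.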
3. The plug-in type single-sign-on integration method oriented to HTTP identity authentication protocols according to claim 1 or 2, characterized in that: when the user uses a browser to access a Web application system that authenticates the user with an HTTP identity authentication protocol, said single-sign-on HTTP plug-in intercepts the HTTP request and then processes it as follows:
Step 1: according to the relevant configuration information, determine whether the URL of the current HTTP request corresponds to a protected page or an unprotected page; if protected, go to step 2; otherwise let this HTTP request pass and finish processing this HTTP request;
Step 2: check said server-side returned protocol data and parameters; if they are not set or their value is empty, go to step 3; otherwise go to step 6;
Step 3: check said user identity information; if it exists and is valid, go to step 4; otherwise let the HTTP request pass and finish processing this HTTP request;
Step 4: obtain the HTTP identity authentication protocol currently used by the Web application system from said identity authentication protocol information saved in the Cookie; then determine, according to the relevant configuration information, whether the HTTP identity authentication protocol adopted allows the client to actively send an authentication and authorization request; if not, let the HTTP request pass and finish processing this HTTP request; otherwise go to step 5;
Step 5: obtain the data and parameters required by the HTTP identity authentication protocol from the relevant configuration information; according to the HTTP identity authentication protocol, generate the Authorization request header for the client's first submission, containing the identity authentication data, and add the generated header to the intercepted HTTP request; then let the modified HTTP request pass and finish processing this HTTP request;
Step 6: if the value of said server-side returned protocol data and parameters is a single space, let this HTTP request pass and finish processing this HTTP request; otherwise go to step 7;
Step 7: according to the HTTP identity authentication protocol and the other data in said server-side returned protocol data and parameters, generate the Authorization request header of the identity authentication protocol for the current protocol stage, and add the generated header to the intercepted HTTP request; then let the modified HTTP request pass and finish processing this HTTP request;
The relevant configuration information in said steps 1, 4 and 5 refers to the configuration information of the Web service component and/or the single-sign-on HTTP plug-in relating to secure access control, identity authentication and single sign-on;
The identity authentication process of said HTTP identity authentication protocol requires the client and the server to interact over several steps or stages through HTTP requests and responses, and the current protocol stage of the HTTP identity authentication protocol in said step 7 is the step or stage at which the client is currently required by the identity authentication protocol to submit identity authentication request information;
After said single-sign-on HTTP plug-in completes the related processing of said steps 2-7 in the HTTP request processing stage, and before letting the HTTP request pass, it performs the following operation: if the URL of the current HTTP request is identical to the URL saved in said last protected URL to be visited, the method of the current HTTP request is GET, and the value of said last POST parameters is non-empty, then the method of the current HTTP request is changed to POST and the data in said last POST parameters are added to the current HTTP request as POST parameters;
If, with the HTTP plug-in mechanism provided by the Web service component, said single-sign-on HTTP plug-in cannot obtain the request line, headers or body of the HTTP request corresponding to the current HTTP response in the HTTP response processing stage, then after said steps 1-7 of the HTTP request processing stage have completed all related processing, including converting a GET request into a POST request, and before letting the HTTP request pass, the plug-in delivers the related data of the current HTTP request to the HTTP response processing stage according to the following priority and the following cases:
Case A: if the Web service component provides a per-TCP-connection data storage location, the related data of the current HTTP request is saved in the per-TCP-connection data storage location and obtained by the plug-in in the HTTP response processing stage; or,
Case B: if the Web service component provides a per-HTTP-session data storage location, the related data of the current HTTP request is saved in the per-HTTP-session data storage location and obtained by the plug-in in the HTTP response processing stage; or,
Case C: if the headers of the HTTP response can be set directly in the HTTP request processing stage, the related data of the current HTTP request is delivered to the HTTP response processing stage through a custom HTTP response header, and the plug-in deletes this custom header after obtaining the related data from it in the HTTP response processing stage; or,
Case D: if the plug-in has a custom-developed per-TCP-connection or per-session data storage location, the related data of the current HTTP request is saved in that custom-developed data storage location and obtained by the plug-in in the HTTP response processing stage;
Otherwise,
Case E: the plug-in delivers the related data of the current HTTP request to the HTTP response processing stage through a threading mechanism;
Said single-sign-on HTTP plug-in only needs to deliver the POST parameters of protected Web pages to the HTTP response processing stage.
4. The plug-in type single-sign-on integration method oriented to HTTP identity authentication protocols according to claim 3, characterized in that: in said steps 5 and 7 of the HTTP request processing, said single-sign-on HTTP plug-in generates the Authorization request header of the HTTP identity authentication protocol for the corresponding protocol stage according to the HTTP identity authentication protocol, as follows:
Case I: if the identity authentication protocol is HTTP Basic, decrypt said user identity information data from the Cookie to obtain the user's sub-account name and password in the Web application system, then form the Authorization header as required by the HTTP Basic protocol; or,
Case II: if the identity authentication protocol is HTTP Digest, decrypt said user identity information data from the Cookie to obtain the user's sub-account name and password in the Web application system, then form the Authorization header according to the content of said server-side returned protocol data and parameters and the requirements of the HTTP Digest protocol; or,
Case III: if the identity authentication protocol is HTTP NTLM, and said server-side returned protocol data and parameters are not set, or their value is empty, or their value is the initial prompt to perform identity authentication, then generate NTLM Type 1 data and form the data of the Authorization header as required by the HTTP NTLM protocol; otherwise, first decrypt said user identity information data from the Cookie to obtain the user's sub-account name and password in the Web application system, then use this sub-account name and password together with the NTLM Type 2 data saved in said server-side returned protocol data and parameters to generate NTLM Type 3 data, and form the Authorization header as required by the HTTP NTLM protocol; or,
Case IV: if the identity authentication protocol is HTTP Negotiate, first decrypt said user identity information data from the Cookie to obtain the user's sub-account name and password in the Web application system, which are also the user's account name and password in the Kerberos system; then call the corresponding Kerberos interface with this sub-account name and password to connect to the Kerberos KDC authentication server and obtain the user's TGT; then use this TGT to call GSS-API or an equivalent interface to obtain the SPNEGO token for the user's access to the Web application system; then form the Authorization header from the obtained SPNEGO token as required by the HTTP Negotiate protocol; or,
Case V: if it is another valid HTTP identity authentication protocol, handle it according to that protocol;
Otherwise, direct the user's browser to an error page.
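Steps 1-7 of claim 3 and Cases I and II of claim 4 together describe what the plug-in does to an intercepted request. The following added example (not code from the patent or its assignees) implements that decision logic over a constructed request dictionary, with the Authorization header built as RFC 2617 specifies for HTTP Basic and for HTTP Digest (MD5 with qop=auth when offered, computed from the saved WWW-Authenticate challenge); it also carries out the GET-to-POST replay of the last POST parameters described after step 7. The state dictionary stands in for the decrypted Cookie items of claim 2, the cfg dictionary for the plug-in's configuration information, and NTLM and Negotiate (Cases III and IV) fall to the error-page branch because their Type 1/Type 3 and Kerberos/SPNEGO exchanges are not shown here.

```python
import base64
import hashlib
import os
import re

_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_challenge(challenge: str):
    """Split 'Digest realm="x", nonce="y"' into ('Digest', {'realm': 'x', 'nonce': 'y'})."""
    scheme, _, rest = challenge.strip().partition(" ")
    params = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in _PARAM_RE.finditer(rest)}
    return scheme, params


def basic_authorization(username: str, password: str) -> str:
    """Case I: RFC 2617 Basic credentials, base64("user:password")."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")


def digest_authorization(username, password, method, uri, challenge, cnonce=None, nc=1):
    """Case II: RFC 2617 Digest (MD5, qop=auth when offered) built from the saved server challenge."""
    _, p = parse_challenge(challenge)

    def md5(text: str) -> str:
        return hashlib.md5(text.encode("utf-8")).hexdigest()

    ha1 = md5(f"{username}:{p['realm']}:{password}")
    ha2 = md5(f"{method}:{uri}")           # HA2 covers the request method, see the note below
    qop = "auth" if "auth" in p.get("qop", "").split(",") else None
    cnonce = cnonce or os.urandom(8).hex()
    ncv = f"{nc:08x}"
    if qop:
        response = md5(f"{ha1}:{p['nonce']}:{ncv}:{cnonce}:{qop}:{ha2}")
    else:
        response = md5(f"{ha1}:{p['nonce']}:{ha2}")
    fields = [f'username="{username}"', f'realm="{p["realm"]}"', f'nonce="{p["nonce"]}"',
              f'uri="{uri}"', f'response="{response}"']
    if qop:
        fields += [f"qop={qop}", f"nc={ncv}", f'cnonce="{cnonce}"']
    if "opaque" in p:
        fields.append(f'opaque="{p["opaque"]}"')
    return "Digest " + ", ".join(fields)


def build_authorization(protocol, identity, req, challenge):
    """Dispatch on the protocol; None stands for the 'direct the browser to an error page' branch."""
    if protocol.lower() == "basic":
        return basic_authorization(identity["sub"], identity["pwd"])
    if protocol.lower() == "digest" and challenge:
        return digest_authorization(identity["sub"], identity["pwd"], req["method"], req["url"], challenge)
    return None  # NTLM Type 1/3 and Negotiate (Kerberos/SPNEGO) exchanges are not shown here


def _decide(req, state, cfg):
    identity, server_data = state.get("identity"), state.get("server_data")
    if not server_data:                                               # step 2
        if not identity:                                              # step 3
            return "pass: no identity information"
        proto = state.get("protocol", "")                             # step 4
        if not cfg["client_may_initiate"].get(proto.lower(), False):
            return "pass: protocol requires a server challenge first"
        header = build_authorization(proto, identity, req, None)      # step 5
    elif server_data == " ":                                          # step 6
        return "pass: already authenticated"
    else:
        proto, _ = parse_challenge(server_data)                       # step 7
        header = build_authorization(proto, identity, req, server_data) if identity else None
    if header is None:
        return "error page"
    req["headers"]["Authorization"] = header
    return "pass: Authorization added"


def process_request(req, state, cfg):
    """Steps 1-7 of claim 3 over a constructed request dict, then the GET-to-POST replay."""
    if not any(req["url"].startswith(p) for p in cfg["protected_paths"]):  # step 1
        return "pass: unprotected"
    decision = _decide(req, state, cfg)
    # replay the saved POST parameters when the last protected URL is revisited with GET
    if req["url"] == state.get("last_url") and req["method"] == "GET" and state.get("last_post"):
        req["method"], req["body"] = "POST", state["last_post"]
    return decision
```

The block follows the claim's order, generating the header first and converting GET to POST afterwards. For Digest that order matters: HA2 covers the request method, so a deployment that supports Digest together with the POST replay has to compute the Authorization header after the method has been changed, otherwise the server rejects the response value.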
5. The plug-in single sign-on integration method oriented to HTTP identity authentication protocols according to claims 1 and 2, characterized in that after the single sign-on HTTP plug-in intercepts an HTTP response, it processes the HTTP response as follows:
Step 1: inspect the status and headers of the HTTP response; if the status is "401" and the response contains a WWW-Authenticate header, go to step 2; otherwise, go to step 7;
Step 2: check the user identity information; if it exists and is valid, go to step 3; otherwise, go to step 6;
Step 3: check the value of the WWW-Authenticate header of the current HTTP response; if it is the initial prompt to perform identity authentication, and the HTTP request corresponding to this response contains an Authorization header whose value is the identity credential data (or data obtained from the identity credential data by cryptographic computation) for the HTTP identity authentication protocol indicated in the WWW-Authenticate header, go to step 4; otherwise, go to step 5;
Step 4: set the user identity information to empty; set the saved server-returned protocol data and parameters to the value of the WWW-Authenticate header of the HTTP response; obtain the HTTP request URL corresponding to the current response and save it as the last protected URL to be visited; if the method of that HTTP request is POST, save its POST parameters as the last POST parameters, otherwise set the last POST parameters to empty; then change the status code of the HTTP response to 302, remove the WWW-Authenticate response header, and remove any response body and response body length indication; add a Location header to the response whose value is the URL of the identity service system's user login-error page, with the system identifier of the Web application system hosting the single sign-on HTTP plug-in appended as a Query String; finally, let the modified HTTP response through, completing the processing of this response;
Step 5: set the saved server-returned protocol data and parameters to the value of the WWW-Authenticate header of the HTTP response; obtain the HTTP request URL corresponding to the current response and save it as the last protected URL to be visited; if the method of that HTTP request is POST, save its POST parameters as the last POST parameters, otherwise set the last POST parameters to empty; then change the status code of the HTTP response to 302, remove the WWW-Authenticate response header, and remove any response body and response body length indication; add a Location header to the response whose value is the HTTP request URL corresponding to the current response; finally, let the modified HTTP response through, completing the processing of this response;
Step 6: save the HTTP identity authentication protocol indicated in the WWW-Authenticate header as the identity authentication protocol in the user login information; set the saved server-returned protocol data and parameters to the value of the WWW-Authenticate header; set the user identity information to empty; obtain the HTTP request URL corresponding to the current response and save it as the last protected URL to be visited; if the method of that HTTP request is POST, save its POST parameters as the last POST parameters, otherwise set the last POST parameters to empty; then change the status code of the HTTP response to 302, remove the WWW-Authenticate response header from the response, and remove any response body and response body length indication; add a Location header to the response headers whose value is the URL of the identity service system's user login page, with the system identifier of the Web application system hosting the single sign-on HTTP plug-in appended as a Query String; finally, let the modified HTTP response through, completing the processing of this response;
Step 7: obtain the HTTP request URL corresponding to the current response and determine from the relevant configuration information whether this URL corresponds to a protected Web page; if not, let the HTTP response through, completing the processing of this response; otherwise, go to step 8;
Step 8: if the HTTP response contains a WWW-Authenticate response header, remove it; if the URL of the HTTP request corresponding to the current response is identical to the last protected URL to be visited, set the last protected URL to be visited and the last POST parameters to empty;
Step 9: set the saved server-returned protocol data and parameters according to the rule, configured in the single sign-on HTTP plug-in's configuration information for the HTTP identity authentication protocol currently in use, for setting that value after successful identity authentication; then let the modified HTTP response through, completing the processing of this response;
The value of the WWW-Authenticate header being the initial prompt to perform identity authentication, in step 3, means that the value of this header is the data of the WWW-Authenticate response header that the Web server returns, to demand identity authentication, when the user first visits a protected page before completing identity authentication;
Identity credential data, in step 3, means electronic data that can prove the user's identity, including an account name and password and including identity verification information such as a security token; data obtained from the identity credential data by cryptographic computation means the data obtained after the identity credential has undergone some cryptographic operation;
If the HTTP response intercepted by the single sign-on HTTP plug-in contains several WWW-Authenticate headers, then the WWW-Authenticate header used in step 3, the one used in steps 4, 5 and 6 whose value is saved to the server-returned protocol data and parameters, and the one used in step 6 for the saved identity authentication protocol, are the WWW-Authenticate header selected according to a predetermined rule, and the WWW-Authenticate headers deleted in steps 4, 5, 6 and 8 include all WWW-Authenticate headers corresponding to any HTTP identity authentication protocol;
The modified HTTP response in steps 4, 5, 6 and 9 may be either the response obtained by modifying the original HTTP response data structure directly, or a newly generated HTTP response on a new HTTP response data structure;
The relevant configuration information in step 7 refers to the configuration information of the Web service component and/or the single sign-on HTTP plug-in relating to secure access control, identity authentication and single sign-on.
6. The plug-in single sign-on integration method oriented to HTTP identity authentication protocols according to claim 5, characterized in that after step 6 of the HTTP response processing procedure redirects the browser to the identity service system's user login page, by modifying or setting the status code of the HTTP response to 302 and setting its Location header, the identity service system processes the HTTP request as follows:
Step 1: using the Web application system identifier carried in the Query String of the HTTP request URL, determine whether the Web application system the user wants to visit is a system the identity service system trusts and serves; if not, return an error message; otherwise, go to step 2;
Step 2: determine whether the user has already completed identity authentication in the identity service system; if so, go to the next step; otherwise, direct the user to the login page, authenticate the user on the basis of the user's main account, and go to step 3 once authentication succeeds;
Step 3: using the user's main account and the Web application system the user wants to visit, obtain the user's sub-account name and password in that Web application system from the main/sub-account binding database;
Step 4: generate for the user a security token containing the user's main account name, sub-account name and encrypted sub-account password, digitally sign the relevant information, return the user identity proof information containing the security token to the user's browser as a Form, and submit the user identity proof information containing the security token by the Form's automatic POST to the security token processing page of the Web application system the user needs to visit.
7. The plug-in single sign-on integration method oriented to HTTP identity authentication protocols according to claim 1, 2 or 6, characterized in that after the security token processing page receives the user identity proof information, containing the security token issued by the identity service system, submitted by the user's browser through the Form's automatic POST, it processes it as follows:
Step I: verify through the digital signature whether the security token is valid; if it is, go to step II; otherwise, return an error prompt;
Step II: extract the user's main account name, sub-account name and password from the security token and decrypt the sub-account password; then create a Set-Cookie header in the HTTP response that sets the Cookie holding the user identity information, the Cookie value containing the encrypted main account name, sub-account name and password;
Step III: set the status code of the HTTP response to 302, create a Location header in the HTTP response whose value is the last protected URL to be visited, obtained from the Cookie, and then return the HTTP response.
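Claim 6 (step 4) and claim 7 (steps I to III) together describe the security token exchange. The following added example, which is not the patent's own code, issues such a token on the identity service side and consumes it on the security token processing page. Assumptions not taken from the patent: HMAC-SHA256 stands in for the digital signature, a keystream cipher derived from HMAC-SHA256 stands in for the encryption, a single constructed key serves both purposes, and the token also names its target Web application system and carries an issue time so that it is rejected by a different system or after its lifetime.

```python
"""Issuing and consuming the security token of claims 6 and 7 (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

SHARED_KEY = b"constructed-example-key-not-for-production"  # assumption: one shared key
TOKEN_LIFETIME_S = 120  # assumption: tokens are only accepted shortly after issue


def _keystream_xor(nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (toy stand-in for a real cipher)."""
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hmac.new(SHARED_KEY, nonce + bytes([counter]), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(plaintext):
    """Encrypt with a fresh nonce; returns urlsafe base64(nonce || ciphertext)."""
    nonce = os.urandom(16)
    return base64.urlsafe_b64encode(nonce + _keystream_xor(nonce, plaintext.encode())).decode()


def open_sealed(sealed):
    raw = base64.urlsafe_b64decode(sealed)
    return _keystream_xor(raw[:16], raw[16:]).decode()


def issue_token(main_account, sub_account, sub_password, app_id, now=None):
    """Identity service side (claim 6, step 4): build and sign the token."""
    body = {"main": main_account, "sub": sub_account,
            "enc_pw": seal(sub_password),          # sub-account password travels encrypted
            "app": app_id,                          # assumption: intended Web application system
            "iat": int(time.time()) if now is None else now}
    payload = json.dumps(body, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload).decode() + "." + sig


def process_token(token, app_id, saved_url, now=None):
    """Security token processing page (claim 7). Returns (status, headers, body)."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig = token.split(".", 1)
        payload = base64.b64decode(payload_b64, validate=True)
    except (ValueError, binascii.Error):
        return 400, {}, "malformed token"
    # Step I: verify the signature before trusting anything inside the payload.
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return 400, {}, "invalid token signature"
    body = json.loads(payload)
    if body.get("app") != app_id or not 0 <= now - body.get("iat", 0) <= TOKEN_LIFETIME_S:
        return 400, {}, "token not issued for this system or expired"
    # Step II: recover the sub-account password and store the identity in a Cookie.
    identity = {"main": body["main"], "sub": body["sub"], "pw": open_sealed(body["enc_pw"])}
    cookie = seal(json.dumps(identity))
    headers = {"Set-Cookie": "sso_identity=%s; Path=/; HttpOnly; Secure" % cookie,
               # Step III: send the browser back to the protected URL it originally wanted.
               "Location": saved_url}
    return 302, headers, ""


def read_identity_cookie(cookie_value):
    """Request stage: decrypt the identity Cookie back into main/sub-account data."""
    return json.loads(open_sealed(cookie_value))


if __name__ == "__main__":
    # Constructed accounts and URL.
    tok = issue_token("alice", "alice_hr", "s3cret", "app-hr")
    print(process_token(tok, "app-hr", "https://app.example/secure/report"))
```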
8. The plug-in single sign-on integration method oriented to HTTP identity authentication protocols according to claim 5, characterized in that after step 4 of the HTTP response processing stage redirects the browser to the URL of the identity service system's user login-error page, by modifying or setting the status code of the HTTP response to 302 and setting its Location header, the identity service system processes the HTTP request as follows:
Step 1: using the Web application system identifier carried in the HTTP request URL, determine whether the Web application system the user wants to visit is a system the identity service system trusts and serves; if not, return an error message; otherwise, go to step 2;
Step 2: prompt the user to enter and submit the account name and password for the Web application system the user wants to visit;
Step 3: after the user submits the account name and password, determine whether the user has previously logged into the identity service system and completed identity authentication; if so, go to step 5; otherwise, go to step 4;
Step 4: return the identity service system's user login page, authenticate the user on the basis of the user's main account, and go to step 5 once authentication succeeds;
Step 5: using the account name and password in the Web application system obtained in steps 2 and 3, update the user's sub-account name and password for the corresponding Web application system in the main/sub-account binding database;
Step 6: generate for the user a security token containing the user's main account name, sub-account name and encrypted sub-account password, digitally sign the relevant information, return the user identity proof information containing the security token to the user's browser as a Form, and submit the user identity proof information containing the security token by the Form's automatic POST to the security token processing page of the Web application system the user needs to visit.
9. The plug-in single sign-on integration method oriented to HTTP identity authentication protocols according to claim 7, characterized in that if the entire Web path of the Web application system, or the whole of a protected path or directory, is under security protection, and no unprotected path or directory can be set up inside or alongside the protected path or directory, then the security token processing page is not an actually existing Web page but only a virtual Web page path; correspondingly, the single sign-on HTTP plug-in intercepts the HTTP request submitted to the security token processing page in the HTTP request processing stage and performs the processing operation of step I, and then, in the response processing stage for that HTTP request, intercepts the HTTP response and performs the processing operations of steps II and III.
10. The plug-in single sign-on integration method oriented to HTTP identity authentication protocols according to any of claims 1 and 3 to 5, characterized in that if the user accesses the Web application system through a Web proxy, the Web proxy authenticates the user in proxy mode by means of an HTTP identity authentication protocol, the Web proxy provides an HTTP plug-in mechanism in its HTTP request and response processing pipeline, and an HTTP plug-in based on that mechanism can intercept the request and response data of the HTTP identity authentication protocol, then the method of the present invention applies equally with the following corresponding changes:
the Web service component refers to the Web proxy; the Web application component refers to the entire Web system behind the Web proxy; the Web proxy and the Web system behind it together constitute the Web application system; the single sign-on HTTP plug-in is deployed on the Web proxy and configured on that proxy to intercept all HTTP requests and responses; the HTTP response status code "401" becomes "407"; the HTTP response header WWW-Authenticate becomes the Proxy-Authenticate header; and the HTTP request header Authorization becomes the Proxy-Authorization header.
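The response-stage decision procedure of claim 5 (steps 1 to 9), as an added example that is not the patent's own implementation; going beyond claim 5, the same function also handles the 407/Proxy-Authenticate form of claim 10. The per-user plug-in state named in the claims (user identity information, server-returned protocol data, identity authentication protocol, last protected URL and its POST parameters) is modelled as a plain dict, the plug-in configuration is a constructed dict, and which challenge counts as the "initial prompt" is this example's interpretation of the patent's definition (a bare scheme name for NTLM/Negotiate, any Basic challenge, a Digest challenge without stale=true).

```python
"""Response-stage logic of claim 5 with the proxy variant of claim 10 (added example)."""
from urllib.parse import quote, urlsplit

CONFIG = {  # constructed stand-in for the plug-in's configuration information
    "app_id": "app-hr",
    "login_url": "https://idp.example/login",
    "login_error_url": "https://idp.example/login-error",
    "protected_prefixes": ("/secure/",),
    # step 9: per-protocol rule for the saved server data after successful authentication
    "after_success": {"Basic": "keep", "Digest": "keep", "NTLM": "clear", "Negotiate": "clear"},
}


def header_names(proxy_mode):
    """Claim 10 swaps the status code and header names when deployed on a Web proxy."""
    if proxy_mode:
        return "407", "Proxy-Authenticate", "Proxy-Authorization"
    return "401", "WWW-Authenticate", "Authorization"


def is_initial_prompt(challenge):
    """Interpretation of 'initial prompt': the challenge carries no continuation data."""
    scheme, _, rest = challenge.strip().partition(" ")
    if scheme in ("NTLM", "Negotiate"):
        return rest.strip() == ""          # no Type 2 / SPNEGO data after the scheme name
    if scheme == "Digest":
        return "stale=true" not in rest.lower().replace('"', "")
    return True                             # Basic (and unknown schemes)


def is_protected(url):
    return urlsplit(url).path.startswith(CONFIG["protected_prefixes"])


def _save_request(state, req):
    """Remember the URL (and POST parameters) to return to after authentication."""
    state["last_url"] = req["url"]
    state["last_post"] = dict(req.get("post") or {}) if req["method"] == "POST" else None


def _redirect(resp, location, challenge_hdr):
    """Steps 4-6: turn the response into a bodiless 302 without the challenge header."""
    resp["status"] = "302"
    resp["headers"].pop(challenge_hdr, None)
    resp["headers"].pop("Content-Length", None)
    resp["body"] = b""
    resp["headers"]["Location"] = location
    return resp


def process_response(resp, req, state, proxy_mode=False):
    """resp: {"status": str, "headers": {name: str | [str]}, "body": bytes}
    req:  {"method": str, "url": str, "headers": {name: str}, "post": dict | None}
    state: the current user's plug-in state, mutated in place."""
    auth_status, challenge_hdr, cred_hdr = header_names(proxy_mode)
    challenges = resp["headers"].get(challenge_hdr)
    if isinstance(challenges, str):
        challenges = [challenges]
    app_q = "?app=" + quote(CONFIG["app_id"])
    if resp["status"] == auth_status and challenges:                      # step 1
        challenge = challenges[0]           # "predetermined rule": take the first header
        scheme = challenge.split()[0]
        state["server_data"] = challenge    # common to steps 4, 5 and 6
        _save_request(state, req)
        if not state.get("identity"):                                      # step 2 -> step 6
            state["protocol"] = scheme
            state["identity"] = None
            return _redirect(resp, CONFIG["login_url"] + app_q, challenge_hdr)
        sent = req["headers"].get(cred_hdr, "")
        if is_initial_prompt(challenge) and sent.startswith(scheme + " "):  # step 3
            state["identity"] = None        # step 4: the stored credentials were refused
            return _redirect(resp, CONFIG["login_error_url"] + app_q, challenge_hdr)
        # step 5: replay the same URL; the request stage will attach the credentials
        return _redirect(resp, req["url"], challenge_hdr)
    if not is_protected(req["url"]):                                       # step 7
        return resp
    resp["headers"].pop(challenge_hdr, None)                               # step 8
    if req["url"] == state.get("last_url"):
        state["last_url"] = None
        state["last_post"] = None
    if CONFIG["after_success"].get(state.get("protocol"), "clear") == "clear":  # step 9
        state["server_data"] = None
    return resp
```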
Application CN201210067271.XA, priority date 2012-03-14, filing date 2012-03-14: Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol. Status: Expired - Fee Related.

Publications (2)

Publication Number Publication Date
CN102638454A (application) 2012-08-15
CN102638454B (granted) 2014-05-21

Family ID: 46622698. Country status: CN (1), CN102638454B.


Legal Events

Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20140521; termination date: 20180314)