CN102638454B - Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol - Google Patents


Info

Publication number: CN102638454B
Authority: CN (China)
Prior art keywords: http, identity, user, sign, response
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201210067271.XA
Other languages: Chinese (zh)
Other versions: CN102638454A (en)
Inventors: 龙毅宏, 谢坤轩, 郭浩平, 王亚龙, 吴志奇, 唐志红, 刘旭
Current Assignee: BEIJING ITRUSCHINA Co Ltd; Wuhan University of Technology WUT (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: BEIJING ITRUSCHINA Co Ltd; Wuhan University of Technology WUT
Abstract

The invention relates to a plug-in type SSO (single sign-on) integration method oriented to an HTTP (hypertext transfer protocol) identity authentication protocol. The SSO system of the method comprises a Web service component, a Web application component, an SSO HTTP plug-in, a security token processing page, a browser, an identity service system, a main account database and a main/secondary account binding database. The SSO HTTP plug-in is the key element: using the extension mechanism provided by the Web service component, it is plugged into the HTTP request and response processing channel of a Web service component that uses an HTTP identity authentication protocol. After the user has logged in to the identity service system, the SSO HTTP plug-in automatically completes the HTTP identity authentication protocol interaction with the Web service component using the user's account name and password for the Web application system, so the user logs in to the Web application system without entering that account name and password, which achieves SSO. With the plug-in type SSO integration method disclosed by the invention, SSO does not require changing the original security configuration and functions of a system.

Description

A plug-in type single sign-on integration method for HTTP identity authentication protocols
Technical field
The invention belongs to the field of identity authentication and access control in information security; specifically, it is a plug-in type single sign-on integration method for HTTP identity authentication protocols.
Background technology
With the development of enterprise e-commerce and office informatization, more and more enterprises and organizations have set up large numbers of special-purpose information systems, referred to as application systems, such as CRM systems, ERP (Enterprise Resource Planning) systems, financial systems, office automation systems and e-mail systems. While these numerous application systems bring convenience to people's production, management and office work and improve production and work efficiency, they also bring a nuisance: each user must remember his or her account name and password (also called user name and password) on each of the different application systems. These account names and passwords on different systems may be identical or may differ. Having to remember and use many different account names and passwords causes two problems: 1) account names and passwords are hard to manage; too many of them are easily confused or forgotten; 2) the user must enter an account name and password every time he or she logs in to a different system, which is inconvenient. This problem gave rise to the demand for, and the technology of, single sign-on (Single Sign-On, SSO): the user needs only one identity credential (such as one account name and password, or one digital certificate), and after completing online identity authentication (that is, login) at one online system can access every other system he or she is entitled to access without entering an account name and password again or using a digital certificate to authenticate again (that is, without logging in again).
Most current application systems adopt the client/server (Client/Server) pattern. Some of them adopt the standards and general techniques based on the browser (Browser) and Web server, known as the Browser/Server pattern (B/S pattern for short); others adopt non-standard or non-general client/server techniques (C/S pattern for short). In a B/S system, the client browser and the Web server exchange and transfer data through the standard HyperText Transfer Protocol (HTTP): the browser sends a service request in HTTP form (an HTTP request) to the Web server, the Web server processes the request and returns the result to the browser as a response in HTTP form (an HTTP response), and finally the browser renders the returned content according to the returned result data. An HTTP request consists of a request line (Request Line), several optional headers (Header) and an optional body (Body); the request URL (Uniform Resource Locator) can be constructed from the request line and the "Host" header. An HTTP response consists of a status line (Status Line), several optional headers (Header) and an optional body (Body). Because the B/S pattern uses the browser as a general client together with a standard technical framework, it is easy to use and interoperable, is the mainstream and the trend in current information system technology, and is also the technology used by the application systems that the present invention targets. An application system that adopts the B/S pattern or framework is called a Web application system.
The single sign-on technologies currently in common use for Web application systems of the B/S pattern are: 1) Cookie-based; 2) security-gateway-based; 3) Windows-Kerberos-based; 4) based on a single sign-on protocol (standard or custom); 5) other schemes.
A Cookie is information that a Web server stores in the client browser (or on the client host) through an HTTP response. It can contain any content, but usually contains user session (Session) state information. A Cookie has a scope, made up of a domain name (Domain Name) and a path (Path); if the host domain name part and path part of an HTTP request fall within the scope of a Cookie, the browser includes the Cookie set by the server in the HTTP request it submits. Cookie-based single sign-on requires that the domain names of the different information systems share the same "base part": for example, if the domain names of two information systems are oa.example.com.cn and crm.example.com.cn, their base part is example.com.cn in both cases, so Cookie-based single sign-on can be implemented between them. IBM's LTPA (Lightweight Third Party Authentication) single sign-on technology is Cookie-based.
Security-gateway-based single sign-on deploys a Web reverse proxy (Reverse Proxy) that implements security control functions in front of the different information systems, as the checkpoint (gateway) through which users access the application systems; only users who have completed identity authentication (logged in successfully) at the security gateway can access the systems deployed behind it through the gateway. IBM's WebSEAL is such a security gateway. The disadvantage of this single sign-on technology is that when the volume of concurrent user access is very large, the security gateway becomes a performance bottleneck, and it is a potential single point of failure (Single Point of Failure).
Web single sign-on technology based on Windows Kerberos is implemented by combining the Kerberos identity authentication (Authentication) of Windows Active Directory (AD) with the HTTP Negotiate protocol. The limitations of this scheme are: 1) it requires deploying Windows AD or another Kerberos system; 2) it requires all users to have accounts in the AD domain and the users' hosts to log in to the AD domain; 3) it requires all Web information systems and application systems to use the HTTP Negotiate protocol for user identity authentication, and to use the user accounts of the AD domain to manage and control user access; 4) it is only suitable for information systems and application systems accessed over an intranet. These special requirements limit the application of Windows-Kerberos-based single sign-on solutions, because, from the point of view of both development technology and application environment, a large number of current Web information systems and application systems do not satisfy these conditions (in other words, not every Web information system or application system satisfies them).
The protocols currently used for Web single sign-on are mainly Security Assertion Markup Language (SAML) and the WS-Federation Passive Requestor Profile (WS-FPRP for short). In both SAML and WS-FPRP, the technical architecture includes a system called the Identity Provider (IdP for short) that provides an online identity authentication service (called the identity service system); the user only needs to complete a single login (online identity authentication) at the IdP, using a browser, and can then access the other Web information systems in the IdP's trust domain without logging in (authenticating) again. However, for this kind of single sign-on scheme to be applied successfully, two key problems have to be solved: first, how to resolve the correspondence and conversion between a user's accounts in different systems; second, how to integrate existing information systems and application systems with the single sign-on protocol. The first problem in more detail: the various information systems and application systems involved in single sign-on usually have their own user management components and account databases, and they control user access on the basis of their own user accounts. Hence the user account used when the user logs in (authenticates) at the IdP and the user's account in a given information system or application system to be accessed may differ (they may, of course, also be the same); therefore, when the user accesses a given application system after completing identity authentication at the IdP, the corresponding account correspondence and conversion must be carried out so that the user can log in to and access that application system with his or her account (identity) in that system.
The usual solution to the first problem is: the user logs in at the IdP with a main account, which may be the user's existing account in some application system, an existing global account (such as an account in Windows Active Directory), or a specially created new global account. The user's main account is associated in advance, by some means, with the user's accounts in the different information systems and application systems (called secondary accounts); this process is called identity (account) federation (Identity Federation or Account Federation) or identity (account) binding (Identity Binding or Account Binding). When the user, having logged in (authenticated) at the IdP with the main account, accesses a particular application system, the main account is mapped and converted, by some means, into the user's secondary account in that application system, and the user then accesses the application system on the basis of that secondary account; the process of corresponding and converting between main and secondary accounts is called identity (account) mapping (Identity Mapping or Account Mapping).
The second problem concerns single sign-on integration technology, which is the most complex and most intractable problem in current single sign-on applications. There are usually the following schemes: (1) the operating platform of the application system itself supports the relevant single sign-on protocol (for example, the latest versions of Oracle WebLogic Server support the SAML protocol), so if the application system relies on the operating platform for login (user identity authentication), single sign-on can be achieved through protocol interconnection simply by configuring the platform's user identity authentication method; (2) the user login function of the application system is modified, which may include modifying the identity authentication configuration and the corresponding user login module; (3) the identity authentication extension mechanism provided by the operating platform is used, such as JAAS (Java Authentication and Authorization Service).
The first integration scheme is not applicable in every case, because most Web operating platforms (Web service components, servers) do not support the corresponding single sign-on protocol. The second scheme is also inapplicable in many cases, because an enterprise or organization may, for various reasons, be unwilling or unable to adopt it: for example, for fear that modifying the system will affect its stable operation, or because the system's source code is no longer available (the original developer is unwilling to provide the relevant code, or has gone out of business, etc.). The third scheme is likewise not suitable in all situations. First, it usually applies only when the application system relies on the Web operating platform (Web service component, Web server) for identity authentication (for example, user identity authentication by the Servlet Container), not when the application system performs user identity authentication itself. Second, implementing single sign-on through this mechanism usually requires changing the platform's previous identity authentication method, and enterprises and organizations are sometimes unwilling to make this change for various reasons (for example, for fear that the change will affect the operation of the system or be insecure). Third, not every Web operating platform provides an identity authentication extension mechanism, or the mechanism is provided in theory but, because of technical restrictions, the extended identity authentication scheme is in practice hard to bring to the same effect as the previous one. For example, for Microsoft's IIS (Internet Information Services) Web server, the technical documentation states that the identity authentication function of IIS can be extended through ISAPI (Internet Server Application Programming Interface), but in fact this extension is limited: a custom identity authentication scheme can only be added when IIS is configured for anonymous authentication (Anonymous Authentication) mode, and because Microsoft does not disclose the internal technology of IIS, it is hard to develop, on the basis of the ISAPI extension mechanism, a single sign-on identity authentication scheme equal in effect to IIS's own. Other Web operating platforms may all encounter similar problems.
In practical single sign-on integration, a frequently encountered situation is that a Web application system relies on the Web platform and uses a standard HTTP identity authentication protocol (such as HTTP Basic, Digest, NTLM or Negotiate) for user identity authentication, and the identity authentication method of the Web application system cannot be changed. For this situation the present invention proposes a different approach to integrating existing Web application systems with single sign-on technology: implement single sign-on with HTTP plug-in (Plug-in) technology, without changing the system's original identity authentication scheme, configuration and functions. In other words, under this single sign-on integration scheme the identity authentication scheme of the Web operating platform continues to operate and take effect in its original way. The HTTP plug-in referred to here is a software component that is inserted, through the extension mechanism provided by the Web operating platform, into the platform's HTTP request and response processing channel; the component can modify the relevant content of the HTTP requests and responses passing through it. Many Web operating platforms provide such an HTTP plug-in mechanism, for example the ISAPI of Microsoft's IIS server, the Native-Code API and Managed-Code API of IIS 7.0 and later, the Valve of Tomcat, the Authentication Filter of WebLogic, and the Servlet Filter of WebSphere.
Summary of the invention
The object of the invention is to propose, for the situation in which a Web application system authenticates users on the basis of a standard HTTP identity authentication protocol and the security configuration of this identity authentication cannot be modified or changed, a plug-in type single sign-on integration method for HTTP identity authentication protocols, so as to overcome the deficiencies of existing single sign-on integration technology.
To achieve this object, the technical solution adopted by the present invention is as follows:
A plug-in type single sign-on integration method for HTTP identity authentication protocols, in which the single sign-on system of the method comprises a Web service component, a Web application component, a single sign-on HTTP plug-in, a security token processing page, a browser, an identity service system, a main account database and a main/secondary account binding database, wherein:
Web service component: provides the Web application component with HTTP request receiving and response sending functions and other related support functions, including: receiving service requests in HTTP form submitted by the user's browser, carrying out preliminary processing and submitting them to the Web application component for processing, and then sending the result returned by the Web application component to the user's browser in the form of an HTTP response; authenticating users and controlling access on the basis of the corresponding security configuration; maintaining the user's HTTP session (Session); etc.;
Web application component: the functional software that provides a particular application service to users, such as OA, CRM or WebMail; its main function is to receive, through the corresponding Web service component, the application service request submitted by the user through the browser, and, after processing it, to return the result to the user's browser through the Web service component. A Web application component together with its corresponding Web service component forms a Web application system;
Single sign-on HTTP plug-in: a software component that, on the basis of the extension mechanism provided by the Web service component, is inserted into the HTTP request and response processing channel of the Web service component of a Web application system that uses an HTTP identity authentication protocol, and implements the single sign-on function there;
Security token processing page: a Web page deployed on the Web service component of a Web application system that uses an HTTP identity authentication protocol, specifically for processing the security token issued by the identity service system to prove the user's identity. The security token processing page is deployed in a non-protected path (directory) of the Web service component, so a user who submits an HTTP request to this page through the browser does not have to complete identity authentication first;
Browser: the client through which the user interacts with the Web application system; its main function is to send HTTP requests to the Web service component over the HTTP protocol, receive the HTTP responses returned by the Web service component and render the response content;
Identity service system: the system that provides the online identity authentication service for users; its functions include authenticating users online on the basis of their identity credentials, and delivering the security token that proves the user's identity to the Web application system through the corresponding single sign-on protocol and via the browser;
Main account database: stores the main account information with which users log in to the identity service system, including the main account's account name and password, or the information on the digital certificate corresponding to the main account;
Main/secondary account binding database: stores the correspondence (binding) relation between the user's main account and the user's secondary accounts in the Web application systems, together with the secondary accounts' passwords.
The Web service component can be an HTTP Web server (such as IIS), a Web container (Web Container, such as Tomcat) or a J2EE application server (Application Server, such as WebLogic or WebSphere). Each Web application system authenticates users in some way, and some Web application systems authenticate users through the Web service component using a standard HTTP identity authentication protocol (such as HTTP Basic or HTTP Negotiate). A user can access the protected pages or resources of a given Web application system only after completing identity authentication with his or her corresponding account in that Web application system. There can be multiple Web application systems.
The plug-in mechanism adopted by the single sign-on HTTP plug-in must be able to intercept the request and response data of the HTTP identity authentication protocol (HTTP requests carrying an Authorization header and HTTP responses carrying a WWW-Authenticate header). On the Web service component where it is deployed, the single sign-on HTTP plug-in is configured either to intercept all HTTP requests and responses, or to intercept all HTTP requests (and their responses) submitted to protected directories or paths together with all HTTP requests (and their responses) submitted to the directory or path where the security token processing page is located.
The single sign-on HTTP plug-in has corresponding configuration information for setting single sign-on related information, such as the user entry address (URL) of the identity service system and the digital certificate used to sign security tokens. Optionally, the configuration information includes the following: 1) which Web page directories or paths in the Web application system where the plug-in resides are protected; 2) which HTTP identity authentication protocol or protocols the protected directories or paths use (several can be set), together with the relevant identity authentication protocol parameters (such as domain, realm, etc.); 3) whether the specific implementation of the HTTP identity authentication in use allows the client to send an authentication and authorization request on its own initiative. Configuration item 3) covers the following situation: some HTTP identity authentication protocols (such as HTTP Negotiate) allow the client browser, when first accessing a protected resource, to initiate the identity authentication process on its own before the Web server has returned the response demanding identity authentication, that is, before the client browser has received the HTTP response whose status code is "401" (Unauthorized or Authentication required) and which carries the WWW-Authenticate header: the browser proactively submits an HTTP request carrying an Authorization header, asking the server to authenticate the client user and authorize resource access. However, the specific implementation of a given Web component may not support this client-initiated identity authentication, and this configuration item indicates whether it does. Items 1) and 2) can usually be obtained from the Web service component in some way, for example through an API or by reading a configuration file; when they cannot be obtained that way, they can be set in the configuration information and read by the single sign-on HTTP plug-in from there.
The format of the security token issued by the identity service system depends on the single sign-on protocol used: it can be a SAML assertion (Assertion), a WS-Federation security token (Security Token), or a custom security token. The identity service system guarantees the security (authenticity and integrity) of the security tokens it issues by means of a digital signature.
The identity credential a user uses for online identity authentication at the identity service system can be an ordinary account name and password, a digital certificate, or other electronic identity data that can identify and authenticate the user. The account a user uses for identity authentication at the identity service system is called the main account. The main account database stores users' main accounts and related information; it can be an independent account database, or the user account database of some application system can be chosen as the main account database. A secondary account is the user's account in a particular Web application system; a user's main account and his or her secondary account in a given Web application system can be the same or different.
Described single-sign-on HTTP plug-in unit is preserved each user's login (identity discriminating) relevant information, is called user login information.Described user login information comprises:
1) identity authentication protocol, i.e. the current use of Web service assembly, for user being carried out to the HTTP identity authentication protocol of identity discriminating;
2) server end returns to protocol data and parameter, be that Web service assembly uses HTTP identity authentication protocol to carry out identity while differentiating to client user, respond head and turn back to agreement related data and the parameter of client browser by WWW-Authentucate, as the authentication protocol indication of HTTP identity and Realm, Challenge (challenge code), key agreement parameter etc., wherein the indication of HTTP identity authentication protocol is also preserved in " identity authentication protocol " simultaneously;
3) the last time shielded URL that will access, user, before Web application system completes identity and differentiates, uses the URL of the last Web page that is subject to safeguard protection of expecting access of browser;
4) the last POST parameter, user is before Web application system completes identity discriminating, if the HTTP requesting method (Method) using while using browser the last time to access the Web page that is subject to safeguard protection is POST, the value of " the last POST parameter " is that this HTTP asks corresponding POST parameter (being the Form form data that POST mode is submitted to), otherwise its value is empty (NULL);
5) subscriber identity information, mark and differentiate user's information, comprises user's main account name, from account name and from account's password;
The above various user login information is preserved (for non-character data, preserving with the form of Base64 coding) with the form of character string, described " subscriber identity information " encrypted and have ageing, in case stopping leak reveal and replay attack, described " identity authentication protocol ", " the shielded URL that the last time will access ", " the last POST parameter " and " subscriber identity information " are kept in Cookie, and the action path of this Cookie need to comprise the non-path that is subject to safeguard protection in the path that is subject to safeguard protection and security token processing page place of Web service assembly setting simultaneously, no matter the Web page in the path that is subject to safeguard protection is also that the non-security token processing page that is subject to safeguard protection can be checked and obtained this Cookie, or, relevant user login information is kept in two different Cookie simultaneously, the action path of one of them is the path that is subject to safeguard protection, another is the non-path, security token processing page place that is subject to safeguard protection.
Single-sign-on HTTP plug-in unit offers the difference of the data storage mechanism of HTTP plug-in unit according to Web service assembly, according to following priority, as follows the relevant information in user login information is stored respectively:
1) if Web service assembly provides the data storage location that connects (Connection) based on TCP to HTTP plug-in unit, " server end returns to protocol data and parameter " is kept at the data storage location being connected based on TCP by single-sign-on HTTP plug-in unit, other information exchanges crossed to Cookie and be kept in client browser; Or,
2) if Web service group provides the data storage location based on http session (Session) to HTTP plug-in unit, " server end returns to protocol data and parameter " is kept at the data storage location based on http session by single-sign-on HTTP plug-in unit, other information exchanges crossed to Cookie and be kept in client browser; Or,
3) if single-sign-on HTTP plug-in unit has the data storage location based on TCP connection or http session of customized development, " server end returns to protocol data and parameter " is kept at being connected or the data storage location of http session based on TCP of customized development by single-sign-on HTTP plug-in unit, other information exchanges crossed to Cookie and be kept in client browser;
Otherwise,
4) single-sign-on HTTP plug-in unit is kept at all user login informations in client browser by Cookie.
The described data storage location connecting based on TCP, the data storage location that finger Web service assembly provides to HTTP plug-in unit and the TCP join dependency connection of HTTP transfer of data, it is different that TCP connects, the data storage location difference that provides (data storage location connecting based on TCP providing to ISAPI Filter as IIS); The described data storage location based on http session refers to: as long as same http session, even if TCP connects different, data storage location is still identical, it is irrelevant to be that data storage location is connected with TCP, only relevant with specific HTTP user conversation, this http session data storage mechanism is distinguished different sessions with the specific identifier of depositing in Cookie conventionally, and session data is kept in Web server (assembly), the Session object of the store data providing to Servlet Filter as Java Web container is exactly this situation.
For described " server end returns to protocol data and parameter ", in the configuration information of single-sign-on HTTP plug-in unit, must be set as follows content: each the HTTP identity authentication protocol using for Web application system, after user identity is differentiated successfully, the relative set mode of the value of " server end returns to protocol data and parameter ", the option of set-up mode is: remain unchanged, be set to sky (NULL), or be set to a space (Space).
When a user uses a browser to access a Web application system that authenticates users with an HTTP authentication protocol, the SSO HTTP plug-in intercepts the HTTP request and processes it as follows:
A1. Based on the relevant configuration, determine whether the URL of the current HTTP request corresponds to a protected page or a non-protected page. If it is protected, go to the next step; otherwise let the request through, completing the processing of this request;
A2. Check the "server-returned protocol data and parameters". If it is not set or its value is empty, go to the next step; otherwise go to step A6;
A3. Check the "user identity information". If it exists and is valid, go to the next step; otherwise let the request through, completing the processing of this request;
A4. Obtain the HTTP authentication protocol currently used by the Web application system from the "authentication protocol" information kept in the Cookie, then determine from the relevant configuration whether that protocol allows the client to send an authentication/authorization request on its own initiative. If not, let the request through, completing the processing of this request; otherwise continue;
A5. Obtain from the relevant configuration the data and parameters the HTTP authentication protocol needs (such as the realm parameter), generate according to the protocol the Authorization request header, containing the authentication data, that the client would submit first, add the generated header to the intercepted request, then let the modified request through, completing the processing of this request;
A6. If the value of "server-returned protocol data and parameters" is a single space, let the request through, completing the processing of this request; otherwise continue;
A7. Based on the HTTP authentication protocol and the other data in "server-returned protocol data and parameters", generate the Authorization request header for the current protocol stage, add it to the intercepted request, then let the modified request through, completing the processing of this request.
The relevant configuration referred to in steps A1, A4 and A5 is the configuration of the Web server component and/or the SSO HTTP plug-in concerning access control, authentication and single sign-on; the SSO HTTP plug-in queries the Web server component's configuration through the corresponding interface the component provides, or reads the configuration files directly.
The authentication process of an HTTP authentication protocol may require the client and server to interact over several steps or stages through HTTP requests and responses. The "current protocol stage" in step A7 is the step or stage the client is currently at according to the protocol; it determines the content of the Authorization header of the current request. The client can determine its current step or stage from the protocol data and parameters returned by the server.
In steps A5 and A7 of the request-processing stage, the SSO HTTP plug-in produces the Authorization request header for the corresponding protocol stage as follows, depending on the HTTP authentication protocol:
Case 1.1: If the protocol is HTTP Basic, decrypt the "user identity information" from the Cookie to obtain the user's sub-account name and password for the Web application system, then form the Authorization header as the HTTP Basic protocol requires; otherwise,
Case 1.2: If the protocol is HTTP Digest, decrypt the "user identity information" from the Cookie to obtain the user's sub-account name and password for the Web application system, then form the Authorization header from the contents of "server-returned protocol data and parameters" and the requirements of the HTTP Digest protocol; otherwise,
Case 1.3: If the protocol is HTTP NTLM and "server-returned protocol data and parameters" is not set, or its value is empty, or its value is the first prompt to authenticate, produce NTLM Type 1 data and form the Authorization header data as the HTTP NTLM protocol requires; otherwise first decrypt the "user identity information" from the Cookie to obtain the user's sub-account name and password for the Web application system, then use them together with the related data kept in "server-returned protocol data and parameters" (the NTLM Type 2 data) to produce NTLM Type 3 data, and form the Authorization header as the HTTP NTLM protocol requires; otherwise,
Case 1.4: If the protocol is HTTP Negotiate, first decrypt the "user identity information" from the Cookie to obtain the user's sub-account name and password for the Web application system (the account name and password in the Kerberos system, i.e. in Windows AD), then use them to call the corresponding Kerberos interface, connect to the Authentication Server of the Kerberos KDC (Key Distribution Center) and obtain the user's TGT (Ticket-Granting Ticket), then use that TGT to call GSS-API or a suitable interface (such as Windows SSPI) to obtain the user's SPNEGO token for accessing the Web application system, and finally form the Authorization header from the SPNEGO token as the HTTP Negotiate protocol requires; otherwise,
Case 1.5: Other valid HTTP authentication protocols are handled according to their respective protocol; otherwise the user's browser is directed to an error page.
Described single-sign-on HTTP plug-in unit completes after the relevant treatment of described steps A 2-7 processing stage that HTTP asks; allow HTTP request by front; need do following processing operation: if the URL of current HTTP request method identical with the URL preserving in " the shielded URL that the last time will access " and current HTTP request is the value non-NULL of GET and " the last POST parameter "; change the method for current HTTP request into POST, add to the data in " the last POST parameter " as POST parameter in current HTTP request.
After the SSO HTTP plug-in intercepts an HTTP response, it processes the response as follows:
B1. Check the status and headers of the response. If the status code is "401" (Unauthorized, or Authentication required) and the response contains a WWW-Authenticate header, go to the next step; otherwise go to step B7;
B2. Check the "user identity information". If it exists and is valid, go to the next step; otherwise go to step B6;
B3. Check the value of the WWW-Authenticate header of the current response. If it is the initial prompt to authenticate, and the request corresponding to the response contained an Authorization header whose value is the credential data for the HTTP authentication protocol indicated in the WWW-Authenticate header, or data derived from that credential data by a cryptographic operation, go to the next step; otherwise go to step B5;
B4. Set "user identity information" to empty and set "server-returned protocol data and parameters" to the value of the WWW-Authenticate header of the response; obtain the request URL corresponding to the current response and save it as the value of "last protected URL to be accessed". If the method of the corresponding request is POST, save its POST parameters (the form data) in "last POST parameters", otherwise set "last POST parameters" to empty. Then change the response status code to "302", remove the WWW-Authenticate response header, remove the response body and any response body length indication it carries, and add a Location header to the response whose value is the user login error page URL of the identity service system, with the system identifier of the Web application system hosting the SSO HTTP plug-in appended through the query string; finally let the modified response through, completing the processing of this response;
B5. Set "server-returned protocol data and parameters" to the value of the WWW-Authenticate header of the response; obtain the request URL corresponding to the current response and save it as the value of "last protected URL to be accessed". If the method of the corresponding request is POST, save its POST parameters in "last POST parameters", otherwise set "last POST parameters" to empty. Then change the response status code to "302", remove the WWW-Authenticate response header, remove the response body and any response body length indication, and add a Location header whose value is the request URL corresponding to the current response; then let the modified response through, completing the processing of this response;
B6. Save the HTTP authentication protocol indicated in the WWW-Authenticate header in the "authentication protocol" field of the user login information; set "user identity information" to empty; set "server-returned protocol data and parameters" to the value of the WWW-Authenticate header of the response; obtain the request URL corresponding to the current response and save it as the value of "last protected URL to be accessed". If the method of the corresponding request is POST, save its POST parameters in "last POST parameters", otherwise set "last POST parameters" to empty. Then change the response status code to "302", remove the WWW-Authenticate response header, remove the response body and any response body length indication, and add a Location header whose value is the user login page URL of the identity service system, with the system identifier of the Web application system hosting the SSO HTTP plug-in appended through the query string; finally let the modified response through, completing the processing of this response;
B7. Obtain the request URL corresponding to the current response and determine from the relevant configuration whether it corresponds to a protected Web page. If not, let the response through, completing the processing of this response; otherwise go to the next step;
B8. If the response contains a WWW-Authenticate response header, remove it. If the URL of the request corresponding to the current response is identical to "last protected URL to be accessed", set "last protected URL to be accessed" and "last POST parameters" to empty;
B9. Set the value of "server-returned protocol data and parameters" according to the setting mode configured in the SSO HTTP plug-in for the HTTP authentication protocol currently in use (the mode that applies after successful authentication), then let the modified response through, completing the processing of this response.
The WWW-Authenticate header value being "the initial prompt to authenticate" in step B3 means that the header value is the data of the WWW-Authenticate response header that the Web server returns the first time it requests authentication, when the user first visits a protected page before completing authentication.
The credential data in step B3 is electronic data that proves the user's identity, such as an account name and password (as in HTTP Basic) or a security token containing identity validation information (such as the SPNEGO token of HTTP Negotiate). The data derived from the credential data by a cryptographic operation is data obtained by applying some cryptographic operation (such as a hash) to the credentials, for example the user name and password (such as the Type 3 data of HTTP NTLM, computed from the hash of the account name and password).
If the HTTP response intercepted by the SSO HTTP plug-in contains multiple WWW-Authenticate headers, then the WWW-Authenticate header used in step B3, the one whose value is saved in "server-returned protocol data and parameters" in steps B4, B5 and B6, and the one from which the "authentication protocol" is saved in step B6 are all the header selected by a predetermined rule as the one corresponding to a particular HTTP authentication protocol (for example, selected by priority in the order Negotiate, NTLM, Digest, Basic), while the WWW-Authenticate headers removed in steps B4, B5, B6 and B8 comprise all WWW-Authenticate headers.
The modified HTTP response in steps B4, B5, B6 and B9 may be obtained by modifying the data directly in the original response data structure, or by generating a new response in a new response data structure.
The relevant configuration in step B7 is the configuration of the Web server component and/or the SSO HTTP plug-in concerning access control, authentication and single sign-on.
In the steps above, changing or setting the response status code to "302" and adding a Location header to the response performs an HTTP redirect, directing the browser to the page or Web site indicated by the Location header.
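The response-processing steps B1 to B9, the selection among several WWW-Authenticate headers, and the reading of "initial prompt" and "credential data" from step B3, as an added Python example that is not part of the patent. The configuration, the URL values and the dictionary layout of request, response and state are assumptions; the constructed NTLM tokens carry only the signature and message-type fields, enough to tell a Type 1 message (no credentials) from a Type 3 (derived from the password hash).

```python
import base64
from urllib.parse import urlencode

# Constructed settings standing in for the plug-in configuration: protected
# URLs, this application system's identifier, the identity service system's
# login and login-error page URLs, and how "server-returned protocol data and
# parameters" is set after successful authentication (step B9): keep, NULL,
# or a single space.
CONFIG = {
    "protected_prefixes": ("/secure/",),
    "system_id": "app01",
    "login_url": "https://sso.example/login",
    "login_error_url": "https://sso.example/login-error",
    "after_success": {"Basic": "keep", "Digest": None, "NTLM": " ", "Negotiate": " "},
}
PRIORITY = ("Negotiate", "NTLM", "Digest", "Basic")   # example selection rule


def select_challenge(headers):
    """Pick the WWW-Authenticate value to act on when several are present."""
    values = headers.get("WWW-Authenticate", [])
    for scheme in PRIORITY:
        for value in values:
            if value.split(None, 1)[0] == scheme:
                return value
    return values[0] if values else None


def ntlm_token(msg_type):
    """Constructed minimal NTLM-shaped token: signature plus message type only."""
    return base64.b64encode(b"NTLMSSP\x00" + msg_type.to_bytes(4, "little")).decode()


def ntlm_message_type(token_b64):
    """Return the NTLM message type (1, 2 or 3) of a base64 token, or None."""
    try:
        raw = base64.b64decode(token_b64)
    except ValueError:
        return None
    if len(raw) < 12 or raw[:8] != b"NTLMSSP\x00":
        return None
    return int.from_bytes(raw[8:12], "little")


def is_initial_prompt(challenge):
    """Step B3: is this WWW-Authenticate value the server's first prompt?
    For NTLM/Negotiate the first prompt is the bare scheme name and a token
    after it is a continuation; Digest with stale=true means the credentials
    were fine and only the nonce expired; Basic repeats one prompt."""
    scheme, _, rest = challenge.partition(" ")
    if scheme in ("NTLM", "Negotiate"):
        return rest.strip() == ""
    if scheme == "Digest":
        return "stale=true" not in rest.lower()
    return True


def carries_credentials(request, scheme):
    """Step B3: did the request carry credential data for this scheme?
    An NTLM Type 1 message carries none; Type 3 is derived from the password."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith(scheme + " "):
        return False
    if scheme == "NTLM":
        return ntlm_message_type(auth[len(scheme) + 1:]) == 3
    return True


def redirect(response, location):
    """Steps B4/B5/B6: 302, drop all WWW-Authenticate headers, body and length."""
    response["status"] = 302
    response["headers"].pop("WWW-Authenticate", None)
    response["headers"].pop("Content-Length", None)
    response["body"] = b""
    response["headers"]["Location"] = location
    return response


def process_response(request, response, state):
    """Response-processing stage, steps B1-B9. Response headers map names to
    values, WWW-Authenticate being a list; state is the user login information."""
    challenge = select_challenge(response["headers"])
    if response["status"] == 401 and challenge:                          # B1
        scheme = challenge.split(None, 1)[0]
        state["server_returned"] = challenge
        state["last_url"] = request["url"]
        state["last_post"] = request["body"] if request["method"] == "POST" else None
        query = "?" + urlencode({"app": CONFIG["system_id"]})
        if not state.get("user_identity"):                                # B2 -> B6
            state["auth_protocol"] = scheme
            return redirect(response, CONFIG["login_url"] + query)
        if is_initial_prompt(challenge) and carries_credentials(request, scheme):
            state["user_identity"] = None                                 # B3 -> B4
            return redirect(response, CONFIG["login_error_url"] + query)
        return redirect(response, request["url"])                         # B5
    if not request["url"].startswith(CONFIG["protected_prefixes"]):      # B7
        return response
    response["headers"].pop("WWW-Authenticate", None)                    # B8
    if request["url"] == state.get("last_url"):
        state["last_url"] = state["last_post"] = None
    mode = CONFIG["after_success"].get(state.get("auth_protocol"), "keep")   # B9
    if mode != "keep":
        state["server_returned"] = mode
    return response
```

The distinction in step B3 is what keeps a multi-round protocol from being mistaken for a failed login: an NTLM Type 2 challenge answered to a Type 1 message goes through B5 (redirect back to the same URL so the plug-in can add the Type 3 data), whereas a repeated Basic prompt after the browser already sent the stored sub-account credentials goes through B4 (the stored credentials are wrong, so they are discarded and the user is sent to the login error page).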
Single-sign-on HTTP plug-in unit obtains as follows respectively the related data (as request URL, Cookie, Authorization head, POST parameter etc.) in request row, head and the main body of HTTP corresponding to current http response request according to different situations processing stage of http response:
Situation 2.1: if HTTP plug-in unit can directly be accessed the related data head in HTTP request, directly obtain related data from request; Otherwise,
Situation 2.2: if Web service assembly provides the data storage location connecting based on TCP, single-sign-on HTTP plug-in unit completes all relevant treatment and comprises the request of GET mode is converted to after the request of POST mode processing stage that HTTP asks, allow HTTP request by front, the related data of current HTTP request is saved in to the data storage location connecting based on TCP, is obtained the http response processing stage by single-sign-on HTTP plug-in unit; Otherwise,
Situation 2.3: if Web service assembly provides the data storage location based on http session, single-sign-on HTTP plug-in unit completes all relevant treatment and comprises the request of GET mode is converted to after the request of POST mode processing stage that HTTP asks, allow HTTP request by front, the related data of current HTTP request is saved in to the data storage location based on http session, is obtained the http response processing stage by single-sign-on HTTP plug-in unit; Otherwise,
Situation 2.4: if the head of http response can be directly set the processing stage that HTTP asks, single-sign-on HTTP plug-in unit completes all relevant treatment and comprises the request of GET mode is converted to after the request of POST mode processing stage that HTTP asks, allow HTTP request by front, by the related data of current HTTP request, single-sign-on HTTP plug-in unit processing stage of being delivered to http response by self-defining http response head obtains, single-sign-on HTTP plug-in unit obtains after related data by self-defined head processing stage of http response, deletes this self-defined head; Otherwise,
Situation 2.5: if single-sign-on HTTP plug-in unit has the data storage location based on TCP connection or session of customized development, single-sign-on HTTP plug-in unit completes all relevant treatment and comprises the request of GET mode is converted to after the request of POST mode processing stage that HTTP asks, allow HTTP request by front, the related data of current HTTP request is saved in to connecting or the data storage location of session based on TCP of customized development, is obtained the http response processing stage by single-sign-on HTTP plug-in unit; Otherwise,
Situation 2.6: single-sign-on HTTP plug-in unit completes all relevant treatment and comprises the request of GET mode is converted to after the request of POST mode processing stage that HTTP asks, allow HTTP request by front, the single-sign-on HTTP plug-in unit processing stage of the related data of current HTTP request being sent to http response by thread (Thread) mechanism.
At described situation 2.2-2.6; single-sign-on HTTP plug-in unit completes all relevant treatment and comprises the request of GET mode is converted to after the request of POST mode processing stage that HTTP asks; allow HTTP request by front, the single-sign-on HTTP plug-in unit processing stage of only the POST parameter (if having) of the Web page that is subject to safeguard protection need to being delivered to http response.
When the user's browser has been redirected by step B6 of the response-processing stage (the SSO HTTP plug-in changing or setting the response status code to "302" and setting the Location header of the response) to the user login page of the identity service system, the identity service system processes the HTTP request as follows:
C1. From the Web application system identifier carried in the query string of the request URL, determine whether the Web application system the user wants to access is a system the identity service system trusts and serves; if not, return an error message; otherwise go to the next step;
C2. Determine whether the user has already completed authentication with the identity service system; if so, go to the next step; otherwise direct the user to the login page, authenticate the user by the primary account, and go to the next step after successful authentication;
C3. From the user's primary account and the Web application system to be accessed, look up in the primary/sub-account binding database the user's sub-account name and password for the Web application system to be accessed;
C4. Generate for the user a security token containing the primary account name, the sub-account name and the encrypted sub-account password, digitally sign the relevant information, then return the user identity proof information containing the security token to the user's browser as an HTML form, which is submitted automatically by form POST to the security token processing page of the Web application system the user needs to access.
When the security token processing page receives the user identity proof information containing the security token that the identity service system issued and the user's browser submitted through the automatic form POST, it proceeds as follows:
D1. Verify by its digital signature whether the security token is valid; if valid, go to the next step; otherwise return an error message;
D2. Extract from the security token the user's primary account name, sub-account name and password, decrypting the sub-account password; then create a Set-Cookie header in the HTTP response that stores the "user identity information" Cookie, whose value comprises the encrypted primary account name, sub-account name and password;
D3. Set the response status code to "302", create a Location header in the response whose value is the "last protected URL to be accessed" obtained from the Cookie, then return the response.
When the user's browser has been redirected by step B4 of the response-processing stage (the SSO HTTP plug-in changing or setting the response status code to "302" and setting the Location header of the response) to the user login error page URL of the identity service system, the identity service system processes the HTTP request as follows:
E1. From the Web application system identifier carried in the request URL, determine whether the Web application system the user wants to access is a system the identity service system trusts and serves; if not, return an error message; otherwise go to the next step;
E2. Prompt the user to enter and submit the account name and password for the Web application system to be accessed;
E3. After the user submits the account name and password, determine whether the user has previously logged into the identity service system and completed authentication; if so, go to step E5; otherwise go to the next step;
E4. Return the user login page of the identity service system and authenticate the user by the primary account; go to the next step after successful authentication;
E5. Using the user's account name and password for the Web application system obtained in steps E2 and E3, update the user's sub-account name and password for the corresponding Web application system in the primary/sub-account binding database;
E6. Generate for the user a security token containing the primary account name, the sub-account name and the encrypted sub-account password, digitally sign the relevant information, then return the user identity proof information containing the security token to the user's browser as an HTML form, which is submitted automatically by form POST to the security token processing page of the Web application system the user needs to access.
If the entire Web path (directory) of the Web application system is protected and no non-protected path (directory) can be set up inside or outside the protected path (directory), the security token processing page is not a real Web page but only a virtual Web page path; correspondingly, the SSO HTTP plug-in intercepts, in the request-processing stage, the HTTP request submitted to the security token processing page and performs the processing of step D1, then, in the response-processing stage, intercepts the response to that request and performs the processing of steps D2 and D3.
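The identity service side of steps C1, C3 and C4 and E1, E5 and E6, and the security token processing page of steps D1 to D3, as an added Python example that is not code from the patent. The patent calls for a digital signature over the token and encryption of the sub-account password but fixes no algorithm; to stay on the standard library this example stands in HMAC-SHA256 (a key shared by the identity service and the token page) for the signature and an HMAC-SHA256 keystream in counter mode for the password encryption, and it keeps the user identity information in a state dictionary rather than the Set-Cookie header of step D2. The keys, the trusted-system table and the binding database are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed keys and data. HMAC stands in for the asymmetric signature and
# the HMAC keystream for the password cipher; a real deployment uses a proper
# signature scheme and an authenticated cipher for these two roles.
SIGNING_KEY = secrets.token_bytes(32)
PASSWORD_KEY = secrets.token_bytes(32)
TRUSTED_APPS = {"app01": "https://app01.example/sso/token"}   # id -> token page URL
# primary/sub-account binding database: primary -> {app id: (sub-account, password)}
BINDINGS = {"alice": {"app01": ("alice.w", "s3cret")}}


def is_trusted(app_id):
    """C1/E1: is the application system one the identity service trusts and serves?"""
    return app_id in TRUSTED_APPS


def _keystream_xor(key, nonce, data):
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


def encrypt_password(password):
    nonce = secrets.token_bytes(16)
    return base64.b64encode(nonce + _keystream_xor(PASSWORD_KEY, nonce, password.encode())).decode()


def decrypt_password(blob):
    raw = base64.b64decode(blob)
    return _keystream_xor(PASSWORD_KEY, raw[:16], raw[16:]).decode()


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(primary, app_id):
    """C1, C3, C4: build the signed security token and the auto-submitting form.
    Returns (token, html_form); C2 (primary-account login) is assumed done."""
    if not is_trusted(app_id):
        raise PermissionError("Web application system is not trusted")
    sub, password = BINDINGS[primary][app_id]                            # C3
    payload = json.dumps({"primary": primary, "sub": sub, "app": app_id,
                          "enc_pwd": encrypt_password(password)}, sort_keys=True).encode()
    token = base64.b64encode(payload).decode() + "." + _sign(payload)    # C4
    form = (f'<form method="POST" action="{TRUSTED_APPS[app_id]}">'
            f'<input type="hidden" name="token" value="{token}"></form>'
            "<script>document.forms[0].submit()</script>")
    return token, form


def login_error_flow(primary, app_id, sub, password):
    """E1, E5, E6: after the user supplies sub-account credentials on the login
    error page, update the binding and issue a fresh token (E2-E4 are the
    browser interaction and primary-account login, not modelled here)."""
    if not is_trusted(app_id):
        raise PermissionError("Web application system is not trusted")
    BINDINGS.setdefault(primary, {})[app_id] = (sub, password)            # E5
    return issue_token(primary, app_id)                                   # E6


def process_token(token, state):
    """D1-D3 at the security token processing page. state stands in for the
    browser-side login information the patent keeps in Cookies."""
    try:
        b64, sig = token.split(".", 1)
        payload = base64.b64decode(b64, validate=True)
    except ValueError:
        return {"status": 400, "body": "invalid token"}
    if not hmac.compare_digest(_sign(payload), sig):                      # D1
        return {"status": 400, "body": "invalid token"}
    data = json.loads(payload)
    state["user_identity"] = {"primary": data["primary"],                # D2
                              "sub_account": data["sub"],
                              "password": decrypt_password(data["enc_pwd"])}
    return {"status": 302, "headers": {"Location": state.get("last_url") or "/"}}   # D3
```

Because the token travels through the browser in a form field, the sub-account password inside it is encrypted for the token page only, and the signature is checked with a constant-time comparison before any field is read, so a tampered or truncated token is rejected at D1 without touching the binding data.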
If the user accesses the Web application system through a Web proxy, the Web proxy authenticates the user with the proxy mode of an HTTP authentication protocol, the Web proxy provides an HTTP plug-in mechanism in its HTTP request and response processing channel, and an HTTP plug-in based on that mechanism can intercept the request and response data of the HTTP authentication protocol, then the method of the present invention applies equally, with the following corresponding changes:
The Web server component is the Web proxy; the Web application component is the entire Web system behind the Web proxy (which itself comprises one or more Web server components and Web application software); the Web proxy and the Web system behind it form the Web application system; the SSO HTTP plug-in is deployed on the Web proxy and configured there to intercept all HTTP requests and responses; the HTTP response status code "401" becomes "407" (Proxy Authentication Required), the WWW-Authenticate response header becomes the Proxy-Authenticate header, and the Authorization request header becomes the Proxy-Authorization header.
The single sign-on integration method of the present invention targets Web application systems that use an HTTP authentication protocol and keep using that protocol, neither replaced nor changed, within the whole single sign-on system; other Web application systems can use other single sign-on integration methods.
The innovation of the present invention is that, through the SSO HTTP plug-in, a Web application system that authenticates users with an HTTP authentication protocol (such as Basic, Digest, NTLM or Negotiate) can achieve single sign-on without changing its authentication configuration and without modifying the application program. This solves a technical difficulty commonly met in practical single sign-on integration.
A feature of the present invention is that a user can access a Web application system that uses the Kerberos protocol (that is, the HTTP Negotiate protocol with Kerberos authentication) even from an external network.
Description of the Drawings
Fig. 1 is a block diagram of the overall structure of a single sign-on system adopting the present invention.
Detailed Description
The present invention is described in further detail below with reference to the drawings.
The present invention is a plug-in type single sign-on integration method oriented to HTTP authentication protocols. The overall structure of a single sign-on system adopting this method is shown in Fig. 1 and comprises the Web server component, the Web application component, the SSO HTTP plug-in, the security token processing page, the browser, the identity service system, the primary account database and the primary/sub-account binding database, where the Web server component and the Web application component form the Web application system. The function of each part is described in detail in the summary of the invention above and is not repeated here. Among the components of the whole single sign-on system, the SSO HTTP plug-in, the security token processing page, the identity service system, the primary account database and the primary/sub-account binding database are what the present invention implements, and among these the SSO HTTP plug-in is the most critical and most important part.
The identity service system can be implemented with any of the existing mature information-system development technologies, such as J2EE or ASP.NET. The primary account database can be LDAP, a relational database, an existing Windows Active Directory, or the account database of some application system. The primary/sub-account binding database can be a relational database; it only needs to hold the following information: 1) the user's primary account name; 2) for each application system the primary account is authorized to access, the corresponding sub-account name and password.
The implementation of the SSO HTTP plug-in and the security token processing page depends on the Web server component on which they are to be deployed (but need not use the same development technology as the Web application component). Specific embodiments for some common Web server components are described below.
If Web service assembly is Windows IIS5, single-sign-on HTTP plug-in unit can be realized based on ISAPI Filter, and concrete scheme is as follows.
The data storage location connecting based on TCP that single-sign-on HTTP plug-in unit uses ISAPI Filter to provide, be that ISAPI passes to the pFilterContext field in the input parameter pfc of HTTP_FILTER_CONTEXT structure type that ISAPI enters point function (Entry-Point Function) HttpFilterProc (...), preserve " server end returns to protocol data and parameter ".Single-sign-on HTTP plug-in unit (through entering point function GetFilterVersion (...) registration) is made response to SF_NOTIFY_READ_RAW_DATA, SF_NOTIFY_PREPROC_HEADERS notification event processing stage that HTTP asks, complete corresponding processing, wherein: decrypted user identity information, operating in while responding SF_NOTIFY_PREPROC_HEADERS notification event of increase Authorization request head are carried out; Convert the HTTP request of GET mode the request (when needed) of POST mode to, and join operating in while responding SF_NOTIFY_READ_RAW_DATA notification event in HTTP request body using the data in " the last POST parameter " as POST parameter and carry out; If current HTTP request is POST mode (comprising the HTTP request after GET, POST transform), single-sign-on HTTP plug-in unit is in the time of response SF_NOTIFY_READ_RAW_DATA notification event, the POST parameter of current request is kept in described pFilterContext field, is obtained the processing stage responding by single-sign-on HTTP plug-in unit.The call back function (callback function) that single-sign-on HTTP plug-in unit can provide by ISAPI Filter processing stage of HTTP obtains the various information of HTTP request row, request head, as request URL, Cookie etc.
Single-sign-on HTTP plug-in unit (through notification event registration) is made response to SF_NOTIFY_SEND_RESPONSE, SF_NOTIFY_SEND_RAW_DATA, SF_NOTIFY_END_OF_NET_SESSION notification event in http response processing stage, and complete corresponding processing, wherein: in the time of response SF_NOTIFY_SEND_RESPONSE, SF_NOTIFY_SEND_RAW_DATA notification event, complete and revise http response (comprise and revise statusline, head and deletion web response body Web), preserve the operational processes such as user login information; In the time of response SF_NOTIFY_END_OF_NET_SESSION notification event, discharge corresponding system resource.In fact, single-sign-on HTTP plug-in unit is the modification to http response processing stage of http response, both can coordinate respectively part operation at SF_NOTIFY_SEND_RESPONSE and two notification event points of SF_NOTIFY_SEND_RAW_DATA, also can complete all operations were at SF_NOTIFY_SEND_RAW_DATA notification event point, that is to say, can not respond to SF_NOTIFY_SEND_RESPONSE notification event.The call back function that single-sign-on HTTP plug-in unit processing stage of http response can provide by ISAPI Filter obtains the various information of HTTP request row, request head, as request URL, Cookie etc., and revises response, generates new response; Single-sign-on HTTP plug-in unit, the processing stage of http response, obtains the POST parameter (also adopting the scheme of situation 2.2) of the POST mode that single-sign-on HTTP plug-in unit preserves the processing stage that HTTP asks from described pFilterContext field.
The security token processing page can be implemented based on ISAPI Extension. A security token processing page based on ISAPI Extension processes requests and generates responses by calling the ISAPI Extension callback functions. The security token processing page is located either in an unprotected directory (path), or in an unprotected subdirectory (subpath) of a protected directory (path). The single sign-on HTTP plug-in and the security token processing page obtain the relevant IIS security configuration information, such as the protected directories (paths) and the identity authentication protocol in use, through the IIS Administration API.
If the Web service component is Windows IIS6, either IIS6 is configured to the IIS5 operating mode and the IIS5 single sign-on HTTP plug-in described above is used, or the single sign-on HTTP plug-in is implemented as follows:
The single sign-on HTTP plug-in saves the "server-side returned protocol data and parameters" with the same method as in IIS5. In the HTTP request processing stage the plug-in responds only to the SF_NOTIFY_PREPROC_HEADERS notification event; apart from not converting the GET method into the POST method and not saving the POST parameters of a POST request in the pFilterContext field, the other operations are implemented as in IIS5. In the HTTP response processing stage, apart from not saving the POST parameters of a POST request, the other operations are implemented as in IIS5. The security token processing page is implemented as in IIS5.
When the single sign-on HTTP plug-in in IIS6 uses this non-IIS5 implementation, a problem may arise in practice: because the POST parameters of a POST request are not saved and GET is not converted into POST when needed, if the method used when the user first visits a protected page is POST, then after the user completes identity authentication the protected page just visited is automatically accessed again with the GET method, so the user may not obtain the expected result. This does not cause substantial harm, however: first, because the method normally used when a user first visits a protected page is GET rather than POST; second, even in the case where the first visit to a protected page uses POST, the Web application system can prompt the user to resubmit the data, and the POST requests after that are submitted normally.
If the Web service component is Windows IIS 7.0 or a later version, besides the IIS6 implementation described above, the single sign-on HTTP plug-in can also be implemented based on the Native-Code HTTP Module extension or the Managed-Code HTTP Module of IIS, and the security token processing page can be implemented based on ISAPI Extension or ASP.NET.
If the single sign-on HTTP plug-in is implemented based on a Native-Code HTTP Module, a derived class of CHttpModule must be implemented; the single sign-on processing of the HTTP request is performed in the OnBeginRequest method of that class, and the single sign-on processing of the HTTP response in its OnSendResponse method. The single sign-on HTTP plug-in keeps the "server-side returned protocol data and parameters" in the IHttpModuleContextContainer object of the Native-Code HTTP Module's IHttpConnection object, which is bound to the TCP connection. In the HTTP response processing stage the single sign-on HTTP plug-in can directly read the data in the request line, request headers and body (including the POST parameters) of the corresponding HTTP request.
Implementing the single sign-on HTTP plug-in based on a Managed-Code HTTP Module is similar to implementing it based on a Native-Code HTTP Module. For how to develop IIS extension modules with Native-Code HTTP Modules or Managed-Code HTTP Modules, see Microsoft's MSDN (Microsoft Developer Network).
If the Web service component of the Web application system is a JSP/Servlet Web Container (including the Web Container of a J2EE Application Server), the single sign-on HTTP plug-in can be based on a Servlet Filter (which all Web containers have), an Authentication Filter (as in WebLogic), a Valve (as in Tomcat) of the Web container, or another similar HTTP plug-in mechanism (such as the TAI of WebSphere). Which of these is used depends, first, on what plug-in mechanism the Web container provides and, second, on whether that plug-in mechanism can meet the single sign-on processing requirements described here, that is, whether it can intercept the HTTP requests and responses of the HTTP identity authentication protocol and modify those requests and responses in some way. For example, if the HTTP requests and responses of the HTTP identity authentication protocol deployed on a certain Web Container can be intercepted by a Servlet Filter, Authentication Filter or Valve, the single sign-on HTTP plug-in can be implemented based on that Servlet Filter, Authentication Filter or Valve. With the HTTP plug-in mechanisms provided by JSP/Servlet Web Containers, the single sign-on HTTP plug-in can normally read all the data of the HTTP request directly in the HTTP response processing stage. For a JSP/Servlet Web Container, the security token processing page can be implemented based on JSP/Servlet. The security configuration information is obtained either by reading the configuration files directly or through the interfaces provided by the Web container.
If the Web service component of the Web application system is Apache HTTP Server or IBM HTTP Web Server, the single sign-on HTTP plug-in can be developed based on Apache Hooks and Filters, where the functions of the HTTP request processing stage are implemented with Apache Hooks and the functions of the HTTP response processing stage are implemented with Apache Hooks and Filters (the Apache Hook processes the headers, the Apache Filter processes the response content). The "server-side returned protocol data and parameters" are stored in the TCP-connection-based data storage location that Apache provides. With Apache Filters the single sign-on HTTP plug-in can directly read all the data of the HTTP request in the HTTP response processing stage. The security token processing page can be developed based on an Apache Content Handler, or with the page technology (such as Perl or Python) of the corresponding Web application component. The security configuration information of Apache HTTP Server or IBM HTTP Web Server is obtained either by reading the configuration files directly or through the interface variables provided by Apache, such as the directory configuration information in the request_rec structure and the server configuration information in the conn_rec structure within the request_rec structure.
Other Web service components, such as Domino Web Server, have similar HTTP plug-in mechanisms, and the specific implementation of the single sign-on HTTP plug-in and the security token processing page on these Web platforms is similar to the specific implementations described above.
In addition, regarding the concrete implementation of the single sign-on protocol and security token involved, the single sign-on protocol and security token can use standard protocols such as SAML and WS-Federation, with the corresponding SAML assertion or WS-Security token serving as the security token that proves the user's identity; or a custom single sign-on protocol and a custom security token can be used, as long as they are consistent with the interaction and processing described in the present invention. If the single sign-on protocol and security token are based on XML (eXtensible Markup Language), such as SAML and WS-Federation, various mature dynamic libraries, class libraries (such as the Windows Communication Foundation class library) and APIs (such as the Java API for XML Processing, JAXP) can be used to process the XML data. For implementations involving data encryption and digital signatures, various mature dynamic libraries (such as OpenSSL), class libraries (such as the Java Cryptography Extension) and APIs (such as Windows CryptoAPI) can be used.
Content not described in detail in this specification belongs to the prior art known to those skilled in the field.

Claims (10)

1. A plug-in type single sign-on integration method oriented to HTTP identity authentication protocols, wherein the single sign-on system of the method comprises a Web service component, a Web application component, a single sign-on HTTP plug-in, a security token processing page, a browser, an identity service system, a main account database and a main/sub-account binding database, characterized in that:
Web service component: provides the Web application component with HTTP request receiving and response sending functions and other related support functions, including: receiving the HTTP-format service requests submitted by the user's browser, submitting them to the Web application component for processing after the corresponding preliminary treatment, and then sending the results returned by the Web application component to the user's browser in the form of HTTP responses; performing identity authentication and access control on users according to the corresponding security configuration; maintaining the user's HTTP session;
Web application component: the functional software that provides specific application services to users; through the corresponding Web service component it receives the application service requests submitted by the user through the browser and, after completing the corresponding processing, returns the results to the user's browser via the Web service component; the Web application component and the corresponding Web service component together form a Web application system; there is at least one Web application system; each Web application system authenticates users in some way, and some of the Web application systems authenticate users through the Web service component with a standard HTTP identity authentication protocol; a user may access the protected pages or resources of a Web application system only after completing identity authentication with the user's corresponding account in that Web application system; the standard HTTP identity authentication protocols include but are not limited to the Web-oriented HTTP Basic, Digest, NTLM and Negotiate identity authentication protocols;
Single sign-on HTTP plug-in: a software component, based on the extension mechanism provided by the Web service component, that is inserted into the HTTP request and response processing channel of the Web service component of a Web application system using an HTTP identity authentication protocol, and that implements the single sign-on function; the plug-in mechanism used by the single sign-on HTTP plug-in can intercept the request and response data of the HTTP identity authentication protocol; on the Web service component on which it is deployed, the single sign-on HTTP plug-in is configured either to intercept all HTTP requests and responses, or to intercept all HTTP requests (and their responses) submitted to the protected directories or paths and all HTTP requests (and their responses) submitted to the directory or path of the security token processing page; the single sign-on HTTP plug-in has corresponding configuration information for setting single sign-on related information, which optionally includes: 1) which Web page directories or paths in the Web application system where the single sign-on HTTP plug-in resides are protected; 2) which HTTP identity authentication protocol(s) the protected directories or paths use, and the related identity authentication protocol parameters; 3) whether the concrete implementation of the HTTP identity authentication in use allows the client to initiate authentication and authorization requests, that is, whether the client browser is allowed to proactively submit an HTTP request containing an Authorization header, asking the server to authenticate the client user and authorize resource access, before receiving an HTTP response whose status code is "401" and which contains a WWW-Authenticate header;
Security token processing page: a Web page deployed on the Web service component of a Web application system using an HTTP identity authentication protocol, dedicated to processing the security token, issued by the identity service system, that proves the user's identity; the security token processing page is deployed in an unprotected path or directory of the Web service component, so that a user submitting an HTTP request to this processing page through the browser need not complete identity authentication;
Browser: the client through which the user interacts with the Web application system; it transmits HTTP requests to the Web service component via the HTTP protocol, receives the HTTP responses returned by the Web service component, and renders the response content;
Identity service system: the system that provides online identity authentication services to users; it authenticates users online based on user identity credentials and transmits the security token proving the user's identity to the Web application system through the browser according to the corresponding single sign-on protocol; the form of the security token issued by the identity service system depends on the single sign-on protocol in use and can be a SAML assertion, a WS-Federation security token, or a custom security token; the identity service system guarantees the authenticity and integrity of the issued security token by digital signature;
Main account database: stores the main account information with which users log in to the identity service system, including the main account's name and password, or the information related to the digital certificate corresponding to the main account; the main account is the account the user uses when performing identity authentication in the identity service system; the main account database can be an independent account database or the account database of some application system;
Main/sub-account binding database: stores the correspondence or binding relationship between a user's main account and the user's sub-accounts in the Web application systems, together with the sub-account passwords; a sub-account is the user's corresponding account in a particular Web application system; a user's main account and sub-account in a certain Web application system may be the same or may be different.
2. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 1, characterized in that: the single sign-on HTTP plug-in keeps information related to each user's identity authentication, called user login information; the user login information comprises:
1) identity authentication protocol: the HTTP identity authentication protocol currently used by the Web service component to authenticate the user;
2) server-side returned protocol data and parameters: when the Web service component authenticates the client user with the HTTP identity authentication protocol, the protocol data and parameters it returns to the client browser in the WWW-Authenticate response header, including the indication of the HTTP identity authentication protocol;
3) last protected URL to be accessed: the URL of the last protected Web page the user wanted to access with the browser before completing identity authentication with the Web application system;
4) last POST parameters: if the HTTP request method used the last time the user accessed a protected Web page with the browser, before completing identity authentication with the Web application system, was POST, the value of the last POST parameters is the POST parameters of that HTTP request; otherwise its value is empty;
5) user identity information: information that identifies and authenticates the user, comprising the user's main account name, sub-account name and sub-account password;
Each item of user login information is kept in the form of a character string, non-character data being kept in Base64-encoded form; the user identity information is encrypted and time-limited, to prevent leakage and replay attacks; the identity authentication protocol, the last protected URL to be accessed, the last POST parameters and the user identity information are kept in a Cookie whose path must cover both the protected paths set on the Web service component and the unprotected path where the security token processing page resides, so that both the Web pages in the protected paths and the unprotected security token processing page can see and obtain this Cookie; alternatively, the relevant user login information is kept in two different Cookies at the same time, one whose path is the protected path and the other whose path is the unprotected path of the security token processing page;
Depending on the data storage mechanism that the Web service component offers to HTTP plug-ins, the single sign-on HTTP plug-in stores the server-side returned protocol data and parameters as follows, in the following order of priority:
Situation 1: if the Web service component provides HTTP plug-ins with a TCP-connection-based data storage location, the single sign-on HTTP plug-in keeps the server-side returned protocol data and parameters in the TCP-connection-based data storage location; or,
Situation 2: if the Web service component provides HTTP plug-ins with an HTTP-session-based data storage location, the single sign-on HTTP plug-in keeps the server-side returned protocol data and parameters in the HTTP-session-based data storage location; or,
Situation 3: if the single sign-on HTTP plug-in has a custom-developed TCP-connection-based or HTTP-session-based data storage location, the single sign-on HTTP plug-in keeps the server-side returned protocol data and parameters in that custom-developed TCP-connection-based or HTTP-session-based data storage location;
Otherwise,
Situation 4: the single sign-on HTTP plug-in keeps all the user login information in the client browser through Cookies;
The TCP-connection-based data storage location is a data storage location, provided by the Web service component to HTTP plug-ins, that is associated with the TCP connection carrying the HTTP data transfer: a different TCP connection gives a different data storage location; the HTTP-session-based data storage location is one that stays the same as long as the HTTP session is the same, even if the TCP connection differs: the data storage location is unrelated to the TCP connection and related only to the specific HTTP user session;
For the server-side returned protocol data and parameters, the following must be set in the configuration information of the single sign-on HTTP plug-in: for each HTTP identity authentication protocol used by the Web application system, how the value of the server-side returned protocol data and parameters is to be set after the user's identity is authenticated successfully; the setting options are: leave unchanged, set to empty, or set to a single space.
3. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 1 or 2, characterized in that: when a user uses the browser to access a Web application system that authenticates users with an HTTP identity authentication protocol, the single sign-on HTTP plug-in intercepts the HTTP request and then processes the HTTP request as follows:
Step 1: according to the relevant configuration information, determine whether the current HTTP request URL corresponds to a protected page or an unprotected page; if protected, proceed to step 2; otherwise, let the HTTP request pass and finish processing this HTTP request;
Step 2: check the server-side returned protocol data and parameters; if not set, or if the value is empty, proceed to step 3; otherwise, proceed to step 6;
Step 3: check the user identity information; if it exists and is valid, proceed to step 4; otherwise, let the HTTP request pass and finish processing this HTTP request;
Step 4: obtain the HTTP identity authentication protocol currently used by the Web application system from the identity authentication protocol information kept in the Cookie, then determine from the relevant configuration information whether the HTTP identity authentication protocol in use allows the client to initiate authentication and authorization requests; if not, let the HTTP request pass and finish processing this HTTP request; otherwise, proceed to step 5;
Step 5: obtain the data and parameters required by the HTTP identity authentication protocol from the relevant configuration information; according to the HTTP identity authentication protocol, generate the Authorization request header containing the identity authentication data that the client submits first, and add the generated header to the intercepted HTTP request; then let the modified HTTP request pass and finish processing this HTTP request;
Step 6: if the value of the server-side returned protocol data and parameters is a single space, let the HTTP request pass and finish processing this HTTP request; otherwise, proceed to step 7;
Step 7: according to the HTTP identity authentication protocol and the other data in the server-side returned protocol data and parameters, generate the Authorization request header of the identity authentication protocol for the current protocol phase, and add the generated header to the intercepted HTTP request; then let the modified HTTP request pass and finish processing this HTTP request;
The relevant configuration information in steps 1, 4 and 5 refers to the configuration information of the Web service component and/or the single sign-on HTTP plug-in that relates to secure access control, identity authentication and single sign-on;
The identity authentication process of the HTTP identity authentication protocol requires the client and server to interact through HTTP requests and responses in several steps or phases; the current protocol phase of the HTTP identity authentication protocol in step 7 refers to the step or phase the client is in, according to the requirements of the identity authentication protocol, when it submits the identity authentication request information;
After the single sign-on HTTP plug-in completes the relevant processing of steps 2 to 7 in the HTTP request processing stage, before letting the HTTP request pass, it must perform the following operation: if the URL of the current HTTP request is identical to the URL saved in the last protected URL to be accessed, the method of the current HTTP request is GET, and the value of the last POST parameters is non-empty, change the method of the current HTTP request to POST and add the data in the last POST parameters to the current HTTP request as POST parameters;
If, with the HTTP plug-in mechanism provided by the Web service component, the single sign-on HTTP plug-in cannot obtain the request line, headers or body of the HTTP request corresponding to the current HTTP response in the HTTP response processing stage, then after completing all the relevant processing of steps 1 to 7 in the HTTP request processing stage (including converting a GET request into a POST request), and before letting the HTTP request pass, the single sign-on HTTP plug-in passes the relevant data of the current HTTP request to the HTTP response processing stage according to the following situations, in the following order of priority:
Situation A: if the Web service component provides a TCP-connection-based data storage location, the relevant data of the current HTTP request is saved in the TCP-connection-based data storage location and obtained by the single sign-on HTTP plug-in in the HTTP response processing stage; or,
Situation B: if the Web service component provides an HTTP-session-based data storage location, the relevant data of the current HTTP request is saved in the HTTP-session-based data storage location and obtained by the single sign-on HTTP plug-in in the HTTP response processing stage; or,
Situation C: if the headers of the HTTP response can be set directly in the HTTP request processing stage, the relevant data of the current HTTP request is passed to the HTTP response processing stage through a custom HTTP response header, from which the single sign-on HTTP plug-in obtains it in the HTTP response processing stage; after obtaining the relevant data from the custom header, the single sign-on HTTP plug-in deletes that custom header; or,
Situation D: if the single sign-on HTTP plug-in has a custom-developed TCP-connection-based or session-based data storage location, the relevant data of the current HTTP request is saved in that custom-developed TCP-connection-based or session-based data storage location and obtained by the single sign-on HTTP plug-in in the HTTP response processing stage;
Otherwise,
Situation E: the single sign-on HTTP plug-in passes the relevant data of the current HTTP request to the HTTP response processing stage through a threading mechanism;
The single sign-on HTTP plug-in need only pass the POST parameters of protected Web pages to the HTTP response processing stage.
4. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 3, characterized in that: in steps 5 and 7 of the HTTP request processing procedure, the single sign-on HTTP plug-in generates the Authorization request header of the HTTP identity authentication protocol for the corresponding protocol phase as follows, depending on the HTTP identity authentication protocol:
Situation I: if the identity authentication protocol is HTTP Basic, decrypt the user identity information data from the Cookie, obtain the user's sub-account name and password in the Web application system, then form the Authorization header as required by the HTTP Basic protocol; or,
Situation II: if the identity authentication protocol is HTTP Digest, decrypt the user identity information data from the Cookie, obtain the user's sub-account name and password in the Web application system, then form the Authorization header according to the content of the server-side returned protocol data and parameters and the requirements of the HTTP Digest protocol; or,
Situation III: if the identity authentication protocol is HTTP NTLM, and the server-side returned protocol data and parameters are not set, or their value is empty, or their value is the initial prompt to perform identity authentication, generate the NTLM Type 1 data and form the data of the Authorization header as required by the HTTP NTLM protocol; otherwise, first decrypt the user identity information data from the Cookie, obtain the user's sub-account name and password in the Web application system, then use this sub-account name and password together with the NTLM Type 2 data kept in the server-side returned protocol data and parameters to generate the NTLM Type 3 data, and form the Authorization header as required by the HTTP NTLM protocol; or,
Situation IV: if the identity authentication protocol is HTTP Negotiate, first decrypt the user identity information data from the Cookie, obtain the user's sub-account name and password in the Web application system, which are also the user's account name and password in the Kerberos system; then, with this sub-account name and password, call the corresponding Kerberos interface, connect to the authentication server of the Kerberos KDC and obtain the user's TGT; then use this TGT to call GSS-API or an equivalent interface and obtain the user's SPNEGO token for accessing the Web application system; then, with the obtained SPNEGO token, form the Authorization header as required by the HTTP Negotiate protocol; or,
Situation V: if another valid HTTP identity authentication protocol is in use, process according to that protocol;
Otherwise, direct the user's browser to the error page.
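Situations I and II above, as an added Python example that is not code from the patent: it parses the saved WWW-Authenticate value ("server-side returned protocol data and parameters") and builds the Basic or Digest Authorization header from the decrypted sub-account credential. The identity dict layout, the caller-supplied cnonce, and the restriction to RFC 2617 Digest with MD5 and qop=auth are assumptions; situations III to V are not implemented and are reported to the caller.

```python
"""Added example (not the patent's code): Authorization header construction for
situations I (Basic) and II (Digest) of claim 4. Assumed: identity dict layout,
caller-supplied cnonce, RFC 2617 Digest with MD5 and qop=auth only."""
import base64
import hashlib
import re

# name=value pairs of a challenge; values may be quoted or bare tokens
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_challenge(value: str):
    """Split a WWW-Authenticate value (the saved 'server-side returned protocol
    data and parameters') into its scheme and a dict of parameters."""
    scheme, _, rest = value.strip().partition(" ")
    params = {}
    for m in _PARAM.finditer(rest):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def basic_header(user: str, password: str) -> str:
    """Situation I: Basic needs no server data, only the sub-account credential."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def digest_header(user, password, method, uri, params, cnonce, nc=1) -> str:
    """Situation II: Digest (RFC 2617, MD5) computed from the challenge parameters
    the server returned and the sub-account credential."""
    if params.get("algorithm", "MD5").upper() != "MD5":
        raise ValueError("only algorithm=MD5 is handled in this example")
    realm, nonce = params["realm"], params["nonce"]
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    fields = [("username", user), ("realm", realm), ("nonce", nonce), ("uri", uri)]
    qop = params.get("qop")
    if qop:
        # take the first qop the server offers; only "auth" is supported here
        qop = qop.split(",")[0].strip()
        if qop != "auth":
            raise ValueError(f"unsupported qop {qop}")
        nc_str = f"{nc:08x}"
        response = _md5(f"{ha1}:{nonce}:{nc_str}:{cnonce}:{qop}:{ha2}")
        fields += [("qop", qop), ("nc", nc_str), ("cnonce", cnonce)]
    else:
        response = _md5(f"{ha1}:{nonce}:{ha2}")      # legacy RFC 2069 form
    fields.append(("response", response))
    if "opaque" in params:
        fields.append(("opaque", params["opaque"]))   # echoed back unchanged
    # qop and nc are tokens (unquoted); every other field is a quoted string
    return "Digest " + ", ".join(
        f"{k}={v}" if k in ("qop", "nc") else f'{k}="{v}"' for k, v in fields)


def build_authorization(protocol, challenge, identity, method, uri, cnonce=None):
    """Dispatch of claim 4: Basic and Digest are built here; any other scheme is
    raised to the caller, who would send the browser to the error page."""
    user, password = identity["sub_account"], identity["password"]
    if protocol == "Basic":
        return basic_header(user, password)
    if protocol == "Digest":
        scheme, params = parse_challenge(challenge)
        if scheme != "Digest":
            raise ValueError("saved challenge does not match the Digest protocol")
        return digest_header(user, password, method, uri, params, cnonce)
    raise NotImplementedError(f"{protocol}: situations III-V are not shown here")
```

With the RFC 2617 section 3.5 example challenge and credentials, digest_header yields response 6629fae49393a05397450978507c4ef1, which is what the added test checks.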
5. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 1 or 2, characterized in that: after the single sign-on HTTP plug-in intercepts an HTTP response, it processes the HTTP response as follows:
1st step: check the response status and headers of the HTTP response; if the response status is "401" and a WWW-Authenticate response header is present, proceed to the 2nd step; otherwise, proceed to the 7th step;
2nd step: check the user identity information; if it exists and is valid, proceed to the 3rd step; otherwise, proceed to the 6th step;
3rd step: check the value of the WWW-Authenticate header of the current HTTP response; if it is the initial prompt to perform identity authentication, and the HTTP request corresponding to this response contains an Authorization header whose value is the identity credential data corresponding to the HTTP identity authentication protocol indicated in the WWW-Authenticate header, or data derived from that identity credential data by cryptographic computation, proceed to the 4th step; otherwise, proceed to the 5th step;
4th step: set the user identity information to empty; set the value of the server-side returned protocol data and parameters to the value of the WWW-Authenticate header of the HTTP response; obtain the HTTP request URL corresponding to the current HTTP response and save it as the value of the last protected URL to be accessed; if the method of the HTTP request corresponding to the current HTTP response is POST, save the POST parameters of that request in the last POST parameters, otherwise set the value of the last POST parameters to empty; then change the response status code of the HTTP response to 302, remove the WWW-Authenticate response header, remove the HTTP response body and any response body length indication it may contain, and add a Location header to the response whose value is set to the user login error page URL of the identity service system, to which the system identifier of the Web application system where the single sign-on HTTP plug-in resides has been added as a Query String; finally, let the modified HTTP response pass and finish processing this HTTP response;
5th step: set the value of the server-side returned protocol data and parameters to the value of the WWW-Authenticate header of the HTTP response; obtain the HTTP request URL corresponding to the current HTTP response and save it as the value of the last protected URL to be accessed; if the method of the HTTP request corresponding to the current HTTP response is POST, save the POST parameters of that request in the last POST parameters, otherwise set the value of the last POST parameters to empty; then change the response status code of the HTTP response to 302, remove the WWW-Authenticate response header, remove the HTTP response body and any response body length indication it may contain, and add a Location header to the response whose value is set to the HTTP request URL corresponding to the current HTTP response; then let the modified HTTP response pass and finish processing this HTTP response;
6th step: save the HTTP identity authentication protocol indicated in the WWW-Authenticate header as the identity authentication protocol of the user login information; set the value of the server-side returned protocol data and parameters to the value of the WWW-Authenticate header of the HTTP response; set the user identity information to empty; obtain the HTTP request URL corresponding to the current HTTP response and save it as the value of the last protected URL to be accessed; if the method of the HTTP request corresponding to the current HTTP response is POST, save the POST parameters of that request in the last POST parameters, otherwise set the value of the last POST parameters to empty; then change the response status code of the HTTP response to 302, remove the WWW-Authenticate response header from the HTTP response, remove the HTTP response body and any response body length indication it may contain, and add a Location header to the response headers whose value is the user login page URL of the identity service system, to which the system identifier of the Web application system where the single sign-on HTTP plug-in resides has been added as a Query String; finally, let the modified HTTP response pass and finish processing this HTTP response;
7th step: obtain the HTTP request URL corresponding to the current HTTP response and determine from the relevant configuration information whether this HTTP request URL corresponds to a protected Web page; if not, let the HTTP response pass and finish processing this HTTP response; otherwise, proceed to the 8th step;
8th step: if the HTTP response contains a WWW-Authenticate response header, remove it; if the URL of the HTTP request corresponding to the current HTTP response is identical to the last protected URL to be accessed, set the last protected URL to be accessed and the value of the last POST parameters to empty;
The 9th step: according to the set-up mode that returns to the value of protocol data and parameter in the configuration information of single-sign-on HTTP plug-in unit for presently used HTTP identity authentication protocol described server end that set, after user identity is differentiated successfully, the value that described server end returns to protocol data and parameter is set, then allow amended http response pass through, complete the processing of this http response;
The value of the WWW-Authenticate head described in described the 3rd step is that the initial prompt of carrying out identity discriminating refers to that the value of this head is that user completes before identity discriminating, when the shielded page of maiden visit, the data of the WWW-Authenticate response head of identity discriminating are carried out in the requirement that Web server end returns for the first time;
Identity documents data described in described the 3rd step, refer to the electronic data that can prove user identity, comprise account name, password, and comprise identity validation information security token; Described data after the computing of identity documents data cryptogram, refer to after identity documents is by certain crypto-operation and obtain data;
If the http response of single-sign-on HTTP plug-in unit interception comprises multiple WWW-Authenticate heads, WWW-Authenticate head and the described the 4th used in described the 3rd step, 5, used in 6 steps, its value is saved to described server end and returns in WWW-Authenticate head in protocol data and parameter and described the 6th step and preserve the WWW-Authenticate head that described identity authentication protocol uses, it is the WWW-Authenticate head corresponding to certain HTTP identity authentication protocol of the predetermined rules selection of basis, and the described the 4th, 5, 6, the WWW-Authenticate head of deleting in 8 steps comprises all WWW-Authenticate heads,
Amended http response described in described the 4th, 5,6,9 steps can be both the http response obtaining after directly revising in former http response data structure data structure, can be also newly-generated http response in a new http response data structure;
Relevant configuration information described in described the 7th step refer to Web service assembly and/or single-sign-on HTTP plug-in unit with safe access control, identity is differentiated, single-sign-on is relevant configuration information.
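The response-stage procedure above (Steps 4 to 9, the rule for several WWW-Authenticate headers, and the proxy substitutions of claim 10), as an added example that is not the patent's code: a Python function over a dictionary model of one intercepted request/response pair. Which of Steps 4, 5 or 6 a challenge falls into is decided by Steps 1 to 3 of the claim, which are not reproduced on this page, so the caller passes that decision in as `branch`. The scheme preference used to pick one of several challenge headers, the `sysid` query parameter, the Digest `nextnonce` rule standing in for the Step 9 configuration, the `proxy_mode` switch, and every URL, key and field name are assumptions of this example.

```python
# Added example, not the patent's code. Everything named here is assumed.
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SCHEME_PREFERENCE = ("Negotiate", "NTLM", "Digest", "Basic")  # assumed "predetermined rule"

def challenge_names(proxy_mode):
    """Claim 10: on a Web proxy the same logic keys on 407 / Proxy-Authenticate."""
    return (407, "proxy-authenticate") if proxy_mode else (401, "www-authenticate")

def select_challenge(values):
    """Several challenge headers: keep the one whose scheme ranks highest."""
    by_scheme = {v.split(None, 1)[0].lower(): v for v in values}
    for scheme in SCHEME_PREFERENCE:
        if scheme.lower() in by_scheme:
            return by_scheme[scheme.lower()]
    return values[0]

def with_system_id(url, system_id):
    """Append the Web application system identifier as a Query String parameter."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True) + [("sysid", system_id)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def redirect_response(resp, location, hdr):
    """Shared tail of Steps 4/5/6: 302, drop every challenge header, the body
    and its length indication, then add Location."""
    headers = [(k, v) for k, v in resp["headers"] if k.lower() not in (hdr, "content-length")]
    return {"status": 302, "headers": headers + [("Location", location)], "body": b""}

def digest_nextnonce_rule(protocol, saved, headers):
    """Assumed Step 9 rule: for Digest, adopt nextnonce from Authentication-Info."""
    if protocol and protocol.lower() == "digest" and saved:
        for k, v in headers:
            if k.lower() == "authentication-info" and "nextnonce=" in v:
                nonce = v.split("nextnonce=", 1)[1].split(",", 1)[0].strip().strip('"')
                return re.sub(r'nonce="[^"]*"', f'nonce="{nonce}"', saved)
    return saved

def process_response(req, resp, state, config, branch=None, proxy_mode=False):
    """Return the response to let pass; update `state` (the plug-in's saved
    fields, which the patent keeps in Cookies) in place. `branch` is "error"
    (Step 4), "retry" (Step 5) or "login" (Step 6), as decided by Steps 1-3."""
    status, hdr = challenge_names(proxy_mode)
    challenges = [v for k, v in resp["headers"] if k.lower() == hdr]
    if resp["status"] == status and challenges:
        chosen = select_challenge(challenges)
        state["server_protocol_data"] = chosen                         # common to Steps 4-6
        state["last_protected_url"] = req["url"]
        state["last_post_params"] = req["post_params"] if req["method"] == "POST" else None
        if branch == "retry":                                           # Step 5
            location = req["url"]
        elif branch == "error":                                         # Step 4
            state["identity"] = None
            location = with_system_id(config["login_error_url"], config["system_id"])
        elif branch == "login":                                         # Step 6
            state["auth_protocol"] = chosen.split(None, 1)[0]
            state["identity"] = None
            location = with_system_id(config["login_url"], config["system_id"])
        else:
            raise ValueError("branch must be decided by Steps 1-3")
        return redirect_response(resp, location, hdr)
    if not config["is_protected"](req["url"]):                          # Step 7
        return resp
    headers = [(k, v) for k, v in resp["headers"] if k.lower() != hdr]  # Step 8
    if req["url"] == state.get("last_protected_url"):
        state["last_protected_url"] = state["last_post_params"] = None
    state["server_protocol_data"] = config["after_auth_rule"](          # Step 9
        state.get("auth_protocol"), state.get("server_protocol_data"), headers)
    return {"status": resp["status"], "headers": headers, "body": resp["body"]}

def demo():
    """Constructed traffic: a Digest/Basic challenge, the later success, a proxy challenge."""
    config = {"login_url": "https://idp.example/login",
              "login_error_url": "https://idp.example/login-error", "system_id": "app1",
              "is_protected": lambda u: u.startswith("https://app.example/secure/"),
              "after_auth_rule": digest_nextnonce_rule}
    state = dict.fromkeys(("identity", "server_protocol_data", "last_protected_url",
                           "last_post_params", "auth_protocol"))
    req = {"method": "POST", "url": "https://app.example/secure/report", "post_params": {"q": "1"}}
    challenge = {"status": 401, "body": b"Unauthorized",
                 "headers": [("WWW-Authenticate", 'Basic realm="app"'),
                             ("WWW-Authenticate", 'Digest realm="app", nonce="abc", qop="auth"'),
                             ("Content-Length", "12"), ("Content-Type", "text/plain")]}
    first = process_response(req, challenge, state, config, branch="login")
    state["identity"] = {"main": "alice"}          # set by the token page after login
    success = {"status": 200, "body": b"<html>report</html>",
               "headers": [("Authentication-Info", 'nextnonce="def", qop=auth'),
                           ("Content-Type", "text/html")]}
    second = process_response(req, success, state, config)
    proxy = process_response(req, {"status": 407, "body": b"",
                                   "headers": [("Proxy-Authenticate", 'Basic realm="proxy"')]},
                             dict(state), config, branch="retry", proxy_mode=True)
    return {"first": first, "second": second, "proxy": proxy, "state": state}
```

The part worth checking against a real plug-in is the shared tail of Steps 4 to 6: once the status becomes 302 the original 401 body and its Content-Length must both go, or the browser either waits for bytes that never arrive or renders the server's error page instead of following Location; and every challenge header is removed, not only the one whose value was saved.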
6. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 5, characterized in that after Step 6 of the HTTP response processing procedure has redirected the browser to the user login page of the identity service system by modifying or setting the status code of the HTTP response to 302 and setting the Location header of the HTTP response, the identity service system processes the HTTP request as follows:
Step 1: Determine, from the Web application system identifier carried in the Query String of the HTTP request URL, whether the Web application system the user wants to access is a system trusted and served by the identity service system; if not, return an error message; otherwise proceed to Step 2;
Step 2: Determine whether the user has previously completed identity authentication at the identity service system; if so, proceed to the next step; otherwise direct the user to the login page and authenticate the user with the user's primary account, proceeding to Step 3 after authentication succeeds;
Step 3: Based on the user's primary account and the Web application system the user wants to access, obtain from the primary-secondary account binding database the user's secondary account name and password in the Web application system to be accessed;
Step 4: Generate for the user a security token containing the user's primary account name, secondary account name and encrypted secondary account password, digitally sign the relevant information, then return the user identity proof information containing the security token to the user's browser in the form of an HTML Form, and submit the user identity proof information containing the security token to the security token processing page of the Web application system the user needs to access by way of automatic POST submission of the Form.
7. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 1, 2 or 6, characterized in that after the security token processing page receives the user identity proof information containing the security token, issued by the identity service system and submitted by the user's browser through automatic POST submission of the Form, it processes it as follows:
Step I: Verify by means of the digital signature whether the security token is valid; if valid, proceed to Step II; otherwise return an error page;
Step II: Separate the user's primary account name, secondary account name and password from the security token and decrypt the secondary account password; then create a Set-Cookie header in the HTTP response that sets the Cookie in which the user identity information is stored, the value of the Cookie comprising the encrypted primary account name, secondary account name and password;
Step III: Set the status code of the HTTP response to 302, create a Location header in the HTTP response whose value is set to the protected URL last requested, as obtained from the Cookie, and then return the HTTP response.
8. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 5, characterized in that after Step 4 of the HTTP response processing stage has redirected the browser to the user login-error page URL of the identity service system by modifying or setting the status code of the HTTP response to 302 and setting the Location header of the HTTP response, the identity service system processes the HTTP request as follows:
First step: Determine, from the Web application system identifier carried in the HTTP request URL, whether the Web application system the user wants to access is a system trusted and served by the identity service system; if not, return an error message; otherwise proceed to the second step;
Second step: Prompt the user to enter and submit the account name and password the user holds in the Web application system to be accessed;
Third step: After the user has submitted the account name and password, determine whether the user has previously logged in to the identity service system and completed identity authentication; if so, proceed to the fifth step; otherwise proceed to the fourth step;
Fourth step: Return the user login page of the identity service system and authenticate the user with the user's primary account, proceeding to the fifth step after authentication succeeds;
Fifth step: Based on the account name and password of the user in the Web application system obtained in the second and third steps, update the user's secondary account name and password for the corresponding Web application system in the primary-secondary account binding database;
Sixth step: Generate for the user a security token containing the user's primary account name, secondary account name and encrypted secondary account password, digitally sign the relevant information, then return the user identity proof information containing the security token to the user's browser in the form of an HTML Form, and submit the user identity proof information containing the security token to the security token processing page of the Web application system the user needs to access by way of automatic POST submission of the Form.
9. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 7, characterized in that if all Web paths or directories of the Web application system are under security protection and no non-protected path or directory can be set up either inside or outside the protected paths or directories, the security token processing page is not an actually existing Web page but only a virtual Web page path; correspondingly, the single sign-on HTTP plug-in intercepts the HTTP request submitted to the security token processing page in the HTTP request processing stage and completes the processing operation of Step I, and then, in the response processing stage of that HTTP request, intercepts the HTTP response and completes the processing operations of Steps II and III.
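The token exchange of claims 6 to 9 (the identity service issues a signed token and an auto-POST Form; the security token processing page runs Steps I to III; under claim 9 the plug-in serves that page itself), as an added example that is not the patent's code. The page names neither the signature nor the cipher, so two stand-ins are used and labelled as such: HMAC-SHA256 under a key shared by the identity service and the Web application replaces the digital signature, and HMAC-SHA256 in counter mode with a fresh random nonce replaces the password and Cookie cipher, because the standard library has no AES. The trusted-system registry, the `/sso/token` path, the `token` form field, the `SSOID` Cookie with its HttpOnly and Secure flags, the key values, and the `aud` and `iat` token fields are assumptions; the last two are added so that a token minted for one Web application system cannot be replayed against another, or after a few minutes, a check the claims leave to the signature alone. Claim 9 splits Step I and Steps II/III across the request and response stages; the example runs them together in `plugin_intercept`.

```python
# Added example, not the patent's code. Keys, names and the two stand-in
# primitives (HMAC "signature", HMAC-counter-mode "cipher") are assumptions.
import base64, hashlib, hmac, html, json, os, time

TRUSTED_SYSTEMS = {"app1": "https://app.example/sso/token"}  # assumed registry: system id -> token page
TOKEN_PATH = "/sso/token"                                     # assumed virtual path (claim 9)

def _keystream(key, nonce, n):
    """HMAC-SHA256 as a PRF in counter mode; stand-in for the unnamed cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, data):
    nonce = os.urandom(16)                     # fresh nonce per message
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def decrypt(key, blob):
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def b64(b): return base64.urlsafe_b64encode(b).decode()
def unb64(s): return base64.urlsafe_b64decode(s)
def sign(key, payload): return hmac.new(key, payload, hashlib.sha256).hexdigest()  # stand-in signature

# ---- identity service system: claim 6 Steps 1, 3, 4 / claim 8 first and sixth steps ----
def issue_token(sign_key, pwd_key, system_id, main_account, sub_account, sub_password, now=None):
    if system_id not in TRUSTED_SYSTEMS:                       # Step 1: only trusted systems
        raise PermissionError("unknown Web application system")
    body = {"main": main_account, "sub": sub_account,
            "enc_pwd": b64(encrypt(pwd_key, sub_password.encode())),
            "aud": system_id,                                     # assumed: binds token to one system
            "iat": int(time.time() if now is None else now)}      # assumed: bounds the replay window
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return b64(payload) + "." + sign(sign_key, payload)

def auto_post_form(token, system_id):
    """Step 4: the identity proof is returned as a Form the browser submits by POST."""
    action = html.escape(TRUSTED_SYSTEMS[system_id])
    return (f'<form id="f" method="post" action="{action}">'
            f'<input type="hidden" name="token" value="{html.escape(token)}"></form>'
            '<script>document.getElementById("f").submit()</script>')

# ---- security token processing page: claim 7 Steps I-III ----
def process_token_post(sign_key, pwd_key, cookie_key, system_id, posted_token,
                       last_protected_url, now=None, max_age=300):
    try:
        payload_b64, sig = posted_token.split(".", 1)
        payload = unb64(payload_b64)
    except ValueError:
        return {"status": 400, "headers": [], "body": "malformed token"}
    if not hmac.compare_digest(sign(sign_key, payload).encode(), sig.encode()):   # Step I
        return {"status": 403, "headers": [], "body": "invalid signature"}
    body = json.loads(payload)
    age = (time.time() if now is None else now) - body["iat"]
    if body.get("aud") != system_id or not 0 <= age <= max_age:
        return {"status": 403, "headers": [], "body": "token not for this system or expired"}
    sub_password = decrypt(pwd_key, unb64(body["enc_pwd"])).decode()             # Step II
    ident = json.dumps({"main": body["main"], "sub": body["sub"], "pwd": sub_password}).encode()
    cookie = "SSOID=" + b64(encrypt(cookie_key, ident)) + "; Path=/; HttpOnly; Secure"
    return {"status": 302, "body": "",                                            # Step III
            "headers": [("Set-Cookie", cookie), ("Location", last_protected_url)]}

def plugin_intercept(req, keys, system_id, last_protected_url, now=None):
    """Claim 9: with no unprotected path available, the plug-in answers the
    virtual token page itself instead of letting the request reach the server."""
    if req["method"] == "POST" and req["path"] == TOKEN_PATH:
        return process_token_post(*keys, system_id, req["form"]["token"], last_protected_url, now=now)
    return None                                                # let the request pass

def open_cookie(cookie_key, set_cookie_header):
    """What the plug-in's request stage later reads back from the Cookie."""
    value = set_cookie_header.split(";", 1)[0][len("SSOID="):]
    return json.loads(decrypt(cookie_key, unb64(value)))

def demo(now=1_700_000_000):
    """Constructed end-to-end run: valid token, tampered token, replay, wrong system."""
    keys = (b"idp-signing-key", b"password-key", b"app1-cookie-key")   # assumed shared/app keys
    url = "https://app.example/secure/report"
    token = issue_token(keys[0], keys[1], "app1", "alice", "alice@app1", "s3cret", now=now)
    req = {"method": "POST", "path": TOKEN_PATH, "form": {"token": token}}
    ok = plugin_intercept(req, keys, "app1", url, now=now)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    bad = process_token_post(*keys, "app1", tampered, url, now=now)
    replayed = process_token_post(*keys, "app1", token, url, now=now + 301)
    other_app = process_token_post(*keys, "app2", token, url, now=now)
    return {"form": auto_post_form(token, "app1"), "ok": ok, "bad": bad,
            "replayed": replayed, "other_app": other_app, "cookie_key": keys[2]}
```

Order matters on the receiving side: the signature is verified over the raw payload before anything in it is parsed, and the secondary password is decrypted only after the audience and age checks pass, so a forged or redirected token never reaches the decryption key.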
10. The plug-in type single sign-on integration method oriented to HTTP identity authentication protocols according to claim 1, characterized in that if the user accesses the Web application system through a Web proxy, the Web proxy authenticates the user through the proxy mode of the HTTP identity authentication protocol, the Web proxy provides an HTTP plug-in mechanism in its HTTP request and response processing channel, and an HTTP plug-in based on this mechanism can intercept the request and response data of the HTTP identity authentication protocol, then the method applies equally with the following corresponding changes:
The Web service component refers to the Web proxy; the Web application component refers to the entire Web system behind the Web proxy; the Web proxy and the entire Web system behind it together form the Web application system; the single sign-on HTTP plug-in is deployed on the Web proxy and is configured on that proxy to intercept all HTTP requests and responses; the HTTP response status code "401" becomes "407"; the HTTP response header WWW-Authenticate becomes the Proxy-Authenticate header; and the HTTP request header Authorization becomes the Proxy-Authorization header.
CN201210067271.XA 2012-03-14 2012-03-14 Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol Expired - Fee Related CN102638454B (en)
Publications (2)

Publication Number Publication Date
CN102638454A CN102638454A (en) 2012-08-15
CN102638454B true CN102638454B (en) 2014-05-21

Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
C14 / GR01: Grant of patent or utility model (granted publication date: 20140521)
CF01: Termination of patent right due to non-payment of annual fee (termination date: 20180314)