CN102801808A - WebLogic-oriented Form identification single sign on integration method - Google Patents

Info

Publication number: CN102801808A
Application number: CN2012102952467A (priority application CN201210295246.7A)
Other versions: CN102801808B (granted publication)
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: identity, user, weblogic, web, page
Inventors: 龙毅宏, 吴志奇, 郭浩平
Original and current assignee: Wuhan University of Technology (WUT)
Legal status: Granted; Expired - Fee Related

Abstract

The invention relates to a WebLogic-oriented Form authentication single sign-on integration method. The method requires a single sign-on filter, an identity service system and a unified user database. The filter is deployed on a WebLogic application server that uses Form authentication; for a user who has not completed authentication, it intercepts the request for the login page and directs the user to the identity service system. After the identity service system authenticates the user, it obtains from the unified user database the user name and password the user needs to log in to WebLogic, places them in an identity assertion, and submits the assertion by automatic POST to the identity assertion verification path on WebLogic. After the filter intercepts and validates the identity assertion, it calls the WebLogic login method with the user name and password from the assertion; if the login succeeds, the user is directed to the protected page he first requested, otherwise the user is directed to the login page to log in again, and the password is updated.

Description

A WebLogic-oriented Form authentication single sign-on integration method
Technical field
The invention belongs to the field of identity authentication and access control in information security; specifically, it is a single sign-on integration method for Form authentication on WebLogic.
Background technology
With the development of enterprise e-commerce and office informatization, enterprises and organizations have deployed large numbers of information systems that provide specific functions (hereafter collectively called application systems). To solve the problem that users must remember and enter different user names and passwords when using different application systems, single sign-on (Single Sign On) technology was proposed. With single sign-on, a user only needs to complete online identity authentication (i.e. login) once in some system using one identity credential (such as a user name and password, or a digital certificate); afterwards the user can access every other system he is permitted to access without entering a user name and password again or logging in with a digital certificate.
Among the application systems deployed today, a large class are systems developed with the Browser/Server architecture (B/S architecture for short) and Web page technology. Such systems are called Web application systems (a Web application system consists of a Web server and the Web applications deployed on it, which are developed with Web page technology and provide specific functionality; a Web application is also called a Web app). To realize single sign-on for Web application systems, a system called an identity service system (Identity Provider, IdP), an online Web service system that provides identity authentication services, was introduced. For Web application systems, the user only needs to log in once (complete online identity authentication) at the identity service system using a browser, and can then access all other Web application systems he is permitted to access within the trust domain of that identity service system without logging in again (i.e. without being authenticated again).
However, for single sign-on technology to be applied successfully, a key problem must be solved: how to interconnect existing Web application systems of all kinds with the identity service system to achieve single sign-on, and in particular how to do so without modifying the Web applications of the existing Web application systems or their original identity authentication mechanisms. This is the problem of single sign-on integration. To achieve single sign-on without changing a Web application system's original identity authentication mechanism, the adopted single sign-on integration scheme must take into account how it combines with that original mechanism. Among the identity authentication mechanisms used by Web application systems today, Form authentication is the most common. It is called Form authentication because the user enters a user name and password through a Form in an HTML (HyperText Markup Language) Web page, and the browser then submits the user name and password to the server for verification.
For the case where a Web application system uses Form authentication, the applicant has previously proposed, in the patent application "Single sign-on integration method for Form authentication in a single sign-on system" (application number 201210083321.3), a single sign-on integration scheme that requires no modification of the Web application system or its identity authentication mechanism. However, that single sign-on integration method does not apply to the case where the Web application is deployed on a WebLogic Application Server (WebLogic for short) and relies on the Form authentication mechanism of WebLogic (the Web container, i.e. Web Container) to authenticate the user. This is because the successful application of the single sign-on integration method described in that application requires an HTTP plug-in (such as a Filter or Valve), developed on the extension mechanism of the Web server (or Web container), that can intercept the HTTP request by which the user's browser submits the user name and password to the verification path (page). But when the Web application system uses the Form authentication mechanism provided by WebLogic, none of the HTTP plug-ins developed on the extension mechanisms WebLogic provides (including an ordinary Servlet Filter and the Servlet Authentication Filter of a WebLogic Authentication Provider) can intercept the HTTP request by which the user's browser submits the user name and password to the verification path (i.e. j_security_check).
The present invention proposes a corresponding single sign-on integration scheme for the case where a Web application is deployed on WebLogic and relies on WebLogic's Form authentication mechanism to authenticate the user.
Summary of the invention
The object of the invention is, for a Web application deployed on a WebLogic application server that uses WebLogic's Form authentication mechanism to authenticate users, to propose a WebLogic-oriented Form authentication single sign-on integration method that realizes single sign-on without modifying the Web application (program) or the identity authentication settings of WebLogic (i.e. without changing the way WebLogic authenticates users, which remains Form authentication).
To achieve this object, the technical scheme adopted by the invention is as follows:
A WebLogic-oriented Form authentication single sign-on integration method, comprising a single sign-on filter (Filter), an identity service system (Identity Provider) and a unified user database, characterized in that:
The single sign-on filter is deployed on a WebLogic application server that uses Form authentication. It intercepts HTTP requests and, according to whether the intercepted HTTP request URL (Uniform Resource Locator) corresponds to the login page of a Web application deployed on WebLogic, to an identity assertion (Identity Assertion) or security token (Security Token) verification path, to a modified user name/password verification path, or to some other page URL, processes the request with the corresponding processing logic.
The identity service system authenticates the user online through an identity authentication page and the identity credential (Credential) submitted by the user. For a user who has completed identity authentication it issues an identity assertion or security token proving the user's identity and identity-related information, and submits the issued identity assertion or security token, via the user's browser, to the Web application system the user wants to access. The identity service system guarantees the validity of the identity assertion or security token through a digital signature made with a symmetric key or an asymmetric key.
The unified user database stores the user's user name and password in each Web application system, and the correspondence between the identity credential with which the user authenticates (logs in) at the identity service system and the user's user name and password in each Web application system.
The Web application system consists of the WebLogic application server and the Web applications deployed on it. One or more Web applications are deployed on WebLogic, and each Web application has a unique application identifier to distinguish it from other applications. Each Web application deployed on WebLogic has its own login page, identity assertion or security token verification path, and modified user name/password verification path. The modified user name/password verification path is a user name/password verification path different from the original user name/password verification path of the Web application deployed on WebLogic (i.e. j_security_check).
When a user who is not logged in accesses a protected page path of a Web application deployed on the WebLogic application server, the WebLogic application server directs the user to the corresponding login page.
The single sign-on filter intercepts the HTTP request that fetches the login page and determines whether the user has completed identity authentication at the identity service system; if not, it directs the user to the identity service system for identity authentication.
After receiving the user's request for identity authentication, the identity service system first confirms whether the Web application system the user wants to access is one it trusts and serves; if not, it returns an error message. Otherwise, the identity service system authenticates the user online based on the identity credential submitted by the user. After completing identity authentication, the identity service system obtains from the unified user database, according to the identity credential used in the user's authentication, the user's user name and password in the Web application system to be accessed, and issues for the user an identity assertion or security token proving the user's identity; the identity assertion or security token contains the user name and password obtained from the unified user database, with the password encrypted. Then the identity service system submits the issued identity assertion or security token, via the user's browser, to the identity assertion or security token verification path of the Web application system the user wants to access.
After the single sign-on filter intercepts the identity assertion or security token submitted to the identity assertion or security token verification path, it verifies the validity of the identity assertion or security token; if verification passes, it obtains from it the user's user name and password in the Web application system to be accessed, and decrypts the password. Then the single sign-on filter calls the corresponding user login method of the WebLogic application server to perform the user login operation; after a successful login, the user is directed to the protected page he first visited.
If, when intercepting the HTTP request that fetches the login page, the single sign-on filter determines that the user has completed identity authentication at the identity service system, it modifies the original user name/password submission path (i.e. the URL of the Form's Action) in the login page of the returned HTTP response to the modified user name/password verification path.
After obtaining the login page of the Web application system to be accessed, the user enters his user name and password for that Web application system and submits them.
After intercepting the HTTP request submitted to the modified user name/password verification path, the single sign-on filter confirms whether the user has completed identity authentication at the identity service system; if not, it directs the user to the identity service system for identity authentication. Otherwise, the single sign-on filter calls the corresponding user login method of the WebLogic application server with the user name and password submitted by the user to perform the login operation; after a successful login, it first updates, in the unified user database, the user's password corresponding to the current user name in the Web application system being accessed, and then directs the user to the protected page he first visited.
Once the user has completed identity authentication at the identity service system and completed login to the Web application system to be accessed through the single sign-on filter, he can access the protected page (path).
The innovation of the invention is that, through a single sign-on filter, a Web application system deployed on WebLogic that performs user login based on WebLogic's Form authentication can realize single sign-on without any modification (that is, without modifying the Web application or the identity authentication settings of WebLogic).
Description of drawings
Fig. 1 is an overall structural block diagram of the invention.
Embodiment
The invention is described in further detail below with reference to the drawing.
The invention is a WebLogic-oriented Form authentication single sign-on integration method. Its overall structure, shown in Figure 1, comprises a single sign-on filter deployed on the WebLogic application server, an identity service system and a unified user database.
For the case where the intercepted HTTP request URL fetches the login page of a Web application, the single sign-on filter deployed on the WebLogic application server processes the request as follows:
Step I: let the HTTP request that fetches the login page pass through;
Step II: intercept the HTTP response to that HTTP request; determine, from the information kept in the session (Session) object, whether the user has completed identity authentication at the identity service system. If so, modify the original user name/password submission path in the login page of the HTTP response to the modified user name/password verification path, and return the modified HTTP response. Otherwise, direct the user's browser to the identity authentication page of the identity service system by URL redirection (returning HTTP response code 302 and a Location response header), with the application identifier of the Web application the user currently wants to access included in the redirect URL.
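As an added illustration (not code from the patent), the login-page branch below shows how an ordinary Servlet Filter can implement steps I and II: buffer WebLogic's login page and rewrite the Form action from j_security_check to the modified verification path, or redirect to the identity service system with the application identifier. The IdP URL, application identifier, modified path and session attribute name are placeholders, and the login page is assumed to be rendered through the response writer (as a JSP is).

```java
import java.io.CharArrayWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

/**
 * Login-page branch of the single sign-on filter (steps I and II).
 * Map this filter to the Web application's login page URL only (in web.xml).
 * All URLs, attribute names and the application identifier are placeholders.
 */
public class LoginPageFilter implements Filter {
    // Placeholder: identity authentication page of the identity service system.
    static final String IDP_AUTH_PAGE = "https://idp.example.org/authenticate";
    // Placeholder: unique application identifier of this Web application.
    static final String APP_ID = "app-placeholder";
    // Modified user name/password verification path; must differ from j_security_check.
    static final String MODIFIED_LOGIN_PATH = "sso_login_check";
    // Session flag set by the verification-path branch once the IdP assertion was validated.
    static final String ATTR_IDP_AUTHENTICATED = "sso.idpAuthenticated";

    // Matches a form action whose path ends in j_security_check; group 2 keeps any prefix.
    private static final Pattern J_SECURITY_CHECK_ACTION = Pattern.compile(
            "(?i)(action\\s*=\\s*[\"']?)([^\"'\\s>]*?)j_security_check");

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAuthenticatedAtIdp(request.getSession(false))) {
            // Step II, "otherwise" branch: 302 + Location to the IdP, carrying the
            // application identifier so the IdP can check that it serves this application.
            // The login page is not needed in this branch, so the chain is not invoked.
            response.sendRedirect(IDP_AUTH_PAGE + "?app=" + URLEncoder.encode(APP_ID, "UTF-8"));
            return;
        }

        // Step I: let the request reach WebLogic's login page, but capture its output.
        BufferedResponse buffered = new BufferedResponse(response);
        chain.doFilter(request, buffered);

        // Step II: point the Form action at the modified verification path, so that the
        // submitted user name/password become interceptable by the filter.
        String page = rewriteFormAction(buffered.getBody(), MODIFIED_LOGIN_PATH);
        response.setContentType(buffered.getContentType());
        response.getWriter().write(page);
    }

    static boolean isAuthenticatedAtIdp(HttpSession session) {
        return session != null
                && Boolean.TRUE.equals(session.getAttribute(ATTR_IDP_AUTHENTICATED));
    }

    /** Replaces every form action ending in j_security_check with the modified path. */
    static String rewriteFormAction(String html, String modifiedPath) {
        Matcher m = J_SECURITY_CHECK_ACTION.matcher(html);
        return m.replaceAll("$1$2" + Matcher.quoteReplacement(modifiedPath));
    }

    /** Captures the login page written through getWriter() so the action can be rewritten. */
    static class BufferedResponse extends HttpServletResponseWrapper {
        private final CharArrayWriter buffer = new CharArrayWriter();
        private final PrintWriter writer = new PrintWriter(buffer);

        BufferedResponse(HttpServletResponse response) { super(response); }

        @Override public PrintWriter getWriter() { return writer; }
        // The original Content-Length no longer applies once the action URL is rewritten.
        @Override public void setContentLength(int len) {}

        String getBody() { writer.flush(); return buffer.toString(); }
    }
}
```

The rewrite leaves the j_username and j_password field names untouched, which is what lets the unmodified login page keep working against the modified path.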
The identity service system processes the HTTP request with which the user accesses the identity authentication page as follows:
Step 1: from the Web application identifier carried in the HTTP request URL, confirm whether the Web application the user wants to access is one the identity service system trusts and serves; if not, return an error message; otherwise, go to step 2;
Step 2: confirm whether the user has previously completed identity authentication at the identity service system; if so, go to step 3; otherwise, return the identity authentication page and authenticate the user with the corresponding user identity credential (such as a user name and password, or a digital certificate), going to step 3 after successful authentication;
Step 3: according to the identity credential used in the user's authentication, obtain from the unified user database the user's corresponding user name and password in the Web application to be accessed;
Step 4: issue for the user an identity assertion or security token proving his identity and related identity information, which contains the user's corresponding user name and password in the Web application to be accessed, with the password encrypted; then return the identity assertion or security token to the user's browser in the form of an HTML Form, and submit it by automatic POST submission (Submit) of the Form to the identity assertion or security token verification path of the Web application deployed on WebLogic that the user wants to access.
For the case where the intercepted HTTP request URL is the identity assertion or security token verification path of a Web application, the single sign-on filter deployed on WebLogic processes the request as follows:
Step 1: verify the validity of the identity assertion or security token; if verification fails, return an error message; otherwise, go to step 2;
Step 2: obtain from the identity assertion or security token the user's user name and password in the Web application to be accessed, and decrypt the encrypted password;
Step 3: save the user's identity information in the session object, including the user's user name in the Web application to be accessed obtained in step 2 and a flag indicating that the user has completed identity authentication at the identity service system;
Step 4: call the weak method of the ServletAuthentication class provided by WebLogic, passing in the user's user name and password in the Web application to be accessed obtained in step 2, to authenticate the user, i.e. to perform the WebLogic login operation; if the value returned by the call indicates that authentication failed, i.e. the login failed, return an error page; otherwise, go to step 5;
Step 5: check whether the session object contains the URL, saved by WebLogic, of the protected page the user first visited; if so, guide the user by URL redirection to the protected page he first visited; otherwise, guide the user by URL redirection to a default page.
For the case where the intercepted HTTP request URL is the modified user name/password verification path of a Web application, the single sign-on filter deployed on WebLogic processes the request as follows:
Step A: check through the session object whether the user has completed identity authentication at the identity service system; if so, go to step B; otherwise, direct the user by URL redirection to the login page of the Web application to be accessed, and finish processing;
Step B: obtain from the HTTP request the user name and password submitted by the user; if they can be obtained, go to step C; otherwise, direct the user by URL redirection to the login page, and finish processing;
Step C: check whether the user name obtained in step B is consistent with the user name for the current Web application saved in the session object, i.e. the one returned from the identity service system; if consistent, go to step D; otherwise, direct the user by URL redirection to the login page, and finish processing;
Step D: call the weak method of the ServletAuthentication class provided by WebLogic, passing in the user name and password obtained from the HTTP request in step B, to authenticate the user; if the value returned by the call indicates that authentication succeeded, go to step E; otherwise, direct the user by URL redirection to the login page, and finish processing;
Step E: using the user name and password obtained from the HTTP request in step B, update in the unified user database the user's password corresponding to the current user name in the Web application currently being accessed;
Step F: check whether the session object contains the URL, saved by WebLogic, of the protected page the user first visited; if so, guide the user by URL redirection to the protected page he first visited; otherwise, guide the user by URL redirection to a default page.
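The verification-path steps 1 to 5 and the modified-path steps A to F, written as an added example rather than the patent's own code: the WebLogic login operation is ServletAuthentication.weak, while the assertion verifier, the unified-user-database hook, the assertion field name, the page paths and the session attribute names (including the one under which WebLogic keeps the first-visited URL) are assumptions or placeholders.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import weblogic.servlet.security.ServletAuthentication;

/**
 * Verification-path (steps 1-5) and modified-login-path (steps A-F) branches of the
 * single sign-on filter. URL dispatch and the Filter boilerplate are left out; the two
 * interfaces are hypothetical hooks, not WebLogic or patent APIs.
 */
public class SsoLoginHandler {
    static final String ATTR_IDP_AUTHENTICATED = "sso.idpAuthenticated";
    static final String ATTR_APP_USERNAME = "sso.appUsername";
    // Placeholder: session attribute under which WebLogic keeps the URL of the protected
    // page the user first requested (look the name up for the WebLogic version in use).
    static final String ATTR_WEBLOGIC_SAVED_URL = "<weblogic-saved-request-url-attribute>";
    static final String LOGIN_PAGE = "/login.jsp";      // placeholder
    static final String DEFAULT_PAGE = "/index.jsp";    // placeholder
    static final String ERROR_PAGE = "/sso_error.jsp";  // placeholder
    static final String ASSERTION_FIELD = "assertion";  // placeholder: auto-POSTed form field

    /** Hypothetical hook: checks the IdP signature on the assertion/token and, only if it is
     *  valid, returns {userName, decryptedPassword}; returns null for an invalid assertion. */
    interface TokenVerifier { String[] verifyAndExtract(String token); }
    /** Hypothetical hook onto the unified user database (step E). */
    interface UnifiedUserDb { void updatePassword(String appId, String user, String password); }

    private final TokenVerifier verifier;
    private final UnifiedUserDb userDb;
    private final String appId;

    SsoLoginHandler(TokenVerifier verifier, UnifiedUserDb userDb, String appId) {
        this.verifier = verifier; this.userDb = userDb; this.appId = appId;
    }

    /** Verification path: the IdP auto-POSTed the assertion or security token here. */
    void handleAssertion(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String[] identity = verifier.verifyAndExtract(request.getParameter(ASSERTION_FIELD));
        if (identity == null) {                               // step 1: signature invalid
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }
        String username = identity[0], password = identity[1]; // step 2: password decrypted
        HttpSession session = request.getSession(true);        // step 3
        session.setAttribute(ATTR_IDP_AUTHENTICATED, Boolean.TRUE);
        session.setAttribute(ATTR_APP_USERNAME, username);
        if (ServletAuthentication.weak(username, password, request)   // step 4: WebLogic login
                != ServletAuthentication.AUTHENTICATED) {
            response.sendRedirect(request.getContextPath() + ERROR_PAGE);
            return;
        }
        redirectToFirstVisitedPage(request, response);         // step 5
    }

    /** Modified user name/password verification path (stands in for j_security_check). */
    void handleModifiedLogin(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        HttpSession session = request.getSession(false);
        String loginPage = request.getContextPath() + LOGIN_PAGE;
        if (session == null
                || !Boolean.TRUE.equals(session.getAttribute(ATTR_IDP_AUTHENTICATED))) {
            response.sendRedirect(loginPage);                  // step A: no IdP authentication
            return;
        }
        // Step B: the unmodified login page still posts the standard Form login field names.
        String username = request.getParameter("j_username");
        String password = request.getParameter("j_password");
        if (username == null || password == null) { response.sendRedirect(loginPage); return; }
        // Step C: the account being logged into must be the one the IdP asserted; otherwise
        // step E would let the user overwrite another account's password in the database.
        if (!username.equals(session.getAttribute(ATTR_APP_USERNAME))) {
            response.sendRedirect(loginPage);
            return;
        }
        if (ServletAuthentication.weak(username, password, request)   // step D
                != ServletAuthentication.AUTHENTICATED) {
            response.sendRedirect(loginPage);
            return;
        }
        userDb.updatePassword(appId, username, password);      // step E
        redirectToFirstVisitedPage(request, response);         // step F
    }

    /** Steps 5 and F: the protected page the user first requested, else a default page. */
    static void redirectToFirstVisitedPage(HttpServletRequest request,
                                           HttpServletResponse response) throws IOException {
        HttpSession session = request.getSession(false);   // re-read: weak() may touch the session
        Object saved = session == null ? null : session.getAttribute(ATTR_WEBLOGIC_SAVED_URL);
        response.sendRedirect(saved != null ? saved.toString()
                                            : request.getContextPath() + DEFAULT_PAGE);
    }
}
```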
For the case where the intercepted HTTP request URL corresponds neither to the login page of a Web application, nor to an identity assertion or security token verification path, nor to a modified user name/password verification path, the single sign-on filter deployed on WebLogic processes the request as follows:
Step 1: check whether the session object contains the URL, saved by WebLogic, of the protected page the user first visited; if not, let the HTTP request pass through; otherwise, go to step 2;
Step 2: check whether the method of the current HTTP request is GET or POST; if POST, let the HTTP request pass through; otherwise, go to step 3;
Step 3: check whether the URL of the current HTTP request equals the URL, saved by WebLogic in the session object, of the protected page the user first visited; if not, let the HTTP request pass through; otherwise, go to step 4;
Step 4: check whether the method of the first-visited protected page saved by WebLogic in the session object is GET or POST; if GET, clear the information about the first-visited protected page saved by WebLogic in the session object, then let the HTTP request pass through; otherwise, go to step 5;
Step 5: change the method of the current HTTP request to POST; take the POST parameters submitted when the user first visited the protected page, as saved by WebLogic in the session object, as the POST parameters of the HTTP request now changed to the POST method; then clear the information about the first-visited protected page saved by WebLogic in the session object, and let the modified HTTP request pass through.
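An added example (not from the patent) of the POST replay in steps 1 to 5 using a Servlet request wrapper: the GET that follows the post-login redirect is presented to the application as the originally posted request. The SavedRequest holder and the session attribute name stand in for however the saved first request is kept and are assumptions; the saved URL is assumed to be an absolute URL comparable with getRequestURL().

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * "Other URL" branch (steps 1-5). After the filter logs the user in, the redirect to the
 * first-visited protected page arrives as a GET; if the first visit was a POST, it is
 * replayed here with the saved parameters.
 */
public class PostReplayHandler {
    // Placeholder: session attribute holding the saved first-visited request.
    static final String ATTR_SAVED_REQUEST = "<saved-request-session-attribute>";

    /** Hypothetical holder of the first-visited protected request: URL, method, POST data. */
    static class SavedRequest {
        final String url; final String method; final Map<String, String[]> params;
        SavedRequest(String url, String method, Map<String, String[]> params) {
            this.url = url; this.method = method; this.params = params;
        }
    }

    void handle(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = request.getSession(false);
        SavedRequest saved = session == null
                ? null : (SavedRequest) session.getAttribute(ATTR_SAVED_REQUEST);
        if (saved == null                                                   // step 1
                || "POST".equalsIgnoreCase(request.getMethod())            // step 2
                || !saved.url.equals(request.getRequestURL().toString())) { // step 3
            chain.doFilter(request, response);
            return;
        }
        // Steps 4 and 5 both clear the saved request: it is replayed at most once.
        session.removeAttribute(ATTR_SAVED_REQUEST);
        if (!"POST".equalsIgnoreCase(saved.method)) {                       // step 4
            chain.doFilter(request, response);
            return;
        }
        chain.doFilter(new ReplayedPostRequest(request, saved.params), response); // step 5
    }

    /** Makes the current GET look like the saved POST to everything downstream. */
    static class ReplayedPostRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;

        ReplayedPostRequest(HttpServletRequest request, Map<String, String[]> savedParams) {
            super(request);
            this.params = Collections.unmodifiableMap(new HashMap<String, String[]>(savedParams));
        }
        @Override public String getMethod() { return "POST"; }
        @Override public Map<String, String[]> getParameterMap() { return params; }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(params.keySet());
        }
        @Override public String[] getParameterValues(String name) {
            String[] v = params.get(name);
            return v == null ? null : v.clone();
        }
        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return v == null || v.length == 0 ? null : v[0];
        }
    }
}
```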
The function of the single sign-on filter can be implemented either by an ordinary Servlet filter (Servlet Filter) module alone, or jointly by an ordinary Servlet filter module and a Servlet authentication filter (Servlet Authentication Filter) module of an Authentication Provider of the WebLogic application server.
If the function of the single sign-on filter is implemented by an ordinary Servlet filter module alone, then the login page, identity assertion or security token verification path and modified user name/password verification path of a Web application deployed on the WebLogic application server are located in the unprotected area of the WebLogic application server, and all HTTP requests, including those submitted to protected paths and those submitted to unprotected paths, are intercepted and processed by that ordinary Servlet filter module.
If the function of the single sign-on filter is implemented jointly by an ordinary Servlet filter module and a Servlet authentication filter module of an Authentication Provider of the WebLogic application server, then the identity assertion or security token verification path and the modified user name/password verification path are located partly or entirely in the protected area of the WebLogic application server; HTTP requests submitted to the relevant unprotected paths are intercepted and processed by the ordinary Servlet filter; HTTP requests submitted to a protected identity assertion or security token verification path, and/or to a protected modified user name/password verification path, are intercepted and processed by the Servlet authentication filter module; and all HTTP requests submitted to other protected paths are intercepted and processed either by the ordinary Servlet filter or by the Servlet authentication filter module.
The session object used by the single sign-on filter is a Servlet Java Session object.
The identity service system can be implemented with any Web development technology (such as J2EE) according to the processing flow of the identity service system described above.
The identity assertion or security token can be a SAML (Security Assertion Markup Language) assertion (including an authentication assertion and an attribute assertion), a security token of the WS-Federation Passive Requestor Profile (WS-FPRP), or a custom security token; the single sign-on filter and the identity service system can interact using the SAML protocol, the WS-FPRP protocol, or a custom protocol. If the identity assertion or security token and the single sign-on protocol are based on XML (eXtensible Markup Language), such as SAML or WS-FPRP, then the various mature Java class libraries and toolkits (such as the Java API for XML Processing, JAXP) can be used to process the protocol and the identity assertion or security token; for the implementation of data encryption and digital signatures, the various mature Java class libraries and toolkits (such as the Java Cryptography Extension) can likewise be used.
The unified user database can be implemented on any relational database (such as MySQL, SQL Server or Oracle) or directory database (LDAP).
Content not described in detail in this specification belongs to the prior art known to those skilled in the art.

Claims (9)

1. single-sign-on integrated approach of differentiating towards the Form identity of WebLogic, this method comprises single-sign-on filter, identity service system and unified user database, wherein:
Single-sign-on filter: be deployed on the WebLogic application server that adopts the discriminating of Form identity; Interception HTTP request; And be to use pairing login page corresponding to the Web that is deployed on the WebLogic application server according to the HTTP request URL of interception, still identity assertion or security token checking path still is amended user name, password authentication path; Still the situation of other pages URL is carried out relevant treatment by different processing logics respectively;
The identity service system: the identity documents of differentiating the page and user's submission through identity is carried out the online identity discriminating to the user; For the user who accomplishes the identity discriminating signs and issues identity assertion or the security token that proves its identity and identity-related information, and identity assertion of being signed and issued or security token are submitted to the Web application system that the user will visit through user browser; Said identity service system guarantees the validity of identity assertion or security token through the digital signature of symmetric key or unsymmetrical key;
Unified user database: be used for preserving user name, the password of user, and the user carries out user name in each Web application system of identity documents that identity differentiates and its, the corresponding relation of password in the identity service system in each Web application system;
Said Web application system is made up of WebLogic application server and the Web application that is deployed on the said WebLogic application server; The one or more Web of said WebLogic application server deploy use, and each Web uses all has a unique application identities, to distinguish different application; Be deployed in each Web on the WebLogic application server use login page, identity assertion or security token checking path and amended user name are arranged independently, the password authentication path; Said amended user name, password authentication path are one and use pairing original user name, a user name, password authentication path inequality, password authentication path with the Web that is deployed on the said WebLogic application server.
2. The WebLogic-oriented Form authentication single sign-on integration method according to claim 1, characterized in that, when the intercepted HTTP request URL is a request for the login page of a Web application, said single sign-on filter processes it as follows:
Step I: let the HTTP request for the login page pass through;
Step II: intercept the HTTP response to said HTTP request; determine from the information kept in the session object whether the user has completed authentication in the identity service system; if so, change the submission path for the user name and password in the login page contained in the HTTP response from the original path to said modified user name/password verification path, and return the modified HTTP response; otherwise, redirect the user's browser by URL redirection to the identity authentication page of the identity service system, the redirect URL carrying the application identifier of the Web application the user is currently accessing.
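The login-page branch of claim 2, written as an added example in the form of a plain Servlet filter; this is not the patent's own code. It assumes the Servlet 2.5 API (as on WebLogic 10.3), takes the login page, the modified verification path, the identity service URL and the application identifier from filter init parameters, and uses an assumed session attribute name (`sso.authenticated`) for the "authentication completed" flag. The only WebLogic-specific fact relied on is that container form login posts to `j_security_check`, which the Servlet specification defines.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;

// Login-page branch of the single sign-on filter (claim 2). Servlet 2.5 API, as on WebLogic 10.3.
public class LoginPageFilter implements Filter {
    // Session flag set once the assertion-verification branch has accepted an identity assertion
    // (claim 4, step 3). The attribute name is an assumption, not one the patent specifies.
    static final String SSO_AUTHENTICATED = "sso.authenticated";

    private String loginPage;          // context-relative login page, e.g. /login.jsp (init parameter)
    private String modifiedLoginPath;  // replaces j_security_check in the form action, e.g. sso_login
    private String identityServiceUrl; // identity authentication page of the identity service (placeholder URL)
    private String appId;              // this application's unique identifier (claim 1)

    @Override
    public void init(FilterConfig cfg) {
        loginPage = cfg.getInitParameter("loginPage");
        modifiedLoginPath = cfg.getInitParameter("modifiedLoginPath");
        identityServiceUrl = cfg.getInitParameter("identityServiceUrl");
        appId = cfg.getInitParameter("appId");
    }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (!req.getRequestURI().equals(req.getContextPath() + loginPage)) {
            chain.doFilter(rq, rs); // other URLs belong to the other branches of the filter
            return;
        }
        HttpSession session = req.getSession(false);
        boolean ssoDone = session != null && Boolean.TRUE.equals(session.getAttribute(SSO_AUTHENTICATED));
        if (!ssoDone) {
            // Step II, "otherwise": the login page body would be discarded anyway, so redirect at once.
            // The application identifier lets the identity service check that this application is
            // one it trusts (claim 3, first step).
            res.sendRedirect(identityServiceUrl + "?app=" + URLEncoder.encode(appId, "UTF-8"));
            return;
        }
        // Step I: let the request reach the login page. Step II: buffer the response so the form's
        // submission path can be rewritten before the page is returned to the browser.
        BufferingResponse buffered = new BufferingResponse(res);
        chain.doFilter(rq, buffered);
        // Container form authentication posts to j_security_check (Servlet specification); pointing
        // the form at the modified path makes the SSO filter, not the container, receive the credentials.
        String html = buffered.body().replace("j_security_check", modifiedLoginPath);
        byte[] out = html.getBytes(StandardCharsets.UTF_8);
        res.setContentType(buffered.getContentType());
        res.setContentLength(out.length);
        res.getOutputStream().write(out);
    }

    @Override
    public void destroy() { }

    // Captures the servlet's output instead of streaming it to the client.
    static class BufferingResponse extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream buf = new ByteArrayOutputStream();
        private PrintWriter writer;

        BufferingResponse(HttpServletResponse r) { super(r); }

        @Override
        public ServletOutputStream getOutputStream() {
            return new ServletOutputStream() {
                @Override public void write(int b) { buf.write(b); }
            };
        }

        @Override
        public PrintWriter getWriter() {
            if (writer == null) {
                writer = new PrintWriter(new OutputStreamWriter(buf, StandardCharsets.UTF_8), true);
            }
            return writer;
        }

        String body() {
            if (writer != null) writer.flush();
            return new String(buf.toByteArray(), StandardCharsets.UTF_8);
        }
    }
}
```

The filter is mapped to the login page URL in `web.xml`. Rewriting the response rather than the login page itself is what keeps the integration transparent to the application: the JSP stays unchanged, and only a browser that already carries the SSO flag ever sees the modified action.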
3. The WebLogic-oriented Form authentication single sign-on integration method according to claim 1, characterized in that said identity service system handles the HTTP request by which the user accesses the identity authentication page as follows:
First step: determine, from the Web application identifier carried in the HTTP request URL, whether the Web application the user wants to access is one that the identity service system trusts and provides service for; if not, return an error message; otherwise, go to the second step;
Second step: determine whether the user has previously completed authentication in the identity service system; if so, go to the third step; otherwise, return the identity authentication page, authenticate the user with the corresponding identity credentials, and go to the third step once authentication succeeds;
Third step: using the identity credentials with which the user authenticated, obtain from the unified user database the user's corresponding user name and password in the Web application to be accessed;
Fourth step: issue for the user an identity assertion or security token proving the user's identity and related identity information; the identity assertion or security token contains the user's corresponding user name and password in the Web application to be accessed, with the password encrypted; then return the identity assertion or security token to the user's browser in the form of an HTML Form, and submit it, through the Form's automatic POST submission, to the identity assertion or security token verification path of the Web application, deployed on the WebLogic application server, that the user needs to access.
4. The WebLogic-oriented Form authentication single sign-on integration method according to claim 1, characterized in that, when the intercepted HTTP request URL is the identity assertion or security token verification path of a Web application, said single sign-on filter processes it as follows:
Step 1: verify the validity of the identity assertion or security token; if verification fails, return an error message; otherwise, go to step 2;
Step 2: obtain from the identity assertion or security token the user's user name and password in the Web application to be accessed, and decrypt the encrypted password;
Step 3: save the user's identity information in the session object, including the user's user name in the Web application to be accessed, obtained in step 2, and a flag indicating that the user has completed authentication in the identity service system;
Step 4: call the weak method of the ServletAuthentication class provided by the WebLogic application server, passing in the user name and password in the Web application obtained in step 2, to authenticate the user, i.e. to perform the login operation on the WebLogic application server; if the returned information shows that authentication did not pass, i.e. login failed, return an error page; otherwise, go to step 5;
Step 5: check whether the session object contains the URL, saved by the WebLogic application server, of the protected page the user first requested; if so, redirect the user by URL redirection to that protected page; otherwise, redirect the user to a default page.
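The identity assertion of claim 3 (fourth step) and its checking in claim 4 (steps 1 and 2), as an added example with a token format of my own design; this is not the patent's code and the patent does not fix a format. It assumes Java 8 or later, realises the symmetric-key "digital signature" of claim 1 as an HMAC-SHA256 under a key shared between the identity service and the filter, encrypts the application password with AES-GCM under a second shared key, and binds the token to the application identifier and an issue time. Key values, the application identifier `hr-portal` and the verification URL in `main` are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Token format of this example: base64url(appId|username|issuedAtMillis|encPassword) "." base64url(HMAC-SHA256).
// The symmetric-key "digital signature" of claim 1 is an HMAC under a key shared between the
// identity service and the filter; the password is AES-GCM encrypted under a second shared key.
public class IdentityAssertion {
    public final String appId, username, password; // password is plaintext only after verify()
    public final long issuedAt;

    private IdentityAssertion(String appId, String username, String password, long issuedAt) {
        this.appId = appId; this.username = username; this.password = password; this.issuedAt = issuedAt;
    }

    static final long MAX_AGE_MS = 60_000; // the auto-POST follows immediately, so a short lifetime is enough
    static final SecureRandom RNG = new SecureRandom();
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // Identity service side (claim 3, fourth step): encrypt the application password, MAC the payload.
    public static String issue(byte[] macKey, byte[] aesKey, String appId, String username,
                               String appPassword, long nowMs) throws GeneralSecurityException {
        if (appId.contains("|") || username.contains("|")) throw new GeneralSecurityException("'|' is the field separator");
        String payload = String.join("|", appId, username, Long.toString(nowMs), encrypt(aesKey, appPassword));
        String p = B64.encodeToString(payload.getBytes(StandardCharsets.UTF_8));
        return p + "." + B64.encodeToString(hmac(macKey, p));
    }

    // Filter side (claim 4, steps 1 and 2): check MAC, audience and age before decrypting anything.
    public static IdentityAssertion verify(byte[] macKey, byte[] aesKey, String token,
                                           String expectedAppId, long nowMs) throws GeneralSecurityException {
        int dot = token == null ? -1 : token.lastIndexOf('.');
        if (dot < 0) throw new GeneralSecurityException("malformed token");
        String p = token.substring(0, dot);
        if (!MessageDigest.isEqual(hmac(macKey, p), B64D.decode(token.substring(dot + 1)))) {
            throw new GeneralSecurityException("bad signature"); // constant-time comparison
        }
        String[] f = new String(B64D.decode(p), StandardCharsets.UTF_8).split("\\|", -1);
        if (f.length != 4) throw new GeneralSecurityException("malformed payload");
        if (!f[0].equals(expectedAppId)) throw new GeneralSecurityException("token issued for another application");
        long issuedAt = Long.parseLong(f[2]);
        if (issuedAt > nowMs || nowMs - issuedAt > MAX_AGE_MS) throw new GeneralSecurityException("token expired");
        return new IdentityAssertion(f[0], f[1], decrypt(aesKey, f[3]), issuedAt);
    }

    // The page returned to the browser (claim 3, fourth step): a form that submits itself to the
    // application's verification path. Values are HTML-escaped as a matter of course.
    public static String autoPostForm(String verifyUrl, String token) {
        return "<html><body onload=\"document.forms[0].submit()\">"
             + "<form method=\"POST\" action=\"" + escape(verifyUrl) + "\">"
             + "<input type=\"hidden\" name=\"assertion\" value=\"" + escape(token) + "\"/>"
             + "<noscript><input type=\"submit\" value=\"Continue\"/></noscript>"
             + "</form></body></html>";
    }

    static byte[] hmac(byte[] key, String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }

    static String encrypt(byte[] key, String plain) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh nonce per token; GCM must never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return B64.encodeToString(iv) + ":" + B64.encodeToString(c.doFinal(plain.getBytes(StandardCharsets.UTF_8)));
    }

    static String decrypt(byte[] key, String enc) throws GeneralSecurityException {
        String[] parts = enc.split(":", 2);
        if (parts.length != 2) throw new GeneralSecurityException("malformed ciphertext");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, B64D.decode(parts[0])));
        return new String(c.doFinal(B64D.decode(parts[1])), StandardCharsets.UTF_8);
    }

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) throws Exception {
        byte[] macKey = new byte[32], aesKey = new byte[16]; // constructed demo keys
        RNG.nextBytes(macKey);
        RNG.nextBytes(aesKey);
        long now = System.currentTimeMillis();
        String token = issue(macKey, aesKey, "hr-portal", "alice", "app-secret-1", now);
        IdentityAssertion a = verify(macKey, aesKey, token, "hr-portal", now + 1000);
        System.out.println("verified " + a.username + " for " + a.appId);
        System.out.println(autoPostForm("https://app.example/hr/sso_verify", token));
    }
}
```

Two points matter in deployment. The token carries an application password, so the application identifier check in `verify` is what stops an assertion minted for one application from being replayed against another that shares the keys; and because the browser POSTs the token in the clear, transport must be TLS and the filter should additionally remember tokens it has already accepted within `MAX_AGE_MS`, which this example leaves to the caller.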
5. The WebLogic-oriented Form authentication single sign-on integration method according to claim 1, characterized in that, when the intercepted HTTP request URL is the modified user name/password verification path of a Web application, said single sign-on filter processes it as follows:
Step A: check, via the session object, whether the user has completed authentication in the identity service system; if so, go to step B; otherwise, redirect the user by URL redirection to the login page of the Web application to be accessed, and finish processing;
Step B: obtain from the HTTP request the user name and password submitted by the user; if they can be obtained successfully, go to step C; otherwise, redirect the user by URL redirection to the login page, and finish processing;
Step C: check whether the user name obtained in step B is consistent with the user's user name in the current Web application that was returned from the identity service system and saved in the session object; if consistent, go to step D; otherwise, redirect the user by URL redirection to the login page, and finish processing;
Step D: call the weak method of the ServletAuthentication class provided by the WebLogic application server, passing in the user name and password obtained from the HTTP request in step B, to authenticate the user; if the returned information shows that authentication succeeded, go to step E; otherwise, redirect the user by URL redirection to the login page, and finish processing;
Step E: using the user name and password obtained from the HTTP request in step B, update in the unified user database the password corresponding to the user's current user name in the Web application currently being accessed;
Step F: check whether the session object contains the URL, saved by WebLogic, of the protected page the user first requested; if so, redirect the user by URL redirection to that protected page; otherwise, redirect the user to a default page.
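The verification-path branch of claim 4 (steps 3 to 5) and the modified-login-path branch of claim 5, as an added example filter that is not the patent's code. It uses the real WebLogic API `weblogic.servlet.security.ServletAuthentication.weak(username, password, request)`, which returns `ServletAuthentication.AUTHENTICATED` on success. Everything else is assumed: assertion checking is delegated to an `AssertionVerifier` interface (an adapter over whatever token codec is in use), the unified user database is a `UserStore` interface, both obtained from servlet-context attributes that a startup listener is assumed to publish, the session attribute names are placeholders, and `wl.saved.url` stands in for the attribute under which WebLogic keeps the first protected URL, which the patent refers to but does not name.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;
import weblogic.servlet.security.ServletAuthentication;

// Verification-path and modified-login-path branches of the single sign-on filter (claims 4 and 5).
public class SsoLoginFilter implements Filter {
    /** Claim 4 steps 1-2: validates the token and returns {username, decrypted password}. */
    public interface AssertionVerifier { String[] verify(String token) throws Exception; }
    /** Claim 5 step E: write access to the unified user database. */
    public interface UserStore { void updateAppPassword(String appId, String username, String password); }

    static final String SSO_AUTHENTICATED = "sso.authenticated"; // assumed attribute names
    static final String SSO_USERNAME = "sso.username";
    static final String SAVED_URL = "wl.saved.url"; // placeholder: where WebLogic keeps the first protected URL

    private AssertionVerifier verifier;
    private UserStore users;
    private String appId, verifyPath, modifiedLoginPath, loginPage, defaultPage;

    @Override
    public void init(FilterConfig cfg) {
        ServletContext ctx = cfg.getServletContext();
        verifier = (AssertionVerifier) ctx.getAttribute("sso.verifier");  // published by a startup listener (assumed)
        users = (UserStore) ctx.getAttribute("sso.userStore");
        appId = cfg.getInitParameter("appId");                          // unique application identifier (claim 1)
        verifyPath = cfg.getInitParameter("verifyPath");                // e.g. /sso_verify
        modifiedLoginPath = cfg.getInitParameter("modifiedLoginPath");  // e.g. /sso_login
        loginPage = cfg.getInitParameter("loginPage");                  // e.g. /login.jsp
        defaultPage = cfg.getInitParameter("defaultPage");              // e.g. /index.jsp
    }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());
        if (path.equals(verifyPath)) handleAssertion(req, res);
        else if (path.equals(modifiedLoginPath)) handleModifiedLogin(req, res);
        else chain.doFilter(rq, rs); // login page and protected pages: other branches of the filter
    }

    // Claim 4, steps 3-5 (steps 1-2 are inside the verifier).
    private void handleAssertion(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String[] cred;
        try {
            cred = verifier.verify(req.getParameter("assertion"));
        } catch (Exception e) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid identity assertion");
            return;
        }
        HttpSession s = req.getSession(true);
        s.setAttribute(SSO_USERNAME, cred[0]);
        s.setAttribute(SSO_AUTHENTICATED, Boolean.TRUE);
        // Step 4: container login. A failure usually means the password in the unified user database
        // is stale; the error page should lead to the login page, which now posts to the modified
        // path (claim 5), so that the stored password gets refreshed.
        if (ServletAuthentication.weak(cred[0], cred[1], req) != ServletAuthentication.AUTHENTICATED) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "login failed");
            return;
        }
        redirectAfterLogin(req, res);
    }

    // Claim 5, steps A to F.
    private void handleModifiedLogin(HttpServletRequest req, HttpServletResponse res) throws IOException {
        String login = req.getContextPath() + loginPage;
        HttpSession s = req.getSession(false);
        if (s == null || !Boolean.TRUE.equals(s.getAttribute(SSO_AUTHENTICATED))) { res.sendRedirect(login); return; } // A
        String u = req.getParameter("j_username"), p = req.getParameter("j_password"); // Servlet-spec field names
        if (u == null || u.isEmpty() || p == null) { res.sendRedirect(login); return; }                          // B
        // Step C is the control that matters: only the account the identity service vouched for in this
        // session may have its stored password overwritten in step E.
        if (!u.equals(s.getAttribute(SSO_USERNAME))) { res.sendRedirect(login); return; }                       // C
        if (ServletAuthentication.weak(u, p, req) != ServletAuthentication.AUTHENTICATED) { res.sendRedirect(login); return; } // D
        users.updateAppPassword(appId, u, p);                                                                    // E
        redirectAfterLogin(req, res);                                                                            // F
    }

    // Claim 4 step 5 and claim 5 step F: back to the protected page first requested, else a default page.
    private void redirectAfterLogin(HttpServletRequest req, HttpServletResponse res) throws IOException {
        HttpSession s = req.getSession(false);
        Object saved = s == null ? null : s.getAttribute(SAVED_URL);
        res.sendRedirect(saved != null ? saved.toString() : req.getContextPath() + defaultPage);
    }
}
```

The ordering in `handleModifiedLogin` is deliberate: the user name comparison (step C) runs before the container login, so a submitted password is only ever tested, and then stored, against the account the identity service bound to this session, and the unified user database is written only after `weak()` has confirmed the password with WebLogic.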
6. The WebLogic-oriented Form authentication single sign-on integration method according to claim 1, characterized in that, when the intercepted HTTP request URL corresponds neither to the login page of a Web application, nor to the identity assertion or security token verification path, nor to the modified user name/password verification path, said single sign-on filter processes it as follows:
Step 1: check whether the session object contains the URL, saved by the WebLogic application server, of the protected page the user first requested; if not, let the HTTP request pass through; otherwise, go to step 2;
Step 2: check whether the method of the current HTTP request is GET or POST; if POST, let the HTTP request pass through; otherwise, go to step 3;
Step 3: check whether the URL of the current HTTP request equals the URL, saved by the WebLogic application server in the session object, of the protected page the user first requested; if not, let the HTTP request pass through; otherwise, go to step 4;
Step 4: check whether the method of the first request for the protected page, as saved by the WebLogic application server in the session object, was GET or POST; if GET, clear from the session object the information WebLogic saved about the protected page the user first requested, then let the HTTP request pass through; otherwise, go to step 5;
Step 5: change the method of the current HTTP request to POST, and use the POST parameters that were submitted when the user first requested the protected page, as saved by the WebLogic application server in the session object, as the POST parameters of the current HTTP request now changed to the POST method; then clear from the session object the information WebLogic saved about the protected page the user first requested, and finally let the modified HTTP request pass through.
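The protected-page branch of claim 6, as an added example filter that is not the patent's code. It assumes the Servlet 2.5 API and uses placeholder session attribute names (`wl.saved.url`, `wl.saved.method`, `wl.saved.params`) for the URL, method and POST parameters of the first protected request, which the patent says WebLogic saves but does not name; the parameters are assumed to be held as a `Map<String, String[]>`.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.*;

// Protected-page branch of the single sign-on filter (claim 6): replays the POST the user made before
// being sent off to authenticate, once the post-login redirect (a GET) comes back to the same URL.
public class PostReplayFilter implements Filter {
    // Placeholders for the session attributes under which WebLogic keeps the first protected request;
    // the patent refers to them but does not name them.
    static final String SAVED_URL = "wl.saved.url";
    static final String SAVED_METHOD = "wl.saved.method";
    static final String SAVED_PARAMS = "wl.saved.params"; // Map<String, String[]>

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpSession s = req.getSession(false);
        String saved = s == null ? null : (String) s.getAttribute(SAVED_URL);
        // Steps 1-3: no saved request, already a POST, or a different URL: nothing to replay.
        if (saved == null || "POST".equals(req.getMethod()) || !saved.equals(req.getRequestURL().toString())) {
            chain.doFilter(rq, rs);
            return;
        }
        boolean wasPost = "POST".equals(s.getAttribute(SAVED_METHOD));
        @SuppressWarnings("unchecked")
        Map<String, String[]> params = (Map<String, String[]>) s.getAttribute(SAVED_PARAMS);
        // Steps 4-5: the saved request is consumed exactly once, whichever branch is taken.
        s.removeAttribute(SAVED_URL);
        s.removeAttribute(SAVED_METHOD);
        s.removeAttribute(SAVED_PARAMS);
        chain.doFilter(wasPost ? new ReplayedPost(req, params) : req, rs);
    }

    // Presents the current GET to the application as the user's original POST.
    static class ReplayedPost extends HttpServletRequestWrapper {
        private final Map<String, String[]> params;

        ReplayedPost(HttpServletRequest r, Map<String, String[]> p) {
            super(r);
            params = p == null ? Collections.<String, String[]>emptyMap() : p;
        }
        @Override public String getMethod() { return "POST"; }
        @Override public Map<String, String[]> getParameterMap() { return Collections.unmodifiableMap(params); }
        @Override public String[] getParameterValues(String name) { return params.get(name); }
        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return v == null || v.length == 0 ? null : v[0];
        }
        @Override public Enumeration<String> getParameterNames() { return Collections.enumeration(params.keySet()); }
    }
}
```

Clearing the three attributes before the wrapped request is passed down the chain is what makes the replay single-shot: a second GET of the same URL later in the session reaches the application as an ordinary GET, and a saved request that was itself a GET is simply forgotten.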
7. The WebLogic-oriented Form authentication single sign-on integration method according to claim 1, characterized in that the function of said single sign-on filter may be implemented either by a single ordinary Servlet filter module alone, or jointly by an ordinary Servlet filter module and a Servlet Authentication Filter module of an authentication provider of the WebLogic application server.
8. The WebLogic-oriented Form authentication single sign-on integration method according to claim 7, characterized in that, if the function of said single sign-on filter is implemented by a single ordinary Servlet filter module alone, then the login page, the identity assertion or security token verification path and the modified user name/password verification path of each Web application deployed on said WebLogic application server are located in the unprotected area of the WebLogic application server, and all HTTP requests, both those submitted to protected paths and those submitted to unprotected paths, are intercepted and processed by said ordinary Servlet filter module.
9. The WebLogic-oriented Form authentication single sign-on integration method according to claim 7, characterized in that, if the function of said single sign-on filter is implemented jointly by an ordinary Servlet filter module and a Servlet Authentication Filter module of an authentication provider of the WebLogic application server, then said identity assertion or security token verification path and said modified user name/password verification path are, in part or in whole, located in the protected area of the WebLogic application server; the HTTP requests submitted to unprotected paths are intercepted and processed by said ordinary Servlet filter; the HTTP requests submitted to the protected identity assertion or security token verification path and/or to the protected modified user name/password verification path are intercepted and processed by said Servlet Authentication Filter module; and all HTTP requests submitted to other protected paths are intercepted and processed either by said ordinary Servlet filter or by said Servlet Authentication Filter module.
CN201210295246.7A 2012-07-30 2012-07-30 WebLogic-oriented Form identification single sign on integration method Expired - Fee Related CN102801808B (en)

Publications (2)

Publication Number Publication Date
CN102801808A true CN102801808A (en) 2012-11-28
CN102801808B CN102801808B (en) 2014-11-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20141105

Termination date: 20180730