CN103853949A - Method for identifying identity of user on heterogeneous computer environment

Info

Publication number: CN103853949A
Application number: CN201210512422.8A
Authority: CN (China)
Other languages: Chinese (zh)
Inventors: 李圳龙, 罗笑南, 杨艾琳, 刘海亮, 汤武惊, 吴超如, 郭江波
Original assignee: Shenzhen Research Institute of Sun Yat Sen University
Current assignee: Shenzhen Research Institute of Sun Yat Sen University
Priority date: 2012-12-04
Filing date: 2012-12-04
Publication date: 2014-06-11
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities


Abstract

The invention relates to a method for identifying the identity of a user in a heterogeneous computer environment. The method comprises: defining a set of unique prefixes and assigning one type of user repository to each prefix; defining a set of abstract repository names, where each abstract repository name indicates the address of a user repository; and verifying the user in the heterogeneous computer environment by assigning a sequence that contains one unique prefix, a reference to an abstract repository name, and a unique identifier that designates the user within the repository the abstract repository name points to.

Description

Method for user identity authentication in a heterogeneous computer environment
Technical field
The present invention relates to a method for authenticating the identity of a user in a heterogeneous computer environment.
Background art
When tasks are to be authorized in a heterogeneous computer environment, the inconsistency between the heterogeneous systems becomes a major problem. Authentication information about a known user must be transmitted in some way, and the receiving system must be able to recognize that information. The authentication information must therefore be meaningful to the other party rather than mere data: only a recipient who understands it can take further authorization actions for the user. Mapping a user ID from one part of the computer environment onto a user ID in another part solves the problem only partially, because every mapping step loses information, while the user may have authenticated only once in the global context of the computing environment. There is therefore an urgent need to improve user authentication.
A typical computer system requires users to authenticate themselves to the system. Authentication is the technical precondition for any authorization of a user: only after a computer system, or a network of computer systems, has authenticated a user and established their identity can the user be authorized to perform operations such as adding, modifying or deleting data on the network. Before the Internet era a user's identity was meaningful only within a limited space, normally a single computer. For example, a single user repository on one computer (such as an LDAP directory) was sufficient to authenticate all users. With the development of computer networks, a single user repository is no longer sufficient, and the concept of authentication has been extended to an entire computing environment made up of multiple computer systems. One example is the current Microsoft Active Directory model, in which multiple domains are combined into a "forest". Under this model, a domain name placed before the actual user ID is enough to form a unique identifier.
Most current computer environments, however, are not homogeneous: besides interchangeable hardware and software, these systems use different authentication policies. In Active Directory, for example, a user who authenticates through Microsoft's own mechanisms is identified as "asia\zli". The ID of the same user on a Unix system is "cn=Zhen Li, ou=users, ou=China, dc=asia, dc=company, dc=com". Another example is Windows NT, in which a user is represented by a SID (security identifier). A SID is a numeric value that is unique across a Windows domain. Its human-readable form, which non-Windows software can also process, looks like zli@myorg.com.
In the Lightweight Directory Access Protocol (LDAP), an LDAP directory is a centralized service that maintains user entries among other entries. An LDAP object is normally represented by its position in a tree-shaped hierarchy, for example "cn=zhenli, ou=users, dc=asia, dc=mycomp, dc=org".
From the above it is clear that there is no simple way to identify all of the representations of one actual user. These difficulties arise whenever a user, a computer or an application accesses resources in a heterogeneous computer environment.
Summary of the invention
A method for user identity authentication in a heterogeneous computer environment, in various embodiments, comprises: (1) defining a set of unique prefixes, each prefix identifying one type of user repository; (2) defining a set of abstract repository names, each abstract repository name identifying the address of a user repository; and (3) verifying the user in the heterogeneous computer environment by assigning a sequence that contains one unique prefix, a reference to one abstract repository name, and the unique identifier of the user in the repository that the abstract repository name points to. This provides a unique authentication or naming scheme that identifies both the type and the source of the user repository, where different types may imply different verification rules. On this basis the scheme lets a human or non-human party verify whether a given user has a legitimate identity and is authorized to carry out the requested activity. One and the same repository can then be used without ambiguous entries, because ambiguity is eliminated by naming the verification scheme explicitly; the authentication information of one concrete user can thus be collected together even when it was gathered by different verification methods.
Furthermore, because all participants in the heterogeneous computer environment use the same language for user information, information about users can be exchanged freely, and it is also easier for humans to understand. The latter matters because modern communication protocols, such as XML (SOAP), require a printable, human-readable form.
In one embodiment, the set of unique prefixes includes a prefix for at least one of the following user repository types: an LDAP server (LDAP), a Windows Active Directory server (ADS), or a System Authorization Facility (SAF), in particular RACF, ACF2 or TopSecret. Prefixes for a set of unique local operating system user repositories can also be added or substituted as desired. Because the type of the user repository is determined by the prefix alone, the described embodiment can authenticate users very flexibly, governed by the implicit rules of whichever user repository is loaded into the computer environment. Step 2 may comprise defining a directory of abstract repository names, which maps abstract repository names to actual physical addresses. The directory defines the mapping between a reference, an abstract repository name and the various real addresses (for example IP addresses). Multiple real addresses may share one abstract repository name, for example when the repository is reachable over several transport protocols (TCP/IP, SSL, HTTP, HTTPS and so on).
In one embodiment, several references may correspond to one abstract repository name, for example when the repository must be reached from different network addresses. The directory of abstract repository names may be implemented with a database. The method described here may be implemented as a program stored on a storage medium of a computer system.
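The directory of abstract repository names described above, as an added worked example that is not part of the patent: it keeps the two mappings (reference to abstract repository name, abstract repository name to physical endpoints), picks one of several endpoints for a request, and compares two references to decide whether they name the same repository. The class and method names, the transport preference order, and the sample repository names and endpoints are assumptions constructed for this example, not taken from the patent.

```python
"""Directory of abstract repository names (ARN directory): added example.

Assumed, not given by the patent: the class and method names, the transport
preference order, and the constructed repository names and endpoints below.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Endpoint:
    protocol: str  # transport the repository is reachable over, e.g. "ldaps", "ldap", "https"
    host: str
    port: int


# Transports tried first when a request does not name one: encrypted before cleartext.
# This ordering is an assumed policy; the patent only lists TCP/IP, SSL, HTTP, HTTPS as examples.
DEFAULT_PREFERENCE = ("ldaps", "https", "ldap", "http")


class ArnDirectory:
    """Two mappings: reference (alias) -> abstract name, abstract name -> physical endpoints.

    A UPN carries only the reference, so endpoints can be replaced without touching any
    UPN, and two references can be compared by the abstract name they resolve to."""

    def __init__(self) -> None:
        self._endpoints: dict[str, list[Endpoint]] = {}
        self._references: dict[str, str] = {}

    def define_repository(self, abstract_name: str, endpoints: list[Endpoint]) -> None:
        if not endpoints:
            raise ValueError("a repository needs at least one endpoint")
        self._endpoints[abstract_name] = list(endpoints)

    def define_reference(self, reference: str, abstract_name: str) -> None:
        if abstract_name not in self._endpoints:
            raise KeyError(f"unknown abstract repository name {abstract_name!r}")
        self._references[reference] = abstract_name

    def abstract_name(self, reference: str) -> str:
        """Resolve an alias; the abstract name itself is also accepted as a reference."""
        if reference in self._references:
            return self._references[reference]
        if reference in self._endpoints:
            return reference
        raise KeyError(f"reference {reference!r} is not in the ARN directory")

    def resolve(self, reference: str, protocol: Optional[str] = None) -> Endpoint:
        """Pick the physical endpoint for a request, by requested protocol or by preference."""
        candidates = self._endpoints[self.abstract_name(reference)]
        if protocol is not None:
            for ep in candidates:
                if ep.protocol == protocol:
                    return ep
            raise LookupError(f"{reference!r} is not reachable over {protocol}")
        ranked = sorted(
            candidates,
            key=lambda ep: DEFAULT_PREFERENCE.index(ep.protocol)
            if ep.protocol in DEFAULT_PREFERENCE else len(DEFAULT_PREFERENCE),
        )
        return ranked[0]

    def same_repository(self, ref_a: str, ref_b: str) -> bool:
        """The comparison mechanism: do two references name the same repository?"""
        return self.abstract_name(ref_a) == self.abstract_name(ref_b)


def build_example_directory() -> ArnDirectory:
    """Constructed sample data: one LDAP repository reachable over two transports,
    one ADS repository, and aliases that point at them."""
    d = ArnDirectory()
    d.define_repository("asia", [Endpoint("ldap", "dc1.asia.example", 389),
                                 Endpoint("ldaps", "dc1.asia.example", 636)])
    d.define_repository("ame", [Endpoint("ldaps", "dc1.ame.example", 636)])
    d.define_reference("Asia", "asia")
    d.define_reference("ASIA-PRIMARY", "asia")
    d.define_reference("AME", "ame")
    return d


if __name__ == "__main__":
    d = build_example_directory()
    print(d.resolve("Asia"))                           # ldaps endpoint preferred
    print(d.resolve("Asia", "ldap"))                   # caller asked for plain ldap
    print(d.same_repository("Asia", "ASIA-PRIMARY"))   # two aliases, one repository
    # Moving the repository changes only the directory; existing references stay valid.
    d.define_repository("asia", [Endpoint("ldaps", "dc2.asia.example", 636)])
    print(d.resolve("ASIA-PRIMARY"))
```

An application that resolves references this way never takes an address from the UPN itself, so a caller cannot steer verification to a host of its choosing; the only trust decision left to the resolver is which transport to prefer, which is why the default order puts the TLS-protected endpoints first.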
Brief description of the drawings
To explain the embodiments of the present invention, or the technical solutions of the prior art, more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. The drawings described below are obviously only some embodiments of the present invention; a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1: design diagram of an embodiment in a heterogeneous computer environment;
Fig. 2a to Fig. 2c: user authentication strings in a heterogeneous computer environment.
Embodiments
The technical solutions of the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are obviously only some, not all, of the embodiments of the present invention. All other embodiments that a person of ordinary skill in the art can obtain from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Fig. 1 shows the design of a typical computer environment in which three users 1, 3, 5 access an application 10. In some embodiments the computer environment is heterogeneous: users 1, 3, 5 and application 10 run on different hardware platforms, such as Windows servers, Unix servers or mainframe systems, or on the same hardware platform but with different operating systems. Some computer environments may also be homogeneous.
A user in the system of Fig. 1 may authenticate in order to perform an activity, for example accessing application 10. The environment contains several different user repositories; the example of Fig. 1 includes two repositories 20, 22. User repository 22 authenticates the user in step 102. The computer environment of Fig. 1 is, of course, greatly simplified. A real computer environment (as anticipated by the embodiment) would contain a large number of widely distributed repositories authenticating a large number of users, so the embodiment is not limited to what is illustrated.
Repositories 20, 22 in Fig. 1 provide each human or non-human user, such as clients 1, 3, 5, with what is called a user principal name (UPN). The UPN may specify a prefix (the type) and, at the next level, an entry (the user's actual repository) holding the authentication information used to authenticate the user. The authentication process itself is carried out according to the specific rules of the respective repository 20, 22. Thanks to the flexibility of this invention there is no need to harmonize the authentication rules of the different repositories 20, 22 in the heterogeneous environment, and new repositories can be added to the environment at any time as required.
To make this possible, the UPN also needs an abstract reference name (ARN). The ARN must uniquely identify each user repository used for authentication and carry the address information needed to communicate with repositories 20, 22. Two entries whose ARNs differ may still point to the same physical repository. The list of all active ARNs is stored in an ARN directory 30, which every entity in the computer environment can access. ARN directory 30 may be backed by a database 31. As shown in Fig. 1, clients 1, 3, 5 and application 10 can access ARN directory 30. Directory 30 may be replicated to improve availability within the computer environment.
As follows from the above, several reference names may correspond to one concrete user repository. To find out whether two different reference names refer to the same or to different repositories, the repository names stored in the ARN directory must support a comparison mechanism. Using a reference in the UPN has the advantage that the actual repository can change without invalidating the UPN: the address of a repository can change without every UPN having to be adjusted, which also simplifies the management of UPNs. Finally, the addressing information of a repository is not stored directly in the UPN; a symbolic name is used instead.
As shown in the design diagram of Fig. 1, clients 1, 3, 5 connect to ARN directory 30 (in a series of steps 104) to retrieve the available aliases, for example: which repository is currently the primary one for authentication? That alias 203 (compare Fig. 2) is then used as one component of the unique principal name.
Then, in step 106, when a client 1, 3, 5 sends a request for a concrete action to application 10, application 10 connects to ARN directory 30 (in step 108) in order to interpret the user authentication information sent with the request. More precisely, clients 1, 3, 5 may include the UPN in their request 106; application 10 then recognizes the request, connects to ARN directory 30 and then to the respective user repository 20, 22.
Besides the prefix and the reference, a UPN may contain a principal identifier. This unique identifier uniquely determines a human or non-human user within a user repository. The syntax of the identifier is determined by the prefix described above, which indicates the type of the user repository; the encoding rules for the identifier can therefore follow each user repository in the concrete environment.
Fig. 2a to Fig. 2c show three examples of UPN strings used for authentication. For portability, the UPN string itself is usually encoded in UTF-8.
In the example of Fig. 2a, prefix 201 denotes an LDAP user repository. The following reference 203 denotes a user repository "Asia". Through the ARN directory every request obtains an actual physical address, so the referenced user repository can be found. Identifier 205 finally determines the concrete user in the referenced repository, according to the rules of the LDAP repository.
In Fig. 2b, prefix 201 denotes a user repository on a Microsoft Active Directory server. Reference 203 "AME" denotes a user repository of type ADS, and the remaining identifier 205 denotes the concrete user "ZhenLi" in the specifically referenced ADS repository AME.
Finally, the third example shows the UPN of an embodiment that uses a System Authorization Facility, as commonly used on IBM mainframes. Again prefix 201 denotes the type of the repository, and the following reference 203 allows the concrete SAF repository to be found in which user "LZL" is authenticated.
The order of the UPN elements shown in Fig. 2a-c is only exemplary. The prefix, the reference and the identifier may be arranged in a different order and separated by suitable separators.
Fig. 2a-c are obviously only a small part of the large number of possible UPNs. The principle of this invention is that a user can be identified uniquely without prescribing a single or limited authentication mechanism; on the contrary, any new type of user repository can be used and produce a corresponding UPN.

Claims (16)

1. A method for user identity authentication in a heterogeneous computer environment, the method comprising, using one or more computers:
A. defining a set of unique prefixes, each prefix identifying one type of user repository;
B. defining a set of abstract repository names, each abstract repository name identifying the address of a user repository, wherein each abstract repository name is mapped to a user repository name used to retrieve the required address information, and further comprising defining an abstract repository name directory that maps references to abstract repository names and abstract repository names to actual physical addresses;
C. identifying the user in the heterogeneous computer environment by assigning a sequence, the sequence comprising a unique prefix, a reference to an abstract repository name and a unique identifier of the user in a user repository, wherein the user repository is mapped by the abstract repository name directory, the reference to the abstract repository name maps to the abstract repository name, the abstract repository name maps to the actual address of the user repository, the unique identifier of the user uniquely determines the user according to the rules of one or more user repositories, and the user is verified as legitimate against the user repository; and wherein, if a repository can be accessed via several protocols, multiple physical addresses may share one abstract repository name and the abstract repository name directory selects a suitable physical address when answering a request.
2. The method of claim 1, wherein the set of unique prefixes comprises at least one of the following user repository types: LDAP server (LDAP); Windows Active Directory server (ADS); System Authorization Facility (SAF), including RACF, ACF2 or TopSecret.
3. The method of claim 1, wherein the set of unique prefixes comprises a user repository of a local operating system.
4. The method of claim 1, wherein multiple references may point to a single abstract repository name.
5. The method of claim 1, wherein the abstract repository name directory is implemented by a database.
6. The method of claim 1, further comprising at least one application running on the heterogeneous system accessing the abstract repository name directory in order to authenticate the user.
7. The method of claim 1, wherein the abstract repository name in the sequence identifies a user repository holding the authentication information used to authenticate the user.
8. The method of claim 1, wherein the sequence is a character string of the form "prefix:reference:identifier", the elements of which may be arranged in a different order.
9. A permanent storage medium comprising program instructions for authenticating a user in a heterogeneous computer environment, the instructions, when executed by a processor, performing the following:
A. defining a set of unique prefixes, each prefix identifying one type of user repository;
B. defining a set of abstract repository names, each abstract repository name identifying the address of a user repository, wherein each abstract repository name is mapped to a user repository name used to retrieve the required address information, and further comprising defining an abstract repository name directory that maps references to abstract repository names and abstract repository names to actual physical addresses;
C. identifying the user in the heterogeneous computer environment by assigning a sequence, the sequence comprising a unique prefix, a reference to an abstract repository name and a unique identifier of the user in a user repository, wherein the user repository is mapped by the abstract repository name directory, the reference to the abstract repository name maps to the abstract repository name, the abstract repository name maps to the actual address of the user repository, the unique identifier of the user uniquely determines the user according to the rules of one or more user repositories, and the user is verified as legitimate against the user repository; and wherein, if a repository can be accessed via several protocols, multiple physical addresses may share one abstract repository name and the abstract repository name directory selects a suitable physical address when answering a request.
10. The permanent storage medium of claim 9, wherein the set of unique prefixes comprises at least one of the following user repository types: LDAP server (LDAP); Windows Active Directory server (ADS); System Authorization Facility (SAF), including RACF, ACF2 or TopSecret.
11. The permanent storage medium of claim 9, wherein the set of unique prefixes comprises a user repository of a local operating system.
12. The permanent storage medium of claim 9, wherein multiple references point to a single abstract repository name.
13. The permanent storage medium of claim 9, wherein the abstract repository name directory is implemented with a database.
14. The permanent storage medium of claim 9, wherein the program instructions further cause at least one application in the heterogeneous environment to access the abstract repository name directory in order to authenticate the user.
15. The permanent storage medium of claim 9, wherein the abstract repository name in the sequence denotes a user repository holding the authentication information used to authenticate the user.
16. A computer system implementing user authentication in a heterogeneous computer environment, comprising a processor and a memory connected to the processor, the memory comprising program instructions for: defining a set of unique prefixes, each prefix identifying one type of user repository; defining a set of abstract repository names, each abstract repository name identifying the address of a user repository, wherein each abstract repository name is mapped to a user repository name used to retrieve the required address information, and further comprising defining an abstract repository name directory that maps references to abstract repository names and abstract repository names to actual physical addresses; and identifying the user in the heterogeneous computer environment by assigning a sequence, the sequence comprising a unique prefix, a reference to an abstract repository name and a unique identifier of the user in a user repository, wherein the user repository is mapped by the abstract repository name directory, the reference to the abstract repository name maps to the abstract repository name, the abstract repository name maps to the actual address of the user repository, the unique identifier of the user uniquely determines the user according to the rules of one or more user repositories, and the user is verified as legitimate against the user repository; and wherein, if a repository can be accessed via several protocols, multiple physical addresses may share one abstract repository name and the abstract repository name directory selects a suitable physical address when answering a request.

Priority application: CN201210512422.8A, priority date 2012-12-04, filing date 2012-12-04, title "Method for identifying identity of user on heterogeneous computer environment", status pending
Publication: CN103853949A (en), published 2014-06-11
Family ID: 50861596
Country status: CN, CN103853949A (en)



Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2014-06-11