CN104065616B - Single-point logging method and system - Google Patents
- Publication number: CN104065616B (application CN201310089647.1A)
- Authority: CN (China)
- Prior art keywords: application, middleware, logging, authentication, server
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification: Information Transfer Between Computers (AREA); Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
The invention discloses a single sign-on method and system, intended to solve problems of the prior-art single sign-on schemes such as the requirement that the browser be opened by starting a client before single sign-on can take place. The method includes: a first application sends a login request containing automatic login authorization information to middleware provided in the user terminal; after receiving the login request, the middleware obtains a shared key agreed with the authentication server and, using the shared key and specified information, verifies that the automatic login authorization information is correct, then obtains a login credential; the middleware supplies the login credential to the first application; the first application sends the login credential to the application server. The login credential indicates that the user terminal has successfully obtained authentication from the authentication server.
Description
Technical field
The present invention relates to the field of data services, and in particular to a single sign-on method and system.
Background technology
"Single sign-on" is a very common form of service login on today's Internet: the user authenticates once and then logs in many times, which avoids repeated password entry and improves the user's experience of the service. For example, when a client first accesses application server 1, the client has not yet logged in to any application server, so it is directed to the authentication server to log in; the authentication server validates the identity using the login information the client provides and, if validation passes, returns to the client a proof of authentication, the ticket. When the client later accesses another application server, say application server 2, it carries this ticket as its own proof of having been authenticated; on receiving an access request carrying the ticket, the other application server sends the ticket to the authentication server for validation, which checks the ticket's legitimacy. If the check passes, the client can access application server 2 without logging in again.
Current single sign-on schemes are mostly oriented to web applications, that is, they rely on the browser's redirection mechanism and session management mechanism to keep the user's login state and pass it between different services. Such schemes have difficulty supporting single sign-on across a client and a browser. Specifically, the following two classes of requirement cannot be met by the prior-art schemes:
First class of requirement: after the user logs in successfully with a client, opening a service page in a browser automatically logs in with the client's user identity;
Second class of requirement: after the user logs in successfully with a browser, running a local client automatically logs the client in.
For the first class of requirement, a single sign-on scheme from client to browser, shown in Fig. 1, has been proposed. Its implementation mainly comprises the following steps:
First, after receiving the user's login instruction, the client logs in to the authentication server and receives the authentication proof fed back by the authentication server (the ticket described above);
After detecting the user's access instruction produced by clicking an application link provided by the client, the client generates an identity credential from the authentication proof fed back by the authentication server and constructs a URL containing that identity credential;
The client invokes the browser so that the browser sends an access request to the application server using the generated URL containing the identity credential;
Then, the application server asks the authentication server to verify the identity credential included in the access request;
The authentication server verifies the identity credential, confirms that the client has logged in successfully, and feeds the verification result back to the application server;
Finally, according to the result, the application server sends the post-login page information to the browser for display.
The flow shown in Fig. 1 has two main defects:
1. Opening the browser must be triggered by the user starting the client; the user opening the browser manually and then performing single sign-on is not supported;
2. The second class of requirement described above cannot be met.
The content of the invention
The embodiment of the present invention provides a single sign-on method and system, to solve the problems of the prior-art single sign-on schemes that opening the browser must be triggered by starting a client in order to perform single sign-on, and that the second class of requirement described above is not supported.
The embodiment of the present invention adopts the following technical scheme:
A single sign-on method, comprising:
A first application provided in a user terminal obtains automatic login authorization information and sends a login request containing the automatic login authorization information to middleware provided in the user terminal, where the automatic login authorization information is generated by the authentication server computing a digest over a shared key and specified information. After receiving the login request, the middleware obtains the shared key agreed with the authentication server and, using the shared key and the specified information, verifies that the automatic login authorization information in the login request is correct, then obtains a login credential, where the login credential indicates that the user terminal has successfully obtained authentication from the authentication server. The middleware supplies the login credential to the first application, and the first application sends the login credential to the application server.
A single sign-on system, comprising a first application and middleware provided in a user terminal, where:
The first application obtains automatic login authorization information, sends a login request containing the automatic login authorization information to the middleware, obtains the login credential supplied by the middleware, and sends the login credential to the application server; the automatic login authorization information is generated by the authentication server computing a digest over a shared key and specified information;
After receiving the login request, the middleware obtains the shared key agreed with the authentication server and, using the shared key and the specified information, verifies that the automatic login authorization information in the login request is correct, then obtains a login credential and supplies it to the first application; the login credential indicates that the user terminal has successfully obtained authentication from the authentication server.
The embodiment of the present invention has the following beneficial effects:
By providing middleware that can obtain from the authentication server the single sign-on authorization information supplied to a successfully authenticated user terminal, the user terminal can achieve single sign-on using the single sign-on authorization information obtained by the middleware, regardless of whether it accesses the application server with a browser or with a client. This meets the second class of requirement mentioned in the background above, and solves the problems of the prior-art single sign-on schemes that opening the browser must be triggered by starting a client and that the second class of requirement is not supported.
Brief description of the drawings
Fig. 1 is the prior-art single sign-on scheme from client to browser;
Fig. 2 is a schematic flow diagram of a single sign-on method provided in an embodiment of the present invention;
Fig. 3 is a schematic system structure diagram for realizing embodiment 1 and embodiment 2;
Fig. 4 is a schematic flow diagram of embodiment 1;
Fig. 5 is a schematic flow diagram of embodiment 2.
Specific embodiment
To solve the problems of the prior-art single sign-on schemes that opening the browser must be triggered by starting a client and that the second class of requirement described above is not supported, the embodiment of the present invention provides a new single sign-on scheme. By providing middleware that can obtain from the authentication server the single sign-on authorization information supplied to a successfully authenticated user terminal, the scheme lets the user terminal achieve single sign-on using the single sign-on authorization information obtained by the middleware, regardless of whether it accesses the application server with a browser or with a client.
Embodiments of the invention are described below with reference to the accompanying drawings. It should be understood that the embodiments described here serve only to illustrate and explain the invention and are not intended to limit it. Where there is no conflict, the embodiments and the features of the embodiments in this description may be combined with each other.
First, the embodiment of the present invention provides a single sign-on method as shown in Fig. 2. The method mainly includes the following steps:
Step 21, a first application provided in the user terminal obtains automatic login authorization information;
Unlike the prior art, in the embodiment of the present invention the first application must first obtain this automatic login authorization information when it intends to access a server. The automatic login authorization information is usually generated by the authentication server computing a digest over a shared key and specified information. The first application may, without limitation, obtain it in one of the following two ways:
Way one: the first application reads, from the storage space of the user terminal, automatic login authorization information pre-set in that storage space. For example, the automatic login authorization information can be stored in the user terminal's storage space when the terminal's default configuration is performed.
Way two: the first application sends a service request to the application server and receives the automatic login authorization information the application server feeds back in response. The application server can obtain the automatic login authorization information for that service request as follows:
First, after receiving the service request, the application server sends to the authentication server an authentication request containing the application server's identifier;
Then, the authentication server receives the authentication request and checks whether the application server identifier it contains is present in a pre-stored identifier set, that is, the set of identifiers of the application servers that are allowed to be accessed;
Finally, if the check succeeds, the authentication server sends automatic login authorization information to the application server, which forwards it to the user terminal so that the first application obtains it.
The advantage of way two is that the first application can be restricted to accessing only the application servers pre-configured as allowed. Because the pre-configured allowed application servers are usually legitimate servers that have been vetted, way two can to some extent prevent the first application from accessing an illegitimate application server and leaking user information, improving the legitimacy of the whole single sign-on scheme.
Step 22, the first application sends to the middleware provided in the user terminal a login request containing the obtained automatic login authorization information;
The middleware here may be a software module provided in the user terminal, or a physical module implemented by a combination of software and hardware. The physical module may be placed inside the user terminal or outside it; when placed outside, it can be connected to the user terminal to exchange information with it.
Step 23, after receiving the login request, the middleware obtains the shared key agreed with the authentication server;
One way for the middleware to obtain the shared key agreed with the authentication server is as follows:
First, the middleware obtains the middleware login credential sent by the authentication server, which the authentication server sends after verifying that the user authentication information sent by a second application in the user terminal is correct;
Then, the middleware sends the middleware login credential to the authentication server;
Finally, the middleware receives the shared key that the authentication server sends after verifying that the middleware login credential is correct. Alternatively, after verifying that the middleware login credential is correct, the authentication server may send the middleware shared-key generation information, from which the middleware generates the shared key.
Alternatively, the middleware may generate the shared key directly according to a key generation algorithm agreed in advance with the authentication server.
Step 24, using the obtained shared key and the specified information described above, the middleware verifies whether the automatic login authorization information in the login request is correct; if it is correct, step 25 is performed, otherwise the flow may be terminated;
Step 25, the middleware obtains a login credential;
The login credential indicates that the user terminal has successfully obtained authentication from the authentication server.
For example, in one concrete implementation of the method provided in the embodiment, a shared key K and a counter C may be set in both the middleware and the authentication server. After the middleware receives the first application's login request, it can use the counter to generate a random number R (that is, a challenge value) and return it to the first application, which sends R to the authentication server; the authentication server computes a digest H1 over the shared key K and R and returns H1 to the first application as the automatic login authorization information, and the first application returns H1 to the middleware; the middleware verifies H1 using K and, if the verification succeeds, computes a digest H2 over the shared key K, C and other information (whose particular content can be found in embodiment 1 below) and uses the generated H2 as the login credential.
In addition, the login credential may also be one that the authentication server supplies to the user terminal after the terminal successfully obtains the authentication server's authentication, and that is stored in the user terminal.
Alternatively, the login credential may be generated by the middleware from single sign-on authorization information supplied by the authentication server, where the single sign-on authorization information indicates that the user terminal has successfully obtained authentication from the authentication server. For this way of obtaining the login credential, if the middleware already obtained and stored the single sign-on authorization information before receiving the first application's login request, then after receiving the login request it can directly take the single sign-on authorization information from its own storage space and use it as the login credential. If the middleware has not yet obtained the single sign-on authorization information when the login request arrives, it can use the login request as a trigger to send user authentication information (usually a username and password) to the authentication server and obtain the single sign-on authorization information that the authentication server supplies after verifying that the user authentication information is correct.
Step 26, the middleware supplies the login credential to the first application;
Step 27, the first application sends the login credential to the application server, and the flow ends.
In the embodiment, the specified information used by the authentication server when generating the automatic login authorization information may be a challenge value sent by the first application. In that scenario, the method may further include the following two steps before step 21:
Step one: after receiving a login identity request sent by the first application, the middleware generates a challenge value at random;
Step two: the middleware sends the first application an identity response containing the generated challenge value, so that the first application sends the challenge value to the authentication server.
In the embodiment, the first application may be a browser or an application other than a browser. Unlike the prior art, with the scheme of the embodiment any kind of application that intends to log in to an application server can send the automatic login authorization information and a login request to the middleware to obtain a login credential. This meets the second class of requirement stated in the background above, and solves the problems of the prior-art single sign-on schemes that opening the browser must be triggered by starting a client and that the second class of requirement is not supported.
In the embodiment, the first application may be a browser and the second application an application other than a browser, or the second application may be a browser and the first application an application other than a browser. In particular, when the second application is a browser and the first application is a non-browser client, the second class of requirement described in the background can be met.
Two specific embodiments are used below to describe in detail the practical application of the scheme provided in the embodiment of the present invention.
Embodiment 1
Embodiment 1 realizes the single sign-on flow from client to browser: after the user logs in successfully with the client, opening a service page in the browser automatically logs in with the client's user identity.
The system for realizing embodiment 1 is shown in Fig. 3 and includes a user terminal, an application server and an authentication server. The user terminal contains multiple applications, including a browser and non-browser applications; in Fig. 3 the non-browser applications are labelled "client" and "Web applications".
Based on the system shown in Fig. 3, the implementation flow of embodiment 1 is described in detail below. The flow includes the following steps, shown in Fig. 4:
Step 41, after the user terminal passes the authentication server's authentication, it obtains the user key K that the authentication server returns to it, and K is stored in the middleware provided in the user terminal;
Specifically, after receiving the user's client operating instruction, the user terminal can display a user authentication information input interface on its screen, then send the user authentication information entered by the user (usually comprising a username and password) to the authentication server for authentication. After the authentication server verifies that the user authentication information is correct, the user terminal obtains the K fed back by the authentication server.
Step 42, after the user terminal receives the application server access instruction entered by the user in the browser, it sends an access request to the application server;
For example, after receiving the application server domain name entered by the user in the browser, the user terminal sends an access request to the corresponding application server according to that domain name.
Step 43, the application server redirects the browser to the authentication server;
Step 44, the authentication server returns authentication page information to the browser which, besides the content displayed in the browser window, also includes a script run locally by the browser (such as a JavaScript script);
Step 45, by invoking the JavaScript script, the browser is triggered to send a login identity request to the local middleware listening port;
Step 46, the middleware judges whether the user terminal has passed the authentication server's authentication; if so, the middleware returns the user's identity response (containing the user ID and a challenge value) to the browser and continues with step 47; otherwise, the middleware returns to the browser a notification message that the user terminal is not logged in, and the single sign-on flow ends;
Usually, the middleware can judge whether the user terminal has passed the authentication server's authentication by whether it has stored the K sent by the authentication server.
In addition, the challenge value may be, without limitation, a random number generated by the middleware.
Optionally, the user's identity response returned by the middleware to the browser may also include some additional information (such as the user terminal's system time that the browser sends to the authentication server, the URL of the page the browser is accessing, or some fixed string).
Step 47, the browser sends the user ID and the challenge value returned by the middleware to the authentication server to request automatic login authorization;
Step 48, from the correspondence between user IDs and user keys that it stores, the authentication server determines the user key K corresponding to the user ID sent by the browser, computes a digest with K over the challenge value and some other additional information sent by the browser (such as the user terminal's system time that the browser sends to the authentication server, the URL of the page the browser is accessing, or some fixed string) to generate the automatic login authorization information, and returns the generated automatic login authorization information to the browser;
Step 49, by invoking the JavaScript script, the browser is triggered to send to the middleware an identity credential acquisition request carrying the automatic login authorization information;
Step 410, the middleware verifies the correctness of the automatic login authorization information using the K it stores and, if correct, generates a login credential;
The generated login credential contains the single sign-on authorization information that the authentication server supplied to the user terminal.
For example, because K is information the authentication server sends to a successfully authenticated user terminal, K indicates that the user terminal can perform single sign-on, so K can be regarded as the single sign-on authorization information the authentication server supplies to the user terminal. Alternatively, after successfully authenticating the user terminal, the authentication server may supply some other information as the single sign-on authorization information.
Step 411, the middleware returns the login credential to the browser;
Step 412, the browser sends the login credential to the authentication server; after verifying that the login credential is correct, the authentication server generates an identity credential and redirects the browser to the application server; when redirected to the application server, the browser sends it the identity credential that the authentication server supplied;
Optionally, when redirecting the browser to the application server, the authentication server may also send the generated identity credential directly to the application server.
Step 413, the application server queries the authentication server about the correctness of the identity credential it obtained;
Step 414, after the query confirms that the identity credential is correct, the application server returns to the browser the information of the post-login page to be displayed by the user terminal.
Through the above steps, because the user terminal is provided with middleware that can obtain and store the single sign-on authorization information the authentication server supplies to a successfully authenticated user terminal, once the user has authenticated the user terminal with the client, later access to the application server with the browser can achieve single sign-on using the single sign-on authorization information stored by the middleware.
Embodiment 2
The system for realizing embodiment 2 is again as shown in Fig. 3 and includes a user terminal, an application server and an authentication server.
Based on the system shown in Fig. 3, the implementation flow of embodiment 2 is described in detail below. The flow includes the following steps, shown in Fig. 5:
Step 51, the user terminal receives the user authentication information entered by the user in the browser and uses it to obtain authentication from the authentication server;
Step 52, the browser requests a middleware login credential from the authentication server;
In embodiment 2, the browser can request the middleware login credential from the authentication server by sending a service request to the application server.
Step 53, the authentication server returns the middleware login credential to the browser;
If the browser requests the middleware login credential by sending a service request to the application server, then after receiving the service request the application server can send to the authentication server an authentication request containing the application server's identifier;
After receiving the authentication request, the authentication server checks whether the application server identifier it contains is present in a pre-stored identifier set, that is, the set of identifiers of the application servers that are allowed to be accessed;
If the check succeeds, the authentication server sends automatic login authorization information to the application server, where the automatic login authorization information may be generated by the authentication server computing a digest over the user key and specified information;
After receiving the automatic login authorization information sent by the authentication server, the application server sends the automatic login authorization information and the middleware login credential to the user terminal, so that the first application obtains both the automatic login authorization information and the middleware login credential.
Step 54, the browser sends the middleware login credential to the middleware by invoking the middleware through a local method call;
For example, when the middleware is installed in the user terminal it can register a local application protocol (such as sso://). When a browser page in the user terminal wants to invoke the middleware, it assembles a URL from the call parameter param (such as sso://param) and redirects to that URL; the browser then finds the middleware process that registered the local application protocol (sso://) and invokes that process, thereby invoking the middleware.
Step 55, the middleware sends an authentication request carrying the middleware login credential to the authentication server;
Step 56, the authentication server checks the correctness of the middleware login credential;
Step 57, after verifying that the middleware login credential is correct, the authentication server returns an authentication response to the middleware, and the two parties negotiate and generate a shared user key, which can serve as the single sign-on authorization information that the authentication server supplies to the successfully authenticated user terminal;
Step 58, after receiving the user's start instruction, the client invokes the middleware's credential acquisition interface to send the middleware a login request for a login credential;
If the browser has also obtained automatic login authorization information, the browser also sends that automatic login authorization information to the middleware.
Step 59, the middleware computes a login credential locally from the user key and returns it to the client;
Optionally, if the middleware receives the automatic login authorization information sent by the browser, it can verify that information using the user key and the specified information, and only generate the login credential and return it to the client after the verification succeeds.
Step 510, the client sends to the application server an authentication request carrying the login credential returned by the middleware;
Usually, so that the authentication server can identify the user to whom the login credential belongs, the authentication request sent by the client can also carry the user ID.
Step 511, the application server asks the authentication server to verify the login credential carried in the client's authentication request, and receives the notification message the authentication server sends after verifying that the login credential is correct;
Assuming the authentication request also carries the user ID, the application server also sends the user ID to the authentication server. After receiving the user ID and the login credential, the authentication server looks up the user key corresponding to the received user ID in the pre-stored correspondence between user IDs and user keys, and compares whether the user key found matches the user key parsed from the login credential; if they match, the login credential is determined to be correct, otherwise it is determined to be incorrect.
Step 512, application server is returned for characterizing the information for logining successfully to client.
Through the steps of embodiment 2, once the user has successfully authenticated the user terminal with the browser, the user can later access the application server with the client and single sign-on for the user terminal is achieved using the single sign-on authorization information stored by the middleware. This meets the second type of requirement described in the background above, and so solves the problems of the prior-art single sign-on schemes: that starting the client must trigger opening a browser in order to perform single sign-on, and that the second type of requirement described earlier is not supported.
It should be noted that, in either embodiment 1 or embodiment 2, the middleware may have the ability to send user authentication information to the authentication server and thereby obtain the single sign-on authorization information that the authentication server supplies to a successfully authenticated user terminal. Therefore, even if the middleware holds no single sign-on authorization information at the moment the browser (or client) requests a login credential from it, the middleware can use the login-credential request message sent by the browser (or client) as a trigger condition: it sends user authentication information to the authentication server, obtains the single sign-on authorization information that the authentication server supplies to the successfully authenticated user terminal, and, based on that single sign-on authorization information, provides a login credential to the browser (or client).
Based on the same inventive concept as the single sign-on method described above, an embodiment of the invention also provides a single sign-on system, which solves the problems of the prior-art single sign-on schemes that starting the client must trigger opening a browser in order to perform single sign-on and that the second type of requirement described earlier is not supported. The system mainly comprises a first application and middleware arranged in the user terminal, whose functions are as follows:
The first application obtains automated login authorization information; sends the middleware a login request containing the obtained automated login authorization information; obtains the login credential provided by the middleware; and sends the login credential to the application server. Here the automated login authorization information is generated by the authentication server performing a digest computation using the shared key and specified information.
The middleware, after receiving the login request, obtains the shared key agreed with the authentication server and, after verifying by means of the shared key and the specified information that the automated login authorization information in the login request is correct, obtains a login credential and supplies it to the first application. The login credential is used to indicate that the user terminal has successfully obtained authentication from the authentication server.
Optionally, the first application can specifically be used to:
read, from a storage space of the user terminal, automated login authorization information pre-set in that storage space; or
send a service request to the application server, and obtain the automated login authorization information that the application server feeds back in response to the service request.
Here the process by which the application server feeds back automated login authorization information in response to the service request specifically comprises:
after receiving the service request, the application server sends the authentication server an authentication request containing the identifier of the application server;
the authentication server receives the authentication request and judges whether the application server identifier contained in it is present in a pre-stored identifier set, where the identifier set consists of identifiers of application servers that are allowed to be accessed;
when the judgement result is yes, the authentication server sends automated login authorization information to the application server;
the application server forwards the automated login authorization information sent by the authentication server to the user terminal, so that the first application obtains the automated login authorization information.
Optionally, the specified information used by the authentication server when generating the automated login authorization information is a challenge value sent by the first application. In that case the middleware can also be used to: before the automated login authorization information is obtained, and after receiving a login identity request sent by the first application, randomly generate the challenge value and send the first application an identity response containing the challenge value; the first application is then further used to send the challenge value to the authentication server.
Optionally, the middleware provided in an embodiment of the invention can specifically be used to: obtain a middleware login credential sent by the authentication server, where the middleware login credential is sent by the authentication server after it has verified that the user authentication information sent by a second application in the user terminal is correct; send the middleware login credential to the authentication server; and receive the shared key that the authentication server sends after verifying that the middleware login credential is correct, or generate the shared key from shared-key generation information that the authentication server sends after verifying that the middleware login credential is correct. Alternatively, the middleware can specifically be used to generate the shared key according to a key generation algorithm agreed in advance with the authentication server.
Optionally, the first application can be a browser and the second application an application other than a browser; or the second application can be a browser and the first application an application other than a browser. Alternatively, both the first application and the second application can be browsers; or both the first application and the second application can be applications other than browsers.
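As an added example (not code from the patent), the following toy Python model walks through the flow described in steps 55 to 512 and in the system description above: the authentication server and the middleware share a per-user key, the middleware issues a random challenge, the authentication server returns an automated login authorization as a keyed digest over that challenge, the middleware verifies it and returns a login credential, and the authentication server later verifies the credential on behalf of the application server. HMAC-SHA256 is assumed for the digest (the page only says a digest is computed), and the credential layout (nonce plus keyed tag, checked by recomputation with the stored user key) is an assumption, since the page does not specify how the user key is parsed out of the credential; all identifiers are constructed.

```python
"""Toy model of the middleware-based SSO flow (added example, assumptions as noted)."""
import hashlib
import hmac
import secrets
from typing import Optional


def keyed_digest(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so fields cannot run together.
    The digest algorithm is an assumption; the patent names none."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big"))
        mac.update(part)
    return mac.digest()


class AuthServer:
    """Authentication server: stores user keys and the allowed application ids."""

    def __init__(self, allowed_app_ids: set[str]):
        self.allowed_app_ids = allowed_app_ids
        self.user_keys: dict[str, bytes] = {}      # user id -> negotiated user key

    def negotiate_user_key(self, user_id: str) -> bytes:
        """Step 57: after the middleware credential checks out, share a user key."""
        key = secrets.token_bytes(32)
        self.user_keys[user_id] = key
        return key

    def auto_login_authorization(self, app_id: str, user_id: str,
                                 challenge: bytes) -> Optional[bytes]:
        """Answer the application server: only an app id in the allowed set gets
        the keyed digest over the challenge (the automated login authorization)."""
        if app_id not in self.allowed_app_ids or user_id not in self.user_keys:
            return None
        return keyed_digest(self.user_keys[user_id], b"auto-login", challenge)

    def verify_login_credential(self, user_id: str, credential: bytes) -> bool:
        """Step 511: look up the stored user key by user id and check the
        credential with it (assumed layout: 16-byte nonce || 32-byte tag)."""
        key = self.user_keys.get(user_id)
        if key is None or len(credential) != 16 + 32:
            return False
        nonce, tag = credential[:16], credential[16:]
        expected = keyed_digest(key, b"login", user_id.encode(), nonce)
        return hmac.compare_digest(tag, expected)


class Middleware:
    """Middleware on the user terminal holding the user key for one user."""

    def __init__(self, user_id: str, user_key: bytes):
        self.user_id = user_id
        self.user_key = user_key
        self.pending_challenges: set[bytes] = set()

    def login_identity_response(self) -> bytes:
        """Generate a fresh random challenge for the first application to forward."""
        challenge = secrets.token_bytes(16)
        self.pending_challenges.add(challenge)
        return challenge

    def login_request(self, challenge: bytes, authorization: bytes) -> Optional[bytes]:
        """Step 59: verify the authorization against an outstanding challenge; on
        success consume the challenge and return a login credential."""
        if challenge not in self.pending_challenges:
            return None                        # unknown or already-used challenge
        expected = keyed_digest(self.user_key, b"auto-login", challenge)
        if not hmac.compare_digest(authorization, expected):
            return None                        # authorization does not verify
        self.pending_challenges.discard(challenge)   # challenge is single use
        nonce = secrets.token_bytes(16)
        return nonce + keyed_digest(self.user_key, b"login", self.user_id.encode(), nonce)


def run_flow(app_id: str = "app-1") -> tuple[bool, Optional[bytes], Optional[bytes]]:
    """Run the exchange once with constructed names; returns (credential accepted
    by the authentication server, result of replaying the same challenge,
    result of presenting a forged authorization)."""
    auth = AuthServer(allowed_app_ids={"app-1"})
    user_key = auth.negotiate_user_key("alice")
    mw = Middleware("alice", user_key)
    challenge = mw.login_identity_response()             # identity response
    authorization = auth.auto_login_authorization(app_id, "alice", challenge)
    if authorization is None:                            # app id not allowed
        return False, None, None
    credential = mw.login_request(challenge, authorization)
    accepted = credential is not None and auth.verify_login_credential("alice", credential)
    replay = mw.login_request(challenge, authorization)  # same challenge again
    forged = mw.login_request(mw.login_identity_response(), b"\x00" * 32)
    return accepted, replay, forged
```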
Those skilled in the art should understand that embodiments of the invention may be provided as a method, a system or a computer program product. Therefore, the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware. Moreover, the invention may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) that contain computer-usable program code.
The invention is described with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks in them, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, so that a series of operational steps is performed on the computer or other programmable device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the invention have been described, those skilled in the art, once they know the basic inventive concept, can make further changes and modifications to these embodiments. Therefore, the appended claims are intended to be construed as including the preferred embodiments and all changes and modifications that fall within the scope of the invention.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from the spirit and scope of the invention. Thus, if these changes and modifications of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.
Claims (10)
1. A single sign-on method, characterized in that it comprises:
a first application arranged in a user terminal obtains automated login authorization information and sends a login request containing the automated login authorization information to middleware arranged in the user terminal, wherein the automated login authorization information is generated by an authentication server performing a digest computation using a shared key and specified information, and the specified information is a challenge value sent by the first application; before the first application obtains the automated login authorization information, the middleware, after receiving a login identity request sent by the first application, randomly generates the challenge value and sends the first application an identity response containing the challenge value, so that the first application sends the challenge value to the authentication server;
after the middleware receives the login request, it obtains the shared key agreed with the authentication server and, after verifying by means of the shared key and the specified information that the automated login authorization information in the login request is correct, obtains a login credential, wherein the login credential is used to indicate that the user terminal has successfully obtained authentication from the authentication server;
the middleware supplies the login credential to the first application;
the first application sends the login credential to an application server.
2. The method of claim 1, characterized in that the first application obtaining automated login authorization information specifically comprises:
the first application reads, from a storage space of the user terminal, automated login authorization information pre-set in that storage space; or
the first application sends a service request to the application server;
after receiving the service request, the application server sends the authentication server an authentication request containing the identifier of the application server;
the authentication server receives the authentication request and judges whether the application server identifier contained in it is present in a pre-stored identifier set, wherein the identifier set consists of identifiers of application servers that are allowed to be accessed;
when the judgement result is yes, the authentication server sends automated login authorization information to the application server;
the application server forwards the automated login authorization information sent by the authentication server to the user terminal, so that the first application obtains the automated login authorization information.
3. The method of claim 1, characterized in that the middleware obtaining the shared key agreed with the authentication server specifically comprises:
the middleware obtains a middleware login credential sent by the authentication server, wherein the middleware login credential is sent by the authentication server after it has verified that user authentication information sent by a second application in the user terminal is correct;
the middleware sends the middleware login credential to the authentication server; and
receives the shared key that the authentication server sends after verifying that the middleware login credential is correct, or generates the shared key from shared-key generation information that the authentication server sends after verifying that the middleware login credential is correct.
4. The method of claim 3, characterized in that the first application is a browser and the second application is an application other than a browser; or
the second application is a browser and the first application is an application other than a browser.
5. The method of claim 1, characterized in that the middleware obtaining the shared key agreed with the authentication server specifically comprises:
the middleware generates the shared key according to a key generation algorithm agreed in advance with the authentication server.
6. A single sign-on system, characterized in that it comprises a first application and middleware arranged in a user terminal, wherein:
the first application is used to obtain automated login authorization information; send the middleware a login request containing the automated login authorization information; obtain the login credential provided by the middleware; and send the login credential to an application server; wherein the automated login authorization information is generated by an authentication server performing a digest computation using a shared key and specified information, and the specified information is a challenge value sent by the first application;
the middleware is used to, after receiving the login request, obtain the shared key agreed with the authentication server and, after verifying by means of the shared key and the specified information that the automated login authorization information in the login request is correct, obtain a login credential and supply it to the first application; wherein the login credential is used to indicate that the user terminal has successfully obtained authentication from the authentication server;
the middleware is further used to, before the automated login authorization information is obtained and after receiving a login identity request sent by the first application, randomly generate the challenge value and send the first application an identity response containing the challenge value; the first application is then further used to send the challenge value to the authentication server.
7. The system of claim 6, characterized in that the first application is specifically used to:
read, from a storage space of the user terminal, automated login authorization information pre-set in that storage space; or
send a service request to the application server, and obtain the automated login authorization information that the application server feeds back in response to the service request;
wherein the process by which the application server feeds back automated login authorization information in response to the service request specifically comprises:
after receiving the service request, the application server sends the authentication server an authentication request containing the identifier of the application server; the authentication server receives the authentication request and judges whether the application server identifier contained in it is present in a pre-stored identifier set, wherein the identifier set consists of identifiers of application servers that are allowed to be accessed; when the judgement result is yes, the authentication server sends automated login authorization information to the application server; the application server forwards the automated login authorization information sent by the authentication server to the user terminal, so that the first application obtains the automated login authorization information.
8. The system of claim 6, characterized in that the middleware is specifically used to:
obtain a middleware login credential sent by the authentication server, wherein the middleware login credential is sent by the authentication server after it has verified that user authentication information sent by a second application in the user terminal is correct;
send the middleware login credential to the authentication server; and
receive the shared key that the authentication server sends after verifying that the middleware login credential is correct, or generate the shared key from shared-key generation information that the authentication server sends after verifying that the middleware login credential is correct.
9. The system of claim 8, characterized in that the first application is a browser and the second application is an application other than a browser; or
the second application is a browser and the first application is an application other than a browser.
10. The system of claim 6, characterized in that the middleware is specifically used to generate the shared key according to a key generation algorithm agreed in advance with the authentication server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310089647.1A CN104065616B (en) | 2013-03-20 | 2013-03-20 | Single-point logging method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104065616A CN104065616A (en) | 2014-09-24 |
CN104065616B true CN104065616B (en) | 2017-06-20 |
Legal Events
Code | Title |
---|---|
C06 | Publication |
PB01 | Publication |
C10 | Entry into substantive examination |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |