CN104618449B - Method and device for realizing web single sign-on - Google Patents


Info

Publication number
CN104618449B
Authority
CN
China
Prior art keywords
web server
target web
client
information
cross
Legal status
Active
Application number
CN201410855128.6A
Other languages
Chinese (zh)
Other versions
CN104618449A (en)
Inventor
肖春亮
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
NSFOCUS Information Technology Co Ltd
Beijing NSFocus Information Security Technology Co Ltd
Application filed by NSFOCUS Information Technology Co Ltd and Beijing NSFocus Information Security Technology Co Ltd
Priority to CN201410855128.6A
Publication of CN104618449A
Application granted
Publication of CN104618449B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/41 User authentication where a single sign-on provides access to a plurality of computers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/562 Brokering proxy services

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a method and a device for realizing web single sign-on. In the method, the proxy server of the client is preset to be the bastion machine, and the bastion machine sets cross-domain access cookie information for the client. When the client needs to perform single sign-on, it sends the cross-domain access cookie information directly to the bastion machine, and the client can complete single sign-on solely on the basis of the response data packet containing user information that the bastion machine returns. No special login system needs to be installed on the client, which effectively reduces the complexity of the single sign-on process. Moreover, since the client realizes single sign-on only through the cross-domain access cookie information and the response data packet, there is no restriction on the client's browser: the method applies to any browser that can parse the cross-domain access cookie information and the response data packet, and so has broad applicability.

Description

Method and device for realizing web single sign-on
Technical Field
The invention relates to the field of network security, in particular to a method and a device for realizing web single sign-on.
Background
The bastion machine (bastion host) is an operation and maintenance security auditing system whose main functions are single sign-on, account management, resource authorization and operation auditing. The bastion machine cuts off direct access by operation and maintenance personnel to the servers by proxying the common operation and maintenance protocols (such as RDP, VNC and HTTP); specifically, every operation and maintenance action performed on a server must pass through the bastion machine. The bastion machine records the operations of the operation and maintenance personnel in a log file so that auditors can carry out security audits and assign accountability.
The bastion machine can therefore provide the single sign-on function, where single sign-on means that, within a set of application systems, a user logs in once and can then access all mutually trusting application systems. Adopting single sign-on simplifies the account login process, protects the security of accounts and passwords, and facilitates unified account management.
At present, the bastion machine realizes single sign-on as follows: a special login system (software) is installed on the client, and the login information of the target web server, such as the user name, the password and the login button, is configured in that special login system; when the special login system detects that the user needs to access a target web server, it starts an IE (Internet Explorer) browser and accesses the target web server in that browser, and the special login system substitutes the user name and password, thereby completing the single sign-on process. The information exchange between the special login system and the IE browser is realized through the browser's OLE (Object Linking and Embedding) automation interface. OLE technology only supports browsers with the IE kernel and cannot support other browsers; in addition, this single sign-on mode requires software to be installed on the client, and the implementation process is complex.
In summary, implementing single sign-on through the bastion machine in the prior art suffers from high implementation complexity and a narrow range of application.
Disclosure of Invention
The embodiment of the invention provides a method and a device for realizing web single sign-on, which are used for solving the problems of high complexity and small application range of the single sign-on mode in the prior art.
The embodiment of the invention provides the following specific technical scheme:
a method for realizing web single sign-on is applied to a bastion machine-based system architecture, the bastion machine-based system comprises a client, a target web server and a bastion machine with a proxy service function, and the method comprises the following steps:
the bastion machine receives a target web server access request sent by a client; the target web server access request carries cross-domain access cookie information, and the cross-domain access cookie information is generated by the bastion machine according to server information of the target web server preset in a management interface of the local target web server; the client is the client which takes the bastion machine as a proxy server;
the bastion machine forwards the target web server access request to a target web server according to the cross-domain access cookie information, and informs the target web server to generate a response data packet according to the target web server access request;
when the bastion machine determines that the path information of the login interface of the destination web server carried in the access request of the destination web server is correct, adding the user information of the client for logging in the destination web server into the response data packet;
and the bastion machine sends the response data packet added with the user information to the client, and instructs the client to log in the target web server according to the response data packet added with the user information in a single point mode.
A device for realizing web single sign-on is applied to a bastion machine-based system architecture, where the bastion machine-based system comprises a client and a target web server, and the device comprises:
a receiving unit, configured to receive a target web server access request sent by a client; the target web server access request carries cross-domain access cookie information and a target web server identifier, and the cross-domain access cookie information is generated according to server information of the target web server preset in a management interface of the target web server; the client is a client which uses the device itself as its proxy server;
a sending unit, configured to forward the destination web server access request to a destination web server according to the cross-domain access cookie information, and notify the destination web server to generate a response data packet according to the destination web server access request;
the adding unit is used for adding the user information of the target web server logged by the client in the response data packet when the path information of the login interface of the target web server carried in the target web server access request is determined to be correct;
and the sending unit is also used for sending the response data packet added with the user information to the client and indicating the client to log in the target web server according to the response data packet added with the user information in a single point mode.
In the embodiment of the invention, a bastion machine with a proxy service function is arranged between the target web server and the client. When the bastion machine receives a target web server access request sent by the client, it forwards that request directly to the target web server according to the cross-domain access cookie information; it adds the user information for logging in to the target web server into the response data packet generated by the target web server and then sends the response data packet to the client; and the client loads the response data packet with the added user information and logs in to the target web server in single sign-on mode. The technical scheme of the invention is thus that the proxy server of the client is preset to be the bastion machine, and the bastion machine sets cross-domain access cookie information for the client; when the client needs to perform single sign-on, it sends the cross-domain access cookie information directly to the bastion machine, and the client can realize single sign-on solely according to the response data packet containing user information that the bastion machine sends. No special login system needs to be installed on the client, which effectively reduces the complexity of the single sign-on process. In addition, because the client realizes single sign-on only through the cross-domain access cookie information and the response data packet, the client's browser is not restricted at all: the method can be applied to any browser capable of parsing the cross-domain access cookie information and the response data packet, and its applicability is therefore high.
Drawings
FIG. 1 is a schematic diagram of a bastion machine-based system architecture in an embodiment of the invention;
FIG. 2 is a flowchart of an embodiment of the present invention for implementing web single sign-on;
FIG. 3 is a schematic diagram illustrating signaling interaction in a web single sign-on process according to an embodiment of the present invention;
FIG. 4 is a flowchart illustrating a single sign-on process under specific application scenarios in an embodiment of the present invention;
fig. 5 is a schematic structural diagram of an apparatus for implementing web single sign-on in an embodiment of the present invention.
Detailed Description
The method aims to solve the problems of the prior art that the single sign-on mode is complex to implement and narrow in application range. In the embodiment of the invention, when the bastion machine receives a target web server access request sent by the client, it forwards that request directly to the target web server according to the cross-domain access cookie information; it adds the user information for logging in to the target web server into the response data packet generated by the target web server and then sends the response data packet to the client; and the client loads the response data packet with the added user information and logs in to the target web server in single sign-on mode. The technical scheme of the invention is that the proxy server of the client is preset to be the bastion machine, and the bastion machine sets cross-domain access cookie information for the client; when the client needs to perform single sign-on, it sends the cross-domain access cookie information directly to the bastion machine, and the client can realize single sign-on solely according to the response data packet containing user information that the bastion machine sends. No special login system needs to be installed on the client, which effectively reduces the complexity of the single sign-on process. In addition, because the client realizes single sign-on only through the cross-domain access cookie information and the response data packet, the client's browser is not restricted at all: the method can be applied to any browser capable of parsing the cross-domain access cookie information and the response data packet, and its applicability is therefore high.
Referring to fig. 1, a schematic diagram of a bastion machine-based system architecture in an embodiment of the present invention is shown. The bastion machine-based system includes a client, a bastion machine and a destination web server. The client presents an operation interface to the user and sends a target web server login request to the bastion machine. The bastion machine forwards data packets from the client to the target web server and data packets from the target web server to the client; it contains a management interface for the target web servers, through which the server information of each target web server can be set so as to manage each target web server. The server information comprises the correspondence between a server identifier and its accessible domain names, and the login interface corresponding to each target web server, where the login interface is the main page of the target web server. The destination web server responds to the requests sent by the client, and one destination web server corresponds to one or more accessible domain names; for example, the accessible domain names corresponding to the Baidu servers include www.baidu.com and s1.bdstatic.com.
The embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
Referring to fig. 2, in the embodiment of the present invention, a process of implementing single sign-on includes:
Step 200: the bastion machine receives a destination web server access request sent by the client.
In the embodiment of the invention, the proxy server in the client's browser is set to the bastion machine: in the browser's proxy server option, the proxy address is set to the IP address of the bastion machine and the proxy port is set to the port on which the web proxy in the bastion machine listens. When the client runs the browser application, it therefore connects to the bastion machine through that IP address and port and exchanges information with the bastion machine.
The administrator logs in to the management interface of the target web server and pre-configures, in that interface, each target web server identifier under the jurisdiction of the bastion machine together with its corresponding accessible domain names. Optionally, each configured destination web server identifier and its accessible domain names are stored in a database of the bastion machine, and an accessible domain name mapping table may be stored there, containing all destination web server identifiers governed by the bastion machine and at least one accessible domain name for each identifier. Either all accessible domain names of a destination web server or only some of them may be stored in the database. In addition, a login interface must be pre-configured in the management interface for each target web server governed by the bastion machine: for each target web server, the configured login interface information comprises the user name tag, the password tag, the main account information, the slave account information and the path information of the login interface, where the slave account information is the user name and password with which the client logs in to that target web server.
Further, after the information in the management interface of the target web server has been configured, the bastion machine performs the cross-domain access setting, which proceeds as follows. The client generates an accessible domain request and sends it to the bastion machine to ask which accessible domain names exist. When the bastion machine receives the accessible domain request, it obtains a cookie information character string from the URL (Uniform Resource Locator) carried in that request. The bastion machine obtains at least one accessible domain name corresponding to the target web server from its database, generates a designated tag for each accessible domain name according to the cookie information character string, generates a response message containing all the designated tags, sends the response message to the client, and instructs the client to generate a cross-domain access setting request for each accessible domain name according to the designated tags contained in the response message. When the bastion machine receives a cross-domain access setting request from the client, it performs the cross-domain access setting and generates the cross-domain access cookie information. The bastion machine then sends the cross-domain access cookie information to the client and instructs the client to generate a target web server access request according to it.
Specifically, the bastion machine obtains the corresponding cookie information according to the cookie information character string and uses that cookie information as the cross-domain access cookie information. The cookie information contains the destination web server identifier and the user information; the user information comprises the primary account information and the secondary account information, where the primary account information is the user name and password for logging in to the bastion machine.
In an actual application scenario, the designated tag is an iframe tag, and loading the iframe tag triggers the client to set, in response, the accessible domain name information that is to be accessed. The cookie information can be sent to the bastion machine in the following form:
http://SASH_IP:proxy_port/?NSSF_PASS&cookie
where SASH_IP represents the IP address of the bastion machine; proxy_port represents the port of the bastion machine; NSSF_PASS is the cross-domain configuration request flag; and cookie represents the cookie information to be set, which comprises the destination web server identifier, the primary account information and the secondary account information. For example, the above request may be expressed as:
http://10.245.34.132:50010/?NSSF_PASS&8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF
the response message generated by the bastion machine containing the specified tag can be implemented by the following code:
<iframe src="http://XXX/?cookie&NSSF_BBPAAM&accessible_domain_name">
The specified tag is an iframe tag, and this embodiment only gives the code for one specific field of the iframe tag, namely the src field. http://XXX/ represents the host (associated with the accessible domain name) for which the cross-domain cookie request needs to be set; cookie represents the cookie information to be set, which comprises the destination web server identifier, the primary account information and the secondary account information; accessible_domain_name represents one of the accessible domain names corresponding to the destination web server; and NSSF_BBPAAM is the flag marking the iframe tag's request as a cross-domain cookie setting request. For example, the response message containing the specified tag may take the form:
<iframe src="http://www.baidu.com/?8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF&NSSF_BBPAAM&www.baidu.com">
As another example, the response message containing the specified tag may take the form:
<iframe src="http://s1.bdstatic.com/?8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF&NSSF_BBPAAM&s1.bdstatic.com">
Optionally, when the destination web server corresponds to a plurality of accessible domain names, the response message that the bastion machine sends to the client comprises a plurality of iframe tags, each containing one accessible domain name.
The client generates the cross-domain access setting request according to the response message sent by the bastion machine; the cross-domain access setting request can adopt the following format:
http://XXX/?cookie&NSSF_BBPAAM&accessible_domain_name
where http://XXX/ represents the host for which cross-domain access needs to be set; cookie represents the cookie information to be set, which comprises the destination web server identifier, the primary account information and the secondary account information; accessible_domain_name represents an accessible domain name corresponding to the destination web server; and NSSF_BBPAAM is the flag marking the iframe tag's request as a cross-domain cookie setting request. For example, the cross-domain access setting request may take the form:
http://www.baidu.com/?8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF&NSSF_BBPAAM&www.baidu.com
As another example, the cross-domain access setting request may take the form:
http://www.bdstatic.com/?8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF&NSSF_BBPAAM&s1.bdstatic.com
In the embodiment of the invention, when the response message sent by the bastion machine contains a single accessible domain name, the client sends one cross-domain access setting request to the bastion machine for that domain name; when it contains several accessible domain names, the client generates one cross-domain access setting request per accessible domain name and sends them all to the bastion machine.
Based on each cross-domain access setting request, the bastion machine performs the cross-domain access setting locally and generates the cross-domain access cookie information. The bastion machine can perform the cross-domain access setting locally with the following response:
HTTP/1.1 200 OK\r\n
…\r\n
set-cookie: NSSF_BBPA_<destination host identifier>=<cookie information>; path=/; domain=<accessible domain name>\r\n
…\r\n
Through the set-cookie field, the cross-domain cookie information is set for each accessible domain name. For example, for the two accessible domains corresponding to Baidu, the cross-domain access setting can be represented in the following form:
for the first accessible domain name:
HTTP/1.1 200 OK\r\n
…\r\n
set-cookie: NSSF_BBPA_baidu=8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF; path=/; domain=www.baidu.com\r\n
…\r\n
for the second accessible domain name:
HTTP/1.1 200 OK\r\n
…\r\n
set-cookie: NSSF_BBPA_baidu=8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF; path=/; domain=s1.bdstatic.com\r\n
…\r\n
The cross-domain access cookie information sent by the bastion machine to the client can be represented in the following forms:
GET / HTTP/1.1\r\n
Host: www.baidu.com\r\n
Cookie: NSSF_BBPA_baidu=8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF\r\n
or
GET / HTTP/1.1\r\n
Host: s1.bdstatic.com\r\n
Cookie: NSSF_BBPA_baidu=8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF\r\n
where the line "Cookie: NSSF_BBPA_baidu=8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF\r\n" in each of the two requests is the cross-domain access cookie information.
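The cross-domain cookie setup described above (accessible domain request, iframe response, cross-domain access setting request, set-cookie response), as an added example that is not the patent's own code. The function names, the `SERVER_INFO` table standing in for the bastion's database, and the rejection of domains that are not configured for any governed server are assumptions made here.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the bastion's accessible domain name mapping table
# (destination web server identifier -> accessible domain names).
SERVER_INFO = {
    "baidu": ["www.baidu.com", "s1.bdstatic.com"],
}

PASS_FLAG = "NSSF_PASS"       # accessible domain request flag (from the patent)
BBPAAM_FLAG = "NSSF_BBPAAM"   # cross-domain cookie setting flag (from the patent)
COOKIE_PREFIX = "NSSF_BBPA_"  # cookie name prefix (from the patent)


def parse_accessible_domain_request(url):
    """Return the cookie information string carried in an accessible domain
    request of the form http://SASH_IP:proxy_port/?NSSF_PASS&cookie."""
    parts = urlsplit(url).query.split("&")
    if len(parts) != 2 or parts[0] != PASS_FLAG or not parts[1]:
        raise ValueError("not an accessible domain request")
    return parts[1]


def build_iframe_response(cookie, server_id):
    """Build the response message: one iframe tag per accessible domain name,
    each pointing at http://<domain>/?cookie&NSSF_BBPAAM&<domain>."""
    tags = []
    for domain in SERVER_INFO[server_id]:
        tags.append(
            f'<iframe src="http://{domain}/?{cookie}&{BBPAAM_FLAG}&{domain}">'
            "</iframe>"
        )
    return "\n".join(tags)


def parse_cross_domain_setting_request(url):
    """Parse the request the browser makes when it loads an iframe tag and
    return (cookie, accessible_domain)."""
    parts = urlsplit(url).query.split("&")
    if len(parts) != 3 or parts[1] != BBPAAM_FLAG or not parts[0] or not parts[2]:
        raise ValueError("not a cross-domain access setting request")
    return parts[0], parts[2]


def find_server_for_domain(domain):
    """Look up which governed destination web server owns an accessible domain."""
    for server_id, domains in SERVER_INFO.items():
        if domain in domains:
            return server_id
    return None


def build_set_cookie_response(cookie, domain):
    """Perform the cross-domain access setting: answer the iframe request with
    a set-cookie header scoped to the accessible domain.  Assumed check (not in
    the patent): a domain that is not configured for any governed server is
    refused, so the proxy only ever sets cookies for domains it manages."""
    server_id = find_server_for_domain(domain)
    if server_id is None:
        return "HTTP/1.1 403 Forbidden\r\n\r\n"
    return (
        "HTTP/1.1 200 OK\r\n"
        f"set-cookie: {COOKIE_PREFIX}{server_id}={cookie}; path=/; domain={domain}\r\n"
        "\r\n"
    )


def handle_cross_domain_setting_request(url):
    """Bastion-side handling of one iframe request end to end."""
    cookie, domain = parse_cross_domain_setting_request(url)
    return build_set_cookie_response(cookie, domain)


if __name__ == "__main__":
    cookie = parse_accessible_domain_request(
        "http://10.245.34.132:50010/?NSSF_PASS&8348ED79FE93B25120AF1BE73146B28B117E078E1A4CADCF"
    )
    print(build_iframe_response(cookie, "baidu"))
    print(handle_cross_domain_setting_request(
        f"http://s1.bdstatic.com/?{cookie}&NSSF_BBPAAM&s1.bdstatic.com"
    ))
```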
Further, the client stores the corresponding relation between the cross-domain access cookie information and the accessible domain name in the client, and when the client receives the indication that the user needs to access the target web server, the cookie information stored in the client is added to the access request of the target web server and sent to the bastion machine.
Step 210: the bastion machine forwards the target web server access request to the target web server according to the cross-domain access cookie information and informs the target web server to generate a response data packet according to that access request.
In the embodiment of the invention, after the cross-domain access cookie information has been set, the client sends a target web server access request containing the cross-domain access cookie information to the bastion machine, and the bastion machine verifies the identity of the client according to the main account information contained in the cross-domain access cookie information. When the client passes identity authentication, the bastion machine queries its database for the path information of the login interface of the target web server, using the target web server identifier and the login interface path information carried in the target web server access request. When the login interface path information carried in the access request is the same as the queried path information, the bastion machine determines that the carried path information is correct. The result of this judgment can be recorded in a judgment field: for example, when the login interface path information is correct the judgment field is set to single_login=1, and when it differs the judgment field is set to single_login=0; the correspondence between the judgment field and the login request is cached in the bastion machine. The bastion machine forwards the target web server access request to the target web server regardless of whether the carried login interface path information is correct.
Further, the response data packet generated by the destination web server is a code in an HTML (HyperText Mark-up language) format.
Step 220: and when the bastion machine determines that the path information of the login interface of the target web server carried in the target web server access request is correct, adding user information corresponding to the client and logging in the target web server into the response data packet.
In the embodiment of the invention, the bastion machine judges whether the login interface path information of the target web server is correct or not according to the judging field of the local cache; and when the bastion machine determines that the login interface path information of the target web server is correct, adding user information corresponding to the client for logging in the target web server into the login interface information according to the login interface information contained in the response data packet.
Optionally, the process of adding the user information corresponding to the client in the login interface information may be implemented by js (javascript) code.
Step 230: and the bastion machine sends the response data packet added with the user information to the client, and instructs the client to log in the target web server according to the response data packet added with the user information in a single point mode.
In the embodiment of the invention, after the client receives the response data packet added with the user information, the HTML code and the JS code contained in the response data packet are operated, the JS code can automatically add a user name in an input frame corresponding to a user name tag in a generated login interface of the target web server, and automatically add a password in an input frame corresponding to a password tag, and the operation of clicking a login button is simulated, namely, the user only needs to input main account information in the fortress machine to log in the fortress machine, when the user needs to visit the target web server governed by the fortress machine, the JS code simulates to log in the target web server governed by the fortress machine and other web servers, so that the user can log in the target web server in a single point mode.
The JS code is automatically generated by the bastion machine according to the server information in the management interface of the target web server, and the JS code can be referred to as the following form:
the user name _ tag, password _ tag and logic _ button respectively represent the attributes of a user name, a password and a login button label; the username _ value and password _ value respectively represent values of a user name and a password logged in to the target server.
Further, when the path information of the target web server login interface carried in the target web server access request is different from the path information of the target web server login interface obtained through query, the bastion machine sends the response data packet to the client.
Based on the above technical solution, referring to fig. 3, a schematic diagram of signaling interaction between the client and the bastion machine in the process of setting the cross-domain access in the embodiment of the present invention is shown. The client sends an accessible domain request to the bastion machine, wherein the accessible domain request comprises a cookie information character string; the bastion machine generates a response message containing a specified label according to the cookie information character string and sends the response message to the client; the client generates a cross-domain access setting request according to the response message containing the specified label and sends the cross-domain access setting request to the bastion machine; the bastion machine generates cross-domain access cookie information according to the cross-domain access setting request and sends the cross-domain access cookie information to the client; the client generates a target web server login request according to the cross-domain access cookie information; and the bastion machine processes the response data packet sent by the target web server and then sends the response data packet to the client.
With the technical scheme of the invention, the bastion machine inserts the JS code into the response data packet sent by the target web server according to the cross-domain access cookie information; the JS code is executed after the browser loads the login page of the target web server, replaces and fills in the user name and password and submits the form, so the client can achieve single sign-on through any browser. The system does not need to be rebuilt: because the login system corresponding to the bastion machine is independent of the specific content of the target web server, adding or deleting a target web server requires no modification of any object on any target web server under the control of the bastion machine, which effectively reduces the difficulty of system reconstruction.
Based on the above technical solution, referring to fig. 4, the following describes the single sign-on process in detail in conjunction with a specific application scenario:
Step 400: The client sends a target web server access request to the bastion machine.
Step 401: The bastion machine receives the target web server access request, parses it and acquires the cookie information it contains.
Step 402: The bastion machine judges, according to the cookie information, whether the login path is correct; if so, step 403 is executed, otherwise step 404 is executed.
Step 403: The bastion machine sets the judgment field single_logic to 1.
Step 404: The bastion machine sets the judgment field single_logic to 0.
Step 405: The bastion machine sends the target web server access request to the corresponding target web server.
Step 406: The target web server generates a response data packet according to the target web server access request.
Step 407: The bastion machine receives the response data packet sent by the target web server.
Step 408: The bastion machine judges whether single_logic is 1; if so, step 409 is executed, otherwise step 410 is executed.
Step 409: The bastion machine adds JS code containing the user information to the response data packet and sends the response data packet with the added JS code to the client.
Step 410: The bastion machine sends the response data packet to the client.
Step 411: The client generates the corresponding interface according to the response data packet.
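The decision flow of fig. 4 (steps 400 to 411) as an added JavaScript example, written for this page and not the patent's code: the bastion machine reads the target web server identifier and account fields from the cross-domain access cookie, looks the target up in its database, sets single_logic by comparing the requested path with the recorded login interface path, forwards the request, and adds the script only when single_logic is 1. The name single_logic follows the text; the cookie field names (target_id, primary_account, secondary_account), the in-memory database, the request and response shapes, and the upstream and renderScript callbacks that stand in for the target web server and for whatever produces the autofill script are all assumptions.

```javascript
// Added example, not the patent's code. The field name single_logic and the
// step numbers follow fig. 4; everything else is assumed for illustration.

// Constructed stand-in for the bastion machine's database of server
// information: identifier -> accessible domain, login interface path and
// the per-account credentials held for that target.
const sampleDb = {
  'srv-42': {
    domain: 'app.internal.example',
    loginPath: '/login',
    accounts: {
      alice: { username_value: 'alice', password_value: 'S3cret!' },
    },
  },
};

// Step 401: parse the Cookie header of the access request into a map.
function parseCookie(header) {
  const fields = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    fields[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return fields;
}

// Steps 402-404: single_logic is 1 only when the target is known and the
// requested path equals the recorded login interface path. The query string
// is ignored; an unknown target or any other path yields 0, so credentials
// are never added to a page the database record does not describe.
function judgeSingleLogic(request, db) {
  const cookie = parseCookie(request.headers.cookie);
  const server = db[cookie.target_id];
  if (!server) return 0;
  const path = new URL(request.url, 'http://' + server.domain).pathname;
  return path === server.loginPath ? 1 : 0;
}

// Step 409: place the script just before </body>, or at the end of the
// response if it has no closing body tag.
function addScript(body, script) {
  const at = body.search(/<\/body>/i);
  return at >= 0 ? body.slice(0, at) + script + body.slice(at) : body + script;
}

// Steps 400-411 end to end. `upstream(request)` stands in for forwarding to
// the target web server (steps 405-407) and returns its response body;
// `renderScript(userInfo)` produces the <script> string to add.
function handleAccessRequest(request, db, upstream, renderScript) {
  const singleLogic = judgeSingleLogic(request, db);   // steps 402-404
  const body = upstream(request);                      // steps 405-407
  if (singleLogic !== 1) {
    return { single_logic: 0, body };                   // step 410: pass through
  }
  const cookie = parseCookie(request.headers.cookie);
  const userInfo = db[cookie.target_id].accounts[cookie.secondary_account];
  if (!userInfo) {
    return { single_logic: 1, body };                   // no credential on record: pass through
  }
  return { single_logic: 1, body: addScript(body, renderScript(userInfo)) }; // step 409
}

// Constructed sample request, target response and script renderer.
const sampleRequest = {
  url: '/login?next=%2Fhome',
  headers: { cookie: 'target_id=srv-42; primary_account=ops; secondary_account=alice' },
};
const sampleUpstream = () => '<html><body><form></form></body></html>';
const sampleRenderScript = (u) => '<script>/* autofill for ' + u.username_value + ' */</script>';

console.log(handleAccessRequest(sampleRequest, sampleDb, sampleUpstream, sampleRenderScript));
```

The path comparison is the only gate between the stored credentials and the page returned to the browser, which is why it compares the normalised pathname against the database record rather than trusting anything in the cookie beyond the identifiers used for the lookup.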
Based on the above technical solution, referring to fig. 5, an embodiment of the present invention provides an apparatus for implementing web single sign-on, which is applied to a bastion machine-based system architecture, where the bastion machine-based system includes a client and a destination web server, the apparatus includes a receiving unit 50, a sending unit 51, and an adding unit 52, where:
a receiving unit 50, configured to receive a destination web server access request sent by a client; the target web server access request carries cross-domain access cookie information and a target web server identifier, and the cross-domain access cookie information is generated according to server information of the target web server preset in a management interface of the target web server; the client is a client that uses the local machine (the bastion machine) as its proxy server;
a sending unit 51, configured to forward the destination web server access request to a destination web server according to the cross-domain access cookie information, and notify the destination web server to generate a response data packet according to the destination web server access request;
an adding unit 52, configured to add, to the response data packet, the user information with which the client logs in to the destination web server, when it is determined that the path information of the login interface of the destination web server carried in the destination web server access request is correct;
the sending unit 51 is further configured to send the response packet with the added user information to the client, and instruct the client to log in to the destination web server according to the response packet with the added user information in a single point.
Further, the apparatus further includes a cross-domain access cookie information generating unit 53, configured to: when an accessible domain request sent by a client is received, acquiring a cookie information character string contained in a URL according to the URL request carried in the accessible domain request; acquiring at least one accessible domain name corresponding to the target web server identification from a database according to the target web server identification; the database stores server information of the target web server preset in a management interface of the target web server, wherein the server information comprises a corresponding relation between a server identifier and an accessible domain name and a server login interface; respectively generating a designated label corresponding to each accessible domain name based on the cookie information character string; generating a response message containing all designated labels according to the designated labels corresponding to the accessible domain names, sending the response message to the client, and indicating the client to generate a cross-domain access setting request corresponding to the corresponding accessible domain names according to the designated labels; and when a cross-domain access setting request sent by the client is received, performing cross-domain access setting according to the cookie information character string, and generating cross-domain access cookie information.
Optionally, the cross-domain access cookie information generating unit 53 is specifically configured to: acquiring corresponding cookie information according to the cookie information character string, and taking the cookie information as cross-domain access cookie information; the cookie information comprises an identification of a destination web server, primary account information and secondary account information.
Further, the apparatus further comprises a determining unit 54 configured to: acquiring login interface path information of a target web server and a target web server identifier carried in the target web server access request; according to the target web server identification, inquiring path information of a login interface of the target web server in a database; and when the path information of the target web server login interface carried in the target web server access request is the same as the queried path information of the target web server login interface, determining that the path information of the target web server login interface carried in the target web server access request is correct.
Optionally, the sending unit 51 is further configured to: when the target web server login interface path information carried in the target web server access request differs from the queried target web server login interface path information, send the response data packet to the client.
In conclusion, the bastion machine receives a target web server access request sent by the client; the bastion machine forwards the target web server access request to the target web server according to the cross-domain access cookie information, and informs the target web server to generate a response data packet according to the target web server access request; when the bastion machine determines that the path information of the login interface of the target web server carried in the target web server access request is correct, it adds the user information with which the client logs in to the target web server into the response data packet; and the bastion machine sends the response data packet with the added user information to the client, and instructs the client to log in to the target web server in single sign-on fashion according to that response data packet. In the technical scheme of the invention, the client's proxy server is preset to be the bastion machine, and cross-domain access cookie information is set for the client through the bastion machine. When the client needs to perform single sign-on, it sends the cross-domain access cookie information directly to the bastion machine and achieves single sign-on solely from the response data packet containing the user information returned by the bastion machine; no special sign-on system needs to be installed on the client, which effectively reduces the complexity of the single sign-on process. In addition, since the client needs only the cross-domain access cookie information and the response data packet to achieve single sign-on, the client's browser is not restricted in any way: the method applies to any browser that can parse cookie information and response data packets, so its applicability is high.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made in the embodiments of the present invention without departing from the spirit or scope of the embodiments of the invention. Thus, if such modifications and variations of the embodiments of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to encompass such modifications and variations.

Claims (10)

1. A method for realizing web single sign-on is applied to a bastion machine-based system architecture, and is characterized in that the bastion machine-based system comprises a client, a target web server and a bastion machine with a proxy service function, and the method comprises the following steps:
the bastion machine receives a target web server access request sent by a client; the target web server access request carries cross-domain access cookie information, the cross-domain access cookie information is generated by the bastion machine according to server information of the target web server preset in a management interface of the local target web server and is sent to the client, and the client is instructed to generate the target web server access request according to the cross-domain access cookie information; the client is the client which takes the bastion machine as a proxy server;
the bastion machine forwards the target web server access request to a target web server according to the cross-domain access cookie information, and informs the target web server to generate a response data packet according to the target web server access request;
when the bastion machine determines that the path information of the login interface of the destination web server carried in the access request of the destination web server is correct, adding the user information of the client for logging in the destination web server into the response data packet;
the bastion machine sends the response data packet with the added user information to the client, and instructs the client to log in to the target web server in single sign-on fashion according to the response data packet with the added user information.
2. The method of claim 1, wherein the bastion machine generates a method of cross-domain access cookie information according to the server information of the destination web server preset in a management interface of a local destination web server, comprising:
the bastion machine receives an accessible domain request sent by a client, and acquires a cookie information character string contained in the URL according to a Uniform Resource Locator (URL) carried in the accessible domain request;
the bastion machine acquires at least one accessible domain name corresponding to a target web server identifier from a database of the bastion machine according to the target web server identifier; the database stores server information of the target web server preset in a management interface of the target web server, wherein the server information comprises a corresponding relation between a target web server identifier and an accessible domain name and a server login interface;
respectively generating a designated label corresponding to each accessible domain name based on the cookie information character string; and
generating a response message containing all designated labels according to the designated labels corresponding to the accessible domain names, and sending the response message to the client, and instructing the client to generate a cross-domain access setting request corresponding to the corresponding accessible domain names according to the designated labels;
and when the bastion machine receives a cross-domain access setting request sent by the client, cross-domain access setting is carried out according to the cookie information character string, and cross-domain access cookie information is generated.
3. The method as claimed in claim 2, wherein the bastion machine performs cross-domain access setting according to the cookie information string and generates cross-domain access cookie information, and specifically comprises:
the bastion machine acquires corresponding cookie information according to the cookie information character string, and takes the cookie information as cross-domain access cookie information; the cookie information comprises an identification of a destination web server, primary account information and secondary account information.
4. A method according to any one of claims 1 to 3, wherein the method for the bastion machine to determine whether the path information of the login interface of the destination web server carried in the destination web server access request is correct comprises the following steps:
the bastion machine acquires login interface path information of a target web server and a target web server identifier carried in the target web server access request;
the bastion machine inquires path information of a login interface of the target web server in a database according to the target web server identification;
and when the path information of the target web server login interface carried in the target web server access request is the same as the queried path information of the target web server login interface, the bastion machine determines that the path information of the target web server login interface carried in the target web server access request is correct.
5. The method of claim 4, wherein when the path information of the destination web server login interface carried in the destination web server access request is different from the queried path information of the destination web server login interface, the method further comprises:
the bastion machine sends the response data packet to the client.
6. A device for realizing web single sign-on, applied to a bastion machine-based system architecture, characterized in that the bastion machine-based system comprises a client and a destination web server, and the device comprises:
the receiving unit is used for receiving a target web server access request sent by a client; the target web server access request carries cross-domain access cookie information and a target web server identifier, the cross-domain access cookie information is generated according to server information of a target web server preset in a management interface of the target web server and is sent to the client, and the client is instructed to generate the target web server access request according to the cross-domain access cookie information; the client is a client which takes the local as a proxy server;
a sending unit, configured to forward the destination web server access request to a destination web server according to the cross-domain access cookie information, and notify the destination web server to generate a response data packet according to the destination web server access request;
the adding unit is used for adding the user information of the target web server logged by the client in the response data packet when the path information of the login interface of the target web server carried in the target web server access request is determined to be correct;
the sending unit is further configured to send the response data packet with the added user information to the client and to instruct the client to log in to the target web server in single sign-on fashion according to the response data packet with the added user information.
7. The apparatus of claim 6, further comprising a cross-domain access cookie information generating unit to:
receiving an accessible domain request sent by a client, and acquiring a cookie information character string contained in a Uniform Resource Locator (URL) according to the URL carried in the accessible domain request; acquiring at least one accessible domain name corresponding to the target web server identification from a database according to the target web server identification; the database stores server information of the target web server preset in a management interface of the target web server, wherein the server information comprises a corresponding relation between a target web server identifier and an accessible domain name and a server login interface; respectively generating a designated label corresponding to each accessible domain name based on the cookie information character string; generating a response message containing all designated labels according to the designated labels corresponding to the accessible domain names, sending the response message to the client, and indicating the client to generate a cross-domain access setting request corresponding to the corresponding accessible domain names according to the designated labels; and when a cross-domain access setting request sent by the client is received, performing cross-domain access setting according to the cookie information character string, and generating cross-domain access cookie information.
8. The apparatus as claimed in claim 7, wherein the cross-domain access cookie information generating unit is specifically configured to:
acquiring corresponding cookie information according to the cookie information character string, and taking the cookie information as cross-domain access cookie information; the cookie information comprises an identification of a destination web server, primary account information and secondary account information.
9. The apparatus according to any of claims 6-8, further comprising a determining unit for:
acquiring login interface path information of a target web server and a target web server identifier carried in the target web server access request; according to the target web server identification, inquiring path information of a login interface of the target web server in a database; and when the path information of the target web server login interface carried in the target web server access request is the same as the queried path information of the target web server login interface, determining that the path information of the target web server login interface carried in the target web server access request is correct.
10. The apparatus of claim 9, wherein the sending unit is further configured to:
when the target web server login interface path information carried in the target web server access request differs from the queried target web server login interface path information, send the response data packet to the client.
CN201410855128.6A 2014-12-31 2014-12-31 A kind of method and device for realizing web single-sign-ons Active CN104618449B (en)


Publications (2)

Publication Number Publication Date
CN104618449A CN104618449A (en) 2015-05-13
CN104618449B true CN104618449B (en) 2018-02-16

Family

ID=53152724






Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
CP01 Change in the name or title of a patent holder
CP01 Change in the name or title of a patent holder

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee after: NSFOCUS Technologies Group Co.,Ltd.

Patentee after: NSFOCUS TECHNOLOGIES Inc.

Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building

Patentee before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.

Patentee before: NSFOCUS TECHNOLOGIES Inc.