CN105282111A - Cloud unified authentication method and system - Google Patents


Info

Publication number
CN105282111A
Authority
CN (China)
Prior art keywords
token, certification, authentication center, request, authentication
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2014-07-14
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410334488.1A
Other languages
Chinese (zh)
Inventor
魏晓刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Bizenit Information Technology Co Ltd
Original Assignee
Shanghai Bizenit Information Technology Co Ltd
Filing date
2014-07-14
Publication date
2016-01-27
Application filed by Shanghai Bizenit Information Technology Co Ltd
Priority to CN201410334488.1A
Publication of CN105282111A
Legal status: Pending

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention discloses a cloud unified authentication method. The method comprises the following steps: establishing authentication center nodes; determining whether a user's application access request carries a Token; requesting a Token from the nearest node if the request has no Token; the authentication center approving the Token request and adding a node mark to the returned Token; if the request has a Token, initiating a Token verification request to the nearest node; performing Token verification at the authentication center of the source node that issued the Token; and determining whether the user is allowed to access the application according to the verification result. The invention also discloses a cloud unified authentication system comprising a client, an authentication center and an application end. With this method and system, cloud unified authentication is achieved across multiple nodes, and the failure of a single node does not cause a system-wide outage.

Description

Cloud unified authentication method and system
Technical field
The present invention relates to the field of information security technology, and in particular to a cloud unified authentication method and system.
Background technology
As Internet applications become more and more widespread, information security becomes more and more important. In the current identity management field, access security control is a core area, and single sign-on is the most common login mode in access security control. Existing single sign-on application systems have the following problems: the system relies entirely on an Agent acting as interceptor, and the Agent is the access performance bottleneck on the client side; the system is aimed at end users and cannot be used by application servers; the IDP in the system, that is the authentication point, is usually located at a single physical location, so access is concentrated there and the user experience differs greatly with geographical and network position; and the system is deployed centrally, so even with disaster recovery it cannot achieve active-active operation.
Summary of the invention
In view of the above shortcomings in the current field of information security technology, the present invention provides a cloud unified authentication method and system in which the authentication center performs cloud authentication at the nearest node, achieving unified multi-node cloud authentication.
To achieve the above object, embodiments of the invention adopt the following technical scheme:
A cloud unified authentication method, comprising the following steps:
establishing authentication center nodes;
judging whether a user's application access request carries a Token;
if there is no Token, requesting a Token from the authentication center of the nearest node;
the authentication center approving the Token request and adding a node mark to the returned Token;
if there is a Token, initiating a Token verification request to the authentication center of the nearest node;
performing Token verification by the authentication center of the source node that issued the Token;
determining whether the user is allowed to access the application according to the verification result.
According to one aspect of the present invention, establishing authentication center nodes comprises the following step: establishing multiple authentication center nodes, each composed of an authentication routing module and an access control module.
According to one aspect of the present invention, the step of requesting a Token from the authentication center of the nearest node when there is no Token may specifically be: the client that sends the application access request requests a Token from the authentication routing module of the nearest authentication center, and the authentication routing module, through the inner-layer Jar package of the access control module, requests the Token on behalf of the requester.
According to one aspect of the present invention, when the client sending the application access request requests a Token from the authentication routing module, the user's username and password must be transmitted.
According to one aspect of the present invention, the step in which the authentication center approves the Token request and adds a node mark to the returned Token may specifically be: the access control module authenticates the Token request; after authentication passes, the Token is passed to the authentication routing module, which adds the node mark and returns it.
According to one aspect of the present invention, the step of initiating a Token verification request to the authentication center of the nearest node when there is a Token is specifically: the accessed application initiates the Token verification request to the authentication routing module of its nearest node.
According to one aspect of the present invention, the step of performing Token verification by the authentication center of the source node that issued the Token comprises the following steps: the authentication routing module determines the source node from the node mark of the Token, then removes the node mark, and then forwards the Token to the access control module of the authentication center of the source node that issued it for verification.
According to one aspect of the present invention, the cloud unified authentication method further comprises the following step: using an LDAP server to store all authentication credential information.
According to one aspect of the present invention, the step of determining whether the user is allowed to access the application according to the verification result comprises the following steps: the authentication center returns the verification result to the application the user is to access; the application judges from the result whether the Token is valid; if the Token is valid, the user is allowed access and the authentication center also sends the validity period of the Token to the accessed application.
A cloud unified authentication system, comprising:
a client, for judging whether a user's application access request carries a Token, sending Token requests, sending Token verification requests and sending application access requests;
authentication center nodes, each comprising an authentication routing module and an access control module, for providing Tokens and verifying Tokens;
an application end, for being accessed by the user.
Advantages of the invention: the cloud unified authentication method establishes authentication center nodes composed of an authentication routing module and an access control module; the client judges whether the user's application access request carries a Token; if there is no Token, the client requests a Token from the authentication center of the nearest node, which approves the request and adds a node mark to the Token returned to the client; if there is a Token, the accessed application initiates a Token verification request to the authentication center of the nearest node, whose authentication routing module forwards the Token to the access control module of the source node that issued it for verification; the authentication center returns the verification result to the accessed application, which decides from the result whether to allow client access. This achieves cloud unified authentication: when a client applies for a Token anywhere, it only needs to apply at the nearest node and need not care where the authentication center is located; when an accessed application verifies a Token, it only needs to verify with the nearest authentication center and need not know where the Token was actually issued; and all authentication center nodes are active, so the downtime of any one authentication center, for whatever reason, does not affect any user.
Brief description of the drawings
To explain the technical scheme of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly described below. Obviously, the drawings described below show only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of embodiment one of the cloud unified authentication method of the present invention;
Fig. 2 is a structural diagram of the cloud unified authentication system of the present invention;
Fig. 3 is a schematic diagram of embodiment two of the cloud unified authentication method of the present invention.
Embodiments
The technical scheme of the embodiments of the present invention is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those of ordinary skill in the art, based on the embodiments of the present invention and without creative effort, fall within the scope of protection of the present invention.
Cloud unified authentication method, embodiment one
As shown in Fig. 1, a cloud unified authentication method comprises the following steps:
Step S1: establishing authentication center nodes;
In a specific implementation of step S1, several authentication center nodes are established, each composed of an authentication routing module and an access control module, and the authentication center nodes are connected to the client and to the application end over the Internet. Because several authentication center nodes are built and all of them are in an active state, a problem at any one node never paralyses the whole system, so no user's use is affected.
Step S2: judging whether the user's application access request carries a Token;
An implementation of step S2 may be: when the user initiates an application access request through the client, the client judges from the user's username and password whether the user has a Token. If there is no Token, step S3 is performed; if there is a Token, step S5 is performed.
Step S3: if there is no Token, requesting a Token from the authentication center of the nearest node;
An implementation of step S3 may be: the client requests a Token from the authentication routing module of the nearest authentication center, and the authentication routing module, through the inner-layer Jar package of the access control module, requests the Token on behalf of the requesting client; the client must transmit the user's username and password to the authentication routing module to apply for the Token.
Step S4: the authentication center approves the Token request and adds a node mark to the returned Token;
After step S3 has been executed, step S4 is performed. An implementation may be: the access control module authenticates the Token request; after authentication passes, the Token is passed to the authentication routing module, which adds the node mark and then returns the Token to the client.
Step S5: if there is a Token, initiating a Token verification request to the authentication center of the nearest node;
An implementation of step S5 may be: the accessed application initiates a Token verification request to the authentication routing module of its nearest node, and step S6 is then performed.
Step S6: performing Token verification by the authentication center of the source node that issued the Token;
An implementation of step S6 may be: the authentication routing module determines the issuing source node from the node mark of the Token, then forwards the Token to the access control module of the authentication center of that source node, which performs the Token verification.
After the authentication routing module has determined the issuing source node from the node mark of the Token, the following step is performed: the authentication routing module removes the node mark from the Token.
Step S7: determining whether the user is allowed to access the application according to the verification result;
An implementation of step S7 may be: after the access control module has completed the Token verification, it returns the result to the authentication routing module, which passes it back to the accessed application that initiated the Token verification; the accessed application then decides from the result whether to allow the client's user to access it.
If the verification result is that the Token is valid, that is, the user is allowed access, the access control module of the authentication center also sends the validity period of the Token to the accessed application.
In practice, all authentication credential information is stored in an LDAP server, that is, all Tokens and user data are stored in the LDAP server.
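The Token flow of the summary and of embodiment one (steps S1 to S7), as a runnable model added here; it is not code from the patent or its assignee. Two authentication center nodes each have an access control module that checks credentials against a constructed stand-in for the LDAP store and issues or verifies bare Tokens, and an authentication routing module that adds the node mark on issue and, on verification, reads and strips the mark and forwards the bare Token to the issuing node. The `node_id:token` mark format, the NODES registry, the one-hour validity period and the user store are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed validity period handed to the application

# Constructed stand-in for the LDAP credential store: username -> sha256(password).
# (A real deployment would bind against LDAP or use a salted password hash.)
USER_STORE = {
    "alice": hashlib.sha256(b"correct horse").hexdigest(),
}

NODES = {}  # node_id -> AuthRoutingModule; every node is active at the same time


class AccessControlModule:
    """Authenticates the Token request and verifies Tokens for one node (steps S4 and S6)."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.issued = {}  # bare token -> expiry timestamp

    def authenticate(self, username, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        expected = USER_STORE.get(username, "")
        return hmac.compare_digest(digest, expected)

    def issue_token(self, username, password, now=None):
        """Returns a bare token without node mark, or None if the credentials are wrong."""
        if not self.authenticate(username, password):
            return None
        token = secrets.token_urlsafe(24)  # URL-safe alphabet, never contains ':'
        self.issued[token] = (time.time() if now is None else now) + TOKEN_TTL_SECONDS
        return token

    def verify_token(self, token, now=None):
        """Returns (valid, expiry); the expiry is handed to the application when valid."""
        expiry = self.issued.get(token)
        current = time.time() if now is None else now
        if expiry is None or current >= expiry:
            return False, None
        return True, expiry


class AuthRoutingModule:
    """Front door of a node: adds the node mark on issue, routes verification to the issuer."""

    def __init__(self, node_id):
        if ":" in node_id:
            raise ValueError("node id must not contain the mark separator ':'")
        self.node_id = node_id
        self.acm = AccessControlModule(node_id)
        NODES[node_id] = self

    def request_token(self, username, password):
        # Steps S3/S4: the client asks its nearest node; the access control module
        # authenticates the request and the routing module prefixes its node mark so
        # that any other node can later identify the issuer.
        token = self.acm.issue_token(username, password)
        if token is None:
            return None
        return f"{self.node_id}:{token}"

    def verify_token(self, marked_token, now=None):
        # Step S6: read the node mark, strip it, and forward the bare token to the
        # access control module of the issuing node. A missing or unknown mark is rejected.
        node_id, sep, token = marked_token.partition(":")
        if not sep or node_id not in NODES:
            return False, None
        return NODES[node_id].acm.verify_token(token, now)


def access_application(marked_token, nearest_node, now=None):
    """Steps S5 to S7 from the accessed application's side: verify nearby, allow if valid."""
    valid, expiry = nearest_node.verify_token(marked_token, now)
    return {"allowed": valid, "token_expiry": expiry}


if __name__ == "__main__":
    shanghai = AuthRoutingModule("node-sh")
    beijing = AuthRoutingModule("node-bj")
    tok = shanghai.request_token("alice", "correct horse")  # issued at the nearest node
    print(access_application(tok, beijing))  # verified at another node, checked at the issuer
```

Note that verification always travels back to the node named in the mark, so a Token whose mark points at a node that never issued it, or at no known node, is refused rather than guessed at.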
Cloud unified authentication method, embodiment two
In practice, if the client is a server, a certificate may be used for authentication instead. The authentication center then adds a third-party certificate service center, and the access control module requests certificates from, and performs certificate verification with, that third-party certificate service center. A specific embodiment is as follows:
A cloud unified authentication method comprises the following steps:
Step S21: establishing authentication center nodes;
In a specific implementation of step S21, several authentication center nodes are established, each composed of an authentication routing module, an access control module and a third-party certificate service center, and the authentication center nodes are connected to the client and to the application end over the Internet. Because several authentication center nodes are built and all of them are in an active state, a problem at any one node never paralyses the whole system, so no user's use is affected.
Step S22: judging whether the user's application access request carries a certificate;
An implementation of step S22 may be: when the user initiates an application access request through the client, the client judges from the user's username and password whether the user has a certificate. If there is no certificate, step S23 is performed; if there is a certificate, step S25 is performed.
Step S23: if there is no certificate, requesting a certificate from the authentication center of the nearest node;
An implementation of step S23 may be: the client requests a certificate from the authentication routing module of the nearest authentication center, and the authentication routing module, through the access control module, requests the certificate from the third-party certificate service center on behalf of the requester; the client must transmit the user's username and password to the authentication routing module to apply for the certificate.
Step S24: the authentication center approves the certificate request and adds a node mark to the returned certificate;
After step S23 has been executed, step S24 is performed. An implementation may be: the third-party certificate service center authenticates the certificate request; after authentication passes, the certificate is passed to the access control module, then to the authentication routing module, which adds the node mark and finally returns the certificate to the client.
Step S25: if there is a certificate, initiating a certificate verification request to the authentication center of the nearest node;
An implementation of step S25 may be: the accessed application initiates a certificate verification request to the authentication routing module of its nearest node, and step S26 is then performed.
Step S26: performing certificate verification by the authentication center of the source node that issued the certificate;
An implementation of step S26 may be: the authentication routing module determines the issuing source node from the node mark of the certificate, then forwards the certificate to the access control module of the authentication center of that source node, which performs certificate verification with the third-party certificate service center to obtain the verification result.
After the authentication routing module has determined the issuing source node from the node mark of the certificate, the following step is performed: the authentication routing module removes the node mark from the certificate.
Step S27: determining whether the client is allowed to access the application according to the verification result;
An implementation of step S27 may be: after the third-party certificate service center has completed the certificate verification, it returns the result to the access control module, which passes it to the authentication routing module, which returns it to the accessed application that initiated the certificate verification; the accessed application then decides from the result whether to allow the client's user to access it.
If the verification result is that the certificate is valid, that is, the user is allowed access, the validity period of the certificate is also sent to the accessed application.
In practice, all authentication credential information is stored in an LDAP server, that is, all certificates and user data are stored in the LDAP server.
Cloud unified authentication system embodiment
A cloud unified authentication system comprises:
a client 1, for judging whether the user's application access request carries a Token, sending Token requests, sending Token verification requests and sending application access requests;
an authentication center node 2, comprising an authentication routing module 21 and an access control module 22, for providing Tokens and verifying Tokens;
an application end 3, for being accessed by the user.
The cloud unified authentication system may also comprise an LDAP server, which is used to store authentication credential information.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (10)

1. A cloud unified authentication method, characterized in that it comprises the following steps:
establishing authentication center nodes;
judging whether a user's application access request carries a Token;
if there is no Token, requesting a Token from the authentication center of the nearest node;
the authentication center approving the Token request and adding a node mark to the returned Token;
if there is a Token, initiating a Token verification request to the authentication center of the nearest node;
performing Token verification by the authentication center of the source node that issued the Token;
determining whether the user is allowed to access the application according to the verification result.
2. The cloud unified authentication method according to claim 1, characterized in that establishing authentication center nodes comprises the following step: establishing multiple authentication center nodes, each composed of an authentication routing module and an access control module.
3. The cloud unified authentication method according to claim 2, characterized in that the step of requesting a Token from the authentication center of the nearest node when there is no Token may specifically be: the client that sends the application access request requests the Token from the authentication routing module of the nearest authentication center, and the authentication routing module, through the inner-layer Jar package of the access control module, requests the Token on behalf of the requester.
4. The cloud unified authentication method according to claim 3, characterized in that when the client sending the application access request requests a Token from the authentication routing module, the user's username and password must be transmitted.
5. The cloud unified authentication method according to claim 2, characterized in that the step in which the authentication center approves the Token request and adds a node mark to the returned Token may specifically be: the access control module authenticates the Token request; after authentication passes, the Token is passed to the authentication routing module, which adds the node mark and returns it.
6. The cloud unified authentication method according to claim 2, characterized in that the step of initiating a Token verification request to the authentication center of the nearest node when there is a Token is specifically: the accessed application initiates the Token verification request to the authentication routing module of its nearest node.
7. The cloud unified authentication method according to claim 2, characterized in that the step of performing Token verification by the authentication center of the source node that issued the Token comprises the following steps: the authentication routing module determines the source node from the node mark of the Token, then removes the node mark, and then forwards the Token to the access control module of the authentication center of the source node that issued it for verification.
8. The cloud unified authentication method according to any one of claims 2 to 7, characterized in that the method further comprises the following step: using an LDAP server to store all authentication credential information.
9. The cloud unified authentication method according to claim 8, characterized in that the step of determining whether the user is allowed to access the application according to the verification result comprises the following steps: the authentication center returns the verification result to the application the user is to access; the application judges from the result whether the Token is valid; if the Token is valid, the user is allowed access and the authentication center also sends the validity period of the Token to the accessed application.
10. A cloud unified authentication system, characterized in that it comprises:
a client, for judging whether a user's application access request carries a Token, sending Token requests, sending Token verification requests and sending application access requests;
authentication center nodes, each comprising an authentication routing module and an access control module, for providing Tokens and verifying Tokens;
an application end, for being accessed by the user.
Application CN201410334488.1A, filed 2014-07-14 (priority date 2014-07-14): Cloud unified authentication method and system, status Pending, published as CN105282111A (en).

Priority Applications (1)

Application Number | Publication | Priority Date | Filing Date | Title
CN201410334488.1A | CN105282111A (en) | 2014-07-14 | 2014-07-14 | Cloud unified authentication method and system


Publications (1)

Publication Number Publication Date
CN105282111A true CN105282111A (en) 2016-01-27

Family

ID=55150450




Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101060520A (en) * 2006-04-21 2007-10-24 盛趣信息技术(上海)有限公司 Token-based SSO authentication system
CN101771537A (en) * 2008-12-26 2010-07-07 中国移动通信集团公司 Processing method and certificating method for distribution type certificating system and certificates of certification thereof


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李广晨 (ed.): 《Linux企业应用案例精解 第2版》 (Linux Enterprise Application Case Studies, 2nd edition), 31 March 2014, Beijing: 清华大学出版社 (Tsinghua University Press) *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150862A (en) * 2018-08-03 2019-01-04 福建天泉教育科技有限公司 A kind of method and server-side for realizing token roaming
CN109150862B (en) * 2018-08-03 2021-06-08 福建天泉教育科技有限公司 Method and server for realizing token roaming
CN110008691A (en) * 2019-04-16 2019-07-12 苏州浪潮智能科技有限公司 A kind of method, system and the equipment of open interface service call
CN110866243A (en) * 2019-10-25 2020-03-06 北京达佳互联信息技术有限公司 Login authority verification method, device, server and storage medium
CN110866243B (en) * 2019-10-25 2022-11-22 北京达佳互联信息技术有限公司 Login authority verification method, device, server and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
Application publication date: 20160127