CN106330829A - Method and system for realizing single signing on by using middleware - Google Patents


Publication number
CN106330829A
Authority
CN
China
Prior art keywords
parameter
sign
middleware
user
login
Prior art date
Legal status
Pending
Application number
CN201510362857.2A
Other languages
Chinese (zh)
Inventor
周洋
吴勤
廖云
邓忠生
郭滨
黄景
黄淇淞
蹇志民
陈斌
Current Assignee
Dongfang Electric Machinery Co Ltd DEC
Original Assignee
Dongfang Electric Machinery Co Ltd DEC
Priority date
Filing date
Publication date
Application filed by Dongfang Electric Machinery Co Ltd DEC
Priority to CN201510362857.2A
Publication of CN106330829A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of single sign-on and discloses a method for realizing single sign-on using middleware. When it is determined that a user wants to enter an application system from a portal system through a browser, the first middleware of the portal system obtains the user's parameters, dynamically encrypts them, and sends the encrypted parameters to the server of the application system corresponding to the target address. The second middleware on the server of the application system decrypts the user's parameters and verifies their validity; after validity verification succeeds, it checks whether the login user number in the parameters is already logged in, and if not, unified AD authentication is performed for the user. When the login user number is determined to be logged in, the target address and the parameters are assigned to the single sign-on parameters, so that login to the application system is realized by single sign-on. Because single sign-on is realized using middleware, data security is guaranteed.

Description

Method and system for realizing single sign-on using middleware
Technical field
The present invention relates to the field of single sign-on technology, and in particular to a method and system for realizing single sign-on using middleware.
Background technology
Single sign-on (Single Sign On), abbreviated SSO, is one of the most popular solutions for integrating business processes. SSO means that, among multiple application systems, a user needs to log in only once to access all mutually trusted application systems.
Most existing application systems use a B/S (browser/server) structure: the application system is deployed on a web server, and the client accesses it from a web browser over http or https. The http protocol sends content in clear text; if an attacker intercepts the messages transmitted between the web browser and the server, the information in them can be read directly, so information transmitted over http is easily leaked or stolen. By comparison, https is safer and more reliable, but a certificate must be obtained, and the certificate must also be installed or registered in the browser, which involves security and certificate warnings; at the same time, once a certificate exists it can be forged and the https-transmitted content cracked. In addition, https needs a specific tcp port (433 by default); when cross-network or cross-domain access is involved, this port may be disabled, so that this access mode fails.
Among existing patent applications, application No. CN201310174917.9 discloses an implementation method for a unified user management and single sign-on platform based on multiple application systems. It includes a unified user management step and a single sign-on step: when user information on the platform changes, the user information is automatically sent to each application system; when an application system link is clicked, if the user has passed verification on the platform, the application system is entered directly without entering a password. That invention can integrate each of an enterprise's independently existing application systems, but such a method still has difficulty guaranteeing the security of data. Application No. CN201110162876.2 discloses a single sign-on method that includes: after the user logs in, the client generates a cipher string from a time string, a random code and a key shared with the server, and sends the time string, the random code and the cipher string to the server; the server generates a verification string from the received time string, random code and shared key in order to authenticate the user, and processes the user's login request according to the authentication result. That invention also provides a corresponding system.
In that scheme the client can generate the time string and the random code arbitrarily according to its own rule after the user logs in. The shared key is itself an unsafe mechanism, and the method is not tied to the user's login information, which means that any user on any client that holds the shared key can use a time string and a random code to generate the ciphertext. Moreover, as can be seen from its statement, although there is a ciphertext, the time string and random code are sent together with it, so during transmission the time string and random code are easily intercepted; a forged time string, random code and ciphertext can then be used to deceive the server into accepting the login request, so that the method fails.
Summary of the invention
To address the technical problem that, when a single sign-on method or system of the prior art realizes login across domains and across systems, data may be stolen or tampered with by unauthorized persons during transmission, leading to illegal login access, the invention discloses a method for realizing single sign-on using middleware. The invention also discloses a system for realizing single sign-on using middleware.
The specific implementation of the present invention is as follows:
A method for realizing single sign-on using middleware, which specifically includes the following steps: when it is determined that the user wants to enter an application system from the portal system through a browser, the first middleware on the portal system obtains the user's parameters, dynamically encrypts them, and sends them to the server of the application system corresponding to the target address; the second middleware on the server of the application system decrypts the user's parameters and verifies their validity; if invalid, login failure information is returned; if valid, whether the login user number in the parameters has already logged in is verified; if logged in, logged-in information is returned; if not logged in, AD authentication is requested from the AD authentication server; if AD authentication fails, login failure information is returned, and if AD authentication succeeds, login success information is returned; when the login user number is determined to be logged in, the target address is assigned to the single sign-on target address, the target address additional parameters are assigned to the single sign-on parameter attribute, and the login user is assigned to the single sign-on user number, so that login to the application system is realized by single sign-on.
Further, the above user parameters include at least the login user number, the login user AD authentication code, the target address to forward to, and the target address additional parameters.
Further, the above first middleware generates an access random code, and encrypts the true AD authentication code with the access random code to generate the login user AD authentication code.
Further, the above user parameters are concatenated with a command character and encoded to obtain the single sign-on authentication code.
Further, the above first middleware generates a dynamic encryption code, encrypts the user's parameters with the dynamic encryption code, and then sends them to the server of the application system for decryption and verification.
Further, a timestamp is added to the above parameters, and a validity duration is set for the timestamp.
Further, the decryption of the user's parameters by the above second middleware is specifically that the second middleware uses the dynamic encryption code to decrypt the ciphertext into plaintext. Its decryption algorithm is: determine the parity, then, byte by byte in binary, use the dynamic encryption code to perform an add operation on the parameter content when even and a subtract operation otherwise; then split on the separator to restore the parameter content.
Further, the above validity verification of the parameters includes at least one of the following aspects; if the result of any of them is invalid, the result of the validity verification of the parameters is invalid:
Verify whether the parameter categories and contents are sufficient; if sufficient, valid;
Verify whether the parameter types are correct; if correct, valid;
After the parameters are concatenated with the command character and encoded, judge whether the result is consistent with the single sign-on authentication code; if consistent, valid;
Verify whether the request timestamp is within the validity duration; if so, valid;
Verify whether the source application system code has the right to log in; if so, valid.
Further, when the verification result is invalid, login failure information is returned; this login failure information is first returned to the second middleware on the server of the application system, then sent by the second middleware to the first middleware on the server of the portal system, which then notifies the portal system user of the login failure and forbids login.
The invention also discloses a system for realizing single sign-on using middleware, which specifically includes the server of the portal system, the server of the application system and an AD authentication server. The browser exchanges data with the servers through the http protocol; the first middleware runs on the server of the portal system, the second middleware runs on the server of the application system, and the AD authentication server is used for identity authentication. The first middleware is used, when it is determined that the user wants to enter the application system from the portal system through the browser, to obtain the user's parameters, dynamically encrypt them and send them to the server of the application system corresponding to the target address. The second middleware on the application system server decrypts the user's parameters and verifies their validity; if invalid, it returns login failure information; if valid, it verifies whether the login user number in the parameters has logged in; if logged in, it returns logged-in information; if not logged in, it requests AD authentication from the AD authentication server, returning login failure information if AD authentication fails and login success information if it succeeds. When the login user number is determined to be logged in, the target address is assigned to the single sign-on target address, the target address additional parameters are assigned to the single sign-on parameter attribute, and the login user is assigned to the single sign-on user number, so that login to the application system is realized by single sign-on.
By adopting the above technical scheme, the invention has the following beneficial effects. The invention encrypts and decrypts the user parameters so that they can be transmitted securely over the http protocol, improving the security of cross-domain, cross-system single sign-on; by verification it can be determined whether the transmitted data has been captured or tampered with by an unauthorized party, thereby preventing illegal login access. The single sign-on in this application is realized at the server end rather than at the client (which prevents the client from forging information such as the time string and random code); the time and random code produced at the portal system server end are essentially different from those produced by a client. Secondly, the single sign-on parameters ultimately generated in this application are dynamically encrypted and packaged as a whole before being sent, so that even if the information is intercepted it cannot be decrypted, unlike existing schemes that transmit the corresponding parameters directly. Thirdly, the single sign-on described here not only processes the user's login request but also authenticates the user's validity and timeliness, and after authentication passes it redirects to the target address the user needs to access, thereby realizing single sign-on.
Accompanying drawing explanation
To illustrate the technical scheme of the embodiments of the present invention more clearly, the drawings needed for the embodiments are briefly introduced below. It should be understood that the following drawings show only certain embodiments of the present invention and are therefore not to be construed as limiting its scope; those of ordinary skill in the art can obtain other relevant drawings from these drawings without creative work.
Fig. 1 is the flow chart of the method for realizing single sign-on using middleware of the present invention.
Fig. 2 is a schematic structural diagram of the middleware running separately on the servers of the portal system and the application system.
Detailed description of the invention
To make the purpose, technical scheme and advantages of the embodiments of the present invention clearer, the technical scheme in the embodiments is described clearly and completely below in conjunction with the drawings. Obviously, the embodiments described below are only some of the embodiments of the present invention rather than all of them. The components of the embodiments described and illustrated in the drawings can generally be arranged and designed in many different configurations; for example, the second system in the present invention may be one or more, and the system running the middleware may be the portal system or another system. Therefore, the detailed description of the embodiments provided below in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments of the invention. All other embodiments obtained by those skilled in the art on the basis of these embodiments without creative work fall within the protection scope of the present invention.
In this embodiment, the first system is a system that the user logs into directly with login information, by entering an account number and password; its verification can be performed by the corresponding web server or by a dedicated AD authentication server. This belongs to existing conventional schemes, is not the focus of the present invention, and is not described in detail here.
To suit users' habits, the first system may be the company's portal system, for example the company's web portal page, and the second system is then another application system trusted by the portal system and logged into by single sign-on. In practice there may be one or more second systems; the signal transmission relationship between each second system and the first system is the same, and the specific single sign-on mode is the same, so for ease of description only one second system is used as an example below.
Fig. 1 shows the flow chart of the method for realizing single sign-on using middleware of the present invention. The invention discloses a method for realizing single sign-on using middleware, which specifically includes the following steps: when it is determined that the user wants to enter the application system from the portal system through a browser, the first middleware on the portal system obtains the user's parameters, dynamically encrypts them, and sends them to the server of the application corresponding to the target address; the second middleware on the server of the application system decrypts the user's parameters and verifies their validity; if invalid, login failure information is returned; if valid, whether the login user number in the parameters has logged in is verified; if logged in, logged-in information is returned; if not logged in, AD authentication is requested from the AD authentication server; if AD authentication fails, login failure information is returned, and if AD authentication succeeds, login success information is returned; when the login user number is determined to be logged in, the target address is assigned to the single sign-on target address, the target address additional parameters are assigned to the single sign-on parameter attribute, and the login user is assigned to the single sign-on user number, so that login to the application system is realized by single sign-on.
Step S11: the user enters login information in the first system, and the server of the first system verifies the login information; if it passes, login success information is returned and the post-login page is entered, otherwise login failure information is returned.
Step S12: according to the target address provided by the user, it is judged whether the target address belongs to a system trusted by the first system; if so, the first middleware on the server of the first system is started, otherwise the process ends.
Step S13: the first middleware obtains the user's parameters, dynamically encrypts them, and sends them to the server of the second system corresponding to the target address.
Step S14: the second middleware on the server of the second system decrypts the user's parameters and verifies their validity; if invalid, login failure information is returned; if valid, whether the login user number in the parameters has logged in is verified; if logged in, logged-in information is returned; if not logged in, AD authentication is requested from the AD authentication server; if AD authentication fails, login failure information is returned, and if AD authentication succeeds, login success information is returned.
Step S15: the target address is assigned to the single sign-on target address, the target address additional parameters are assigned to the single sign-on parameter attribute, and the login user is assigned to the single sign-on user number, thereby realizing single sign-on to the second system.
The present invention encrypts and decrypts the user parameters so that they can be transmitted securely over the http protocol, improving the security of cross-domain, cross-system single sign-on; by verification it can be determined whether the transmitted data has been captured or tampered with by an unauthorized party, thereby preventing illegal login access.
The verification of the login information the user enters in the first system may be performed directly on the server corresponding to the first system, or by an AD authentication server.
It should be noted that in the above specific embodiment the first middleware runs on the server of the portal system and is used to extract and encrypt the user parameters, while the second middleware runs on the server corresponding to the application system and is used for decryption and verification. The functions of both may of course be integrated and packaged in the same middleware, which can run on each trusted server and perform different functions as required, thereby realizing single sign-on across all mutually trusted systems.
More specifically, the user parameters obtained by the above first middleware are as shown in Table 1 below, referred to as the first single sign-on parameter group.
After the first middleware obtains the above 7 user parameters, it also generates a dynamic encryption code and an access random code (sequence numbers 7 and 8 in Table 2), and encrypts the true AD authentication code in the first single sign-on parameter group with the access random code to generate the login user AD authentication code (Table 2, sequence number 5), thereby obtaining Table 2 below, referred to as the second single sign-on parameter group.
To prevent expired accesses from taking effect, for example an access that has been left pending, a validity period is set, such as 3 minutes or shorter, after which access is forbidden; even if such an access went through, it would be out-of-date information. This is realized with a timestamp. The table below is the parameter list with the timestamp added, referred to as the third single sign-on parameter group.
The first middleware concatenates the above 9 parameters other than the dynamic encryption code with the command character ("\r\n" + dstAppNo + "\r\n" + srcAppNo + "\r\n" + userNo + "\r\n" + requestMinutes + "\r\n" + loginNo + "\r\n" + visitRandomNo + "\r\n" + userCertAD + "\r\n" + gotoURL + "\r\n" + urlParams), then encodes the result (the encoding may be MD5, for example) to obtain the single sign-on authentication code, and adds the single sign-on authentication code to the above parameter list, obtaining Table 4 below, referred to as the fourth single sign-on parameter group.
When the user clicks the corresponding application system icon on the portal website, the first middleware obtains the above fourth single sign-on parameter group and sends this parameter group to the server corresponding to that application system, i.e. the server of the second system described in this embodiment.
It should be noted that the fourth single sign-on parameter group in this specific embodiment contains 11 parameters, but under different practical requirements the quantity, categories and content of the parameters may all change; as long as encryption and decryption are performed according to the method provided by the present invention, regardless of the number and content of the parameters before and after encryption and decryption, it falls within the protection scope of the present invention.
More specifically, in the above step S14 the second middleware on the server of the second system decrypts the user's parameters; specifically, the second middleware uses the dynamic encryption code to decrypt the ciphertext into plaintext, and its decryption algorithm is: determine the parity, then, byte by byte in binary, use the dynamic encryption code to perform an add operation on the parameter content when even and a subtract operation otherwise; then split on the separator "\r\n" to restore the parameter content.
The decrypted parameters are then verified for validity. After all verification checks pass, whether the login user number has logged in is checked; if so, logged-in information is returned and the single sign-on assignment and redirect are performed; otherwise AD authentication must be requested from the AD authentication server. If AD authentication fails, the second middleware obtains the authentication failure information, returns login failure information, and then notifies the portal system user of the login failure and forbids login. If AD authentication succeeds, the second middleware obtains the authentication success information, then notifies the portal sub-system user of the successful login, and redirects to the target address page through the proxy URL.
At the next single sign-on, after AD authentication succeeds, the login user number, the target address to forward to and the target address additional parameters in the fourth single sign-on parameter group are returned and assigned to the fourth single sign-on parameter group.
Further, considering that during transmission an unauthorized person might capture and decode the transmitted information, the present invention adds a request timestamp parameter for timeliness management. To prevent the timestamp check from failing because the clocks of the encrypting end and the decrypting end are inconsistent, a clock synchronization mechanism also needs to be introduced, so that the second middleware keeps its clock consistent with the encrypting end, i.e. the first middleware that encrypts the single sign-on parameters.
For the verification of the parameters, clock, content and parameter group validity checks can be performed according to actual requirements, including at least one of the following aspects; if the result of any of them is invalid, the result of the validity verification of the parameters is invalid:
Verify whether the parameter categories and contents are sufficient; if sufficient, valid;
Verify whether the parameter types are correct; if correct, valid;
After the parameters are concatenated with the command character and MD5-encoded, judge whether the result is consistent with the single sign-on authentication code; if consistent, valid;
Verify whether the request timestamp is within the validity duration; if so, valid;
Verify whether the source application system code has the right to log in; if so, valid.
Still taking the preferred specific embodiment provided above as an example, after obtaining the decrypted parameters, the second middleware performs the validity check on them as follows:
Verify whether the parameters in the fourth single sign-on parameter group are sufficient, including several sub-items such as whether the parameter categories are sufficient, whether the number of parameters is sufficient and whether the parameter contents are sufficient. If any sub-item is insufficient, the validity verification result is invalid and login failure information is returned; this login failure information is first returned to the second middleware on the application system server, then sent by the second middleware to the first middleware on the portal system server, which notifies the portal sub-system user of the login failure and forbids login. If the validity verification results of all sub-items are valid, this validity verification result is valid and the other steps can proceed.
Verify whether the parameter types in the fourth single sign-on parameter group match, i.e. whether each parameter type matches the preset or agreed parameter type. If any parameter does not match, this indicates that the parameter may have been tampered with and there is a potential safety hazard; the verification result is invalid and login failure information is returned. This login failure information is first returned by the second middleware to the second calling module, then the second calling module sends it to the first calling module, and the portal system notifies the user of the login failure and forbids login. If all parameter types match, this validity verification result is valid and the other steps can proceed.
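The following Python code is an added example, not code from the patent or from its assignee, that works through the fourth parameter group end to end: the "\r\n" concatenation and MD5 authentication code, the request timestamp, the parity-based dynamic encryption and decryption, and the five validity checks the second middleware performs. Everything that the patent leaves open is an assumption here and is marked as such in the code: the parity rule is read as applying to the byte position (decryption adds the code byte at even positions and subtracts it at odd ones), the dynamic encryption code is taken to be shared between the two middlewares out of band, the only non-string type is the timestamp, the validity window is the 3 minutes the patent names with a one-minute skew tolerance, and the set of authorised source application codes and the sample parameters are constructed.

```python
import hashlib

SEP = "\r\n"  # the "command character" the patent uses as separator
# Order of the nine fields that go into the authentication code, taken from
# the patent's concatenation expression (dynamic encryption code excluded).
SIGNED_FIELDS = ["dstAppNo", "srcAppNo", "userNo", "requestMinutes", "loginNo",
                 "visitRandomNo", "userCertAD", "gotoURL", "urlParams"]
ALL_FIELDS = SIGNED_FIELDS + ["ssoAuthCode"]
VALID_MINUTES = 3        # validity window named in the patent
CLOCK_SKEW_MINUTES = 1   # assumption: tolerance for the clock drift the patent mentions
AUTHORISED_SOURCES = {"EIP01"}  # constructed: source app codes allowed to log in


def auth_code(params: dict) -> str:
    """Single sign-on authentication code: join the nine fields with SEP, then MD5."""
    joined = SEP + SEP.join(str(params[f]) for f in SIGNED_FIELDS)
    return hashlib.md5(joined.encode("utf-8")).hexdigest()


def dynamic_encrypt(plain: bytes, code: bytes) -> bytes:
    """Assumed reading of the parity rule: decryption adds the code byte at even
    byte positions and subtracts it at odd ones, so encryption does the opposite."""
    out = bytearray()
    for i, b in enumerate(plain):
        k = code[i % len(code)]
        out.append((b - k) & 0xFF if i % 2 == 0 else (b + k) & 0xFF)
    return bytes(out)


def dynamic_decrypt(cipher: bytes, code: bytes) -> bytes:
    out = bytearray()
    for i, b in enumerate(cipher):
        k = code[i % len(code)]
        out.append((b + k) & 0xFF if i % 2 == 0 else (b - k) & 0xFF)
    return bytes(out)


def first_middleware_pack(params: dict, code: bytes, now_minutes: int) -> bytes:
    """Portal side: add the request timestamp (third group) and the authentication
    code (fourth group), join everything with SEP and dynamically encrypt it."""
    group = dict(params, requestMinutes=now_minutes)
    group["ssoAuthCode"] = auth_code(group)
    plain = SEP.join(str(group[f]) for f in ALL_FIELDS)
    return dynamic_encrypt(plain.encode("utf-8"), code)


def second_middleware_unpack(cipher: bytes, code: bytes) -> dict:
    """Application side: decrypt, then split on SEP to restore the parameter group.
    A wrong code yields garbage, which the validity checks below reject."""
    plain = dynamic_decrypt(cipher, code).decode("utf-8", errors="replace")
    return dict(zip(ALL_FIELDS, plain.split(SEP)))


def validate(params: dict, now_minutes: int) -> list:
    """The five validity checks; returns the list of failed checks (empty = valid)."""
    failures = []
    # 1. sufficiency: every expected parameter present and non-empty
    missing = [f for f in ALL_FIELDS if not params.get(f)]
    if missing:
        return ["insufficient: " + ",".join(missing)]
    # 2. type check against the agreed types (only the timestamp is numeric here)
    typed = dict(params)
    try:
        typed["requestMinutes"] = int(params["requestMinutes"])
    except ValueError:
        return ["type: requestMinutes"]
    # 3. recompute the authentication code and compare with the transmitted one
    if auth_code(typed) != params["ssoAuthCode"]:
        failures.append("authcode mismatch")
    # 4. request timestamp inside the validity window (small skew tolerated)
    age = now_minutes - typed["requestMinutes"]
    if not (-CLOCK_SKEW_MINUTES <= age <= VALID_MINUTES):
        failures.append("expired")
    # 5. source application system must be one that is allowed to log in
    if typed["srcAppNo"] not in AUTHORISED_SOURCES:
        failures.append("source not authorised")
    return failures


# Constructed sample of the second parameter group (dynamic encryption code kept apart).
SAMPLE_PARAMS = {
    "dstAppNo": "APP02", "srcAppNo": "EIP01", "userNo": "u1001", "loginNo": "zhou",
    "visitRandomNo": "8f2a", "userCertAD": "ad-code-enc",
    "gotoURL": "http://app02.example.test/home", "urlParams": "tab=1",
}

if __name__ == "__main__":
    code = b"k3y!"  # constructed dynamic encryption code shared by both middlewares
    blob = first_middleware_pack(SAMPLE_PARAMS, code, now_minutes=1000)
    received = second_middleware_unpack(blob, code)
    print("fresh:", validate(received, 1001))        # []
    print("stale:", validate(received, 1005))        # ['expired']
    print("tampered:", validate(dict(received, userNo="u9999"), 1001))
```

As described in the patent, the authentication code is an MD5 over the transmitted fields with no secret in it, so check 3 can only catch modifications made by someone who cannot reproduce the concatenation; the confidentiality and tamper resistance of the packet therefore rest entirely on the dynamic encryption code, which must be shared between the two middlewares out of band and must never travel inside the parameter group.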
The present invention can be implemented using a proxy URL. First, the source URL in the portal system calls the first middleware deployed in the portal system to process and encrypt the single sign-on parameter group of the predetermined kind; then the source URL transmits the encrypted single sign-on parameters obtained to the proxy URL deployed in the business system; this proxy URL calls the second middleware deployed in the business system to decrypt them and perform validity verification and login authentication, thereby realizing single sign-on and effectively solving the traditional problem that single sign-on using a username and password is prone to leaks and account theft. With the proxy URL mode, the interface the user sees after login is exactly the same as the original interface seen when logging into the application system individually, which suits the user's habits.
That is, the present invention introduces an "EIP single sign-on middleware" (hereinafter "middleware") deployed on the web server, and uses the middleware to encrypt and package parameters and to decrypt and verify them. The middleware is simple to call and convenient to deploy; it is deployed on the web server of each business system, the corresponding code runs only on the server, and it is compatible with various browser versions, which improves information security. Where information is transmitted over http, the information transmitted over http is encrypted to guarantee its security: each business system provides a single sign-on proxy URL, which accesses the middleware and passes the currently logged-in user number and the information for accessing this proxy URL to the middleware as parameters (the single sign-on authentication parameters); the encryption and decryption processes of the middleware are closed, which guarantees security.
The invention also discloses a system for realizing single sign-on using middleware, which includes at least one portal sub-system and at least one business sub-system; the user logs into the business sub-system through the portal sub-system. The portal sub-system includes the first middleware provided by the present invention, and the business sub-system includes the second middleware provided by the present invention. The portal sub-system also includes a first calling module, which may be called the source URL, used to obtain the single sign-on parameter group, call the first middleware to encrypt it, and transmit signals to and from the business sub-system; the business sub-system also includes a second calling module deployed in the business sub-system, which may be called the proxy URL, used to transmit signals to and from the portal sub-system and to call the second middleware for decryption and verification.
Fig. 2 is a schematic structural diagram of the middleware running separately on the servers of the portal system and the application system. The first middleware runs on the server of the portal system, and the second middleware runs on the server of the application system. In practice, any trusted system can serve as the portal system or first system described in this embodiment, and other systems as the second system. The first middleware running on the portal system obtains the user parameters, encrypts and encodes them, and sends them to the second middleware on the application system server for decryption and verification.
In this embodiment, encryption and decryption are realized with the dynamic encryption code generated by the first middleware; the encryption code changes dynamically, which guarantees the effect of the encryption.
Another embodiment of the presently claimed invention, has logged out after user does not logs in portal website or logs in, this Time when clicking the icon of application system in portal website, at checking login user number whether now the first middleware also starts, but During login, it is judged that result, for being not logged in, now needs to carry out AD certification.
Login user number in single-sign-on parameter group described in certification logs in the most, if AD authentification failure, then returns login failure Information, if AD certification success, then returns and logins successfully information.
The present invention uses the mode of middleware to realize single-sign-on, does not change the existing gate system existed or application system Framework, it is achieved low cost, on the middleware of gate system, use the mode of dynamic encryption to realize the encryption of parameter, should With carrying out decryption verification on the middleware of system, it is ensured that the safety of data and being not tampered with, improve the safety of whole system.
Another specific embodiment of the present invention
In the initial state, the two parameters single sign-on destination address and single sign-on parameter attribute value are empty, which ensures the security of the system. Only when the authentication passes and the login user number is already logged in are these two parameters assigned values, so that single sign-on takes place and the page jump is performed.
A further embodiment of the present invention
The decryption verification method for single sign-on and the parameter encryption method for single sign-on provided by the embodiments of the present invention give Single Sign-On technology a more secure solution. The two methods are based on a common technical scheme and are used together. That scheme is: first, the source URL in the portal system calls the first middleware deployed in the portal system, which processes and encrypts a single sign-on parameter group of a predetermined kind; then the source URL transfers the resulting single sign-on encryption parameter to the proxy URL deployed in the business system; the proxy URL calls the second middleware deployed in the business system, which decrypts the parameter and then performs validity verification and login verification. Single sign-on is thus achieved, and the problems of leakage and account theft that readily arise when a username and password are used for conventional single sign-on are effectively solved.
In other words, the present invention introduces an "EIP single sign-on middleware" deployed on the WEB server (hereinafter simply "the middleware"). The middleware encrypts and packages the parameters and decrypts and verifies them; it is simple to call and convenient to deploy. It is deployed on the WEB server of each business system, the corresponding code runs entirely on the server, and it is compatible with the various browser versions, which improves the security of the information. Because information is transmitted over HTTP, the information carried over HTTP is encrypted to protect it: each business system provides a single sign-on proxy URL, the proxy URL accesses the middleware, and the currently logged-in user number together with the information used to access the proxy URL are passed to the middleware as parameters (the single sign-on verification parameters). The encryption and decryption processes of the middleware are closed, which guarantees security.
To aid understanding, a preferred specific embodiment disclosed by the invention is first introduced. The preferred embodiment is a single sign-on system comprising at least one portal subsystem and at least one business subsystem; the user logs in to the business subsystem through the portal subsystem. The portal subsystem includes a first middleware that encapsulates the parameter encryption method for single sign-on provided by the present invention, and the business subsystem includes a second middleware that encapsulates the decryption verification method for single sign-on provided by the present invention. The portal subsystem also includes a first calling module, which may be called the source URL; it obtains the first single sign-on parameter group, calls the first middleware to encrypt it, and exchanges signals with the business subsystem. The business subsystem also includes a second calling module, deployed in the business subsystem and which may be called the proxy URL; it exchanges signals with the portal subsystem and calls the second middleware to decrypt and verify.
It should be noted that in the preferred embodiment above, the first middleware and the second middleware may also be the same middleware, which encapsulates both the parameter encryption method for single sign-on and the decryption verification method for single sign-on provided by the present invention and simply uses a different method as required. For clarity of description, the first middleware and the second middleware are stated separately below.
Embodiments of the invention are now described in detail one by one.
A decryption verification method for single sign-on comprises steps S101 to S104, as follows:
Step S101: obtain the single sign-on encryption parameter;
This step obtains the single sign-on encryption parameter. Conventional single sign-on needs to send the username and password for AD authentication; the username and password are then easily intercepted or stolen during network transmission, especially over the HTTP protocol. Therefore, before this step, the requesting end of the single sign-on (the portal subsystem) first encrypts the single sign-on parameters, so that even when transmitted over HTTP the leakage of the username and password is effectively avoided. What this step obtains is the encrypted single sign-on parameter, i.e. the single sign-on encryption parameter.
In the preferred embodiment of the present invention, the first calling module in the portal subsystem sends the single sign-on encryption parameter over the HTTP transport protocol to the second calling module of the business subsystem, and the second calling module sends it to the second middleware; the second middleware thereby obtains the single sign-on encryption parameter. The second calling module may be the proxy URL.
Step S102: decrypt the single sign-on encryption parameter to obtain the first single sign-on parameter group;
The single sign-on encryption parameter was obtained in step S101; next it must be decrypted. The decryption method corresponds to the encryption method, for example decrypting the single sign-on encryption parameter with the dynamic encryption code to obtain the first single sign-on parameter group.
Step S103: perform validity verification on the first single sign-on parameter group; if it is invalid, perform step S122 and return login failure information;
Step S102 yields the decrypted first single sign-on parameter group; next it must be checked for validity. Verifying the first single sign-on parameter group from several aspects can diagnose whether it was stolen, leaked or tampered with in transit. If the validity result is invalid, login-invalid information is returned and login is forbidden, which improves the security of the decryption verification method for single sign-on provided by the present invention.
The validity of the first single sign-on parameter group can be checked, according to actual requirements, in terms of the quantity and content of its parameters, including at least one of the following aspects; if the result of any one of them is invalid, the validity verification result for the first single sign-on parameter group is invalid:
Verify whether the quantity and content of the parameters in the first single sign-on parameter group are sufficient; if sufficient, the result is valid;
Verify whether the parameter types in the first single sign-on parameter group are correct; if correct, the result is valid;
Join the parameters in the first single sign-on parameter group other than the single sign-on authentication code with the command character, apply MD5 encoding, and judge whether the result is consistent with the single sign-on authentication code in the first single sign-on parameter group; if consistent, the result is valid;
Verify whether the request timestamp in the first single sign-on parameter group is within the effective duration; if so, the result is valid;
Verify whether the source application system code in the first single sign-on parameter group is authorised to log in; if authorised, the result is valid.
Taking the preferred embodiment of the present invention as an example again, after the first single sign-on parameter group has been obtained by decryption, the second middleware checks its validity as follows:
Verify whether the parameters in the first single sign-on parameter group are sufficient. This validity check has several sub-items: whether the parameter categories are sufficient, whether the number of parameters is sufficient and whether the parameter contents are sufficient. If any sub-item is insufficient, the validity result is invalid and login failure information is returned: the second middleware first returns it to the second calling module, and the second calling module then sends it to the first calling module, which notifies the portal subsystem that the user's login failed and forbids login. If the results of all sub-items are valid, the validity result is valid and the other steps can proceed.
Verify whether the parameter types in the first single sign-on parameter group match, i.e. whether each parameter type matches the preset or agreed parameter type. If any parameter does not match, the parameters may have been tampered with and there is a potential security hazard: the result is invalid and login failure information is returned, first by the second middleware to the second calling module and then by the second calling module to the first calling module, which notifies the portal system of the login failure and forbids login. If all parameter types match, the validity result is valid and the other steps can proceed.
The parameters in the first single sign-on parameter group other than the single sign-on authentication code are joined with the command character ("\r\n"+dstAppNo+"\r\n"+srcAppNo+"\r\n"+userNo+"\r\n"+requestMinutes+"\r\n"+loginNo+"\r\n"+visitRandomNo+"\r\n"+userCertAD+"\r\n"+gotoURL+"\r\n"+urlParams), MD5 encoding is applied, and the result is compared with the single sign-on authentication code in the first single sign-on parameter group. If they are consistent, the parameter contents are considered unmodified and the other steps can proceed; otherwise the parameters are considered modified, the result is invalid and login failure information is returned, first by the second middleware to the second calling module and then by the second calling module to the first calling module, which notifies the portal system user of the login failure and forbids login.
Verify whether the request timestamp in the first single sign-on parameter group is within the effective duration. If it exceeds the effective request duration, the result is invalid and login failure information is returned, first by the second middleware to the second calling module and then by the second calling module to the first calling module, which notifies the portal subsystem of the login failure and forbids login; otherwise the result is valid and the other steps can proceed. Timestamp verification strengthens timeliness management and prevents expired accesses from occurring: for example, a pending access is valid only for 5 minutes or a shorter time, after which access is forbidden; even if it were accessed, it would already be out-of-date information. Access to the concrete target URL, which is a URL in the business subsystem, is therefore realised through the timestamp and can be limited by the timestamp's expiry.
Moreover, it must be emphasized that because the data are transmitted over HTTP, a client could intercept the transmitted data and then forge an access to the proxy URL. The timestamp is most useful here, because otherwise long-lived accesses could exist; this further improves the security of single sign-on.
Verify whether the source application system code in the first single sign-on parameter group is authorised to log in. If the result is invalid, login failure information is returned, first by the second middleware to the second calling module and then by the second calling module to the first calling module, which notifies the portal subsystem of the login failure and forbids login; otherwise the result is valid and the other steps can proceed.
It should be noted that the validity verification of this embodiment includes the aspects above, but under different practical requirements the items and contents to be verified may change. As long as the verification establishes the validity of the first single sign-on parameter group and judges whether it was stolen or tampered with, it falls within the technical scheme and is protected by the present invention.
Step S104: if valid, verify whether the login user number in the first single sign-on parameter group is logged in; if it is logged in, perform step S123 and return login information;
Taking the preferred embodiment above as an example again, step S103 performed validity verification on the first single sign-on parameter group; next, it must be verified whether the login user number in the first single sign-on parameter group is logged in, which includes verifying whether that login user number is consistent with the current session login user number. The current session login user number is the current session login number of the system where the proxy URL resides, passed by the proxy URL. If they are consistent, the result is that the login user number is logged in; the second middleware returns the result to the second calling module, the second calling module sends it to the first calling module, the portal subsystem is notified that the user is logged in, and the proxy URL jumps to the destination address page. If they are inconsistent, the result is that the login user number is not logged in, and AD authentication must be carried out.
Step S105: if not logged in, use the first single sign-on parameter group to apply to the AD authentication server for AD authentication; if AD authentication fails, perform step S124 and return login failure information; if AD authentication succeeds, perform step S125 and return login success information.
Step S104 verified whether the login user number in the first single sign-on parameter group is logged in. If it is not logged in, the first single sign-on parameter group is used to apply to the AD authentication server for AD authentication, which specifically includes:
Use the access random code in the first single sign-on parameter group to decode the login user AD authentication number in the first single sign-on parameter group, obtaining the AD authentication real code;
Use the login user number in the first single sign-on parameter group and the AD authentication real code to apply to the AD authentication server for AD authentication.
Taking the preferred embodiment above as an example again, in order to further strengthen the security of data transmission, the login user AD authentication number in the first single sign-on parameter group is generated in advance by encryption, that is, the plaintext code is turned in advance into an encrypted code; in this step the second middleware decrypts the encrypted code back into the plaintext code and then applies to the AD authentication server for AD authentication. If AD authentication fails, the second middleware obtains the authentication failure information and returns login failure information to the second calling module, which sends it to the first calling module, notifying the portal system user of the login failure and forbidding login. If AD authentication succeeds, the second middleware obtains the authentication success information and returns login success information to the second calling module, which sends it to the first calling module, notifying the portal subsystem user of the successful login, and the proxy URL jumps to the destination address page.
To facilitate the next single sign-on, after AD authentication succeeds, the login user number, the destination address to jump to and the destination address additional parameters in the first single sign-on parameter group are returned and assigned to the first single sign-on parameter group.
Further, considering that during data transmission a lawbreaker may intercept and decode the transmitted information, the present invention adds a request timestamp parameter for timeliness management. To prevent inconsistent clocks at the encrypting end and the decrypting end from making the timestamp check fail, a clock synchronization management mechanism is also introduced, so that the second middleware keeps its clock consistent with the encrypting end of the single sign-on encryption parameter, i.e. the first middleware.
In summary, the method performs validity verification on multiple parameters and uses the dynamic encryption code for decryption, improving the security of single sign-on across domains and systems; it can determine whether the transmitted data were intercepted or tampered with by lawbreakers and thus prevents illegal login access. Further, the request timestamp parameter is verified for timeliness management, which increases the security of single sign-on still further.
The decryption process having been described in detail, the encryption process of the single sign-on parameters is introduced next. The encryption method mainly includes steps S201 to S204, as follows:
Step S201: obtain a second single sign-on parameter group of a predefined type;
This step first obtains the second single sign-on parameter group of the predefined type, which includes at least the following parameters: login user number, AD authentication real code, destination address to jump to and destination address additional parameters.
Taking the preferred embodiment of the invention described above as an example, the first calling module in the portal system obtains the second single sign-on parameter group of the predefined type and sends it to the first middleware.
Step S202: generate a dynamic encryption code and an access random code; the dynamic encryption code and the access random code together with the second single sign-on parameter group form the third single sign-on parameter group;
Taking the preferred embodiment above as an example again, step S201 obtained the second single sign-on parameter group of the predefined type. For encryption, a dynamic encryption code and an access random code must also be generated, and together with the second single sign-on parameter group they form the third single sign-on parameter group.
Step S203: process the third single sign-on parameter group with a predetermined method to obtain the fourth single sign-on parameter group;
Processing the third single sign-on parameter group with the predetermined method to obtain the fourth single sign-on parameter group is achieved in at least one of the following ways:
Use the access random code to encrypt the AD authentication real code in the third single sign-on parameter group, generating the login user AD authentication code; the login user AD authentication code and the parameters of the third single sign-on parameter group other than the AD authentication real code together form the fourth single sign-on parameter group;
Join each parameter in the third single sign-on parameter group with the command character and apply MD5 encoding to obtain the single sign-on authentication code; the single sign-on authentication code and the third single sign-on parameter group together form the fourth single sign-on parameter group;
Generate a request timestamp; the request timestamp and the third single sign-on parameter group together form the fourth single sign-on parameter group.
Taking the preferred embodiment of the present invention as an example again, step S202 generated the dynamic encryption code and the access random code and obtained the third single sign-on parameter group; the fourth single sign-on parameter group is then obtained according to the following steps.
Use the access random code to encrypt the AD authentication real code in the third single sign-on parameter group, generating the login user AD authentication code; the login user AD authentication code and the parameters of the third single sign-on parameter group other than the AD authentication real code together form the fourth single sign-on parameter group. The encryption algorithm is a general-purpose industry algorithm and is not repeated here;
Join the parameters in the third single sign-on parameter group with the command character ("\r\n"+dstAppNo+"\r\n"+srcAppNo+"\r\n"+userNo+"\r\n"+requestMinutes+"\r\n"+loginNo+"\r\n"+visitRandomNo+"\r\n"+userCertAD+"\r\n"+gotoURL+"\r\n"+urlParams), then apply MD5 encoding to obtain the single sign-on authentication code; the single sign-on authentication code and the third single sign-on parameter group together form the fourth single sign-on parameter group;
Generate the request timestamp, which is the number of minutes the first middleware obtains by subtracting 1 January 2001 from the system time; the request timestamp and the third single sign-on parameter group together form the fourth single sign-on parameter group.
Step S204: encrypt the fourth single sign-on parameter group with the dynamic encryption code to obtain the single sign-on encryption parameter;
Step S203 processed the third single sign-on parameter group with the predetermined method and obtained the fourth single sign-on parameter group; next, the fourth single sign-on parameter group must be encrypted with the dynamic encryption code to obtain the single sign-on encryption parameter.
Taking the preferred embodiment of the present invention as an example, the parameters in the fourth single sign-on parameter group are joined with "\r\n" into a string, the string is converted to a binary string, and the parameters are encrypted with the dynamic encryption code (the decryption algorithm determines the parity, then applies the dynamic password byte by byte to the parameter contents, subtracting for even and adding otherwise), forming the parameter encryption string, i.e. the single sign-on encryption parameter.
It should be noted that the method above is only one way of encrypting with the dynamic encryption code; other ways of encrypting with the dynamic encryption code also fall within the protection scope of the present invention.
In summary, the method deploys middleware on the WEB server, encrypts the single sign-on parameters using a dynamic encryption code, which improves the security of data transmission, and adds a timestamp when sealing the package to prevent lawbreakers from accessing the target URL after decoding.
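The encryption side (steps S201 to S204) and the decryption verification side (steps S101 to S105) described above, carried through end to end as an added Python example; it is not code from the patent or from the applicant. The field order, the "\r\n" joining, the MD5 authentication code, the minutes-since-1-January-2001 timestamp and the 5-minute window are taken from the page; the following are assumptions: the dynamic encryption code is shared with the second middleware out of band, the AD real code is hidden with a byte-wise XOR (the page names no algorithm), the parity rule of step S204 is implemented as read here, the names authCode and adRealCode are constructed, and the AD server is a constructed dictionary.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Field order of the "\r\n"-joined string the page feeds to MD5; the resulting
# single sign-on authentication code is carried as a separate field, "authCode".
FIELDS = ["dstAppNo", "srcAppNo", "userNo", "requestMinutes", "loginNo",
          "visitRandomNo", "userCertAD", "gotoURL", "urlParams"]
EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # timestamp origin on the page
VALID_MINUTES = 5            # request "effective duration" quoted on the page
ALLOWED_SRC = {"PORTAL01"}   # constructed: source systems allowed to log in

def request_minutes(now):
    """Request timestamp as the page defines it: minutes since 1 Jan 2001."""
    return int((now - EPOCH).total_seconds() // 60)

def sso_auth_code(p):
    """MD5 over "\\r\\n"+dstAppNo+"\\r\\n"+srcAppNo+...; unkeyed, so tamper
    detection rests entirely on the outer dynamic-code encryption."""
    joined = "".join("\r\n" + str(p[f]) for f in FIELDS)
    return hashlib.md5(joined.encode("utf-8")).hexdigest()

def ad_code_xor(value, visit_random, decode=False):
    """Hide/recover the AD real code with the access random code. ASSUMED XOR."""
    k = visit_random.encode("utf-8")
    raw = bytes.fromhex(value) if decode else value.encode("utf-8")
    out = bytes(b ^ k[i % len(k)] for i, b in enumerate(raw))
    return out.decode("utf-8") if decode else out.hex()

def dynamic_cipher(data, code, decrypt=False):
    """Step S204 as read here: cycle through the code bytes; the decryptor
    subtracts an even code byte and adds an odd one (mod 256), encryptor inverts."""
    k = code.encode("utf-8")
    out = bytearray()
    for i, b in enumerate(data):
        kb = k[i % len(k)]
        step = -kb if kb % 2 == 0 else kb          # direction for decryption
        out.append((b + (step if decrypt else -step)) % 256)
    return bytes(out)

def encrypt_sso(group2, dynamic_code, visit_random, now):
    """Portal side, S201-S204; group2 is the predefined parameter group."""
    p = dict(group2)
    p["visitRandomNo"] = visit_random                                  # S202
    p["userCertAD"] = ad_code_xor(p.pop("adRealCode"), visit_random)   # S203
    p["requestMinutes"] = request_minutes(now)
    p["authCode"] = sso_auth_code(p)
    plain = "\r\n".join(str(p[f]) for f in FIELDS + ["authCode"])
    return dynamic_cipher(plain.encode("utf-8"), dynamic_code)         # S204

def verify_sso(blob, dynamic_code, now, session_user, ad_directory):
    """Service side, S101-S105. Returns (status, detail); ad_directory is a
    constructed {userNo: adRealCode} dict standing in for the AD server."""
    names = FIELDS + ["authCode"]
    try:                                                     # S102: decrypt
        plain = dynamic_cipher(blob, dynamic_code, decrypt=True).decode("utf-8")
    except UnicodeDecodeError:
        return ("login_failed", "decryption produced garbage")
    values = plain.split("\r\n")
    if len(values) != len(names) or "" in values:           # S103: count/content
        return ("login_failed", "parameters incomplete")
    p = dict(zip(names, values))
    if not p["requestMinutes"].isdecimal():                  # S103: parameter type
        return ("login_failed", "bad parameter type")
    p["requestMinutes"] = int(p["requestMinutes"])
    if not hmac.compare_digest(sso_auth_code(p).encode(), p["authCode"].encode()):
        return ("login_failed", "authentication code mismatch")  # S103: MD5
    age = request_minutes(now) - p["requestMinutes"]         # S103: timestamp
    if not 0 <= age <= VALID_MINUTES:
        return ("login_failed", "request expired")
    if p["srcAppNo"] not in ALLOWED_SRC:                     # S103: source system
        return ("login_failed", "source system not authorised")
    target = p["gotoURL"] + p["urlParams"]
    if p["userNo"] == session_user:                          # S104: session check
        return ("logged_in", target)
    try:                                                     # S105: AD check
        real = ad_code_xor(p["userCertAD"], p["visitRandomNo"], decode=True)
    except (ValueError, UnicodeDecodeError):
        return ("login_failed", "AD authentication number undecodable")
    if ad_directory.get(p["userNo"]) == real:
        return ("ad_success", target)
    return ("login_failed", "AD authentication failed")

def run_demo():
    # Constructed end-to-end scenario; returns the verifier's outcomes.
    group2 = {"dstAppNo": "ERP02", "srcAppNo": "PORTAL01", "userNo": "u1001",
              "loginNo": "L7", "adRealCode": "S3cret!", "gotoURL": "/erp/home",
              "urlParams": "?tab=1"}
    code, rnd = "dyn-7f3a", "r9x2"             # constructed dynamic/random codes
    now = datetime(2015, 6, 1, 9, 0, tzinfo=timezone.utc)
    directory = {"u1001": "S3cret!"}
    blob = encrypt_sso(group2, code, rnd, now)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])   # flip one ciphertext bit
    return {
        "fresh_session": verify_sso(blob, code, now, "u1001", directory),
        "fresh_no_session": verify_sso(blob, code, now, None, directory),
        "expired": verify_sso(blob, code, now + timedelta(minutes=6), None, directory),
        "tampered": verify_sso(tampered, code, now, None, directory),
        "wrong_code": verify_sso(blob, "other", now, None, directory),
    }
```

Because the MD5 code is computed over values the verifier reads in the clear after decryption, it is not a keyed MAC; the scheme's resistance to tampering depends on the secrecy of the dynamic encryption code and of the channel that delivers it to the second middleware.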
The embodiments of the present invention also provide a decryption verification device 30 for single sign-on, whose main structure includes:
an acquisition module 301, for obtaining the single sign-on encryption parameter;
a decryption module 302, for decrypting the single sign-on encryption parameter to obtain the first single sign-on parameter group;
a validity verification module 303, for performing validity verification on the first single sign-on parameter group and returning login failure information if the result is invalid;
a login verification module 304, for verifying whether the login user number in the first single sign-on parameter group is logged in and returning login information if the result is logged in;
a request AD authentication module 305, for applying to the AD authentication server for AD authentication with the first single sign-on parameter group, returning login failure information if AD authentication fails and login success information if AD authentication succeeds.
The decryption module 302 includes:
a decryption unit, for decrypting the single sign-on encryption parameter with the dynamic encryption code to obtain the first single sign-on parameter group.
The validity verification module 303 includes at least one of the following units; when the result of any one unit is invalid, the result of the validity verification module is invalid:
a quantity and content verification unit, for verifying whether the quantity and content of the parameters in the first single sign-on parameter group are sufficient; if sufficient, the result is valid;
a parameter type verification unit, for verifying whether the parameter types in the first single sign-on parameter group are correct; if correct, the result is valid;
an MD5 encoding verification unit, for joining the parameters in the first single sign-on parameter group other than the single sign-on authentication code with the command character, applying MD5 encoding, and judging whether the result is consistent with the single sign-on authentication code in the first single sign-on parameter group; if consistent, the result is valid;
a request timestamp verification unit, for verifying whether the request timestamp in the first single sign-on parameter group is within the effective duration; if so, the result is valid;
a source application system code verification unit, for verifying whether the source application system code in the first single sign-on parameter group is authorised to log in; if authorised, the result is valid.
The login verification module 304 includes:
a login verification unit, for verifying whether the login user number in the first single sign-on parameter group is consistent with the current session login user number; if consistent, the result is logged in, otherwise the result is not logged in.
The request AD authentication module 305 includes:
a decoding unit, for decoding the login user AD authentication number in the first single sign-on parameter group with the access random code in the first single sign-on parameter group, obtaining the AD authentication real code;
a request AD authentication unit, for performing AD authentication with the login user number in the first single sign-on parameter group and the AD authentication real code.
The device also includes a clock synchronization module, for using a clock synchronization management mechanism to keep its clock consistent with the encrypting end of the single sign-on encryption parameter.
The device also includes a parameter return module which, after AD authentication succeeds, returns the login user number, the destination address to jump to and the destination address additional parameters in the first single sign-on parameter group.
In summary, the device performs validity verification on multiple parameters, improving the security of single sign-on across domains and systems; it can determine whether the transmitted data were intercepted or tampered with by lawbreakers and thus prevents illegal login access. Further, the request timestamp parameter is verified for timeliness management, which increases the security of single sign-on still further.
The embodiments of the present invention also provide a parameter encryption device 40 for single sign-on, whose main structure includes:
an acquisition module 401, for obtaining the second single sign-on parameter group of the predefined type;
a dynamic encryption code and access random code generation module 402, for generating the dynamic encryption code and the access random code, which together with the second single sign-on parameter group form the third single sign-on parameter group;
a processing module 403, for processing the third single sign-on parameter group with the predetermined method to obtain the fourth single sign-on parameter group;
an encryption module 404, for encrypting the fourth single sign-on parameter group with the dynamic encryption code to obtain the single sign-on encryption parameter;
The processing module 403 includes at least one of the following units:
an access random code processing unit, for encrypting the AD authentication real code in the third single sign-on parameter group with the access random code to generate the login user AD authentication code; the login user AD authentication code and the parameters of the third single sign-on parameter group other than the AD authentication real code together form the fourth single sign-on parameter group;
an MD5 encoding processing unit, for joining each parameter in the third single sign-on parameter group with the command character and applying MD5 encoding to obtain the single sign-on authentication code; the single sign-on authentication code and the third single sign-on parameter group together form the fourth single sign-on parameter group;
a request timestamp processing unit, for generating the request timestamp; the request timestamp and the third single sign-on parameter group together form the fourth single sign-on parameter group.
The device also includes a clock synchronization module, for using a clock synchronization management mechanism to keep its clock consistent with the encrypting end of the single sign-on encryption parameter.
In summary, the device transmits the single sign-on parameters after encrypting them, uses dynamic encryption in the encryption process and adds a request timestamp, which supports the security of the data transmission process.
The embodiments of the present invention also provide a single sign-on system that includes at least two subsystems: a first subsystem 51 including a first calling device 511 and the above parameter encryption device 40 for single sign-on, and a second subsystem 52 including a second calling device 521 and the above decryption verification device 30 for single sign-on;
Above-mentioned first calling device 511, for obtaining the second single-sign-on parameter group of predefined type, calls the embodiment of the present invention Described second single-sign-on parameter group is processed and encrypts by the parameter encryption device 40 for single-sign-on provided, it is thus achieved that single Point logs in encryption parameter, and described single-sign-on encryption parameter is sent to the second calling device 521;
Above-mentioned second calling device 521, for receiving the single-sign-on encryption parameter that described first calling device 511 sends, calls It is decrypted and single sign-on authentication by the decryption verification device 30 for single-sign-on that the embodiment of the present invention provides, and works as certification When result is for logining successfully or logging in, jump to target login page.
In sum, single-node login system calls in the middle of first be deployed in gate system by carrying out origin url in gate system The single-sign-on parameter group of predetermined kind is processed and encrypts by part, and the method for this encryption can be above-mentioned for single-sign-on Parameter encryption method, then, carrying out origin url will the single-sign-on encryption parameter that obtain be transferred to be deployed in operation system after encryption Act on behalf of URL, this is acted on behalf of URL and calls to be deployed in after the second middleware of operation system is decrypted and carry out validation verification and stepped on Record checking, the method for this decryption verification can be the above-mentioned decryption verification method for single-sign-on, thus realize single-sign-on, This improves the safety of single-sign-on between cross-domain cross-system, prevent illegal molecule from transmission data being distorted, stop illegal Sign-on access.
Those skilled in the art is it can be understood that arrive, for convenience and simplicity of description, and the system of foregoing description and device Specific works process, be referred to the corresponding process in preceding method embodiment, do not repeat them here.
It is last it is noted that the detailed description of the invention of embodiment described above, the only present invention, in order to the skill of the present invention to be described Art scheme, is not intended to limit, and protection scope of the present invention is not limited thereto, although entering the present invention with reference to previous embodiment Go detailed description, it will be understood by those within the art that: any those familiar with the art is at this In the technical scope of bright exposure, the technical scheme described in previous embodiment still can be modified by it maybe can readily occur in change Change, or wherein portion of techniques feature is carried out equivalent;And these are revised, change or replace, do not make relevant art The essence of scheme departs from the spirit and scope of embodiment of the present invention technical scheme.All should contain within protection scope of the present invention. Therefore, protection scope of the present invention should described be as the criterion with scope of the claims.

Claims (10)

1. A method for realizing single sign-on using middleware, comprising the following steps: when it is determined that a user wants to enter an application system from a portal system through a browser, a first middleware on the portal system obtains the user's parameters, dynamically encrypts them and sends them to the server of the application system corresponding to the destination address; a second middleware on the server of the application system decrypts the user's parameters and performs validity verification on them; if they are invalid, login failure information is returned; if they are valid, it is verified whether the login user number in the parameters is already logged in; if logged in, login information is returned; if not logged in, AD authentication is requested from the AD authentication server; if AD authentication fails, login failure information is returned, and if AD authentication succeeds, login success information is returned; when the login user number is determined to be logged in, the destination address is assigned to the single-sign-on destination address, the destination address additional parameter is assigned to the single-sign-on parameter attribute, and the login user is assigned to the single-sign-on user number, so that login to the application system is realized by single sign-on.
2. The method for realizing single sign-on using middleware according to claim 1, characterized in that the user's parameters include at least a login user number, a login user AD authentication code, a destination address to forward to and a destination address additional parameter.
3. The method for realizing single sign-on using middleware according to claim 1 or 2, characterized in that the first middleware generates an access random code and encrypts the AD authentication true code with the access random code to generate the login user AD authentication code.
4. The method for realizing single sign-on using middleware according to claim 1, characterized in that the user's parameters are joined by a command character and encoded to obtain a single sign-on authentication code.
5. The method for realizing single sign-on using middleware according to claim 1, characterized in that the first middleware generates a dynamic encrypting code, encrypts the user's parameters with the dynamic encrypting code, and then sends them to the server of the application system for decryption and verification.
6. The method for realizing single sign-on using middleware according to claim 1, characterized in that a timestamp is added to the parameters and an effective duration of the timestamp is set.
7. The method for realizing single sign-on using middleware according to claim 1, characterized in that the second middleware decrypts the user's parameters, specifically: the second middleware uses the dynamic encrypting code to decrypt the ciphertext into plaintext, the decryption algorithm being: determine the parity; if even, apply the dynamic encrypting code to the parameter content byte by byte with an addition operation, otherwise with a subtraction operation; then split by the separator to restore the parameter content.
8. The method for realizing single sign-on using middleware according to claim 1, characterized in that performing validity verification on the parameters includes at least one of the following aspects, and if the result of any of them is invalid, the result of the validity verification of the parameters is invalid:
verifying whether the parameter categories and content are complete; if complete, valid;
verifying whether the parameter types are correct; if correct, valid;
after joining the parameters by the command character and encoding them, judging whether the result is consistent with the single sign-on authentication code; if consistent, valid;
verifying whether the request timestamp is within the effective duration; if so, valid;
verifying whether the source application system code is authorized to log in; if authorized, valid.
9. The method for realizing single sign-on using middleware according to claim 8, characterized in that the verification is completed in the second middleware; when the verification result is invalid, login failure information is returned, and this login failure information is notified directly to the application system by the second middleware on the server of the application system, and login is forbidden.
10. A system for realizing single sign-on using middleware, characterized in that it includes a server of a portal system, a server of an application system and an AD authentication server; the browser exchanges data with the servers via the http protocol; a first middleware runs on the server of the portal system, a second middleware runs on the server of the application system, and the AD authentication server is used for identity authentication; the first middleware is used for, when it is determined that a user wants to enter the application system from the portal system through the browser, obtaining the user's parameters, dynamically encrypting them and sending them to the server of the application system corresponding to the destination address; the second middleware on the application system server decrypts the user's parameters and performs validity verification on them; if they are invalid, login failure information is returned; if they are valid, it is verified whether the login user number in the parameters is already logged in; if logged in, login information is returned; if not logged in, AD authentication is requested from the AD authentication server; if AD authentication fails, login failure information is returned, and if AD authentication succeeds, login success information is returned; when the login user number is determined to be logged in, the destination address is assigned to the single-sign-on destination address, the destination address additional parameter is assigned to the single-sign-on parameter attribute, and the login user is assigned to the single-sign-on user number, so that login to the application system is realized by single sign-on.
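The following is an added example, not code from the patent, that walks the parameter encryption of processing module 403 and the decryption and validity verification of claims 7 and 8 end to end: the first middleware builds the parameter group (access random code, login user AD authentication code, MD5 single sign-on authentication code, request timestamp), encrypts it with the dynamic encrypting code, and the second middleware decrypts it and applies the claim 8 checks. Assumptions not fixed by the page: the parity in claim 7 is taken to be the byte index, "|" is the separator/command character, the effective duration is 60 seconds, the authorised source system codes are a fixed set, and the dynamic encrypting code is handed to the second middleware out of band.

```python
import hashlib
import hmac
import secrets
import time

# Constructed constants: the patent names these mechanisms but fixes no values.
SEP = "|"                        # the separator / command character joining parameters
TS_VALID_SECONDS = 60            # effective duration of the request timestamp (claim 6)
AUTHORISED_SOURCES = {"portal"}  # source application system codes allowed to log in
FIELDS = ("user", "ad_code", "target", "extra", "source", "rand", "ts", "auth")


def shift_bytes(data: bytes, key: bytes, decrypt: bool) -> bytes:
    """Claim 7 decryption: bytes at even positions get the code byte added, bytes at
    odd positions get it subtracted (mod 256); encryption applies the opposite shifts.
    Using the byte index as the parity source is an assumption of this example."""
    out = bytearray()
    for i, b in enumerate(data):
        k = key[i % len(key)]
        add = (i % 2 == 0) == decrypt
        out.append((b + k) % 256 if add else (b - k) % 256)
    return bytes(out)


def auth_code(values) -> str:
    """Single sign-on authentication code: parameters joined by the command
    character and MD5-encoded, as the description and claim 4 state."""
    return hashlib.md5(SEP.join(values).encode()).hexdigest()


def portal_encrypt(user, ad_true_code, target, extra, source, now=None):
    """First middleware (apparatus 40): build the parameter group and encrypt it."""
    rand = secrets.token_hex(8)      # access random code
    dyn = secrets.token_bytes(16)    # dynamic encrypting code
    # Login user AD authentication code: the AD true code encrypted with the random code.
    ad_code = shift_bytes(ad_true_code.encode(), rand.encode(), decrypt=False).hex()
    ts = str(int(time.time() if now is None else now))   # request timestamp
    values = [user, ad_code, target, extra, source, rand, ts]
    values.append(auth_code(values))
    cipher = shift_bytes(SEP.join(values).encode(), dyn, decrypt=False)
    return cipher, dyn   # how dyn reaches the second middleware is not specified by the page


def app_decrypt_verify(cipher, dyn, now=None):
    """Second middleware (apparatus 30): decrypt, apply the claim 8 validity checks,
    then recover the AD true code needed for the AD authentication request."""
    try:
        values = shift_bytes(cipher, dyn, decrypt=True).decode().split(SEP)
    except UnicodeDecodeError:
        return None, "undecodable ciphertext"
    if len(values) != len(FIELDS):                   # categories and content complete?
        return None, "incomplete parameter group"
    p = dict(zip(FIELDS, values))
    if not p["ts"].isdigit() or not p["user"]:       # parameter types correct?
        return None, "wrong parameter type"
    if not hmac.compare_digest(auth_code(values[:-1]), p["auth"]):
        return None, "authentication code mismatch"  # altered in transit
    now = time.time() if now is None else now
    if not 0 <= now - int(p["ts"]) <= TS_VALID_SECONDS:
        return None, "request timestamp expired"     # stale or replayed request
    if p["source"] not in AUTHORISED_SOURCES:
        return None, "source system not authorised"
    ad_true = shift_bytes(bytes.fromhex(p["ad_code"]), p["rand"].encode(), decrypt=True).decode()
    return {"user": p["user"], "target": p["target"], "extra": p["extra"],
            "ad_true_code": ad_true}, "ok"
```

The MD5 authentication code is unkeyed, so tamper detection rests entirely on the dynamic encrypting code staying secret between the two middlewares; a keyed MAC would remove that dependency.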
CN201510362857.2A 2015-06-26 2015-06-26 Method and system for realizing single signing on by using middleware Pending CN106330829A (en)


Publications (1)

Publication Number Publication Date
CN106330829A true CN106330829A (en) 2017-01-11

Family

ID=57723257



Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170111