CN106790063A - Method of single sign-on for heterogeneous WEB systems - Google Patents


Info

Publication number: CN106790063A (granted as CN106790063B)
Application number: CN201611186989.5A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 张康, 万勇韬, 付雳
Assignee (original and current): XINGTANG COMMUNICATIONS CO Ltd
Priority date and filing date: 2016-12-20
Publication dates: 2017-05-31 (CN106790063A), 2020-07-17 (CN106790063B)
Legal status: granted, active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The present invention relates to a method of single sign-on for heterogeneous WEB systems, comprising the following steps. Step S1: the single sign-on client reads ST information from the user's request URL; if the read succeeds, step S5 is performed, and if it fails, step S2 is performed. Step S2: the single sign-on client reads TGT information from the browser Cookie; if it is present, step S4 is performed, and if it is absent, step S3 is performed. Step S3: the single sign-on server verifies the user's identity authentication information and generates a TGT. Step S4: the single sign-on server authenticates the TGT and generates an ST. Step S5: the single sign-on server authenticates the ST and the page content is loaded. The JavaScript-based single sign-on client implementation proposed by the present invention can realize page-level login control simply; the CAS client can be conveniently integrated into WEB systems under various technical architectures, and page-level access control can easily be realized by including a script.

Description

Method of single sign-on for heterogeneous WEB systems
Technical field
The present invention relates to the field of Internet technology, and in particular to a method of single sign-on for heterogeneous WEB systems.
Background technology
With the development of computer technology, enterprises depend more and more on computers and information systems. In the different phases of their informatization, enterprises have developed multiple office information WEB systems, such as OA systems, financial systems, workflow systems and so on. However, for historical reasons, each system manages user accounts and password information independently, which greatly increases the enterprise's burden of managing user information and also introduces security risks to the systems. Single sign-on systems therefore arose to meet this need.
Single sign-on systems based on CAS (Central Authentication Service) technology are currently a popular open-source single sign-on solution; however, existing CAS-based single sign-on systems still have some shortcomings. In most enterprises, the various business systems were developed in different periods: early systems may have been implemented with ASP, while newer systems may be implemented with Java EE, ASP.NET or PHP. Integrating these heterogeneous systems into one single sign-on system therefore requires developing a dedicated CAS client for each technical architecture. Although the active CAS community has implemented CAS clients for most mainstream technical frameworks, some of these clients are relatively unstable, which causes the login state of the business systems to become inconsistent; in tightly coupled business system integration scenarios the effect is even more serious. For business systems implemented with outdated technologies such as ASP, the CAS client must be implemented by the enterprise itself. Moreover, CAS clients are integrated with business systems through filter technology; if a system needs finer-grained control (for example, the system home page does not require login while certain important business pages do), multiple records must be added to the configuration file, which reduces its readability.
At present, single sign-on integration for heterogeneous WEB systems is achieved by implementing a separate single sign-on client for each system. This greatly increases the difficulty of implementing single sign-on and also reduces the stability of the system.
Summary of the invention
In view of the above analysis, the present invention aims to provide a method of single sign-on for heterogeneous WEB systems, to solve the problems that single sign-on for heterogeneous WEB systems is currently difficult to implement and that system stability is poor.
The purpose of the present invention is mainly achieved through the following technical solution:
A method of single sign-on for heterogeneous WEB systems, comprising the following steps:
Step S1: the single sign-on client reads ST information from the user's request URL; if the read succeeds, step S5 is performed; if the read fails, step S2 is performed;
The ST (Service Ticket) is a service ticket: a user identity credential generated by the single sign-on server, on the basis of the TGT, for the application service that the user requests;
The TGT (Ticket Granting Ticket) is a user identity ticket: the important evidence that user identity authentication succeeded, and the main basis for realizing single sign-on;
Step S2: the single sign-on client reads TGT information from the browser Cookie; if it is present, step S4 is performed; if it is absent, step S3 is performed;
Step S3: the single sign-on server verifies the user's identity authentication information and generates a TGT;
Step S4: the single sign-on server authenticates the TGT and generates an ST;
Step S5: the single sign-on server authenticates the ST and the page content is loaded.
Step S3 further comprises the following sub-steps:
Step S301: the single sign-on server receives the identity authentication information entered by the user;
Step S302: the single sign-on server authenticates the user's identity authentication information; if authentication succeeds, step S303 is performed; if authentication fails, return to step S301;
Step S303: the single sign-on server generates a TGT according to the user's identity authentication information and sends it to the single sign-on client.
In step S301, the user sends a user identity authentication request to the single sign-on server through the single sign-on client; the single sign-on server receives the user's identity authentication request, redirects to the identity authentication control page of the single sign-on server, guides the user to enter identity authentication information such as user name, password and verification code, and receives that identity authentication information.
The single sign-on client receives the TGT sent by the single sign-on server and stores the TGT in a Cookie.
Step S4 further comprises the following sub-steps:
Step S401: the single sign-on client sends a TGT authentication request to the single sign-on server;
Step S402: the single sign-on server receives the TGT authentication request sent by the single sign-on client, extracts the TGT carried in the request and authenticates it; if authentication succeeds, the authenticated TGT is packaged as JSON data and sent to the single sign-on client, and step S403 is performed; if authentication fails, an authentication failure message is sent to the single sign-on client and the method returns to step S3;
Step S403: the single sign-on server generates an ST and sends it to the single sign-on client.
To ensure security, the ST is regenerated on each user request for an application service, and expires once it has been authenticated.
The single sign-on client receives the ST sent by the single sign-on server and stores the ST in a JavaScript ST variable.
The single sign-on server uses CAS to generate and authenticate the TGT and the ST.
Step S5 further comprises the following sub-steps:
Step S501: the single sign-on client sends an ST authentication request to the single sign-on server;
Step S502: the single sign-on server receives the ST authentication request sent by the single sign-on client, extracts the ST carried in the request and authenticates it; if authentication succeeds, the authenticated ST is packaged as JSON data and sent to the single sign-on client, and step S503 is performed; if authentication fails, an authentication failure message is sent to the single sign-on client and the method returns to step S3;
Step S503: the page content is loaded.
The interaction between the single sign-on client and the single sign-on server is implemented based on JSON.
The present invention has the following beneficial effects:
The WEB system single sign-on integration method proposed by the present invention is independent of the back-end technical architecture and offers a reference for integrating WEB systems with complicated legacy technical architectures into a single sign-on system; the JavaScript-based single sign-on client implementation can realize page-level login control simply; the CAS client can be conveniently integrated into WEB systems under various technical architectures, and page-level access control can easily be realized by including a script.
Other features and advantages of the present invention will be set forth in the following description; some will become apparent from the description, or will be understood by practising the invention. The objectives and other advantages of the invention can be realized and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
The accompanying drawings are only used to illustrate specific embodiments and are not to be considered a limitation of the present invention; throughout the drawings, identical reference symbols denote identical parts.
Fig. 1 is a schematic flow chart of the client operation;
Fig. 2 is a schematic flow chart of the login process;
Fig. 3 is a schematic flow chart of TGT authentication;
Fig. 4 is a schematic flow chart of ST authentication;
Fig. 5 is a schematic diagram of the client-server interaction.
Specific embodiment
Preferred embodiments of the present invention are described below in detail with reference to the accompanying drawings, which form part of this application and, together with the embodiments, serve to explain the principle of the invention.
An embodiment of the present invention provides a method of single sign-on for heterogeneous WEB systems, comprising the following steps:
Step S1: the single sign-on client reads ST information from the user's request URL; if the read succeeds, step S5 is performed; if the read fails, step S2 is performed.
Specifically, the single sign-on client is browser-based and runs inside the web page that the user wants to access.
Step S2: the single sign-on client reads TGT information from the browser Cookie; if it is present, step S4 is performed; if it is absent, step S3 is performed.
The client operation flow of steps S1 and S2 is shown in Fig. 1.
Step S3: as shown in Fig. 2, the single sign-on server verifies the user's identity authentication information and generates a TGT.
Specifically, step S3 further comprises the following sub-steps:
Step S301: the single sign-on server receives the identity authentication information entered by the user.
Specifically, the user sends a user identity authentication request to the single sign-on server through the single sign-on client; the single sign-on server receives the user's identity authentication request, redirects to the identity authentication control page of the single sign-on server, guides the user to enter identity authentication information such as user name, password and verification code, and receives that identity authentication information;
Specifically, the identity authentication control page is the login page, and the identity authentication information is the login information;
Preferably, the single sign-on client JavaScript script file is included in the page, so that the identity authentication control page is integrated into the single sign-on system;
Preferably, the single sign-on client is implemented with JavaScript scripts and is applicable to all WEB systems.
Step S302: the single sign-on server authenticates the user's identity authentication information; if authentication succeeds, step S303 is performed; if authentication fails, return to step S301.
Preferably, after authentication fails and before returning to step S301, the single sign-on server redirects to the identity authentication control page and displays an authentication failure message, or performs a customized operation;
Preferably, the customized operation can be used to limit the number of times a user may enter a wrong user name or password, and the like.
Preferably, the interaction between the single sign-on client and the single sign-on server is implemented based on JSON (JavaScript Object Notation); the client-server interaction is shown schematically in Fig. 5.
Step S303: the single sign-on server generates a TGT according to the user's identity authentication information and sends it to the single sign-on client.
Further, the single sign-on client receives the TGT sent by the single sign-on server and stores the TGT in a Cookie;
Specifically, the TGT (Ticket Granting Ticket) is the user identity ticket: the important evidence that user identity authentication succeeded, and the main basis for realizing single sign-on.
Step S4: as shown in Fig. 3, the single sign-on server authenticates the TGT and generates an ST.
Specifically, step S4 further comprises the following sub-steps:
Step S401: the single sign-on client sends a TGT authentication request to the single sign-on server.
Specifically, the single sign-on client sends the TGT authentication request to the single sign-on server on the basis of the TGT in the Cookie;
Step S402: the single sign-on server receives the TGT authentication request sent by the single sign-on client, extracts the TGT carried in the request and authenticates it; if authentication succeeds, the authenticated TGT is packaged as JSON data and sent to the single sign-on client, and step S403 is performed; if authentication fails, an authentication failure message is sent to the single sign-on client and the method returns to step S3;
Preferably, after TGT authentication fails and before returning to step S3, the single sign-on server redirects to the identity authentication control page and displays an authentication failure message.
Step S403: the single sign-on server generates an ST and sends it to the single sign-on client.
Further, the single sign-on client receives the ST sent by the single sign-on server and stores the ST in a JavaScript ST variable;
Specifically, the ST (Service Ticket) is the service ticket: a user identity credential generated by the single sign-on server, on the basis of the TGT, for the application service that the user requests;
Preferably, to ensure security, the ST is regenerated on each user request for an application service, and expires once it has been authenticated.
Step S5: as shown in Fig. 4, the single sign-on server authenticates the ST and the page content is loaded.
Specifically, step S5 further comprises the following sub-steps:
Step S501: the single sign-on client sends an ST authentication request to the single sign-on server.
Specifically, the single sign-on client sends the ST authentication request to the single sign-on server on the basis of the ST in the JavaScript ST variable.
Step S502: the single sign-on server receives the ST authentication request sent by the single sign-on client, extracts the ST carried in the request and authenticates it; if authentication succeeds, the authenticated ST is packaged as JSON data and sent to the single sign-on client, and step S503 is performed; if authentication fails, an authentication failure message is sent to the single sign-on client and the method returns to step S3;
Preferably, after ST authentication fails and before returning to step S3, the single sign-on server redirects to the identity authentication control page and displays an authentication failure message.
Preferably, the single sign-on server uses CAS (Central Authentication Service) to generate and authenticate the TGT and the ST.
Step S503: the page content is loaded.
Specifically, the page loaded is the page corresponding to the user's request URL in step S1.
In summary, the embodiment of the present invention provides a method of single sign-on for heterogeneous WEB systems which splits the generation and verification of the TGT and ST ticket information into separate flows, and thereby provides a reference for integrating a C/S (client/server) architecture into a CAS-based single sign-on system.
1. A single sign-on integration method for heterogeneous WEB systems based on CAS technology is proposed. Application service systems no longer need to implement a separate single sign-on client according to their own technical architecture; each application service system can be integrated into the single sign-on system simply by including a JavaScript script file.
2. A single sign-on client implementation based on JavaScript technology is proposed. The authentication tickets and authentication results are obtained through front-end technology, and the page-related actions taken after authentication succeeds or fails can be customized, which increases the flexibility of access control. Moreover, JavaScript, as a front-end technology, can be applied to any WEB system.
Those skilled in the art will understand that all or part of the flow of the above method embodiment can be carried out by a computer program instructing the relevant hardware, and that the program can be stored in a computer-readable storage medium, such as a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above are only preferred specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto; any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed by the invention shall be included within the scope of protection of the present invention.

Claims (10)

1. A method of single sign-on for heterogeneous WEB systems, characterized in that it comprises the following steps:
Step S1: the single sign-on client reads ST information from the user's request URL; if the read succeeds, step S5 is performed; if the read fails, step S2 is performed;
The ST (Service Ticket) is a service ticket: a user identity credential generated by the single sign-on server, on the basis of the TGT, for the application service that the user requests;
The TGT (Ticket Granting Ticket) is a user identity ticket: the important evidence that user identity authentication succeeded, and the main basis for realizing single sign-on;
Step S2: the single sign-on client reads TGT information from the browser Cookie; if it is present, step S4 is performed; if it is absent, step S3 is performed;
Step S3: the single sign-on server verifies the user's identity authentication information and generates a TGT;
Step S4: the single sign-on server authenticates the TGT and generates an ST;
Step S5: the single sign-on server authenticates the ST and the page content is loaded.
2. The method according to claim 1, characterized in that step S3 further comprises the following sub-steps:
Step S301: the single sign-on server receives the identity authentication information entered by the user;
Step S302: the single sign-on server authenticates the user's identity authentication information; if authentication succeeds, step S303 is performed; if authentication fails, return to step S301;
Step S303: the single sign-on server generates a TGT according to the user's identity authentication information and sends it to the single sign-on client.
3. The method according to claim 2, characterized in that, in step S301, the user sends a user identity authentication request to the single sign-on server through the single sign-on client; the single sign-on server receives the user's identity authentication request, redirects to the identity authentication control page of the single sign-on server, guides the user to enter identity authentication information such as user name, password and verification code, and receives that identity authentication information.
4. The method according to claim 2, characterized in that the single sign-on client receives the TGT sent by the single sign-on server and stores the TGT in a Cookie.
5. The method according to claim 1, characterized in that step S4 further comprises the following sub-steps:
Step S401: the single sign-on client sends a TGT authentication request to the single sign-on server;
Step S402: the single sign-on server receives the TGT authentication request sent by the single sign-on client, extracts the TGT carried in the request and authenticates it; if authentication succeeds, the authenticated TGT is packaged as JSON data and sent to the single sign-on client, and step S403 is performed; if authentication fails, an authentication failure message is sent to the single sign-on client and the method returns to step S3;
Step S403: the single sign-on server generates an ST and sends it to the single sign-on client.
6. The method according to claim 5, characterized in that, to ensure security, the ST is regenerated on each user request for an application service, and expires once it has been authenticated.
7. The method according to claim 5 or 6, characterized in that the single sign-on client receives the ST sent by the single sign-on server and stores the ST in a JavaScript ST variable.
8. The method according to claim 1, characterized in that the single sign-on server uses CAS to generate and authenticate the TGT and the ST.
9. The method according to claim 1, characterized in that step S5 further comprises the following sub-steps:
Step S501: the single sign-on client sends an ST authentication request to the single sign-on server;
Step S502: the single sign-on server receives the ST authentication request sent by the single sign-on client, extracts the ST carried in the request and authenticates it; if authentication succeeds, the authenticated ST is packaged as JSON data and sent to the single sign-on client, and step S503 is performed; if authentication fails, an authentication failure message is sent to the single sign-on client and the method returns to step S3;
Step S503: the page content is loaded.
10. The method according to claim 1, characterized in that the interaction between the single sign-on client and the single sign-on server is implemented based on JSON.

Priority Application (1)

Application Number: CN201611186989.5A (granted as CN106790063B)
Priority Date: 2016-12-20
Filing Date: 2016-12-20
Title: Method for single sign-on of heterogeneous WEB system

Publications (2)

CN106790063A, published 2017-05-31
CN106790063B, published 2020-07-17

Family ID: 58896334
Country Status: CN, CN106790063B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107707570A (en) * 2017-11-13 2018-02-16 山东省农村信用社联合社 Cross-domain single logs in integrated approach and system
CN108600203A (en) * 2018-04-11 2018-09-28 四川长虹电器股份有限公司 Secure Single Sign-on method based on Cookie and its unified certification service system
CN109472123A (en) * 2018-11-05 2019-03-15 用友网络科技股份有限公司 A kind of cloud service integrates the method and system of third party's single-sign-on customer center
CN109600342A (en) * 2017-09-30 2019-04-09 广东亿迅科技有限公司 Uniform authentication method and device based on one-point technique
CN110891060A (en) * 2019-11-26 2020-03-17 昆明能讯科技有限责任公司 Unified authentication system based on multi-service system integration
CN112446015A (en) * 2020-12-01 2021-03-05 山东健康医疗大数据有限公司 User login authentication method based on two-stage deployment
CN112929391A (en) * 2021-03-15 2021-06-08 浪潮云信息技术股份公司 Method for realizing cross-platform identity authentication based on single sign-on

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469075A (en) * 2010-11-09 2012-05-23 中科正阳信息安全技术有限公司 Integration authentication method based on WEB single sign on
CN104052746A (en) * 2014-06-18 2014-09-17 华为技术有限公司 Heterogeneous application single sign-on system and method


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant