CN106790063B - Method for single sign-on of heterogeneous WEB system - Google Patents

Info

Publication number: CN106790063B
Authority: CN (China)
Prior art keywords: single sign, authentication, client, tgt, server
Legal status: Active
Application number: CN201611186989.5A
Other languages: Chinese (zh)
Other versions: CN106790063A (en)
Inventors: 张康, 万勇韬, 付雳
Current assignee: XINGTANG COMMUNICATION TECHNOLOGY CO LTD
Original assignee: XINGTANG COMMUNICATION TECHNOLOGY CO LTD
Application filed by XINGTANG COMMUNICATION TECHNOLOGY CO LTD
Priority to CN201611186989.5A
Publication of CN106790063A
Application granted
Publication of CN106790063B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The invention relates to a method for single sign-on of a heterogeneous WEB system, comprising the following steps. S1: the single sign-on client reads ST information from the URL requested by the user; if the ST is read successfully, S5 is executed, otherwise S2 is executed. S2: the single sign-on client reads TGT information from the browser Cookie; if a TGT is found, S4 is executed, otherwise S3 is executed. S3: the single sign-on server verifies the user's identity authentication information and generates a TGT, then S4 is executed. S4: the single sign-on server authenticates the TGT and generates an ST, then S5 is executed. S5: the single sign-on server authenticates the ST and the page content is loaded. A single sign-on client based on Javascript can implement page-level login control simply, and the CAS client can conveniently integrate WEB systems built on various technical frameworks, achieving page-level access control by merely including a script.

Description

Method for single sign-on of heterogeneous WEB system
Technical Field
The invention relates to the technical field of internet, in particular to a single sign-on method for a heterogeneous WEB system.
Background
With the development of computer technology, enterprises depend more and more on computers and information systems. At different stages of their informatization, enterprises have developed many office WEB systems, such as an OA system, a financial system and a workflow system. For historical reasons, each of these systems manages its users' account and password information independently, which greatly increases the burden of managing user information and introduces security risks. Single sign-on systems emerged to address this.
The single sign-on system based on CAS (Central Authentication Service) is currently a popular open-source single sign-on solution; however, existing CAS-based single sign-on systems still have some disadvantages. In most enterprises, service systems were developed at different times: earlier systems may be implemented with ASP technology and newer systems with Java EE, ASP. Therefore, to integrate these heterogeneous systems into one login system, a separate CAS client must be developed for each technology architecture. Although the active CAS community provides CAS clients for most mainstream architectures, some of these clients are unstable, which can leave the login states of several service systems inconsistent, with more serious consequences in tightly coupled integrations. For a service system built on an outdated technology such as ASP, the CAS client has to be implemented by the enterprise itself. Meanwhile, the CAS client is integrated with the business system through a filter, so if fine-grained control is needed (for example, the system home page does not require login but certain important business pages do), many entries must be added to a configuration file, which reduces the readability of the system.
At present, single sign-on integration of heterogeneous WEB systems is mostly achieved by implementing a separate single sign-on client for each system. This greatly increases the difficulty of implementing single sign-on and also reduces the stability of the system.
Disclosure of Invention
In view of the foregoing analysis, the present invention aims to provide a method for single sign-on of a heterogeneous WEB system, so as to solve the problems of high single sign-on difficulty and poor system stability of the existing heterogeneous WEB system.
The purpose of the invention is mainly realized by the following technical scheme:
a method for single sign-on of a heterogeneous WEB system comprises the following steps:
step S1: the single sign-on client reads ST information from the URL requested by the user; if the ST information is read successfully, step S5 is executed, and if it cannot be read, step S2 is executed;
the ST (Service Ticket) is a service ticket: a user identity credential generated by the single sign-on server, on the basis of the TGT, for the application service requested by the user;
the TGT (Ticket Granting Ticket) is a user identity ticket: it is the evidence that user identity authentication succeeded and the main basis for realizing single sign-on;
step S2: the single sign-on client reads the TGT information from the browser Cookie, and if the TGT information exists, the step S4 is executed; if not, go to step S3;
step S3: the single sign-on server side verifies the user identity authentication information and generates a TGT;
step S4: the single sign-on server side authenticates the TGT and generates an ST;
step S5: the single sign-on server authenticates the ST and loads the page content.
The step S3 further includes the following sub-steps:
step S301: the single sign-on server receives identity authentication information input by a user;
step S302: the single sign-on server side authenticates the identity authentication information of the user, and if the authentication is successful, the step S303 is executed; if the authentication fails, returning to the step S301;
step S303: and the single sign-on server generates the TGT according to the user identity authentication information and sends the TGT to the single sign-on client.
In step S301, a user sends a user identity authentication request to the single sign-on server through the single sign-on client, and the single sign-on server receives the user identity authentication request, redirects to an identity authentication control page of the single sign-on server, and guides the user to input identity authentication information such as a user name, a password, and a verification code and receive the identity authentication information.
And the single sign-on client receives the TGT sent by the single sign-on server and stores the TGT into the Cookie.
The step S4 further includes the following sub-steps:
step S401: the single sign-on client sends an authentication TGT request to the single sign-on server;
step S402: the single sign-on server receives the authentication TGT request sent by the single sign-on client, extracts the TGT carried in the request and authenticates it; if the authentication succeeds, it packs the TGT into json data, sends the json data to the single sign-on client and executes step S403; if the authentication fails, it sends authentication failure information to the single sign-on client and returns to step S3;
step S403: the single sign-on server generates the ST and sends the ST to the single sign-on client.
To ensure security, the ST is regenerated each time a user requests an application service and expires after one authentication.
And the single sign-on client receives the ST sent by the single sign-on server and stores the ST into the ST variable of the Javascript.
The single sign-on server uses the CAS to generate and authenticate the TGT and the ST.
The step S5 further includes the following sub-steps:
step S501: the single sign-on client sends an authentication ST request to the single sign-on server;
step S502: the single sign-on server receives the authentication ST request sent by the single sign-on client, extracts the ST carried in the request and authenticates it; if the authentication succeeds, it packs the ST into json data, sends the json data to the single sign-on client and executes step S503; if the authentication fails, it sends authentication failure information to the single sign-on client and returns to step S3;
step S503: the page content is loaded.
The interaction mode of the single sign-on client and the single sign-on server is realized based on the json technology.
The invention has the following beneficial effects:
the WEB system single sign-on integration method is independent of the back-end technical architecture, and is a useful reference for legacy WEB systems whose single sign-on integration would otherwise involve a complex mix of technologies; implementing the single sign-on client in Javascript makes page-level sign-on control simple; the CAS client can conveniently integrate WEB systems under various technical frameworks, and page-level access control is achieved by merely including a script.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The drawings are only for purposes of illustrating particular embodiments and are not to be construed as limiting the invention, wherein like reference numerals are used to designate like parts throughout.
FIG. 1 is a schematic diagram of a client workflow;
FIG. 2 is a schematic flow chart of a login process;
FIG. 3 is a schematic diagram of an authentication TGT flow;
FIG. 4 is a schematic diagram of an authentication ST process;
FIG. 5 is a diagram illustrating client-server interaction.
Detailed Description
The preferred embodiments of the present invention will now be described in detail with reference to the accompanying drawings, which form a part hereof, and which together with the embodiments of the invention serve to explain the principles of the invention.
The embodiment of the invention provides a method for single sign-on of a heterogeneous WEB system, which comprises the following steps:
step S1: the single sign-on client reads ST information from the URL requested by the user; if the reading succeeds, step S5 is executed, and if it fails, step S2 is executed.
Specifically, the single sign-on client runs in a webpage to be accessed by the user based on a browser.
Step S2: the single sign-on client reads the TGT information from the browser Cookie, and if the TGT information exists, the step S4 is executed; if not, go to step S3.
The working flow charts of the step S1 and the step S2 are shown in FIG. 1.
Step S3: as shown in fig. 2, the single sign-on server verifies the user authentication information and generates a TGT.
Specifically, the step S3 further includes the following sub-steps:
step S301: the single sign-on server receives the identity authentication information input by the user.
Specifically, a user sends a user identity authentication request to a single sign-on server through a single sign-on client, the single sign-on server receives the user identity authentication request, redirects the user identity authentication request to an identity authentication control page of the single sign-on server, guides the user to input identity authentication information such as a user name, a password and a verification code and receives the identity authentication information;
specifically, the identity authentication control page is a login page, and the identity authentication information is login information;
preferably, a single sign-on client Javascript file is introduced into the page, and the identity authentication control page is integrated into the single sign-on system;
preferably, the single sign-on client is implemented by a Javascript script language, and is applicable to all WEB systems.
Step S302: the single sign-on server side authenticates the identity authentication information of the user, and if the authentication is successful, the step S303 is executed; if the authentication fails, the process returns to step S301.
Preferably, after the authentication fails, before returning to step S301, the single sign-on server redirects to an identity authentication control page, and displays authentication failure information, or performs a custom operation;
preferably, the customized operation can be used to limit the number of times the user enters an incorrect user name, password, etc.
Preferably, the interaction between the single sign-on client and the single sign-on server is implemented with JSON (JavaScript Object Notation); the interaction between client and server is shown in fig. 5.
Step S303: and the single sign-on server generates the TGT according to the user identity authentication information and sends the TGT to the single sign-on client.
Further, the single sign-on client receives the TGT sent by the single sign-on server and stores the TGT into the Cookie;
specifically, the TGT (Ticket Granting Ticket) is a user identity ticket: it is the evidence that user identity authentication succeeded and the main basis for realizing single sign-on.
Step S4: as shown in fig. 3, the single sign-on server authenticates the TGT and generates the ST.
Specifically, the step S4 further includes the following sub-steps:
step S401: the single sign-on client sends an authentication TGT request to the single sign-on server.
Specifically, the single sign-on client sends an authentication TGT request to the single sign-on server according to the TGT in the Cookie;
step S402: the single sign-on server receives the authentication TGT request sent by the single sign-on client, extracts the TGT carried in the request and authenticates it; if the authentication succeeds, it packs the TGT into json data, sends the json data to the single sign-on client and executes step S403; if the authentication fails, it sends authentication failure information to the single sign-on client and returns to step S3;
preferably, after the TGT authentication fails and before returning to step S3, the single sign-on server redirects to the identity authentication control page and displays the authentication failure information.
Step S403: the single sign-on server generates the ST and sends the ST to the single sign-on client.
Further, the single sign-on client receives the ST sent by the single sign-on server and stores the ST into the ST variable of the Javascript;
specifically, the ST (Service Ticket) is a service ticket: a user identity credential generated by the single sign-on server, on the basis of the TGT, for the application service requested by the user;
preferably, to ensure security, the ST is regenerated each time the user requests an application service and expires after one authentication.
Step S5: as shown in FIG. 4, the single sign-on server authenticates the ST and loads the page content.
Specifically, the step S5 further includes the following sub-steps:
step S501: the single sign-on client sends an authentication ST request to the single sign-on server.
Specifically, the single sign-on client sends an authentication ST request to the single sign-on server according to ST in the ST variables of Javascript.
Step S502: the single sign-on server receives the authentication ST request sent by the single sign-on client, extracts the ST carried in the request and authenticates it; if the authentication succeeds, it packs the ST into json data, sends the json data to the single sign-on client and executes step S503; if the authentication fails, it sends authentication failure information to the single sign-on client and returns to step S3;
preferably, after the ST authentication fails, before returning to step S3, the single sign-on server redirects to the identity authentication control page and displays the authentication failure information.
Preferably, the single sign-on server uses CAS (Central Authentication Service) to generate and authenticate the TGT and the ST.
Step S503: the page content is loaded.
Specifically, the loaded page is the page corresponding to the URL requested by the user in step S1.
In summary, the embodiments of the present invention provide a method for single sign-on of a heterogeneous WEB system, which splits the generation and verification of TGT and ST ticket information into different processes, and provides a reference for integrating a C/S (client/server) architecture into a single sign-on system based on a CAS technology.
1. A single sign-on integration method of a heterogeneous WEB system based on a CAS technology is provided. The application service system does not need to independently realize a single sign-on client according to the own technical architecture, and each application service system can be integrated into the single sign-on system by simply introducing Javascript files.
2. A single sign-on client implementation method based on Javascript technology is provided. The authentication bill and the authentication result are obtained through the front-end technology, actions related to the page can be defined after authentication is successful or failed, and the flexibility of access control is improved. Meanwhile, the Javascript is used as a front-end technology and can be applied to any WEB system.
Those skilled in the art will appreciate that all or part of the flow of the method implementing the above embodiments may be implemented by a computer program, which is stored in a computer readable storage medium, to instruct related hardware. The computer readable storage medium is a magnetic disk, an optical disk, a read-only memory or a random access memory.
The above description is only for the preferred embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention.

Claims (8)

1. A method for single sign-on of a heterogeneous WEB system is characterized by comprising the following steps:
step S1: the single sign-on client reads ST information from the URL requested by the user; if the ST information is read successfully, step S5 is executed, and if it cannot be read, step S2 is executed;
the ST (Service Ticket) is a service ticket: a user identity credential generated by the single sign-on server, on the basis of the TGT, for the application service requested by the user;
the TGT (Ticket Granting Ticket) is a user identity ticket: it is the evidence that user identity authentication succeeded and the main basis for realizing single sign-on;
step S2: the single sign-on client reads the TGT information from the browser Cookie, and if the TGT information exists, the step S4 is executed; if not, go to step S3;
step S3: the single sign-on server side verifies the user identity authentication information and generates a TGT;
the step S3 further includes the following sub-steps:
step S301: the single sign-on server receives identity authentication information input by a user; in the step S301, a user sends a user identity authentication request to a single sign-on server through a single sign-on client, and the single sign-on server receives the user identity authentication request, redirects the user identity authentication request to an identity authentication control page of the single sign-on server, guides the user to input identity authentication information such as a user name, a password, a verification code, and the like, and receives the identity authentication information;
the identity authentication control page is a login page, and the identity authentication information is login information;
introducing a single sign-on client Javascript file into a page, and integrating an identity authentication control page into a single sign-on system;
step S302: the single sign-on server side authenticates the identity authentication information of the user, and if the authentication is successful, the step S303 is executed; if the authentication fails, returning to the step S301;
step S303: the single sign-on server side generates TGT according to the user identity authentication information and sends the TGT to the single sign-on client side;
step S4: the single sign-on server side authenticates the TGT and generates an ST;
step S5: the single sign-on server authenticates the ST and loads the page content, the loaded page being the page corresponding to the URL requested by the user in step S1.
2. The method of claim 1, wherein the single sign-on client receives the TGT sent by the single sign-on server and stores the TGT in the Cookie.
3. The method according to claim 1, wherein the step S4 further comprises the sub-steps of:
step S401: the single sign-on client sends an authentication TGT request to the single sign-on server;
step S402: the single sign-on server receives the authentication TGT request sent by the single sign-on client, extracts the TGT carried in the request and authenticates it; if the authentication succeeds, it packs the TGT into json data, sends the json data to the single sign-on client and executes step S403; if the authentication fails, it sends authentication failure information to the single sign-on client and returns to step S3;
step S403: the single sign-on server generates the ST and sends the ST to the single sign-on client.
4. The method of claim 3, wherein the ST is regenerated each time the user requests the application service for security, and expires after an authentication.
5. The method according to claim 3 or 4, wherein the single sign-on client receives the ST sent by the single sign-on server and stores the ST into the ST variable of Javascript.
6. The method of claim 1, wherein the single sign-on server uses CAS for TGT and ST generation and authentication.
7. The method according to claim 1, wherein the step S5 further comprises the sub-steps of:
step S501: the single sign-on client sends an authentication ST request to the single sign-on server;
step S502: the single sign-on server receives the authentication ST request sent by the single sign-on client, extracts the ST carried in the request and authenticates it; if the authentication succeeds, it packs the ST into json data, sends the json data to the single sign-on client and executes step S503; if the authentication fails, it sends authentication failure information to the single sign-on client and returns to step S3;
step S503: the page content is loaded.
8. The method of claim 1, wherein the interaction between the single sign-on client and the single sign-on server is implemented based on json technology.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611186989.5A CN106790063B (en) 2016-12-20 2016-12-20 Method for single sign-on of heterogeneous WEB system

Publications (2)

Publication Number Publication Date
CN106790063A CN106790063A (en) 2017-05-31
CN106790063B true CN106790063B (en) 2020-07-17

Family

ID=58896334

Country Status (1)

Country Link
CN (1) CN106790063B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109600342B (en) * 2017-09-30 2021-12-24 广东亿迅科技有限公司 Unified authentication method and device based on single-point technology
CN107707570A (en) * 2017-11-13 2018-02-16 山东省农村信用社联合社 Cross-domain single logs in integrated approach and system
CN108600203B (en) * 2018-04-11 2021-05-14 四川长虹电器股份有限公司 Cookie-based safe single sign-on method and unified authentication service system thereof
CN109472123A (en) * 2018-11-05 2019-03-15 用友网络科技股份有限公司 A kind of cloud service integrates the method and system of third party's single-sign-on customer center
CN110891060A (en) * 2019-11-26 2020-03-17 昆明能讯科技有限责任公司 Unified authentication system based on multi-service system integration
CN112446015A (en) * 2020-12-01 2021-03-05 山东健康医疗大数据有限公司 User login authentication method based on two-stage deployment
CN112929391B (en) * 2021-03-15 2023-03-31 浪潮云信息技术股份公司 Method for realizing cross-platform identity authentication based on single sign-on

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102469075A (en) * 2010-11-09 2012-05-23 中科正阳信息安全技术有限公司 Integration authentication method based on WEB single sign on
CN104052746A (en) * 2014-06-18 2014-09-17 华为技术有限公司 Heterogeneous application single sign-on system and method
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant