CN107911376A - Non-invasive single sign-on and access control implementation method for WEB systems - Google Patents


Info

Publication number
CN107911376A
Authority
CN (China)
Prior art keywords
client
sign
reverse proxy
browser
access control
Legal status (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
Pending
Application number
CN201711221250.8A
Other languages
Chinese (zh)
Inventor
苗阳
Current Assignee (the listed assignees may be inaccurate; Google has not performed a legal analysis)
Nanjing LES Information Technology Co. Ltd
Original Assignee
Nanjing LES Information Technology Co. Ltd
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis)
2017-11-29
Filing date
2017-11-29
Publication date
2018-04-13
Application filed by Nanjing LES Information Technology Co. Ltd
Priority to CN201711221250.8A
Publication of CN107911376A
Legal status: Pending

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L 63/0281 Proxies
              • H04L 63/0227 Filtering policies
            • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
              • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
          • H04L 67/00 Network arrangements or protocols for supporting network services or applications
            • H04L 67/01 Protocols
              • H04L 67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses a non-invasive single sign-on and access control implementation method for WEB systems. All requests from the client first pass through a reverse proxy server, whose reverse proxy intercepts and filters them: by analyzing the HTTP Authorization information it determines whether the request is legitimate. If it is, the reverse proxy lets the request through and forwards it to the corresponding backend business system; otherwise the request is not let through. This avoids the invasiveness and complexity of traditional single sign-on schemes and realizes automated single sign-on for information systems and whole-site protected-mode access control without modifying existing systems.

Description

Non-invasive single sign-on and access control implementation method for WEB systems
Technical field
The invention relates to the field of data exchange in network systems.
Background technology
Since the beginning of the Internet era, B/S (browser/server) architectures have spread widely. In application environments where many systems coexist, a single sign-on mechanism is a hard requirement: it greatly simplifies system use for users, simplifies operations and maintenance management, and also improves the overall security of the system group, strengthening its resistance to attack and intrusion. Because the clients of B/S systems are all browsers, certain browser security features and session isolation mechanisms make single sign-on harder to implement, and it is difficult to achieve truly seamless integration, unified login and unified logout.
There are many ways in which prior-art B/S systems implement single sign-on. In summary, their core mechanism is always to find some way around the browser's cross-domain restriction so that user information can be shared or passed between different web sites, for example by passing a ticket/token through cookies, JSONP or URL parameters. They generally fall into two classes:
The first is based on mutual trust and cooperation between business systems, which pass user information among themselves and jointly realize the single sign-on mechanism.
The second is based on an independent unified authentication service trusted by all business systems; single sign-on is realized through this shared, independent unified authentication service.
Existing single sign-on schemes all work around the browser's cross-domain restriction and session isolation by passing a ticket/token between different web sites through cookies, JSONP or URL parameters. In practice this is rather complex and requires a series of modifications to the original systems, such as adding a unified interceptor, redirecting pages and encrypting/decrypting the ticket/token. Not only is the implementation cumbersome and the security low, the final effect is also poor: because the HTTP protocol is inherently stateless, login sessions are often lost or become confused for no apparent reason, or login and logout cannot be synchronized uniformly. For session-sensitive business web systems these defects often cause serious system failures.
A new technical solution is therefore needed to solve the above problems.
Summary of the invention
Object of the invention: to provide a non-invasive single sign-on and access control implementation method for WEB systems that sidesteps browser limitations and offers higher convenience, compatibility, security and scalability.
Technical solution: to achieve the above object, the invention adopts the following technical scheme:
A non-invasive single sign-on and access control implementation method for WEB systems, characterized by comprising:
The business systems are placed behind a reverse proxy server. All requests from the client are first intercepted and filtered by the reverse proxy of the reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate. If it is legitimate, the reverse proxy lets it through and forwards it to the corresponding backend business system; otherwise it is not let through;
When a user opens a browser on the client machine and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays a login prompt page. The prompt page automatically detects whether the client program is running and whether it has already completed login authentication. If it is running and logged in, the browser obtains the logged-in user's information from the client through a cross-domain request and sends a request carrying that user information in the HTTP Authorization header to the reverse proxy server. Once the reverse proxy server has intercepted the HTTP Authorization and judged it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.
Beneficial effects: the proposed method offers good convenience, compatibility, security and scalability. It avoids the invasiveness and complexity of traditional single sign-on schemes and realizes automated single sign-on for information systems and whole-site protected-mode access control without modifying existing systems; it is compatible with all mainstream browsers; and it supports real-time monitoring and forced kick-out of login sessions: logging out not only blocks network access but can also actively kick out the browser processes of the login session from outside.
Further, when the browser requests the logged-in user's information from the client, the client uses a port lookup to find the browser's process ID in reverse. While returning the user information it monitors the browser process in real time; as soon as the client logs out or exits, all monitored browser processes are killed, realizing kick-out.
Further, a CAS authentication server is provided, and the client's own login authentication process is completed by independent interaction between the client and the CAS authentication service.
Further, there are multiple business systems, and all business systems are placed behind the reverse proxy server.
Further, the client's request includes user login information.
Brief description of the drawings
Fig. 1 is the hardware architecture diagram used in the present invention.
Detailed description
Technical terms used in the invention:
Authentication: also called identity verification or identity discrimination, the process by which a computer or computer network system identifies and confirms the identity of a visitor or operator.
Single sign-on: when accessing multiple independent application systems, a user can automatically share identity information between them. The user only needs to log in once; until that login is logged out, accessing any of the other systems again does not require the user to log in and authenticate again.
Access control: after the identity of the accessing user has been determined, the system decides according to an existing policy whether that user has the right to access and use a given resource, preventing an attacker from impersonating a legitimate user to obtain access to resources and ensuring the security of the system and its data.
Embodiment:
As shown in Fig. 1, the invention provides a client module, a CAS authentication server and a reverse proxy server; the figure is a schematic of the technical architecture and its realization principle. On this hardware basis, the invention discloses a non-invasive single sign-on and access control implementation method for WEB systems, whose concrete scheme is: all business systems are placed behind the reverse proxy server (3); all requests from the client are first intercepted and filtered by the reverse proxy, which analyzes the HTTP Authorization information to identify whether the request (including the user login information) is legitimate. If it is, the reverse proxy lets it through and forwards it to the corresponding backend business system; otherwise it is not let through and the login prompt page is returned to the browser.
When a user opens a browser on the terminal and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays the login prompt page. The prompt page automatically detects whether the client (1) is running and whether it has already completed login authentication (the client's (1) own login authentication process is completed by independent interaction with the CAS authentication service (2)). If it is running and logged in, the browser obtains the logged-in user's information through a cross-domain request and sends a request carrying that user information in the HTTP Authorization header to the reverse proxy server (3). Once the reverse proxy server has intercepted the HTTP Authorization and judged it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.
This scheme makes use of the browser's ability to remember HTTP Authorization automatically. In actual operation the browser only needs to obtain the login user information from the client the first time it is intercepted by the reverse proxy; afterwards every request to the business server automatically carries the HTTP Authorization (it does not need to fetch the user information from the client on every request), so the scheme is very efficient.
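The proxy-side gate described in the technical solution and in the embodiment above, as an added Python example that is not the patent's own code. Because the patent does not specify how the proxy validates the Authorization value, this example assumes the client hands the browser an HMAC-signed ticket carried as an HTTP Basic credential (so the browser replays it on later requests); the secret, user names and timestamps are constructed.

```python
import base64
import hashlib
import hmac

# Constructed shared secret between the authentication service and the reverse proxy.
# Assumption: the credential is "user|expiry|hmac-tag", signed with this secret.
PROXY_SECRET = b"constructed-demo-secret-do-not-reuse"
LOGIN_PROMPT = "<html><body>Start the desktop client and sign in, then reload.</body></html>"


def issue_ticket(user: str, issued_at: int, ttl: int = 3600) -> str:
    """Ticket the client hands to the browser after its own login to the auth service."""
    expiry = issued_at + ttl
    msg = f"{user}|{expiry}".encode()
    tag = hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()
    return f"{user}|{expiry}|{tag}"


def basic_header(user: str, ticket: str) -> str:
    """The Authorization value the browser sends, and then replays on its own."""
    return "Basic " + base64.b64encode(f"{user}:{ticket}".encode()).decode()


def verify_ticket(user: str, ticket: str, now: int) -> bool:
    parts = ticket.split("|")
    if len(parts) != 3 or parts[0] != user or not parts[1].isdigit():
        return False
    msg = f"{parts[0]}|{parts[1]}".encode()
    expected = hmac.new(PROXY_SECRET, msg, hashlib.sha256).hexdigest()
    # Constant-time tag comparison, then the expiry check.
    return hmac.compare_digest(parts[2], expected) and now < int(parts[1])


def gate(headers: dict, now: int):
    """Reverse-proxy decision for one request (whole-site protected mode).
    Returns ("forward", upstream_headers) or ("deny", status, response_headers, body)."""
    # Standard Basic challenge: tells the browser the realm the credential belongs to,
    # and carries the login prompt page as the body.
    deny = ("deny", 401,
            {"WWW-Authenticate": 'Basic realm="sso"', "Content-Type": "text/html"},
            LOGIN_PROMPT)
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not auth or not auth.startswith("Basic "):
        return deny
    try:
        user, _, ticket = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return deny
    if not user or not verify_ticket(user, ticket, now):
        return deny
    # Strip the credential and any client-supplied identity header before forwarding:
    # the backend must only see the identity the proxy itself asserts.
    upstream = {k: v for k, v in headers.items()
                if k.lower() not in ("authorization", "x-authenticated-user")}
    upstream["X-Authenticated-User"] = user
    return ("forward", upstream)
```

The backend should be reachable only through the proxy; otherwise the X-Authenticated-User header it trusts can be supplied directly by a client.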
Meanwhile browser to client request login user information when, method that client is searched by port, it is counter look into it is clear Look at the process ID of device, while user information is returned, browser process is monitored in real time, once client is nullified or moved back Go out, all browser process that are monitored will be killed, realize kick out.
The proposed method offers good convenience, compatibility, security and scalability. It avoids the invasiveness and complexity of traditional single sign-on schemes and realizes automated single sign-on for information systems and whole-site protected-mode access control without modifying existing systems; it is compatible with all major browsers; and it supports real-time monitoring and forced kick-out of login sessions: logging out not only blocks network access but can also actively kick out the browser processes of the login session from outside.
In addition, there are many concrete ways of implementing the invention; the above is only a preferred embodiment. It should be pointed out that those skilled in the art can make a number of improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention. Any component not specified in this embodiment can be realized with the available prior art.

Claims (5)

1. A non-invasive single sign-on and access control implementation method for WEB systems, characterized by comprising:
The business systems are placed behind a reverse proxy server. All requests from the client are first intercepted and filtered by the reverse proxy of the reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate. If it is legitimate, the reverse proxy lets it through and forwards it to the corresponding backend business system; otherwise it is not let through;
When a user opens a browser on the client machine and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays a login prompt page. The prompt page automatically detects whether the client program is running and whether it has already completed login authentication. If it is running and logged in, the browser obtains the logged-in user's information through a cross-domain request and sends a request carrying that user information in the HTTP Authorization header to the reverse proxy server. Once the reverse proxy server has intercepted the HTTP Authorization and judged it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.
2. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 1, characterized in that: when the browser requests the logged-in user's information from the client, the client uses a port lookup to find the browser's process ID in reverse; while returning the user information it monitors the browser process in real time, and once the client logs out or exits, all monitored browser processes are killed, realizing kick-out.
3. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 1 or 2, characterized in that: a CAS authentication server is provided, and the client's own login authentication process is completed by independent interaction between the client and the CAS authentication service.
4. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 3, characterized in that: there are multiple business systems, and all business systems are placed behind the reverse proxy server.
5. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 1, characterized in that: the client's request includes user login information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711221250.8A CN107911376A (en) 2017-11-29 2017-11-29 Non-invasive single sign-on and access control implementation method for WEB systems

Publications (1)

Publication Number Publication Date
CN107911376A true CN107911376A (en) 2018-04-13

Family

ID=61849180

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110875899A (en) * 2018-08-30 2020-03-10 阿里巴巴集团控股有限公司 Data processing method, system and network system
CN110875899B (en) * 2018-08-30 2022-06-28 阿里巴巴集团控股有限公司 Data processing method, system and network system
CN109309684A (en) * 2018-10-30 2019-02-05 红芯时代(北京)科技有限公司 A kind of business access method, apparatus, terminal, server and storage medium
CN110365680A (en) * 2019-07-16 2019-10-22 中国联合网络通信集团有限公司 Batch based on single-sign-on publishes method and device
CN110365680B (en) * 2019-07-16 2022-04-15 中国联合网络通信集团有限公司 Batch logout method and device based on single sign-on
CN110493352A (en) * 2019-08-30 2019-11-22 南京联创互联网技术有限公司 A kind of unified gateway service system and its method of servicing based on WEB middleware
CN111245791A (en) * 2019-12-31 2020-06-05 熵加网络科技(北京)有限公司 Single sign-on method for realizing management and IT service through reverse proxy
CN111245791B (en) * 2019-12-31 2021-11-16 北京升鑫网络科技有限公司 Single sign-on method for realizing management and IT service through reverse proxy
CN111343189A (en) * 2020-03-05 2020-06-26 安徽科大国创软件科技有限公司 Method for realizing unified login of multiple existing web systems
CN111737723A (en) * 2020-08-25 2020-10-02 杭州海康威视数字技术股份有限公司 Service processing method, device and equipment
CN113139169A (en) * 2021-04-23 2021-07-20 上海中通吉网络技术有限公司 Non-invasive authority control system
CN114760349A (en) * 2022-04-28 2022-07-15 西门子(中国)有限公司 Service access method and device, system, equipment and medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050198488A1 (en) * 2003-02-14 2005-09-08 Carl Sandland System and method for delivering external data to a process running on a virtual machine
US20060021018A1 (en) * 2004-07-21 2006-01-26 International Business Machines Corporation Method and system for enabling trust infrastructure support for federated user lifecycle management
US20060021017A1 (en) * 2004-07-21 2006-01-26 International Business Machines Corporation Method and system for establishing federation relationships through imported configuration files
CN102387354A (en) * 2011-11-25 2012-03-21 中山大学 Video monitoring system based on embedded web server
CN102480392A (en) * 2010-11-23 2012-05-30 中兴通讯股份有限公司 Performance test device and working method thereof
CN102638454A (en) * 2012-03-14 2012-08-15 武汉理工大学 Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol
CN102682009A (en) * 2011-03-11 2012-09-19 腾讯科技(北京)有限公司 Method and system for logging in webpage
CN102831355A (en) * 2011-12-30 2012-12-19 中国科学院软件研究所 Method for establishing trusted path in secure operating system
CN105188060A (en) * 2015-10-12 2015-12-23 深圳竹云科技有限公司 Mobile terminal-oriented single sign-on (SSO) authentication method and system
CN105407102A (en) * 2015-12-10 2016-03-16 四川长虹电器股份有限公司 Http request data reliability verification method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
徐硕: "Design and Implementation of a Unified Identity Authentication System", 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) *
梁志罡: "Design of Single Sign-On with a Hybrid Architecture Based on Web Services", 《计算机应用》 (Journal of Computer Applications) *
王琦: "Single Sign-On for Website Groups Based on a Reverse Proxy", 《计算机工程》 (Computer Engineering) *
褚衍超: "Research on Integration Technology for Apache-Oriented Single Sign-On Systems", 《中国优秀硕士学位论文全文数据库信息科技辑》 (China Master's Theses Full-text Database, Information Science and Technology) *

Legal Events

Date Code Title Description
2018-04-13 PB01 Publication (application publication date: 20180413)
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication