CN107911376A - The WEB systems single-sign-on and access control implementation method of a kind of non-invasive - Google Patents
Publication number: CN107911376A (application CN201711221250.8A)
Authority: CN (China)
Prior art keywords: client, sign, reverse proxy, browser, access control
Legal status (as listed, not a legal conclusion): Pending
Classifications
- H04L63/0281: Network security, separating internal from external traffic (e.g. firewalls); proxies
- H04L63/0227: Network security, separating internal from external traffic (e.g. firewalls); filtering policies
- H04L63/0815: Network security, authentication of entities; providing single-sign-on or federations
- H04L67/02: Network services or applications; protocols based on web technology, e.g. HTTP
Abstract
The present invention discloses a non-invasive single-sign-on and access control implementation method for WEB systems. All requests from clients are first intercepted and filtered by the reverse proxy on the reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate. If it is, the reverse proxy lets the request pass and forwards it to the corresponding backend business system; otherwise it is not let through. This effectively avoids the invasiveness and complexity of traditional single-sign-on schemes and achieves automated single-sign-on for information systems and whole-site protected-mode access control without modifying existing systems.
Description
Technical field
The present invention relates to the field of data exchange in network systems.
Background technology
Since the start of the Internet era, B/S (browser/server) architectures have spread widely. In application environments where multiple systems coexist, a single sign-on mechanism is a hard requirement: it greatly eases users' use of the systems, simplifies operations and maintenance, and improves the overall security of the system group, strengthening its resistance to attack and intrusion. Because the clients of B/S systems are all browsers, certain browser security features and session isolation mechanisms make single sign-on harder to implement, and it is difficult to achieve truly seamless integration with unified login and unified logout.
There are many ways to implement single sign-on in prior-art B/S systems. In summary, their core mechanism is always to find some way around the browser's cross-domain restrictions so that user information can be shared or transferred between different web sites, for example by passing a ticket/token through a cookie, JSONP or a URL parameter. They fall into two major classes:
The first is based on mutual trust and cooperation between the business systems themselves, which pass user information to one another and jointly implement the single sign-on mechanism.
The second is based on an independent unified authentication service that every business system trusts; single sign-on is achieved through this shared, independent unified authentication service.
Existing single-sign-on schemes all work around or break through the browser's cross-domain restrictions and session isolation, transferring a ticket/token between different web sites via cookies, JSONP or URL parameters. Such implementations are comparatively complex and require a series of modifications to the original systems, for example adding a unified interceptor, a redirect page, and encryption/decryption of the ticket/token. Not only is the implementation cumbersome and the security low, but the final result is also poor. Moreover, because the HTTP protocol is inherently stateless, login sessions are often lost or become confused for no apparent reason, or login and logout cannot be carried out uniformly and synchronously. For business-operation-type web systems that are sensitive to user sessions, these defects often cause serious system failures.
Therefore, a new technical solution is needed to solve the above problems.
The content of the invention
Object of the invention: to provide a WEB system single-sign-on and access control implementation method that sets aside browser limitations and offers greater convenience, compatibility, security and extensibility.
Technical solution: to achieve the above object, the present invention adopts the following technical scheme.
A non-invasive single-sign-on and access control implementation method for WEB systems, characterized in that it includes:
The business system is placed behind a reverse proxy server. All requests from clients are first intercepted and filtered by the reverse proxy on the reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate. If it is, the reverse proxy lets the request pass and forwards it to the corresponding backend business system; otherwise it is not let through.
When a user opens a browser on the client machine and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays a login prompt page. The prompt page automatically detects whether the client program is running and whether it has already completed login authentication. If it is running and logged in, the browser obtains the logged-in user's information from the client through a cross-domain request and sends an HTTP Authorization request carrying that user information to the reverse proxy server. After the reverse proxy server intercepts the HTTP Authorization and judges it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.
Beneficial effects: the proposed method has good convenience, compatibility, security and scalability. It effectively avoids the invasiveness and complexity of traditional single-sign-on schemes and achieves automated single-sign-on for information systems and whole-site protected-mode access control without modifying existing systems. It is compatible with all mainstream browsers. It enables real-time monitoring and kick-out of login sessions: logging out not only blocks network access but also actively kicks out the external processes of the login session.
Further, when the browser requests the logged-in user's information from the client, the client looks up the browser's process ID by reverse-querying the port in use, returns the user information and at the same time monitors the browser process in real time. Once the client logs out or exits, all monitored browser processes are killed, achieving kick-out.
Further, a CAS authentication server is provided; the client's own login authentication process is completed by independent interaction between the client and the CAS authentication service.
Further, there are multiple business systems, all of which are placed behind the reverse proxy server.
Further, the client's request includes user login information.
Brief description of the drawings
Fig. 1 is the hardware architecture diagram used in the present invention.
Embodiment
Technical terms used in the present invention:
Authentication: also called "identity verification" or "identity discrimination", the process of identifying and confirming the identity of a visitor or operator in a computer or computer network system.
Single sign-on: when a user accesses multiple independent application systems, identity information is shared between them automatically. The user needs to log in only once; until that login is cancelled, accessing any of the systems again does not require the user to authenticate again.
Access control: after the identity of the accessing user has been determined, the system decides according to an established policy whether that user is permitted to access a given resource, so that an attacker cannot obtain access to resources by impersonating a legitimate user, thereby ensuring the security of the system and its data.
Embodiment:
As shown in Fig. 1, the present invention provides a client module (1), a CAS authentication server (2) and a reverse proxy server (3); the figure is a schematic diagram of the technical architecture and its operating principle. On the basis of this hardware facility, the present invention discloses a non-invasive single-sign-on and access control implementation method for WEB systems, whose concrete scheme is as follows. All business systems are placed behind the reverse proxy server (3). All requests from clients are first intercepted and filtered by the reverse proxy, which analyzes the HTTP Authorization information to determine whether the request (including the user login information) is legitimate. If it is, the reverse proxy lets the request pass and forwards it to the corresponding backend business system; otherwise it is not let through and a login prompt page is returned to the browser.
When the user opens a browser on the terminal and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays the login prompt page. The prompt page automatically detects whether the client (1) is running and whether it has already completed login authentication (the client's own login authentication process is completed by independent interaction between the client (1) and the CAS authentication service (2)). If it is running and logged in, the browser obtains the logged-in user's information through a cross-domain request and sends an HTTP Authorization request carrying that user information to the reverse proxy server (3). After the reverse proxy server intercepts the HTTP Authorization and judges it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.
This scheme makes use of the browser's ability to remember HTTP Authorization automatically. In actual operation, the browser only needs to obtain the logged-in user's information from the client the first time it is intercepted by the reverse proxy; every later request to the business server automatically carries the HTTP Authorization (the user information does not have to be fetched from the client on each request), so the scheme is very efficient.
At the same time, when the browser requests the logged-in user's information from the client, the client looks up the browser's process ID by reverse-querying the port, returns the user information and simultaneously monitors the browser process in real time. Once the client logs out or exits, all monitored browser processes are killed, achieving kick-out.
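The proxy decision point described above, modelled in Python as an added example (not code from the patent or from any product implementing it): the proxy parses the HTTP Basic Authorization header that the browser remembers, checks it against a proxy-side session store, and either forwards the request to the backend mapped from the Host header or answers 401 with the login prompt page. The hostnames, backend addresses and session secrets are constructed placeholders, and SessionStore stands in for the client/CAS login step, which the patent does not specify in detail.

```python
import base64
import binascii
import hmac
from typing import Optional, Tuple
from dataclasses import dataclass, field

# Constructed sample data: public hostname -> backend business system.
# Addresses are placeholders, not taken from the patent.
BACKENDS = {
    "crm.example.internal": "http://10.0.0.11:8080",
    "erp.example.internal": "http://10.0.0.12:8080",
}

LOGIN_PROMPT_HTML = "<html><body>Please start the client and log in.</body></html>"


@dataclass
class SessionStore:
    """Proxy-side record of logins issued by the client/CAS step (assumed).
    The browser re-sends the cached Authorization header on every request,
    so logout must be enforced here by revoking the user's entry."""
    secrets: dict = field(default_factory=dict)  # user -> session secret

    def login(self, user: str, secret: str) -> None:
        self.secrets[user] = secret

    def logout(self, user: str) -> None:
        self.secrets.pop(user, None)

    def verify(self, user: str, secret: str) -> bool:
        expected = self.secrets.get(user)
        if expected is None:
            return False
        # Constant-time comparison so timing does not leak the secret.
        return hmac.compare_digest(expected.encode(), secret.encode())


def parse_basic_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, secret) from an 'Authorization: Basic ...' header, else None."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value.strip():
        return None
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, secret = decoded.partition(":")
    if not sep or not user:
        return None
    return user, secret


def decide(headers: dict, store: SessionStore) -> dict:
    """Forward when Authorization is valid, else answer 401 with the login page
    so the browser can fetch user information from the local client and retry."""
    upstream = BACKENDS.get(headers.get("Host", "").lower())
    if upstream is None:
        return {"action": "reject", "status": 404}  # unknown site is never forwarded
    creds = parse_basic_authorization(headers.get("Authorization"))
    if creds and store.verify(*creds):
        return {"action": "forward", "upstream": upstream, "user": creds[0]}
    return {
        "action": "challenge",
        "status": 401,
        "headers": {"WWW-Authenticate": 'Basic realm="sso-gateway"'},
        "body": LOGIN_PROMPT_HTML,
    }


def basic_header(user: str, secret: str) -> str:
    """Build the Authorization value the browser sends once it has the user info."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()
```

Because the browser re-sends the cached Authorization header on every request, the proxy-side store is where logout takes effect: once `logout()` removes the session, the same cached header is challenged again, which is what makes "logging out blocks network access" hold.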
The proposed method has good convenience, compatibility, security and scalability. It effectively avoids the invasiveness and complexity of traditional single-sign-on schemes and achieves automated single-sign-on for information systems and whole-site protected-mode access control without modifying existing systems. It is compatible with all major browsers. It enables real-time monitoring and kick-out of login sessions: logging out not only blocks network access but also actively kicks out the external processes of the login session.
In addition, there are many concrete ways and approaches to implement the present invention; the above is only a preferred embodiment. It should be pointed out that those skilled in the art can make further improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention. Any part not specified in this embodiment can be implemented with available prior art.
Claims (5)
1. A non-invasive single-sign-on and access control implementation method for WEB systems, characterized in that it includes:
The business system is placed behind a reverse proxy server. All requests from clients are first intercepted and filtered by the reverse proxy on the reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate. If it is, the reverse proxy lets the request pass and forwards it to the corresponding backend business system; otherwise it is not let through.
When a user opens a browser on the client machine and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays a login prompt page. The prompt page automatically detects whether the client is running and whether it has already completed login authentication. If it is running and logged in, the browser obtains the logged-in user's information through a cross-domain request and sends an HTTP Authorization request carrying that user information to the reverse proxy server. After the reverse proxy server intercepts the HTTP Authorization and judges it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.
2. The non-invasive WEB system single-sign-on and access control implementation method according to claim 1, characterized in that: when the browser requests the logged-in user's information from the client, the client looks up the browser's process ID by reverse-querying the port, returns the user information and at the same time monitors the browser process in real time; once the client logs out or exits, all monitored browser processes are killed, achieving kick-out.
3. The non-invasive WEB system single-sign-on and access control implementation method according to claim 1 or 2, characterized in that: a CAS authentication server is provided, and the client's own login authentication process is completed by independent interaction between the client and the CAS authentication service.
4. The non-invasive WEB system single-sign-on and access control implementation method according to claim 3, characterized in that: there are multiple business systems, all of which are placed behind the reverse proxy server.
5. The non-invasive WEB system single-sign-on and access control implementation method according to claim 1, characterized in that: the client's request includes user login information.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711221250.8A CN107911376A (en) | 2017-11-29 | 2017-11-29 | The WEB systems single-sign-on and access control implementation method of a kind of non-invasive |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107911376A true CN107911376A (en) | 2018-04-13 |
Family
ID=61849180
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107911376A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20180413 |