CN107911376A - A non-invasive single sign-on and access control implementation method for WEB systems

Info

Publication number: CN107911376A
Application number: CN201711221250.8A
Authority: CN (China)
Other languages: Chinese (zh)
Inventor: 苗阳
Original assignee: 南京莱斯信息技术股份有限公司
Priority date / filing date: 2017-11-29
Publication date: 2018-04-13
Prior art keywords: sign, client, reverse proxy, access control, browser

Classifications

All four classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L 63/0281 Proxies (under H04L 63/02, network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; H04L 63/00, network architectures or network communication protocols for network security)
    • H04L 63/0227 Filtering policies (under H04L 63/02 and H04L 63/00, as above)
    • H04L 63/0815 Providing single-sign-on or federations (under H04L 63/08, network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network; H04L 63/00, as above)
    • H04L 67/02 Network-specific arrangements or communication protocols supporting networked applications involving the use of web-based technology, e.g. hyper text transfer protocol [HTTP] (under H04L 67/00, network-specific arrangements or communication protocols supporting networked applications)

Abstract

The present invention discloses a non-invasive single sign-on and access control implementation method for WEB systems. All requests from clients are first intercepted and filtered by the reverse proxy on a reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate. If it is legitimate, the reverse proxy lets it pass and forwards it to the corresponding backend business system; otherwise it is not let through. This effectively avoids the invasiveness and complexity of traditional single sign-on schemes and achieves automated single sign-on for information systems, together with whole-site protected-mode access control, without modifying existing systems.

Description

A non-invasive single sign-on and access control implementation method for WEB systems

Technical field

The present invention relates to the field of data exchange in network systems.

Background technology

Since the beginning of the Internet era, B/S (browser/server) architectures have spread widely. In application environments where multiple systems coexist, a single sign-on mechanism is a hard requirement: it greatly simplifies system use for users, simplifies operations and maintenance management, and can also improve the overall security of the system group and strengthen its resistance to attack and intrusion. Because the clients of B/S systems are all browsers, certain browser security features and session isolation mechanisms make single sign-on difficult to implement, and it is hard to achieve truly seamless integration, unified login and unified logout.

There are many methods in the prior art for implementing single sign-on in B/S systems. In summary, their core mechanism is always to find a way around the browser's cross-domain restrictions so that user information can be shared or transmitted between different web sites, for example by passing a ticket/token through cookies, JSONP or URL parameters. They fall broadly into two categories:

The first is based on mutual trust and cooperation among the business systems, which pass user information to one another and jointly implement the single sign-on mechanism.

The second is based on an independently established unified authentication service that all business systems trust; single sign-on is achieved through this shared, independent unified authentication service.

Existing single sign-on schemes all work around the browser's cross-domain restrictions and session isolation, passing a ticket/token between different websites via cookies, JSONP or URL parameters. In practice this is complicated to implement and requires a series of modifications to the original system, for example adding a unified interceptor, a redirect page, and ticket/token encryption and decryption. It is not only cumbersome to implement and low in security, but the final result is also poor. Moreover, because the HTTP protocol is inherently stateless, login sessions are often lost or become inconsistent for unknown reasons, or login and logout cannot be synchronized uniformly. For business-operation web systems that are sensitive to user sessions, these defects often cause serious system faults.

Therefore, a new technical solution is needed to solve the above problems.

The content of the invention

Object of the invention: to provide a WEB-system single sign-on and access control implementation method that sets aside browser limitations and offers greater convenience, compatibility, security and scalability.

Technical solution: to achieve the above object, the present invention adopts the following technical scheme:

A non-invasive single sign-on and access control implementation method for WEB systems, characterized in that it includes:

The business systems are placed behind a reverse proxy server. All requests from clients are first intercepted and filtered by the reverse proxy on the reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate. If it is legitimate, the reverse proxy lets it pass and forwards the request to the corresponding backend business system; otherwise it is not let through.

When a user opens a browser on the client machine and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays a login prompt page. The prompt page automatically detects whether the client program is running and whether it has already completed login authentication. If it is running and logged in, the browser obtains the logged-in user information from the client via a cross-domain request and sends an HTTP request carrying that user information in the Authorization header to the reverse proxy server. After the reverse proxy server intercepts the HTTP Authorization and judges it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.

Beneficial effects: the method proposed by the invention offers good convenience, compatibility, security and scalability. It effectively avoids the invasiveness and complexity of traditional single sign-on schemes and achieves automated single sign-on for information systems, together with whole-site protected-mode access control, without modifying existing systems. It is compatible with all mainstream browsers. It allows login sessions to be monitored in real time and forcibly terminated (kicked out): logging out not only blocks network access but also actively terminates the login session's processes from outside.

Further, when the browser requests the logged-in user information from the client, the client looks up the browser's process ID from the port used for the request, returns the user information and at the same time monitors the browser process in real time. Once the client logs out or exits, all monitored browser processes are killed, achieving the kick-out.

Further, a CAS authentication server is provided; the client's own login authentication process is completed by independent interaction between the client and the CAS authentication service.

Further, there are multiple business systems, and all of them are placed behind the reverse proxy server.

Further, the client's request includes user login information.

Brief description of the drawings

Fig. 1 is a diagram of the hardware architecture used in the present invention.

Embodiment

Technical terms used in the present invention:

Authentication: also referred to as "identity verification" or "identity discrimination", the process of identifying and confirming the identity of a visitor or operator in a computer or computer network system.

Single sign-on: when a user accesses multiple independent application systems, identity information is shared automatically between them. The user only needs to log in once; until that login is cancelled, accessing any of the systems again does not require the user to authenticate again.

Access control: after determining the identity of an accessing user, the system decides according to an existing policy whether that user has access to, and permissions on, a given resource. This prevents attackers from impersonating legitimate users to obtain access to resources and ensures the security of the system and its data.

Embodiment:

As shown in Fig. 1, the present invention provides a client module, a CAS authentication server and a reverse proxy server; the figure is a schematic diagram of the technical architecture and its principle of operation. On the basis of this hardware, the invention discloses a non-invasive single sign-on and access control implementation method for WEB systems, the specific scheme of which is: all business systems are placed behind the reverse proxy service 3. All requests from clients are first intercepted and filtered by the reverse proxy, which analyzes the HTTP Authorization information to determine whether the request (including the user login information) is legitimate. If it is legitimate, the reverse proxy lets it pass and forwards the request to the corresponding backend business system; otherwise it is not let through and a login prompt page is returned to the browser.

When a user opens a browser on the terminal and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays a login prompt page. The prompt page automatically detects whether client 1 is running and whether it has already completed login authentication (the login authentication of client 1 itself is completed by independent interaction between the client and CAS authentication service 2). If it is running and logged in, the browser obtains the logged-in user information from the client via a cross-domain request and sends an HTTP request carrying that user information in the Authorization header to reverse proxy server 3. After the reverse proxy server intercepts the HTTP Authorization and judges it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.

This scheme takes advantage of the browser's ability to remember HTTP Authorization credentials automatically. In actual operation, the browser only needs to obtain the logged-in user information from the client the first time it is intercepted by the reverse proxy; every subsequent request to the business server automatically carries the HTTP Authorization (there is no need to fetch the user information from the client for each request), so the method is very efficient.
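The gate the reverse proxy applies to each request, written out as an added illustration (this is not the patent's own code). It assumes the client hands the browser a Basic credential of the form user:token after its own CAS login, that the proxy checks the token against a session store (an in-memory dict here), and that a path-prefix table selects the backend business system; all of these values are constructed for the example.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed session store (assumption for this example): user -> token issued by
# the local client after it completed its own CAS login. The real proxy would
# consult the client or CAS server; an in-memory dict stands in for that here.
ACTIVE_SESSIONS: Dict[str, str] = {"alice": "tok-7f3a", "bob": "tok-9c1d"}

# Constructed path-prefix -> backend business system table (assumption).
BACKENDS: Dict[str, str] = {
    "/crm/": "http://crm.internal:8080",
    "/erp/": "http://erp.internal:8080",
}

LOGIN_PROMPT = "<html><body>Login required: checking local client...</body></html>"


def basic_header(user: str, token: str) -> str:
    """Build the Basic credential the browser caches and replays on later requests."""
    return "Basic " + base64.b64encode(f"{user}:{token}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, token) from a Basic Authorization header, or None if malformed."""
    if not header:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if ":" not in decoded:
        return None
    user, token = decoded.split(":", 1)
    return user, token


def session_valid(user: str, token: str) -> bool:
    """Constant-time token comparison against the session store."""
    expected = ACTIVE_SESSIONS.get(user)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), token.encode())


def gate(path: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """The proxy's decision for one request: (status, response headers, body).

    200 with X-Forward-To models forwarding to the backend; 401 models the blocked
    request that receives the login prompt page instead.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic(auth)
    if creds is None or not session_valid(*creds):
        return 401, {"WWW-Authenticate": 'Basic realm="sso"'}, LOGIN_PROMPT
    for prefix, upstream in BACKENDS.items():
        if path.startswith(prefix):
            # The backend can trust this identity only because it is reachable solely via the proxy.
            return 200, {"X-Forward-To": upstream, "X-Authenticated-User": creds[0]}, ""
    return 404, {}, "no backend for path"


def revoke(user: str) -> bool:
    """Logout / kick-out: drop the session so the next replayed credential is blocked."""
    return ACTIVE_SESSIONS.pop(user, None) is not None
```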

Meanwhile browser to client request login user information when, method that client is searched by port, it is counter look into it is clear Look at the process ID of device, while user information is returned, browser process is monitored in real time, once client is nullified or moved back Go out, all browser process that are monitored will be killed, realize kick out.

The method proposed by the invention offers good convenience, compatibility, security and scalability. It effectively avoids the invasiveness and complexity of traditional single sign-on schemes and achieves automated single sign-on for information systems, together with whole-site protected-mode access control, without modifying existing systems. It is compatible with all major browsers. It allows login sessions to be monitored in real time and forcibly terminated (kicked out): logging out not only blocks network access but also actively terminates the login session's processes from outside.

In addition, there are many specific ways to implement the present invention, and the above is only a preferred embodiment. It should be pointed out that a person skilled in the art can make a number of improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the invention. Components not specified in this embodiment may be implemented with the available prior art.

Claims (5)

1. A non-invasive single sign-on and access control implementation method for WEB systems, characterized in that it includes:
the business system is placed behind a reverse proxy server, and all requests from clients are first intercepted and filtered by the reverse proxy on the reverse proxy server, which analyzes the HTTP Authorization information to determine whether the request is legitimate; if legitimate, the reverse proxy lets it pass and forwards the request to the corresponding backend business system, otherwise it is not let through;
when a user opens a browser on the client machine and accesses a business system for the first time, the user is not yet authenticated, so the request is intercepted by the reverse proxy and the browser displays a login prompt page; the prompt page automatically detects whether the client program is running and whether it has already completed login authentication; if it is running and logged in, the browser obtains the logged-in user information from the client via a cross-domain request and sends an HTTP request carrying that user information in the Authorization header to the reverse proxy server; after the reverse proxy server intercepts the HTTP Authorization and judges it legitimate, it enters the normal request-forwarding state and the whole authentication process is complete.
2. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 1, characterized in that: when the browser requests the logged-in user information from the client, the client looks up the browser's process ID from the port used for the request, returns the user information and at the same time monitors the browser process in real time; once the client logs out or exits, all monitored browser processes are killed, achieving the kick-out.
3. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 1 or 2, characterized in that: a CAS authentication server is provided, and the client's own login authentication process is completed by independent interaction between the client and the CAS authentication service.
4. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 3, characterized in that: there are multiple business systems, all of which are placed behind the reverse proxy server.
5. The non-invasive single sign-on and access control implementation method for WEB systems according to claim 1, characterized in that: the client's request includes user login information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711221250.8A (CN107911376A, en) 2017-11-29 2017-11-29 A non-invasive single sign-on and access control implementation method for WEB systems

Publications (1)

Publication Number Publication Date
CN107911376A (en) 2018-04-13

Family

ID=61849180 (one family application, CN201711221250.8A; country status: CN, CN107911376A)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110493352A (en) * 2019-08-30 2019-11-22 南京联创互联网技术有限公司 A kind of unified gateway service system and its method of servicing based on WEB middleware

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050198488A1 (en) * 2003-02-14 2005-09-08 Carl Sandland System and method for delivering external data to a process running on a virtual machine
US20060021017A1 (en) * 2004-07-21 2006-01-26 International Business Machines Corporation Method and system for establishing federation relationships through imported configuration files
US20060021018A1 (en) * 2004-07-21 2006-01-26 International Business Machines Corporation Method and system for enabling trust infrastructure support for federated user lifecycle management
CN102387354A (en) * 2011-11-25 2012-03-21 中山大学 Video monitoring system based on embedded web server
CN102480392A (en) * 2010-11-23 2012-05-30 中兴通讯股份有限公司 Performance test device and working method thereof
CN102638454A (en) * 2012-03-14 2012-08-15 武汉理工大学 Plug-in type SSO (single signon) integration method oriented to HTTP (hypertext transfer protocol) identity authentication protocol
CN102682009A (en) * 2011-03-11 2012-09-19 腾讯科技(北京)有限公司 Method and system for logging in webpage
CN102831355A (en) * 2011-12-30 2012-12-19 中国科学院软件研究所 Method for establishing trusted path in secure operating system
CN105188060A (en) * 2015-10-12 2015-12-23 深圳竹云科技有限公司 Mobile terminal-oriented single sign-on (SSO) authentication method and system
CN105407102A (en) * 2015-12-10 2016-03-16 四川长虹电器股份有限公司 Http request data reliability verification method

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
徐硕: "Design and Implementation of a Unified Identity Authentication System", 《中国优秀硕士学位论文全文数据库信息科技辑》 *
梁志罡: "Design of Hybrid-Architecture Single Sign-On Based on Web Services", 《计算机应用》 *
王琦: "Single Sign-On for Website Groups Based on a Reverse Proxy", 《计算机工程》 *
褚衍超: "Research on Single Sign-On System Integration Technology for Apache", 《中国优秀硕士学位论文全文数据库信息科技辑》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination