CN108289101B - Information processing method and device - Google Patents

Info

Publication number
CN108289101B
Authority
CN
China
Prior art keywords
application
information
user terminal
applications
authentication server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810074673.XA
Other languages
Chinese (zh)
Other versions
CN108289101A (en)
Inventor
童健
张雨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Enterprise Power Technology Co ltd
Original Assignee
China Enterprise Power Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Enterprise Power Technology Co ltd
Priority to CN201810074673.XA
Publication of CN108289101A
Application granted
Publication of CN108289101B
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/957 Browsing optimisation, e.g. caching or content distillation
    • G06F16/9574 Browsing optimisation, e.g. caching or content distillation of access to content, e.g. by caching
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/95 Retrieval from the web
    • G06F16/958 Organisation or management of web site content, e.g. publishing, maintaining pages or automatic linking
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes
    • G06F21/6263 Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations

Abstract

The embodiment of the invention provides an information processing method and device, and relates to the technical field of the Internet. The method comprises the following steps: when a user terminal accesses a first application of a plurality of applications for the first time and has not accessed any other application, the first application receives user login information returned by an authentication server, stores the user login information in a cache server, and generates identification information uniquely corresponding to the user login information; cookie information is generated according to the identification information and sent to the browser for storage, and the path of the cookie information is set to a predetermined path. After the user terminal has accessed the first application, when it accesses any one of the plurality of applications through the browser, that application obtains the cookie information according to the predetermined path and then obtains the user login information according to the identification information in the cookie information. The authentication server therefore does not need to be accessed every time to verify the user login state, repeated page jumps and refreshes are avoided, and the user experience is improved.

Description

Information processing method and device
Technical Field
The invention relates to the technical field of internet, in particular to an information processing method and device.
Background
To meet the needs of increasingly diverse user groups, many enterprises build a website system by freely combining a plurality of applications, which are deployed in a cluster; Single Sign-On (SSO) is currently one of the popular solutions for integrating enterprise business. Existing single sign-on techniques are typically implemented as follows. When a user accesses application 1 for the first time, the user is directed to a login server to log in, because the user has not yet logged in. The login server verifies the user's identity according to the login information the user provides and, if verification passes, returns an authentication credential to the user. The user then accesses application 1 with the authentication credential; application 1 sends the credential to the login server, which checks its legality, and if the check passes the user can access the resources of application 1. Because the user has already logged in on the login server, when accessing application 2 and application 3 the user only needs to obtain an authentication credential from the login server and access application 2 and application 3 with that credential, so the user can access all applications after entering the login information only once.
In the existing scheme, although the user does not need to enter login information again to authenticate on the login server, the first visit to each application still requires the login server to verify the user login state once before an authentication credential is obtained, and the page jumps each time the login server verifies the login state. The system therefore jumps and refreshes the page many times, which greatly degrades the user experience.
Disclosure of Invention
The embodiment of the invention provides an information processing method and device.
The technical scheme adopted by the embodiment of the invention is as follows:
in a first aspect, an embodiment of the present invention provides an information processing method applied to an application server, where the application server communicates with a user terminal and an authentication server, the user terminal is installed with a browser, and a plurality of applications on the application server are accessible through the browser, and the method includes: when the user terminal accesses a first application in the plurality of applications for the first time and does not access other applications except the first application in the plurality of applications, the first application receives user login information returned by the authentication server, so that the user terminal accesses the first application through the user login information; storing the user login information to a cache server, and generating identification information uniquely corresponding to the user login information; generating cookie information according to the identification information, sending the cookie information to the browser for storage, and setting a path of the cookie information as a predetermined path, so that after the user terminal accesses the first application, when the browser accesses any one of the plurality of applications, the cookie information can be obtained by the any one application according to the predetermined path, and then the user login information is obtained from the cache server according to the identification information in the cookie information, so that the user terminal accesses the any one application through the user login information.
In a second aspect, an embodiment of the present invention further provides an information processing apparatus applied to an application server, where the application server communicates with a user terminal and an authentication server, the user terminal is installed with a browser, and a plurality of applications on the application server are accessible through the browser, the apparatus including: a receiving module, configured to receive user login information returned by the authentication server when the user terminal accesses a first application of the multiple applications for the first time and does not access other applications of the multiple applications except the first application, so that the user terminal accesses the first application through the user login information; a cache module, configured to store the user login information to a cache server and generate identification information uniquely corresponding to the user login information; and a cookie information generating module, configured to generate cookie information according to the identification information, send the cookie information to the browser for storage, and set a path of the cookie information as a predetermined path, so that when the user terminal accesses the first application and then accesses any one of the plurality of applications through the browser, the cookie information can be obtained by the any one application according to the predetermined path, and then the corresponding user login information is obtained from the cache server according to the identification information in the cookie information, so that the user terminal accesses the any one application through the user login information.
Compared with the prior art, in the embodiment of the invention, when the user terminal accesses the first application for the first time and does not access other applications, the first application receives the user login information returned by the authentication server, so that the user terminal successfully accesses the first application; the first application caches the user login information, generates identification information uniquely corresponding to the user login information, generates cookie information according to the identification information, and then sends the cookie information to the browser for storage, and the path of the cookie information is set to be a preset path, so that the cookie information can be shared among a plurality of applications, and the user login information can be shared among the plurality of applications. That is to say, after the user terminal accesses the first application, when the browser accesses any one of the applications, any one of the applications can read cookie information of the browser through the predetermined path to obtain the identification information, and then corresponding user login information is obtained from the cache server through the identification information, so that when the user terminal accesses the first application and then accesses other application resources, the user login information can be directly obtained according to the identification information in the cookie information, the technical effect that the authentication server is not required to be accessed to verify the user login state every time is achieved, the phenomenon that the system jumps and refreshes pages for many times is avoided, and the user experience is improved.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the embodiments of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 is a schematic diagram illustrating an application environment of an information processing method and apparatus according to an embodiment of the present invention.
Fig. 2 shows a block diagram of an application server provided in an embodiment of the present invention.
Fig. 3 is a flowchart illustrating an information processing method according to an embodiment of the present invention.
Fig. 4 is a flowchart illustrating an information processing method according to another embodiment of the present invention.
Fig. 5 is a schematic diagram showing functional modules of an information processing apparatus according to an embodiment of the present invention.
Reference numerals: 100 - application server; 200 - user terminal; 300 - authentication server; 400 - network; 500 - information processing apparatus; 110 - memory; 120 - processor; 130 - communication interface; 510 - judgment module; 520 - request processing module; 530 - sending module; 540 - receiving module; 550 - cache module; 560 - cookie information generation module; 570 - logout processing module.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
The information processing method and apparatus provided by the embodiment of the invention can be applied to the application environment shown in fig. 1. The application server 100, the user terminal 200 and the authentication server 300 are located in the network 400, and the application server 100, the user terminal 200 and the authentication server 300 can communicate with each other through the network 400, so as to realize data communication or interaction between the application server 100 and the user terminal 200, between the application server 100 and the authentication server 300 and between the user terminal 200 and the authentication server 300. Among them, a plurality of applications (e.g., the first application, the second application …) are installed in the application server 100, a browser is installed in the user terminal 200, the user terminal 200 can access the plurality of applications on the application server 100 through the browser, and the user inputs user login information (e.g., a user name and a password) through the user terminal 200 and transmits the user login information to the authentication server 300, thereby performing login authentication on the authentication server 300.
In this embodiment, the user terminal 200 may be, but is not limited to, a smart phone, a Personal Computer (PC), a tablet PC, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), and the like.
It should be noted that, in practice, the number of the application servers 100 may be one or more, and the multiple applications may be deployed on one application server 100 or may be deployed on different application servers 100.
Fig. 2 is a block diagram of the application server 100 shown in fig. 1. The application server 100 may include a memory 110, a processor 120 and a communication interface 130, which are electrically connected to one another, directly or indirectly, to realize data transmission or interaction. For example, the components may be electrically connected to each other via one or more communication buses or signal lines. The processor 120 is used to execute executable modules, such as computer programs, stored in the memory 110.
The memory 110 may be, but is not limited to, a Random Access Memory (RAM), a Read-Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 110 may be used to store software programs and modules, and the information processing apparatus 500 includes at least one software function module that may be stored in the memory 110 in the form of software or firmware, or solidified in an Operating System (OS) in the application server 100. The processor 120 executes one or more programs to implement the data processing method disclosed in the embodiment of the present application after receiving the execution instruction. The communication interface 130 may be used for communicating signaling or data with other node devices.
The processor 120 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 120. The processor 120 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components.
Fig. 3 is a flowchart illustrating an information processing method according to an embodiment of the present invention. It should be noted that, the information processing method according to the embodiment of the present invention is not limited by the specific sequence shown in fig. 3 and described below, and it should be understood that, in other embodiments, the sequence of some steps in the information processing method according to the present invention may be interchanged according to actual needs, or some steps in the information processing method may be omitted or deleted. The information processing method can be applied to the application server 100 described above, and the specific flow shown in fig. 3 will be described in detail below.
Step S101, when receiving the access request sent by the user terminal 200, the first application determines whether the user terminal 200 accesses the first application for the first time and whether other applications except the first application among the plurality of applications have been accessed.
In this embodiment, the plurality of applications together form an application system. When the first application receives an access request, it verifies the user login state of the user terminal 200 according to the access request, that is, it verifies whether the user has logged in to the application system. The first application checks the access request for cookie information, which contains identification information uniquely corresponding to the user login information, and for a service ticket, which the authentication server 300 returns to the application server 100 after the user terminal 200 passes authentication. When the first application can obtain neither the cookie information nor a service ticket from the access request, it determines that the user terminal 200 is accessing the first application for the first time and has not accessed any other of the plurality of applications, that is, the user is accessing the application system for the first time. When the first application can obtain the cookie information, it determines that the user terminal 200 has already accessed at least one of the plurality of applications. When the first application can obtain the service ticket but not the cookie information, it determines that the user terminal 200 has successfully logged in to the authentication server 300; the first application then needs to have the authentication server 300 verify whether the service ticket is legal, and when the authentication server 300 verifies that the service ticket is legal, it returns the user login information associated with the service ticket to the application server 100.
Step S102, when it is determined that the user terminal 200 accesses the first application for the first time and does not access other applications except the first application among the plurality of applications, the first application redirects the access request to the authentication server 300 through the browser, so that the authentication server 300 performs login authentication on the user terminal 200, generates a service ticket associated with the user login information acquired from the user terminal 200, and returns the service ticket to the first application through the user terminal 200.
In this embodiment, when the authentication server 300 receives an access request, it verifies the user login state according to the access request. When it determines that the user has not logged in, the authentication server 300 directly returns a login page to the user terminal 200 so that the user can fill in the user login information, and performs login authentication on the user terminal 200 according to the user login information obtained, that is, it verifies whether the user is valid. If so, the user terminal 200 is authenticated successfully and the user is allowed to log in; otherwise the user is not allowed to log in. After the user terminal 200 is authenticated successfully, the authentication server 300 generates a TGT (Ticket-Granting Ticket) object according to the user login information obtained and puts the TGT object into its cache; at the same time it generates a unique identifier, the TGC (Ticket-Granting Cookie), corresponding to the TGT object and writes it into the browser. When a later HTTP request from the browser carries the TGC generated by the authentication server 300, the authentication server 300 can use the TGC as a key to query whether the TGT object exists in the cache; if it exists, the user has logged in before, and if not, the user needs to log in again. In this embodiment, after the user terminal 200 is authenticated successfully, the authentication server 300 also issues a Service Ticket (ST) according to the TGT object and returns it to the user terminal 200, so that the user terminal 200 accesses the first application with the service ticket.
It is easy to understand that, since the user terminal 200 is accessing the first application for the first time and has not accessed any other of the plurality of applications, the access request that the first application redirects to the authentication server 300 through the browser does not carry the unique identifier TGC. The authentication server 300 therefore finds no cached TGT object and directly returns a login page to the user terminal 200 so that the user can fill in the user login information. After the user terminal 200 is authenticated successfully, the authentication server 300 generates a TGT object, records it in the cache, and writes the unique identifier TGC corresponding to the TGT object into the browser; it then issues a service ticket for the first application according to the TGT object, instructs the browser to redirect to the first application, and passes the service ticket as a URL parameter so that the user terminal 200 accesses the first application with the service ticket.
Step S103, the first application sends the service ticket to the authentication server 300 to verify whether the service ticket is valid through the authentication server 300.
For example, after receiving the service ticket, the first application accesses the authentication server 300 with the service ticket, and the authentication server 300 verifies the validity of the service ticket.
Step S104, when the user terminal 200 accesses a first application of the plurality of applications for the first time and does not access other applications of the plurality of applications except the first application, the first application receives the user login information returned by the authentication server 300, so that the user terminal 200 accesses the first application through the user login information.
Specifically, the step S104 includes: when the authentication server 300 verifies that the service ticket is valid, the first application receives the user login information associated with the service ticket returned by the authentication server 300.
In this embodiment, since the service ticket is associated with the TGT object and the TGT object is associated with the user login information, when the authentication server 300 verifies that the service ticket is legal, the user login information associated with the service ticket is returned to the first application, and the first application allows the user to access the resource of the first application when obtaining the user login information.
Step S105, storing the user login information to a cache server, and generating identification information uniquely corresponding to the user login information.
In this embodiment, the application server 100 may further be in communication connection with a cache server. When the first application obtains the user login information returned by the authentication server 300, it allows the user to access the resources of the first application and at the same time creates a session, stores the user login information in the session, and generates identification information (the session ID) uniquely corresponding to the user login information. It then stores the session in the cache server (for example, a Redis cache mechanism may be adopted), so that an application can obtain the session from the cache server according to the session ID and thereby obtain the user login information.
Step S106, generating cookie information according to the identification information, sending the cookie information to the browser for storage, and setting a path of the cookie information as a predetermined path, so that when the user terminal 200 accesses the first application and then accesses any one of the applications through the browser, the cookie information can be obtained by the any one application according to the predetermined path, and then the user login information is obtained from the cache server according to the identification information in the cookie information, so that the user terminal 200 accesses the any one application through the user login information.
In this embodiment, after the first application generates the identification information (the session ID) uniquely corresponding to the user login information, it creates cookie information according to the session ID and writes it into the browser, and at the same time sets the path of the cookie information to a predetermined path. When the user terminal 200 then accesses any application in the application system through the browser, the access request the browser sends to that application (which may still be the first application, or may be another application such as the second application or the third application) carries the cookie information. The application obtains the cookie information according to the predetermined path and extracts the session ID, then uses the session ID as the key to access the cache server and obtain the user login information cached there. Once the application has obtained the user login information, the user may be allowed to access the corresponding application resource.
For example, the sharing of cookie information among multiple applications may be achieved by setPath("/"), that is, by setting the predetermined path to "/". The predetermined path of the cookie information determines that, when the browser accesses the plurality of applications on the application server 100, the cookie information is sent for everything under the root directory of the application server 100, so that whenever the browser accesses any application again, the cookie information can be obtained under the predetermined path "/" without being regenerated. It should be noted that, in the present application, if all applications on the application server 100 generate cookie information, the paths of the cookie information should be set to be the same, for example all "/", so that the cookie information (that is, the user login information) is shared and the applications do not need to acquire the user login information from the authentication server 300.
Therefore, in this embodiment, when a user accesses a plurality of applications in the application system, single sign-on is realized with only one verification request to the authentication server 300. It is not necessary, on the first access to the resources of each application, to have the authentication server 300 verify whether the user is logged in and then obtain a service ticket and exchange it for the user login information. After the user successfully accesses the first application, the first application shares the user login information it obtained among all applications in the application system. When the user terminal 200 subsequently accesses any one of the plurality of applications through the browser, the application does not need to go to the authentication server 300 to obtain a service ticket; it reads the identification information from the cookie information under the path "/" and obtains the user login information according to that identification information. Repeated page jumps and refreshes in the system are thus avoided, and the user experience is greatly improved.
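The effect of the predetermined path can be checked against the browser-side rules of RFC 6265 (default-path and path-match). The following is an added example, not code from the patent; the application paths are constructed sample values.

```python
# Added illustration: which applications receive a cookie, per RFC 6265 s5.1.4.
# The request paths below are constructed sample values, not from the patent.

SAMPLE_REQUESTS = ["/app1/home", "/app2/home", "/app10/home"]


def default_path(request_path: str) -> str:
    """Path a browser assigns when Set-Cookie carries no usable Path attribute."""
    if not request_path or not request_path.startswith("/"):
        return "/"
    if request_path.count("/") <= 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return request_path[: request_path.rfind("/")]


def path_match(request_path: str, cookie_path: str) -> bool:
    """True when the browser would attach a cookie with cookie_path to the request."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        # The prefix must end on a segment boundary: "/app1" must not match "/app10".
        return request_path[len(cookie_path)] == "/"
    return False


def recipients(set_from: str, explicit_path, request_paths):
    """Request paths that receive a cookie set by a response to `set_from`."""
    if explicit_path and explicit_path.startswith("/"):
        cookie_path = explicit_path
    else:
        cookie_path = default_path(set_from)
    return [p for p in request_paths if path_match(p, cookie_path)]


if __name__ == "__main__":
    # No Path attribute: the cookie stays with the application that set it.
    print(recipients("/app1/login", None, SAMPLE_REQUESTS))
    # Path="/": every application on the host receives the cookie.
    print(recipients("/app1/login", "/", SAMPLE_REQUESTS))
```

With Path set to "/", every application served from the same host receives the session identifier, so each of them has to treat it as a credential.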
Fig. 4 is a schematic flow chart of an information processing method according to another embodiment of the present invention. Compared with the information processing method described in the previous embodiment, the information processing method provided in this embodiment not only shares user login information among applications, so that an application that receives an access request of a user does not need to go to the authentication server 300 to obtain a service ticket and exchange it for the user login information, but also realizes single-point logout, that is, the logged-out state. In this embodiment, the information processing method further includes:
Step S107, when the first application receives the logout request sent by the authentication server 300, the first application deletes the service ticket and the user login information corresponding to the service ticket.
In this embodiment, a user may initiate a logout request on any application; that application forwards the logout request to the authentication server 300, and the authentication server 300 then sends the logout request to all applications in the application system in a broadcast manner. The other applications in the application system did not acquire a service ticket from the authentication server 300, so they hold no correspondence between the service ticket and the identification information session id. The first application, by contrast, acquired the service ticket from the authentication server 300, acquired the user login information from the authentication server 300 according to the service ticket, generated the identification information session id according to the user login information, and recorded the unique correspondence between the service ticket and the identification information session id. Only the first application can therefore perform the logout operation; none of the other applications can. When the first application receives a logout request, it obtains the corresponding identification information session id according to the service ticket, deletes the user login information corresponding to that session id from the cache server, and deletes the service ticket at the same time, so that single-point logout is realized.
It should be noted that, in this embodiment, after receiving the logout request, the authentication server 300 further clears the TGT object cached on the authentication server 300, the issued service ticket, and the unique identifier TGC written in the browser.
Further, in this embodiment, when each of the plurality of applications is a cluster, that is, when each of the plurality of applications includes at least one application node, for example, an application cluster a (including the application a node 1, the application a node 2, and the application a node 3 …), and an application cluster b (including the application b node 1, the application b node 2, and the application b node 3 …), the authentication server 300 sends the logout request to one of the application nodes in each of the applications.
For example, the first application includes a first application node and a second application node, step S107 may include:
when the service ticket and the unique corresponding relationship are stored in the first application node and the first application node receives the logout request sent by the authentication server 300, the first application node deletes the service ticket and the user login information corresponding to the service ticket. That is, the authentication server 300 sends a logout request to one of the application nodes in all the applications in a broadcast manner, when a first application node in the first application receives the logout request and the service ticket and the unique corresponding relationship are stored in the first application node, the first application node can directly obtain the corresponding identification information session id according to the service ticket, then find the corresponding user login information according to the identification information session id, delete the user login information from the cache server, and delete the service ticket cached in the first application node at the same time, so that the first application node realizes the logout operation.
When the service ticket and the unique correspondence are saved in the first application node and the second application node receives the logout request sent by the authentication server 300, the second application node forwards the logout request to the first application node, and the first application node deletes the service ticket and the user login information corresponding to the service ticket according to the logout request. That is, when the service ticket and the unique correspondence are stored in the first application node, but the authentication server 300 sends the logout request to the second application node rather than to the first application node, the second application node cannot perform the logout operation because it stores neither the service ticket nor the unique correspondence between the service ticket and the identification information. The second application node therefore broadcasts the logout request to the other nodes in the first application, and the first application node performs the logout operation after receiving the logout request sent by the second application node.
In the prior art, if single-point logout is implemented when each application includes at least one application node, the unique correspondence between the service ticket and the identification information needs to be shared among the application nodes, so the application server 100 also needs to maintain the address of the cache device that caches the unique correspondence, which increases operation and maintenance cost and complexity to a certain extent. In the single-point logout mode of this embodiment, a user may apply for logout on any application. After receiving the logout request, the authentication server 300 broadcasts it, sending it to a randomly chosen application node of each application. When the request sent to the first application is routed to the second application node of the first application, the second application node cannot find the unique correspondence between the service ticket and the identification information and cannot execute the logout operation, so it broadcasts the logout request to the other application nodes of the first application, and the first application node finally executes the logout operation according to the logout request. Therefore, compared with the prior art, the single-point logout method of the present application does not require the application node that stores the unique correspondence between the service ticket and the identification information to share it with other application nodes, the application server 100 does not need to maintain the address of the cache device, and operation and maintenance cost and complexity are reduced.
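An added example, not code from the patent: a Python model of the clustered single-point logout described above, in which the ticket-to-session mapping lives on one node only and any other node that receives the logout request forwards it to its peers. Node names, the constructed ticket and session id values, the `forwarded` flag that stops re-forwarding, and the `owner_reachable` switch are assumptions.

```python
import random


class AppNode:
    """One node of an application cluster (constructed model)."""

    def __init__(self, name, cache):
        self.name = name
        self.cache = cache        # shared cache server: session id -> login info
        self.peers = []           # other nodes of the same application
        self.ticket_to_sid = {}   # kept on this node only, never replicated

    def complete_login(self, ticket, sid, login_info):
        """The node that validated the service ticket records the mapping."""
        self.cache[sid] = login_info
        self.ticket_to_sid[ticket] = sid

    def on_logout(self, ticket, forwarded=False):
        """Return the name of the node that performed the logout, or None."""
        sid = self.ticket_to_sid.pop(ticket, None)   # delete the service ticket
        if sid is not None:
            self.cache.pop(sid, None)                # delete the login information
            return self.name
        if forwarded:
            return None           # a forwarded request is never forwarded again
        for peer in self.peers:   # broadcast inside the application
            done_by = peer.on_logout(ticket, forwarded=True)
            if done_by:
                return done_by
        return None


def make_cluster(app, size, cache):
    nodes = [AppNode(f"{app}-node{i}", cache) for i in range(1, size + 1)]
    for node in nodes:
        node.peers = [n for n in nodes if n is not node]
    return nodes


def broadcast_logout(ticket, applications, pick=random.choice):
    """Authentication server side: one node of each application gets the request."""
    return {app: pick(nodes).on_logout(ticket) for app, nodes in applications.items()}


def demo(entry_index, owner_reachable=True):
    """Login completes on a-node1; the logout enters each cluster at entry_index."""
    cache = {}
    apps = {"a": make_cluster("a", 3, cache), "b": make_cluster("b", 3, cache)}
    owner = apps["a"][0]
    owner.complete_login("ST-constructed-1", "sid-constructed-1", {"user": "alice"})
    if not owner_reachable:       # constructed failure: peers cannot reach the owner
        for node in apps["a"][1:]:
            node.peers.remove(owner)
    result = broadcast_logout(
        "ST-constructed-1", apps, pick=lambda nodes: nodes[entry_index])
    return result, cache, owner.ticket_to_sid


if __name__ == "__main__":
    for i in range(3):
        print("entry node index", i, "->", demo(i))
    print("owner unreachable ->", demo(1, owner_reachable=False))
```

When the node holding the mapping cannot be reached, no other node can complete the logout and the user login information stays in the cache server, which is the case the last call shows.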
Fig. 5 is a schematic functional block diagram of an information processing apparatus 500 according to an embodiment of the present invention. It should be noted that the basic principle and the technical effect of the information processing apparatus 500 provided in the present embodiment are the same as those of the foregoing method embodiments, and for a brief description, reference may be made to corresponding contents in the foregoing embodiments for a part not mentioned in the present embodiment. The information processing apparatus 500 is applied to the application server 100, and includes a determining module 510, a request processing module 520, a sending module 530, a receiving module 540, a caching module 550, a cookie information generating module 560, and a logout processing module 570.
The determining module 510 is configured to determine, when receiving an access request sent by the user terminal 200, whether the user terminal 200 accesses the first application for the first time and whether other applications except the first application among the plurality of applications have been accessed.
In this embodiment, the determining module 510 is specifically configured to determine that the user terminal 200 accesses the first application for the first time and does not access other applications except the first application among the multiple applications when the cookie information and the service ticket cannot be acquired according to the access request.
It is understood that the determining module 510 can execute the above step S101.
The request processing module 520 is configured to redirect the access request to the authentication server 300 through the browser when it is determined that the user terminal 200 accesses the first application for the first time and does not access other applications except the first application among the plurality of applications, so that the authentication server 300 performs login authentication on the user terminal 200, generates a service ticket associated with user login information acquired from the user terminal 200, and returns the service ticket to the first application through the user terminal 200.
It is understood that the request processing module 520 may execute the step S102.
The sending module 530 is configured to send the service ticket to the authentication server 300 to verify whether the service ticket is valid through the authentication server 300.
It is understood that the sending module 530 can execute the step S103.
The receiving module 540 is configured to receive the user login information returned by the authentication server 300 when the user terminal 200 accesses a first application of the multiple applications for the first time and does not access other applications of the multiple applications except the first application, so that the user terminal 200 accesses the first application through the user login information.
The receiving module 540 is specifically configured to receive the user login information associated with the service ticket returned by the authentication server 300 when the authentication server 300 verifies that the service ticket is valid.
It is understood that the receiving module 540 may perform the step S104.
The cache module 550 is configured to store the user login information to a cache server, and generate identification information uniquely corresponding to the user login information.
It is understood that the caching module 550 may perform the step S105.
The cookie information generating module 560 is configured to generate cookie information according to the identification information, send the cookie information to the browser for storage, and set a path of the cookie information as a predetermined path, so that when the user terminal 200 accesses the first application and then accesses any one of the applications through the browser, the any one application may obtain the cookie information according to the predetermined path, and further obtain the user login information from the cache server according to the identification information in the cookie information, so that the user terminal 200 accesses the any one application through the user login information.
It is understood that the cookie information generating module 560 may perform the above step S106.
The logout processing module 570 is configured to delete the service ticket and the user login information corresponding to the service ticket by the first application when the first application receives the logout request sent by the authentication server 300.
In this embodiment, when each of the applications includes at least one application node, the authentication server 300 sends the logout request to one of the application nodes in each of the applications, where the first application includes a first application node and a second application node, and when the service ticket and the unique correspondence are stored in the first application node and the first application node receives the logout request sent by the authentication server 300, the logout processing module 570 of the first application node is configured to delete the service ticket and the user login information corresponding to the service ticket; when the service ticket and the unique correspondence relationship are saved in the first application node and the second application node receives the logout request sent by the authentication server 300, the logout processing module 570 of the second application node is configured to forward the logout request to the first application node; the logout processing module 570 of the first application node is configured to delete the service ticket and the user login information corresponding to the service ticket according to the logout request.
It should be understood that when each of the plurality of applications includes at least one application node, the functional modules and units included on each application node are the same.
It is understood that the logout processing module 570 may perform the step S107 described above.
In summary, the information processing method and apparatus provided in the embodiments of the present invention are applied to an application server, where the application server is in communication with a user terminal and an authentication server, the user terminal is installed with a browser, and can access a plurality of applications on the application server through the browser, and when the user terminal accesses a first application of the plurality of applications for the first time and does not access other applications except the first application of the plurality of applications, the first application receives user login information returned by the authentication server, so that the user terminal accesses the first application through the user login information; storing the user login information to a cache server, and generating identification information uniquely corresponding to the user login information; generating cookie information according to the identification information, sending the cookie information to the browser for storage, and setting a path of the cookie information as a predetermined path, so that after the user terminal accesses the first application, when the browser accesses any one of the plurality of applications, the cookie information can be obtained by the any one application according to the predetermined path, and then the user login information is obtained from the cache server according to the identification information in the cookie information, so that the user terminal accesses the any one application through the user login information. 
That is, when the user terminal accesses the first application and then accesses other application resources, any application can read cookie information of the browser through the predetermined path so as to obtain the identification information, and then corresponding user login information is obtained from the cache server through the identification information, the authentication server does not need to be accessed to verify the user login state each time, so that the phenomenon that the system jumps many times to refresh a page is avoided, and the user experience is improved.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, apparatus, device or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus, devices and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus and method embodiments described above are illustrative only, as the flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes. It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The above description is only an alternative embodiment of the present invention and is not intended to limit the present invention, and various modifications and variations of the present invention may occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.

Claims (6)

1. An information processing method applied to an application server, the application server communicating with a user terminal and an authentication server, the user terminal being installed with a browser through which a plurality of applications on the application server are accessible, the method comprising:
when the user terminal accesses a first application in the plurality of applications for the first time and does not access other applications except the first application in the plurality of applications, the first application receives user login information returned by the authentication server, so that the user terminal accesses the first application through the user login information; the user login information is associated with the service ticket generated by the authentication server;
storing the user login information to a cache server, and generating identification information uniquely corresponding to the user login information; the unique corresponding relation between the service ticket and the identification information is recorded in the first application;
generating cookie information according to the identification information, sending the cookie information to the browser for storage, and setting a path of the cookie information to be a predetermined path, so that after the user terminal accesses the first application, when the browser accesses any one of the plurality of applications, the cookie information can be obtained by the any one application according to the predetermined path, and then the user login information is obtained from the cache server according to the identification information in the cookie information, so that the user terminal accesses the any one application through the user login information;
when the first application comprises a first application node and a second application node, if the service ticket and the unique corresponding relation are stored in the first application node and the first application node receives a logout request sent by the authentication server, the first application node deletes the service ticket and the user login information corresponding to the service ticket;
if the service ticket and the unique corresponding relation are stored in the first application node and the second application node receives a logout request sent by the authentication server, the second application node forwards the logout request to the first application node; and the first application node deletes the service ticket and the user login information corresponding to the service ticket according to the logout request.
2. The information processing method according to claim 1, wherein before the first application receives user login information returned by the authentication server when the user terminal accesses the first application among the plurality of applications for the first time and does not access the other applications except the first application among the plurality of applications, the method further comprises:
when the first application receives an access request sent by the user terminal, judging whether the user terminal accesses the first application for the first time and whether other applications except the first application in the plurality of applications are accessed;
when the user terminal is determined to access the first application for the first time and does not access other applications except the first application in the plurality of applications, the first application redirects the access request to the authentication server through the browser so that the authentication server can perform login authentication on the user terminal, generate a service ticket associated with user login information acquired from the user terminal, and return the service ticket to the first application through the user terminal;
the first application sends the service ticket to the authentication server to verify whether the service ticket is valid by the authentication server;
wherein the first application receiving the user login information returned by the authentication server comprises:
when the authentication server verifies that the service ticket is valid, receiving the user login information which is returned by the authentication server and is associated with the service ticket.
3. The information processing method according to claim 2, wherein the determining, by the first application, whether the user terminal accesses the first application for the first time and whether other applications than the first application among the plurality of applications are accessed when receiving the access request sent by the user terminal, comprises:
when the first application cannot acquire the cookie information and the service ticket according to the access request, judging that the user terminal accesses the first application for the first time and does not access other applications except the first application in the plurality of applications.
4. An information processing apparatus applied to an application server which communicates with a user terminal having a browser installed therein and an authentication server through which a plurality of applications on the application server are accessible, the apparatus comprising:
a receiving module, configured to receive user login information returned by the authentication server when the user terminal accesses a first application of the multiple applications for the first time and does not access other applications of the multiple applications except the first application, so that the user terminal accesses the first application through the user login information; the user login information is associated with the service ticket generated by the authentication server;
the cache module is used for storing the user login information to a cache server and generating identification information uniquely corresponding to the user login information; the unique corresponding relation between the service ticket and the identification information is recorded in the first application;
a cookie information generating module, configured to generate cookie information according to the identification information, send the cookie information to the browser for storage, and set a path of the cookie information as a predetermined path, so that when the user terminal accesses the first application and then accesses any one of the applications through the browser, the any one application may obtain the cookie information according to the predetermined path, and further obtain the user login information from the cache server according to the identification information in the cookie information, so that the user terminal accesses the any one application through the user login information;
the device further comprises a logout processing module, when the first application comprises a first application node and a second application node, if the service ticket and the unique corresponding relation are stored in the first application node and the first application node receives a logout request sent by the authentication server, the logout processing module of the first application node is used for deleting the service ticket and the user login information corresponding to the service ticket;
if the service ticket and the unique corresponding relation are stored in the first application node and the second application node receives a logout request sent by the authentication server, a logout processing module of the second application node is used for forwarding the logout request to the first application node; and the logout processing module of the first application node is used for deleting the service ticket and the user login information corresponding to the service ticket according to the logout request.
5. The information processing apparatus according to claim 4, wherein the apparatus further comprises:
a determining module, configured to determine, when receiving an access request sent by the user terminal, whether the user terminal accesses the first application for the first time and whether the user terminal has accessed other applications except the first application among the multiple applications;
a request processing module, configured to redirect, by the browser, the access request to the authentication server when it is determined that the user terminal accesses the first application for the first time and does not access other applications, except the first application, of the multiple applications, so that the authentication server performs login authentication on the user terminal, generates a service ticket associated with user login information acquired from the user terminal, and returns the service ticket to the first application through the user terminal;
a sending module, configured to send the service ticket to the authentication server to verify whether the service ticket is valid through the authentication server;
the receiving module is used for receiving the user login information which is returned by the authentication server and is associated with the service ticket when the authentication server verifies that the service ticket is valid.
6. The information processing apparatus of claim 5, wherein the determining module is configured to determine that the user terminal accessed the first application for the first time and did not access other applications of the plurality of applications except the first application when the cookie information and the service ticket could not be acquired according to the access request.
CN201810074673.XA 2018-01-25 2018-01-25 Information processing method and device Active CN108289101B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810074673.XA CN108289101B (en) 2018-01-25 2018-01-25 Information processing method and device

Publications (2)

Publication Number Publication Date
CN108289101A CN108289101A (en) 2018-07-17
CN108289101B true CN108289101B (en) 2021-02-12

Family

ID=62835943

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810074673.XA Active CN108289101B (en) 2018-01-25 2018-01-25 Information processing method and device

Country Status (1)

Country Link
CN (1) CN108289101B (en)

Families Citing this family (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769083A (en) * 2018-08-01 2018-11-06 北京奇虎科技有限公司 Login method, apparatus and system based on distributed server
CN109246076B (en) * 2018-08-01 2022-11-04 北京奇虎科技有限公司 Method and device for single sign-on to multiple systems
CN109831408A (en) * 2018-12-13 2019-05-31 平安万家医疗投资管理有限责任公司 Single-sign-on subsystem publishes method and system
CN111181977B (en) * 2019-12-31 2021-06-04 瑞庭网络技术(上海)有限公司 Login method, device, electronic equipment and medium
CN112491890A (en) * 2020-11-27 2021-03-12 中国农业银行股份有限公司 Access method and device
CN112765583A (en) * 2021-01-27 2021-05-07 海尔数字科技(青岛)有限公司 Single sign-on method, device, equipment and medium
CN114285650A (en) * 2021-12-27 2022-04-05 中国电信股份有限公司 Communication system, method and device based on cookie authentication
CN114338634B (en) * 2021-12-29 2023-12-01 杭州盈高科技有限公司 Data processing method and device
CN117319087B (en) * 2023-11-28 2024-02-27 北京车与车科技有限公司 Single sign-on method, device and storage medium based on centralized authentication service

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098158A (en) * 2009-12-10 2011-06-15 北大方正集团有限公司 Cross-domain name single sign on and off method and system as well as corresponding equipment
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
CN103188248A (en) * 2011-12-31 2013-07-03 卓望数码技术(深圳)有限公司 Identity authentication system and method based on single sign-on
CN104158818A (en) * 2014-08-25 2014-11-19 中国联合网络通信集团有限公司 Single sign-on method and system
CN104378376A (en) * 2014-11-18 2015-02-25 深圳中兴网信科技有限公司 SOA-based single-point login method, authentication server and browser
CN105072123A (en) * 2015-08-21 2015-11-18 广州博鳌纵横网络科技有限公司 Single sign on log-out method and system under cluster environment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9965614B2 (en) * 2011-09-29 2018-05-08 Oracle International Corporation Mobile application, resource management advice
CN104301316A (en) * 2014-10-13 2015-01-21 中国电子科技集团公司第二十八研究所 Single sign-on system and implementation method thereof
CN104320423B (en) * 2014-11-19 2018-12-28 重庆邮电大学 Single-sign-on lightweight implementation method based on Cookie

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102098158A (en) * 2009-12-10 2011-06-15 北大方正集团有限公司 Cross-domain name single sign on and off method and system as well as corresponding equipment
CN103188248A (en) * 2011-12-31 2013-07-03 卓望数码技术(深圳)有限公司 Identity authentication system and method based on single sign-on
CN103179134A (en) * 2013-04-19 2013-06-26 中国建设银行股份有限公司 Single sign on method and system based on Cookie and application server thereof
CN104158818A (en) * 2014-08-25 2014-11-19 中国联合网络通信集团有限公司 Single sign-on method and system
CN104378376A (en) * 2014-11-18 2015-02-25 深圳中兴网信科技有限公司 SOA-based single-point login method, authentication server and browser
CN105072123A (en) * 2015-08-21 2015-11-18 广州博鳌纵横网络科技有限公司 Single sign on log-out method and system under cluster environment

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
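"[No.2] Analysis of the principle of CAS single sign-on"; Readiay; CSDN; 20161019; main text, pages 1-5 *
"Implementing session sharing with a redis cache and cookies"; hchhan89; CSDN; 20171030; main text, pages 1-4 *
Principle of implementing single sign-on (SSO) with CAS; yljava; Jianshu (简书); 20170609; main text, pages 1-4 *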

Also Published As

Publication number Publication date
CN108289101A (en) 2018-07-17

Similar Documents

Publication Publication Date Title
CN108289101B (en) Information processing method and device
CN107948167B (en) Single sign-on method and device
CN103023918B (en) The mthods, systems and devices logged in are provided for multiple network services are unified
US8935757B2 (en) OAuth framework
CN112564916A (en) Access client authentication system applied to micro-service architecture
CN112597472B (en) Single sign-on method, device and storage medium
CN112613010A (en) Authentication service method, device, server and authentication service system
CN111698250B (en) Access request processing method and device, electronic equipment and computer storage medium
CN103716326A (en) Resource access method and URG
CN110535971B (en) Interface configuration processing method, device, equipment and storage medium based on block chain
CN104378376A (en) SOA-based single-point login method, authentication server and browser
CN103428179B (en) A kind of log in the method for many domain names website, system and device
US9916308B2 (en) Information processing system, document managing server, document managing method, and storage medium
CN105007280A (en) Application sign-on method and device
CN105430102A (en) Integration method and system of SaaS (Software as a Service) website and third-party system and device thereof
US10659516B2 (en) Data caching and resource request response
CN102710640A (en) Authorization requesting method, device and system
CN110213223A (en) Business management method, device, system, computer equipment and storage medium
AU2016349477A1 (en) Systems and methods for controlling sign-on to web applications
CN110032842B (en) Method and system for simultaneously supporting single sign-on and third party sign-on
CN102316080A (en) Function for supporting anonymous verification of central authentication service in same master domain
CN104158818A (en) Single sign-on method and system
CN110519240A (en) A kind of single-point logging method, apparatus and system
CN111818088A (en) Authorization mode management method and device, computer equipment and readable storage medium
CN109450890B (en) Single sign-on method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant