CN108989276A - Inter-system secure pseudo-login architecture and method - Google Patents

Inter-system secure pseudo-login architecture and method

Info

Publication number: CN108989276A
Application number: CN201810256417.2A
Authority: CN (China)
Prior art keywords: url, signature, physical machine, source, host
Legal status: Granted (active)
Other languages: Chinese (zh)
Other versions: CN108989276B (en)
Inventor: 张金柱
Current assignee: Shenzhen Small Win Information Technology Co Ltd
Original assignee: Shenzhen Small Win Information Technology Co Ltd
Priority date: 2018-03-27
Filing date: 2018-03-27
Publication date: 2018-12-11
Grant publication: CN108989276B, 2021-09-28

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The present invention provides an inter-system secure pseudo-login architecture and method. A user triggers access to a target-system web address from a source system; the request passes through the URL conversion system in the source system, a central signature generation and verification server, and the URL authorization identification system in the target system, achieving a secure pseudo-login between the systems. The invention enables cross-system access to pages of a specified type without registering an account and binding a role in the background system in advance, and without mapping to an account that already holds the authority. The URL authorization identification system of the scheme also enforces link expiry and prevents a URL from being abused by a different device, giving a safe and efficient cross-system access mechanism.

Description

Inter-system secure pseudo-login architecture and method
Technical field
The present invention relates to the Internet field, and in particular to a background-system architecture and method for login authority verification.
Background technique
Business background (back-office) systems generally involve user login: a user who has not logged in is not allowed to access specified page content, so that system function modules are licensed only to user accounts with an assigned role. Each background system may independently maintain its own account permission system, so that a logged-in user completes a closed loop of business operations inside that system. Account information cannot be shared between different systems; an OAuth-based SSO (single sign-on) scheme can keep one user account in a logged-in state across several associated systems after a single login authentication. Because the business modules of different background systems differ, unified management of roles and of the resource sets each role may use is hard to achieve. In business scenarios with much functional interaction between systems, a user of one background system may need to view module information of another background system. Since each system has its own permission control logic, a common approach is that, under a unified SSO mode, each system opens the same account and grants that account the permission of the specific module in the other system, thereby enabling page access between systems. This approach has considerable limitations: whenever systems need to authenticate and authorize each other, identical accounts must be created in each autonomous system in advance and the corresponding account role permissions configured, which is inflexible; and for systems that do not use SSO authentication it increases the complexity of the login function.
Summary of the invention
The technical problem solved by the present invention is to address the shortcomings of existing ways of authorizing page access between systems by providing a lightweight inter-system secure pseudo-login architecture and method that is easy to apply to cross-system web page access. When a user triggers access to a target-system web address (hereafter referred to as a URL) in a source system, the request passes through the URL conversion system in the source system and the central signature generation and verification server to the URL authorization identification system in the target system, achieving a secure pseudo-login between the systems.
The technical scheme adopted to solve the above problem is as follows:
An inter-system secure pseudo-login architecture comprises: a visualization terminal device, a source website system host physical machine, a signature generation and verification service host physical machine, and a target website system host physical machine. The visualization terminal device is network-connected to the source website system host physical machine; the source website system host physical machine is network-connected to the signature generation and verification service host physical machine; the signature generation and verification service host physical machine is network-connected to the target website system host physical machine; and the target website system host physical machine is network-connected to the visualization terminal device.
The user initiates a network request to the source website system host physical machine through the visualization terminal device and obtains a converted web address, then initiates a network request to the target website system host physical machine with the converted web address. Both the source website system host physical machine and the target website system host physical machine interact with the signature generation and verification service host physical machine, achieving a secure pseudo-login.
An inter-system secure pseudo-login method comprises the following steps:
The user triggers access to a target-system URL in the source system; the source system sends a request to the signature generation and verification server with the URL as the request parameter and obtains the final request URL`;
The signature generation and verification server appends a random parameter and a signature field after the original URL field to generate URL`, where the random parameter field contains the original request time information;
The source system initiates the network request with URL`;
The target system parses the URL` parameters, extracts the random parameter and signature fields, and performs the following verification:
1) the target system combines the server's current time with the original time information to verify whether the link has timed out;
2) the target system sends a request to the signature generation and verification server with URL` as the request parameter to verify the legitimacy of URL`;
3) the target system simultaneously identifies the request by the combination of the user IP and the initial request time, checking that the source of the access request is consistent;
After all three verifications pass, the target system authorizes display of the web page content, achieving link expiry and secure login.
The URL conversion method of the signature generation and verification server is as follows:
1) the random parameter takes the server's current time or its encrypted value; if the encrypted value is taken, a symmetric encryption algorithm is used;
2) the signature parameter is generated from the random parameter value of step 1) and the source-system identification information via an encryption algorithm that cannot be reversed (a one-way function);
3) the random parameter of step 1) and the signature parameter field of step 2) are appended after the original URL.
The signature generation and verification server centrally controls the generation and verification of the random parameter, shielding the algorithm details from the source and target systems, preventing URL forgery and making upgrades and maintenance of the algorithm convenient.
Beneficial effects: the inter-system secure pseudo-login architecture and method of the present invention enable cross-system access to pages of a specified type without registering an account and binding a role in the background system in advance, and without mapping to an account that already holds the authority; at the same time, the URL authorization identification system of the scheme enforces link expiry and prevents a URL from being abused by a different device, providing a safe and efficient cross-system access mechanism.
Detailed description of the invention
The present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Fig. 1 is a flow diagram of the secure pseudo-login of the present invention.
Fig. 2 is a schematic diagram of the hardware architecture of the secure pseudo-login of the present invention.
Specific embodiment
To make the technical means, creative features, objectives and effects of the present invention easy to understand, the invention is further explained below in combination with specific illustrations.
Referring to Fig. 1, when an HTTP request event is initiated with a target URL, the source system sends a request to the signature generation and verification server with the URL as the request parameter and obtains the final request URL`. The signature generation and verification server appends a random parameter and a signature field after the original URL field to generate URL`, where the random parameter field contains the original request time information. The source system initiates the network request with URL`. The target system parses the URL` parameters, extracts the random parameter and signature fields, and performs the following three verifications:
1) the target system combines the server's current time with the original time information to verify whether the link has timed out;
2) the target system sends a request to the signature generation and verification server with URL` as the request parameter to verify the legitimacy of URL`;
3) the target system simultaneously identifies the request by the combination of the user IP and the initial request time, checking that the source of the access request is consistent.
Only after all three verifications pass does the target system authorize display of the web page content, achieving link expiry and secure login.
The URL conversion algorithm of the signature generation and verification server is as follows:
1) the random parameter takes the server's current time or its encrypted value; if the encrypted value is taken, a symmetric encryption algorithm is used;
2) the signature parameter is generated from the random parameter value of step 1) and the source-system identification information via an encryption algorithm that cannot be reversed (a one-way function);
3) the random parameter of step 1) and the signature parameter field of step 2) are appended after the original URL.
By centrally controlling the generation and verification of the random parameter, the signature generation and verification server shields the algorithm details from the source and target systems, avoiding the risk of URL forgery while making upgrades and maintenance of the algorithm convenient.
Referring to Fig. 2, a schematic diagram of the hardware connections of the present invention: the user initiates a network request to the source website system host physical machine through the visualization terminal; the source website host physical machine relies on its URL conversion system to initiate a network request to the signature generation and verification service host physical machine, and returns the converted web address it obtains to the user terminal. The user terminal then initiates a network request to the target website system host physical machine with the converted web address. The target website host physical machine relies on its URL authorization identification system to initiate a network request to the signature generation and verification service host physical machine, and decides whether to return the specified web page content to the user terminal.
Further:
The source-system link address may appear inside an A tag of an HTML(5) web page; after a source-system user clicks a URL, the system's front-end JavaScript script performs the following processing, described in pseudocode as follows:
URL` is generated and returned by the signature generation and verification server. The URL conversion algorithm, taking the PHP language as an example, is described in pseudocode as follows:
The URL authorization identification system implements the pseudo-login security verification, link expiry, and prevention of URL abuse by a different device; taking the PHP language as an example, it is described in pseudocode as follows:
As can be seen from the flow of this scheme, an HTTP request is initiated to the target system with the random_key (the base64_encode value of the initial request time) and sign parameters appended after the source-system URL. The target system takes the difference between its current time and the initial request time and checks whether that difference exceeds the timeout; at the same time it verifies sign according to the sign generation algorithm, and uses the combined identifier of the user IP and the initial request time to check access consistency, preventing URL abuse and achieving a secure inter-system pseudo-login. Once the secure pseudo-login process of this scheme passes verification, access to the specified URL page can be authorized without registering an account and binding a role in the background system in advance.
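The URL conversion and the target system's three checks described above, rendered in Python as an added example (the page refers to PHP pseudocode but does not reproduce it, and this is not the patent's own code). The HMAC key, the 60-second link lifetime, the query canonicalization step and the binding of the original URL into sign are assumptions that go beyond the page's text; the page names only random_key and the source-system id as sign inputs.

```python
import base64
import binascii
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed demo secret; in the scheme only the signature server holds it.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
LINK_TTL_SECONDS = 60  # assumed link lifetime for the timeout check


def make_random_key(initial_time: int) -> str:
    """random_key = base64_encode of the initial request time (the page's embodiment)."""
    return base64.b64encode(str(initial_time).encode()).decode()


def make_sign(random_key: str, source_id: str, original_url: str) -> str:
    """One-way sign over random_key and the source system id (HMAC-SHA256 assumed).
    Binding original_url too is an addition: a valid pair cannot be moved to another page."""
    msg = f"{source_id}|{random_key}|{original_url}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def split_url(url_prime: str):
    """Separate URL` into the canonical original URL and its random_key / sign fields."""
    parts = urlparse(url_prime)
    query = parse_qs(parts.query, keep_blank_values=True)
    random_key = query.pop("random_key", [None])[0]
    sign = query.pop("sign", [None])[0]
    original = urlunparse(parts._replace(query=urlencode(query, doseq=True)))
    return original, random_key, sign


def convert_url(url: str, source_id: str, now: int) -> str:
    """Signature server: append random_key and sign after the original URL -> URL`."""
    canonical, _, _ = split_url(url)  # normalise once so both sides sign the same bytes
    parts = urlparse(canonical)
    query = parse_qs(parts.query, keep_blank_values=True)
    random_key = make_random_key(now)
    query["random_key"] = [random_key]
    query["sign"] = [make_sign(random_key, source_id, canonical)]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))


def verify_sign(url_prime: str, source_id: str) -> bool:
    """Signature server: recompute sign for URL` and compare in constant time."""
    original, random_key, sign = split_url(url_prime)
    if random_key is None or sign is None:
        return False
    return hmac.compare_digest(make_sign(random_key, source_id, original), sign)


class TargetSystem:
    """URL authorization identification system on the target side."""
    def __init__(self, source_id: str):
        self.source_id = source_id
        self.first_seen = {}  # random_key -> client IP that first used the link

    def authorize(self, url_prime: str, client_ip: str, now: int):
        """Run the page's three checks in order; returns (allowed, reason)."""
        _, random_key, sign = split_url(url_prime)
        if random_key is None or sign is None:
            return False, "missing random_key or sign"
        # 1) timeout: server current time against the initial request time
        try:
            initial = int(base64.b64decode(random_key, validate=True))
        except (binascii.Error, ValueError):
            return False, "malformed random_key"
        if not 0 <= now - initial <= LINK_TTL_SECONDS:
            return False, "link expired"
        # 2) legitimacy: the signature server re-verifies URL`
        if not verify_sign(url_prime, self.source_id):
            return False, "bad signature"
        # 3) consistency: the (initial time, user IP) pair must match first use
        owner = self.first_seen.setdefault(random_key, client_ip)
        if owner != client_ip:
            return False, "link reused from a different device"
        return True, "ok"
```

A real deployment would keep first_seen in shared storage with the same lifetime as the link, and the target would call the signature server over the network rather than in-process.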
The basic principles, main features and advantages of the present invention have been shown and described above. Those skilled in the art should understand that the present invention is not limited to the above embodiments; the embodiments and the description only illustrate the principle of the invention, and various changes and improvements may be made without departing from its spirit and scope, all of which fall within the claimed protection scope. The scope of protection claimed is defined by the appended claims and their equivalents.

Claims (4)

1. An inter-system secure pseudo-login architecture, characterized in that it comprises: a visualization terminal device, a source website system host physical machine, a signature generation and verification service host physical machine, and a target website system host physical machine; the visualization terminal device is network-connected to the source website system host physical machine, the source website system host physical machine is network-connected to the signature generation and verification service host physical machine, the signature generation and verification service host physical machine is network-connected to the target website system host physical machine, and the target website system host physical machine is network-connected to the visualization terminal device;
the user initiates a network request to the source website system host physical machine through the visualization terminal device and obtains a converted web address, then initiates a network request to the target website system host physical machine with the converted web address; both the source website system host physical machine and the target website system host physical machine interact with the signature generation and verification service host physical machine, achieving a secure pseudo-login.
2. An inter-system secure pseudo-login method, characterized in that it comprises the following steps:
the user triggers access to a target-system URL in the source system; the source system sends a request to the signature generation and verification server with the URL as the request parameter and obtains the final request URL`;
the signature generation and verification server appends a random parameter and a signature field after the original URL field to generate URL`, where the random parameter field contains the original request time information;
the source system initiates the network request with URL`;
the target system parses the URL` parameters, extracts the random parameter and signature fields, and performs the following verification:
1) the target system combines the server's current time with the original time information to verify whether the link has timed out;
2) the target system sends a request to the signature generation and verification server with URL` as the request parameter to verify the legitimacy of URL`;
3) the target system simultaneously identifies the request by the combination of the user IP and the initial request time, checking that the source of the access request is consistent;
after all three verifications pass, the target system authorizes display of the web page content, achieving link expiry and secure login.
3. The inter-system secure pseudo-login method according to claim 2, characterized in that the URL conversion method of the signature generation and verification server is as follows:
1) the random parameter takes the server's current time or its encrypted value; if the encrypted value is taken, a symmetric encryption algorithm is used;
2) the signature parameter is generated from the random parameter value of step 1) and the source-system identification information via an encryption algorithm that cannot be reversed;
3) the random parameter of step 1) and the signature parameter field of step 2) are appended after the original URL.
4. The inter-system secure pseudo-login method according to claim 3, characterized in that the signature generation and verification server centrally controls the generation and verification of the random parameter, shielding the algorithm details from the source system and the target system and preventing URL forgery.

Priority Applications (1)

Application Number: CN201810256417.2A (granted as CN108989276B, active)
Priority Date: 2018-03-27
Filing Date: 2018-03-27
Title: Inter-system secure pseudo login method

Publications (2)

Publication Number Publication Date
CN108989276A true CN108989276A (en) 2018-12-11
CN108989276B CN108989276B (en) 2021-09-28





Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant