CN108989276B - Inter-system secure pseudo login method - Google Patents

Info

Publication number: CN108989276B
Authority: CN (China)
Prior art keywords: url, request, parameter, target system, random
Legal status: Active (the legal status is an assumption by Google Patents and is not a legal conclusion; no legal analysis has been performed)
Application number: CN201810256417.2A
Other languages: Chinese (zh)
Other versions: CN108989276A
Inventor: 张金柱
Current assignee: Shenzhen Xiaoying Information Technology Co ltd (assignee listings may be inaccurate; no legal analysis has been performed)
Original assignee: Shenzhen Xiaoying Information Technology Co ltd
Priority date: 2018-03-27 (the priority date is an assumption by Google Patents and is not a legal conclusion)
Filing date: 2018-03-27
Publication dates: 2018-12-11 (CN108989276A), 2021-09-28 (CN108989276B, grant)
Application filed by Shenzhen Xiaoying Information Technology Co ltd; priority to CN201810256417.2A; application granted; currently active.

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 67/00  Network arrangements or protocols for supporting network services or applications
    • H04L 67/01  Protocols
    • H04L 67/02  Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention provides a method for secure pseudo login between systems. A user triggers access to a target-system web address (URL) from within a source system; the URL is passed through a URL conversion system in the source system and a central signature generation and verification server, and is then presented to a URL authorization identification system in the target system, which realizes the secure pseudo login. The method allows cross-system access to pages of a specified type without registering an account and binding a role in the target background system in advance, and without mapping the user onto some pre-authorized account. At the same time, the URL authorization identification system expires links after a timeout and prevents a URL from being reused from a different device, giving a secure and efficient cross-system access mechanism.

Description

Inter-system secure pseudo login method
Technical Field
The invention relates to the field of the internet, in particular to a background system architecture with login authorization verification, and a corresponding method.
Background
A service background system generally requires user login: a user who has not logged in is not allowed to access specified web page content, and a system function module can be authorized only to user accounts holding a specified role. Each background system can maintain its own account and permission system independently, so that a logged-in user can complete a closed loop of service operations within that system. Account information can also be shared between systems: an OAuth-based SSO (single sign-on) scheme lets a user account keep its login state across several associated systems after authenticating once. Because the service modules of different background systems differ, it is hard to manage roles, and the set of resources each role may use, in a unified way. In business scenarios with much functional interaction between systems, a user of one background system will often need to view information held by a module of another background system. Since each system has its own permission control logic, a common approach is to open the same account in each system under a unified SSO scheme and grant that account the permissions of the specific module in the other system, thereby allowing page access between systems. This approach is very restrictive: as soon as systems need to authenticate and authorize each other, the same account must be created in advance in each independent system and the corresponding account role permissions configured, which is inflexible, and for a system that does not use SSO authentication it adds complexity to the login function.
Disclosure of Invention
The technical problem solved by the invention is to provide, in view of the shortcomings of existing ways of handling authorized page access between systems, a lightweight architecture and method for secure pseudo login between systems that makes cross-system web page access easy. When a source system triggers access to a target-system web address (hereinafter URL), the user reaches the URL authorization identification system in the target system by way of a URL conversion system in the source system and a central signature generation and verification server, realizing secure pseudo login between systems.
To solve the above problems, the technical solution of the invention is as follows:
An inter-system secure pseudo login architecture comprises: a visual terminal device, a source website system host (physical machine), a signature generation and verification service host, and a target website system host. The visual terminal device is network-connected to the source website system host; the source website system host is network-connected to the signature generation and verification service host; the signature generation and verification service host is network-connected to the target website system host; and the target website system host is network-connected to the visual terminal device.
A user initiates a network request from the visual terminal device to the source website system host to obtain a converted web address, and then initiates a network request with the converted address to the target website system host. Both the source website system host and the target website system host interact with the signature generation and verification service host, and this is how secure pseudo login is realized.
The inter-system secure pseudo login method comprises the following steps:
a user triggers access to a target-system URL in the source system; the source system takes that URL as a request parameter and sends a request to the signature generation and verification server to obtain the final request address URL';
the signature generation and verification server appends a random parameter and a signature field to the original URL to produce URL', where the random parameter field carries the time of the original request;
the source system initiates a network request with URL';
the target system parses the parameters of URL', extracts the random parameter and the signature field, and performs the following verification:
1) the target system checks, from the server's current time and the original request time, whether the link has timed out and is invalid;
2) the target system takes URL' as a request parameter, sends a request to the signature generation and verification server, and verifies that URL' is valid;
3) the target system checks the consistency of the request source using the combined identification of the user IP address and the initial request time;
only after all three checks pass does the target system authorize display of the page content; this provides link expiry and secure login.
The URL conversion method of the signature generation and verification server is as follows:
1) the random parameter is the server's current time, or an encrypted encoding of it; if an encrypted encoding is used, a symmetric encryption algorithm is applied;
2) the signature parameter is generated from the random parameter value of step 1) and the source system identification information by a one-way algorithm that cannot be reversed;
3) the random parameter of step 1) and the signature parameter field of step 2) are appended to the original URL.
The signature generation and verification server centrally controls the generation and verification of the random parameter, hides the algorithm details from both the source system and the target system, prevents URL forgery, and makes upgrading and maintaining the algorithm easier.
The inter-system secure pseudo login architecture and method have the advantage that cross-system access to pages of a specified type is possible without registering an account and binding a role in the background system in advance, and without mapping onto some pre-authorized account. At the same time, the URL authorization identification system in the scheme expires links after a timeout and prevents a URL from being reused from a different device, giving a secure and efficient cross-system access mechanism.
Drawings
The invention is described in detail below with reference to the drawings and the detailed description.
Fig. 1 is a schematic view of the secure pseudo login process of the invention.
Fig. 2 is a diagram of the secure pseudo login hardware architecture of the invention.
Detailed Description
To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the drawings.
Referring to Fig. 1, when an HTTP request event for a target URL is triggered, the source system sends a request to the signature generation and verification server with that URL as a request parameter and obtains the final request address URL'. The signature generation and verification server appends a random parameter and a signature field after the original URL to produce URL', where the random parameter field carries the time of the original request. The source system initiates a network request with URL'. The target system parses the parameters of URL', extracts the random parameter and the signature field, and performs the following three checks:
1) the target system checks, from the server's current time and the original request time, whether the link has timed out and is invalid;
2) the target system takes URL' as a request parameter, sends a request to the signature generation and verification server, and verifies that URL' is valid;
3) the target system checks the consistency of the request source using the combined identification of the user IP address and the initial request time.
After all three checks pass, the target system authorizes display of the page content, realizing link expiry and secure login.
The URL conversion algorithm of the signature generation and verification server is as follows:
1) the random parameter is the server's current time, or an encrypted encoding of it; if an encrypted encoding is used, a symmetric encryption algorithm is applied;
2) the signature parameter is generated from the random parameter value of step 1) and the source system identification information by a one-way algorithm that cannot be reversed;
3) the random parameter of step 1) and the signature parameter field of step 2) are appended to the original URL.
The signature generation and verification server centrally controls the generation and verification of the random parameter, hides the algorithm details from both the source system and the target system, removes the risk of URL forgery, and makes upgrading and maintaining the algorithm easier.
Referring to Fig. 2, a schematic of the hardware architecture connections of the invention: the user initiates a network request from a visual terminal to the source website system host; relying on its URL conversion system, the source website host sends a network request to the signature generation and verification service host, obtains the converted web address, and returns it to the user terminal. The user terminal then initiates a network request with the converted address to the target website system host. Relying on its URL authorization authentication system, the target website host sends a network request to the signature generation and verification service host to decide whether to return the specified page content to the user terminal.
Further:
The link address of the source system may appear in an A tag of an HTML(5) web page. After a user of the source system clicks a URL, the system's front-end JavaScript performs the following processing; the pseudocode and its description are given in the drawings:
[Figures GDA0003175270200000051 and GDA0003175270200000061: front-end JavaScript pseudocode; not reproduced in this text]
URL' is returned by the signature generation and verification server. Taking PHP as the example language, the pseudocode and description of the URL conversion algorithm are given in the drawings:
[Figures GDA0003175270200000062 and GDA0003175270200000071: PHP pseudocode of the URL conversion algorithm; not reproduced in this text]
The URL authorization authentication system performs the security verification of the pseudo login, the link timeout, and the prevention of URL reuse by different devices. Taking PHP as the example language, the pseudocode and description are given in the drawings:
[Figures GDA0003175270200000072 and GDA0003175270200000081: PHP pseudocode of the URL authorization authentication system; not reproduced in this text]
It can be seen that, following the scheme, a random_key (the base64_encode value of the initial request time) and a sign parameter are appended to the source system's URL and an HTTP request is sent to the target system. The target system uses the difference between the current time and the initial request time to check for timeout, verifies sign according to the signature generation algorithm, and checks access consistency using the combined identification of the user IP and the initial request time, so that URL abuse is strictly prevented and the inter-system secure pseudo login function is realized. Under this scheme no account and bound role need to be registered in the background system in advance; once the secure pseudo login procedure has been verified, access to the specified URL page is authorized.
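The URL conversion algorithm (random parameter, one-way signature, fields appended to the URL) and the target system's three checks (timeout, validity of URL', consistency of the request source), worked through end to end in Python as an added example. This is not code from the patent or from the assignee; the patent's own pseudocode is in the figures referenced above. Several things are assumed here that the patent does not state: the central server keeps one shared secret per registered source system and identifies the source system through an added `src` query parameter; the one-way signature is HMAC-SHA256 (the patent names no algorithm); the signed material also covers the canonical target URL and the client IP address the source system saw, so the target system passes the IP of the request it is serving to the verification endpoint and an IP change shows up as a signature mismatch, which folds check 3 into check 2; and `random_key` is plain base64 of the issue time, the unencrypted variant of the patent's step 1). The function names, the 300-second validity window, the shared secret and the sample URL and addresses are all constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical central signature-server state (assumed, not from the patent):
# one shared secret per registered source system, keyed by a source-system id.
SOURCE_SYSTEM_KEYS = {"crm": b"constructed-secret-for-crm-source-system"}
LINK_TTL_SECONDS = 300                       # assumed validity window for URL'
SCHEME_PARAMS = ("src", "random_key", "sign")  # fields the scheme appends


def canonical_url(url):
    """Drop the scheme-added parameters and sort the rest, so issuer and
    verifier sign the same bytes regardless of parameter order."""
    parts = urlsplit(url)
    query = sorted((k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                   if k not in SCHEME_PARAMS)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), ""))


def compute_sign(source_id, random_key, url, client_ip):
    """One-way signature (HMAC-SHA256, an assumed choice) over the source-system
    id, the random parameter, the canonical target URL and the client IP."""
    msg = "|".join((source_id, random_key, canonical_url(url), client_ip)).encode()
    return hmac.new(SOURCE_SYSTEM_KEYS[source_id], msg, hashlib.sha256).hexdigest()


def issue_url(source_id, url, client_ip, now=None):
    """Signature server, URL -> URL': random_key is base64 of the issue time
    (encoding, not encryption), sign is the HMAC; both are appended."""
    now = int(time.time()) if now is None else now
    random_key = base64.urlsafe_b64encode(str(now).encode()).decode()
    sign = compute_sign(source_id, random_key, url, client_ip)
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("src", source_id), ("random_key", random_key), ("sign", sign)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))


def verify_url(signed_url, client_ip):
    """Signature server, verification endpoint called by the target system.
    Recomputes the HMAC with the IP of the request the target is serving, so a
    URL' replayed from another address fails even though sign itself is intact."""
    params = dict(parse_qsl(urlsplit(signed_url).query, keep_blank_values=True))
    try:
        source_id, random_key, sign = params["src"], params["random_key"], params["sign"]
    except KeyError:
        return False
    if source_id not in SOURCE_SYSTEM_KEYS:
        return False
    expected = compute_sign(source_id, random_key, signed_url, client_ip)
    return hmac.compare_digest(expected, sign)   # constant-time comparison


def authorize(signed_url, client_ip, now=None):
    """Target system (URL authorization identification system): the scheme's
    three checks, in the order the patent lists them. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    params = dict(parse_qsl(urlsplit(signed_url).query, keep_blank_values=True))
    # 1) timeout: recover the issue time from random_key and compare with server time.
    #    Done locally first, so expired links never cost a round trip to the server.
    try:
        issued = int(base64.urlsafe_b64decode(params.get("random_key", "")).decode())
    except (ValueError, UnicodeDecodeError):
        return False, "bad random_key"
    if not 0 <= now - issued <= LINK_TTL_SECONDS:   # also rejects future-dated links
        return False, "expired"
    # 2) validity of URL' and 3) consistency of the request source: one server call,
    #    because the IP is part of the signed material in this example.
    if not verify_url(signed_url, client_ip):
        return False, "bad signature or different client"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the CRM source system asks for a link for a client at 203.0.113.7.
    link = issue_url("crm", "https://target.example/report?id=42", "203.0.113.7", now=1_000_000)
    print(link)
    print(authorize(link, "203.0.113.7", now=1_000_100))   # inside the window, same client
    print(authorize(link, "198.51.100.9", now=1_000_100))  # same link, different address
    print(authorize(link, "203.0.113.7", now=1_000_400))   # after the window
```

Two points worth noting about the design. The issue time in `random_key` is readable by anyone who holds the link, because base64 is an encoding; that is fine here because the value is covered by the signature, and the patent's symmetric-encryption variant only adds confidentiality, not integrity. Binding the signature to the client IP implements the patent's check 3, but clients behind carrier-grade NAT or moving between networks can change address inside the window, and a link remains replayable from the same address until it expires; a deployment that needs single-use links would put a nonce in `random_key` and have the verification server remember consumed nonces. The example also signs the canonical target URL, so a valid `sign` cannot be transplanted onto a different path or query; the patent's text lists only the random parameter and the source-system identification as signature inputs, so check that point in any real implementation.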
The foregoing shows and describes the general principles, essential features, and advantages of the invention. It will be understood by those skilled in the art that the present invention is not limited to the embodiments described above, which are given by way of illustration of the principles of the present invention, and that various changes and modifications may be made without departing from the spirit and scope of the invention as defined by the appended claims. The scope of the invention patent claims is defined by the appended claims and their equivalents.

Claims (1)

1. A method for secure pseudo login between systems, characterized in that it comprises the following steps:
a user triggers access to a target-system URL in a source system; the source system takes the URL as a request parameter and sends a request to a signature generation and verification server to obtain the final request address URL';
the signature generation and verification server appends a random parameter and a signature field to the original URL to produce URL', where the random parameter field carries the time of the original request;
the URL conversion by which the signature generation and verification server produces URL' is as follows:
1) the random parameter is the server's current time, or an encrypted encoding of it; if an encrypted encoding is used, a symmetric encryption algorithm is applied;
2) the signature parameter is generated from the random parameter value of step 1) and the source system identification information by a one-way algorithm that cannot be reversed;
3) the random parameter of step 1) and the signature parameter field of step 2) are appended to the original URL;
the source system initiates a network request with URL';
the target system parses the parameters of URL', extracts the random parameter and the signature field, and performs the following verification:
1) the target system checks, from the server's current time and the original request time, whether the link has timed out and is invalid; the random_key and sign parameters are appended to the original URL and an HTTP request is sent to the target system, the target system uses the difference between the current time and the initial request time to check whether the link has timed out, and random_key is the base64_encode value of the initial request time;
2) the target system takes URL' as a request parameter, sends a request to the signature generation and verification server, and verifies that URL' is valid;
3) the target system checks the consistency of the request source using the combined identification of the user IP address and the initial request time;
after all three checks pass, the target system authorizes display of the page content, realizing link expiry and secure login;
and the signature generation and verification server centrally controls the generation and verification of the random parameter, hides the algorithm details from the source system and the target system, and prevents URL forgery.

Priority Applications / Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN201810256417.2A | 2018-03-27 | 2018-03-27 | Inter-system secure pseudo login method

Publications (2)

Publication Number | Publication Date
CN108989276A | 2018-12-11
CN108989276B (grant) | 2021-09-28

Family

ID=64541764

Family Applications (1)

Application Number | Title | Priority Date | Filing Date | Status
CN201810256417.2A | Inter-system secure pseudo login method | 2018-03-27 | 2018-03-27 | Active (CN108989276B)

Country Status (1)

Country | Link
CN | CN108989276B

Citations (6)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
EP1368722A2 * | 2000-11-09 | 2003-12-10 | International Business Machines Corporation | Method and system for web-based cross-domain single-sign-on authentication
CN1308870C * | 1999-09-24 | 2007-04-04 | 城市集团发展中心有限公司 | Method and system for visiting several servers in www network by a user for registration once only
CN102006271A * | 2008-09-02 | 2011-04-06 | F2威尔股份有限公司 | IP address secure multi-channel authentication for online transactions
CN102420808A * | 2011-06-30 | 2012-04-18 | 南京中兴软创科技股份有限公司 | Method for realizing single sign-on on a telecom online business hall
CN103023933A * | 2011-09-22 | 2013-04-03 | 北京尚良楷诚网络技术有限公司 | Login information integrated processing system and method
CN105656926A * | 2016-02-23 | 2016-06-08 | 浪潮通用软件有限公司 | System integration method based on token ring security certification technology

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
JP4604253B2 * | 2007-12-21 | 2011-01-05 | Necビッグローブ株式会社 | Web page safety judgment system
US10348730B2 * | 2015-12-28 | 2019-07-09 | International Business Machines Corporation | Reducing complexities of authentication and authorization for enterprise web-based social applications

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant