CN109379369A - Single-point logging method, device, server and storage medium - Google Patents


Info

Publication number: CN109379369A
Authority: CN (China)
Prior art keywords: target, application, token, access request, destination address
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201811333618.4A
Other languages: Chinese (zh)
Inventor: 时文涛
Current assignee: Ping An Life Insurance Company of China Ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Ping An Life Insurance Company of China Ltd
Application filed by Ping An Life Insurance Company of China Ltd
Priority to CN201811333618.4A
Publication of CN109379369A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network
    • H04L 63/0807 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network using tickets, e.g. Kerberos
    • H04L 63/0815 Network architectures or network communication protocols for network security for supporting authentication of entities communicating through a packet data network providing single-sign-on or federations
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L 63/108 Network architectures or network communication protocols for network security for controlling access to network resources when the policy decisions are valid for a limited amount of time

Abstract

A single sign-on method comprises: receiving a login request, sent by a client, for logging in to a portal system, where the portal system is associated with at least one application system; generating a target token and setting a validity period for the target token; receiving an access request, sent by the client, for accessing any target application system among the at least one application system; verifying the access request; and, when the access request passes verification, allowing access to the target application system. The invention also provides a single sign-on device, a server and a storage medium. The invention implements single sign-on across multiple subsystems, acting like a security tool, so that any application system in the portal system can be logged in to without repeatedly entering a username and password.

Description

Single-point logging method, device, server and storage medium
Technical field
The present invention relates to the field of mobile communication technology, and in particular to a single sign-on method, device, server and storage medium.
Background
An enterprise information portal system, as the basic platform of an enterprise's internal portal, is mainly used to integrate existing business systems, data resources and human resources, to aggregate information (data) in a reasonable way, and to provide a unified entry point for users and systems through which the information resources integrated in the portal platform are accessed. This puts resources to effective use, extracts more value from the enterprise's existing resources and improves productivity.
In the prior art, when a user logs in to an application system within the portal system, the user must enter authentication information such as the username and password of that application system before being logged in to it. For example, suppose enterprise A contains application system 1, application system 2 and application system 3. To log in to application system 1 the user must enter the username and password for application system 1; to log in to application system 2, the username and password for application system 2; and to log in to application system 3, the username and password for application system 3. This is cumbersome and gives a poor user experience.
Summary of the invention
In view of the above, it is necessary to propose a single sign-on method, device, server and storage medium that implement single sign-on across multiple subsystems, so that any application system in the portal system can be logged in to without repeatedly entering a username and password.
A first aspect of the present invention provides a single sign-on method, the method comprising:
receiving a login request, sent by a client, for logging in to a portal system, where the portal system is associated with at least one application system;
generating a target token and setting a validity period for the target token;
receiving an access request, sent by the client, for accessing any target application system among the at least one application system;
verifying the access request; and
when the access request passes verification, allowing access to the target application system.
Preferably, the login request includes the destination address of any target application system among the at least one application system.
Preferably, the access request includes a target token to be authenticated, the API account corresponding to the target application system, and the destination address of the target application system.
Preferably, the access request is verified by verifying the target token to be authenticated, the target application system and the destination address of the target application system;
when the target token to be authenticated, the target application system and the destination address of the target application system all pass verification, the access request is confirmed as verified;
when any one of the target token to be authenticated, the target application system and the destination address of the target application system fails verification, the access request is confirmed as failing verification.
Preferably, the target token to be authenticated is verified by confirming whether it is consistent with the generated target token and whether it is within the validity period;
when the target token to be authenticated is consistent with the generated target token and is within the validity period, the target token to be authenticated is confirmed as verified;
when the target token to be authenticated is inconsistent with the generated target token, or is not within the validity period, the target token to be authenticated is confirmed as failing verification;
it is judged whether the API account corresponding to the target application system exists in a database;
when the API account corresponding to the target application system is present in the database, the target application system is confirmed as verified;
when the API account corresponding to the target application system is not present in the database, the target application system is confirmed as failing verification;
it is confirmed whether the destination address of the target application system in the access request is consistent with the destination address of the target application system in the login request;
when the destination address of the target application system in the access request is consistent with the destination address of the target application system in the login request, the destination address of the target application system is confirmed as verified;
when the destination address of the target application system in the access request is inconsistent with the destination address of the target application system in the login request, the destination address of the target application system is confirmed as failing verification.
Preferably, the method further comprises:
when any one of the target token to be authenticated, the target application system and the destination address of the target application system fails verification, confirming that the access request fails verification and denying access to the application system.
Preferably, when the login request passes verification and after the client is allowed to access the target application system, the method comprises removing the target token.
A second aspect of the present invention provides a single sign-on device, the device comprising:
a receiving module, for receiving a login request, sent by a client, for logging in to a portal system, where the portal system is associated with at least one application system;
a generation module, for generating a target token and setting a validity period for the target token;
the receiving module being further used to receive an access request, sent by the client, for accessing any target application system among the at least one application system, where the access request includes a target token to be authenticated and the API account corresponding to the target application system;
an authentication module, for verifying the access request; and
a processing module, for allowing access to the target application system when the access request passes verification.
A third aspect of the present invention provides a server comprising a processor and a memory, the processor implementing the single sign-on method when executing a computer program stored in the memory.
A fourth aspect of the present invention provides a computer-readable storage medium on which a computer program is stored, the computer program implementing the single sign-on method when executed by a processor.
The single sign-on method, device, system and storage medium of the present invention control secure single sign-on access through a token mechanism and implement single sign-on across multiple subsystems, so that any application system in the portal system can be logged in to without repeatedly entering a username and password. This guards single sign-on access against replay attacks and, through encryption, ensures that link information is not leaked; it greatly reduces the workload of secondary development, shortens the development cycle, ensures that access is secure and reliable, lowers operation and maintenance costs, and allows rapid rollout.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description are only embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the single sign-on method provided by Embodiment one of the present invention.
Fig. 2 is a functional block diagram of a preferred embodiment of the single sign-on device provided by Embodiment two of the present invention.
Fig. 3 is a schematic diagram of the server provided by Embodiment three of the present invention.
The present invention is further explained below with reference to the above drawings.
Detailed description
To make the objects, features and advantages of the present invention clearer, the present invention is described in detail below with reference to the drawings and specific embodiments. It should be noted that, where there is no conflict, the embodiments of the present invention and the features in the embodiments may be combined with each other.
Numerous specific details are set forth in the following description to facilitate a full understanding of the present invention; the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of the present invention. The terms used in the specification of the present invention are only for the purpose of describing specific embodiments and are not intended to limit the present invention.
The terms "first", "second" and "third" in the specification, claims and drawings are used to distinguish different objects, not to describe a particular order. In addition, the term "comprise" and any variants of it are intended to cover non-exclusive inclusion: a process, method, system, product or device that comprises a series of steps or units is not limited to the listed steps or units, but may optionally include steps or units that are not listed, or steps or units inherent to the process, method, product or device.
The single sign-on method of the embodiments of the present invention is applied in a hardware environment consisting of at least one server and a client connected to the server through a network. The network includes but is not limited to a wide area network, a metropolitan area network or a local area network. The single sign-on method of the embodiments may be executed by the server, by the client, or jointly by the server and the client. The server is a device that can automatically perform numerical computation and/or information processing according to preset or stored instructions; its hardware includes but is not limited to a microprocessor, an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), an embedded device and the like.
A server that needs to perform the single sign-on method may directly integrate the single sign-on function provided by the method of the present invention, or install a client that implements the method of the present invention. As another example, the method provided by the present invention may run on a server or other device in the form of a Software Development Kit (SDK), exposing an interface to the single sign-on function; the server or other device then implements single sign-on through the interface provided.
Embodiment one
Fig. 1 is a flow chart of the single sign-on method provided by Embodiment one of the present invention. The order of execution in the flow chart may be changed and certain steps may be omitted according to different requirements.
S01: receive a login request, sent by a client, for logging in to a portal system, where the portal system is associated with at least one application system.
For example, the portal system may be the enterprise portal that an informatised enterprise typically has: a Web-based software platform that integrates different applications, business processes, back-end systems, services, information and knowledge into a single window. The portal system can be regarded as a self-manageable collection of resources. The portal system is associated with at least one application system; an application system mainly provides users with the various applications used in daily work, and is therefore tied to the actions users take in their work. The at least one application system may be a mail system, an office automation system, a line-of-business application system, an archive management system and the like, all of which are associated with the portal system through a unified integration technology. In the prior art, information cannot be shared between the portal system and the individual application systems; sharing has to be achieved through separate technical solutions.
In this embodiment, the portal system may provide a login entry and an authentication interface through which the user logs in to the portal system via the client.
The login entry receives the username and password entered by the user.
The authentication interface is an API interface.
The login request includes at least the username and password and the destination address of any target application system among the at least one application system.
In this embodiment, before the portal system receives the login request sent by the client, the single sign-on method further includes a step of establishing a communication connection between the portal system and the client. The communication connection may be wired or wireless.
S02: generate a target token and set a validity period for the target token.
In this embodiment, the target token may be a Token, and a validity period can be set for the Token.
In this embodiment, the single sign-on method further includes a step of storing the target token in the browser's local storage (localStorage).
In this embodiment, localStorage can only store data in key-value pair form, and both key and value can only be stored as strings; therefore, when the target token is stored in the browser's localStorage, a fixed key such as lops_token can be used.
When the target token has been held for longer than its validity period, the target token is an invalid token. The client cannot use an invalid token to access the application systems associated with the portal system.
In this embodiment, the validity period of the target token can be set to, for example, 6 hours. If the target token has been held for longer than the validity period, the user corresponding to the target token is directly forbidden from accessing the application systems associated with the portal system, without performing subsequent verification.
Preferably, the single sign-on method further includes a step of encrypting the login request.
Specifically, most data communicated over HTTP is unencrypted plaintext, including the login request, return values, the target token, cookies and headers. By monitoring the communication channel, an outsider can therefore learn the format of both the request (client) and the response (portal system), forge requests and responses, and modify or steal all kinds of information. The information exchanged in each login request therefore also needs to be protected with cryptographic algorithms to keep the interaction secure. The cryptographic algorithms include digest algorithms (such as MD5 and SHA-1), symmetric encryption algorithms (such as DES and AES) and asymmetric encryption algorithms (such as RSA).
S03: receive an access request, sent by the client, for accessing the target application system, where the access request includes a target token to be authenticated and the API account corresponding to the target application system.
The application system is a subsystem that relies on the portal system's authentication. When the user accesses the application system, an access request is generated: the Token value is read from localStorage using the key lops_token and injected into the request header of the request. For example, the access request carries {"Authorization": "744e88bd3cc9f29e7bbe955f15fa4e6c915bc8eb"}.
In this embodiment, to improve security, a corresponding API account may also be established for each of the at least one application system. When the client accesses the target application system, it is then necessary to judge whether the API account corresponding to the target application system exists in a database that stores all pre-established API accounts. If the API account corresponding to the target application system is present in the database, the target application system is a legitimate application system. By establishing an API account for each application system, the legitimacy of an application system can be determined from these registered API accounts, which prevents illegitimate application systems from stealing the data of legitimate application systems or users' identity information and so effectively protects data security.
It will be understood that the access request further includes the destination address of the target application system.
S04: verify the access request.
In this embodiment, the access request is verified by verifying the target token to be authenticated, the target application system and the destination address. When the target token to be authenticated, the target application system and the destination address all pass verification, the access request is confirmed as verified; when any one of them fails verification, the access request is confirmed as failing verification.
Specifically, first, the target token to be authenticated is verified by confirming whether it is consistent with the generated target token and whether it is within the validity period. When the target token to be authenticated is consistent with the generated target token and is within the validity period, it is confirmed as verified; when it is inconsistent with the generated target token, or is not within the validity period, it is confirmed as failing verification.
Second, it is judged whether the API account corresponding to the target application system exists in the database. When the API account corresponding to the target application system is present in the database, the target application system is confirmed as verified; when it is not present in the database, the target application system is confirmed as failing verification.
Third, it is confirmed whether the destination address in the access request is consistent with the destination address in the login request. When the destination address in the access request is consistent with the destination address in the login request, the destination address is confirmed as verified; when they are inconsistent, the destination address is confirmed as failing verification.
S05: when the access request passes verification, allow access to the target application system.
In this embodiment, when the access request passes verification, the target application system is accessed according to the destination address.
In this embodiment, the single sign-on method further includes, when the login request passes verification and after the client is allowed to access the target application system, a step of removing the target token. The same target token permits only one login and cannot be reused, which prevents an illegitimate user from logging in to an application system with a target token that has already been used and so safeguards the security of each application system.
S06: when the access request fails verification, deny access to the application system.
In summary, the single sign-on method provided by the present invention comprises: receiving a login request, sent by a client, for logging in to a portal system, where the portal system is associated with at least one application system; generating a target token and setting a validity period for the target token; receiving an access request, sent by the client, for accessing any target application system among the at least one application system, where the access request includes a target token to be authenticated and the API account corresponding to the target application system; verifying the access request; and, when the access request passes verification, allowing access to the target application system. The present invention controls secure single sign-on access through a token mechanism and implements single sign-on across multiple subsystems, so that any target application system in the portal system can be logged in to without repeatedly entering a username and password. This guards single sign-on access against replay attacks and, through encryption, ensures that link information is not leaked; it greatly reduces the workload of secondary development, shortens the development cycle, ensures that access is secure and reliable, lowers operation and maintenance costs, and allows rapid rollout.
The above are only specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; those skilled in the art can make improvements without departing from the concept of the present invention, and these all fall within the scope of protection of the present invention.
The functional modules and hardware structure of the electronic device that implements the above single sign-on method are introduced below with reference to Figs. 2 and 3.
Embodiment two
Fig. 2 is a functional block diagram of a preferred embodiment of the single sign-on device of the present invention.
In some embodiments, the single sign-on device 20 runs in a terminal device. The single sign-on device 20 may comprise a plurality of functional modules made up of program code segments. The program code of each program segment in the single sign-on device 20 can be stored in a memory and executed by at least one processor to perform the single sign-on function (see Fig. 1 and its description).
In this embodiment, the single sign-on device 20 can be divided into a plurality of functional modules according to the functions it performs. The functional modules may include: a receiving module 201, a generation module 202, an authentication module 203 and a processing module 204. A module in the sense of the present invention is a series of computer program code segments, stored in the memory, that can be executed by at least one processor and that complete a fixed function. In some embodiments, the function of each module is described in detail in the subsequent embodiments.
The receiving module 201 is used to receive the logging request of the login gate system of client transmission, wherein the door At least one application system of family system relationship.
For example, the gate system can be the enterprise portal that informatization enterprise generally includes, the gate system It is a kind of based on Web, different application, different business process, different back-end systems, different services and information, difference is known The contents such as knowledge are integrated into the powerful soft ware platform in property window one by one.The gate system may be considered One itself manageable resource set is fit.The gate system is associated at least one application system, and the application system is main For providing the types of applications used in routine work for user, such application is related to the action of user, exists for user Application system used in routine work.At least one described application system can be mailing system, the office automation system, specially Industry business application system, archives economy etc., these application systems all pass through unified integrated technology and are associated in gate system.It is existing Have in technology, the gate system can not be shared with the information in each application system, need to realize by different technical solutions Information sharing.
In the present embodiment, the gate system can provide a logentry and an authentication interface and pass through visitor for user Family end logs in the gate system.
The logentry can receive the username and password of user's input.
The authentication interface is api interface.
The logging request includes at least any mesh in the username and password and at least one described application system Mark the destination address of application system.
In the present embodiment, the single-point logging method gate system receive client send logging request it Before, further include the steps that the communication connection established between the gate system and client.The communication connection can be wired Connection, is also possible to be wirelessly connected.
The generation module 202 is configured to generate a target token and set the validity period of the target token.
In this embodiment, the target token may be a Token, and the Token may be given a validity period.
In this embodiment, the single sign-on method further includes the step of storing the target token in the browser's local storage (localStorage).
In this embodiment, localStorage can only store data in key-value pair form, and both the key and the value can only be stored as strings; therefore, once the target token has been stored in the browser's local storage, it is available under a fixed key, such as lops_token.
When the target token has been held for longer than its validity period, the target token is an invalid token. The client cannot access the application systems associated with the portal system using an invalid token.
In this embodiment, the validity period of the target token can be set, for example, to 6 hours. If the target token has been held for longer than the validity period, no subsequent verification is performed, and the user corresponding to the target token is directly forbidden from accessing the application systems associated with the portal system.
Preferably, the single sign-on method further includes the step of encrypting the login request.
Specifically, since the data communicated over the HTTP protocol is mostly unencrypted plaintext, including the login request, return values, the target token, cookies, headers and other data, an outside party can, by monitoring the communication channel, forge requests and responses according to the format used by the two sides (the client's request and the portal system's response), and modify or steal various information. Therefore, the interactive information involved in each login request process also needs to be encrypted by an encryption algorithm to guarantee the safety of the interaction. The encryption algorithms include digest algorithms (such as MD5 and SHA1), symmetric encryption algorithms (such as DES and AES) and asymmetric encryption algorithms (such as RSA).
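The following is an added example, not code from the patent or its applicant, of the forgery-and-modification check the paragraph above motivates. It assumes a shared key known to both client and portal and uses a keyed digest (HMAC-SHA256) rather than a bare MD5 or SHA1 digest, because an unkeyed digest over data visible on the channel can simply be recomputed by whoever modifies that data; the login request, key and addresses are constructed sample values. Confidentiality of the payload itself (the AES or RSA part of the description) is left to a transport such as TLS and not shown here.

```python
import hashlib
import hmac
import json

# Constructed sample login request (not from the patent): the username,
# password and destination address that the description says a login
# request carries.
SAMPLE_LOGIN_REQUEST = {
    "username": "alice",
    "password": "correct-horse-battery",
    "destination": "https://mail.example.internal/",
}

# Constructed shared key (assumption): provisioned to both client and portal
# out of band; it never travels over the channel being protected.
SHARED_KEY = b"constructed-shared-key-for-demo-only"


def canonical_bytes(body):
    """Serialize the body identically on both sides so the digest is reproducible."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_request(key, body):
    """Attach a keyed digest (HMAC-SHA256) computed over the canonical body."""
    mac = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_request(key, envelope):
    """Recompute the digest under the portal's key; compare in constant time."""
    expected = hmac.new(key, canonical_bytes(envelope["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("mac", ""))


def demo():
    """Return (intact_ok, modified_ok, forged_ok) for the three cases below."""
    envelope = sign_request(SHARED_KEY, SAMPLE_LOGIN_REQUEST)
    intact_ok = verify_request(SHARED_KEY, envelope)

    # Case 1: an observer rewrites the destination address but keeps the old MAC.
    modified = {
        "body": dict(envelope["body"], destination="https://other.example.internal/"),
        "mac": envelope["mac"],
    }
    modified_ok = verify_request(SHARED_KEY, modified)

    # Case 2: a forged request signed under a guessed key.
    forged = sign_request(b"guessed-key", SAMPLE_LOGIN_REQUEST)
    forged_ok = verify_request(SHARED_KEY, forged)

    return intact_ok, modified_ok, forged_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The canonical serialization matters: if client and portal serialized the JSON with different key order or whitespace, a legitimate request would fail the check, so both sides must agree on the exact byte form before the digest is computed.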
The receiving module 201 is further configured to receive an access request, sent by the client, for accessing the target application system, wherein the access request includes the target token to be authenticated and the API account corresponding to the target application system.
The application system is a subsystem that relies on the portal system's authentication. When accessing the application system, the user generates an access request: the Token value is obtained from localStorage under the key lops_token and injected into the request header of the request. For example, the access request is {"Authorization": "744e88bd3cc9f29e7bbe955f15fa4e6c915bc8eb"}.
In this embodiment, to improve security, a corresponding API account may also be established for each of the at least one application system. In this way, when the client accesses the target application system, it is necessary to judge whether the API account corresponding to the target application system exists in a database in which all pre-established API accounts are stored. When the API account corresponding to the target application system exists in the database, the target application system is a legitimate application system. By establishing a corresponding API account for each application system, the legitimacy of the corresponding application system can be determined from these established legitimate API accounts, so that an illegitimate application system is prevented from stealing the data information of legitimate application systems and the identity information of users, and the security of the data can be effectively protected.
It can be understood that the access request further includes the destination address of the target application system.
The authentication module 203 is configured to verify the access request.
In this embodiment, the access request is verified by verifying the target token to be authenticated, the target application system and the destination address. When the target token to be authenticated, the target application system and the destination address all pass verification, the access request is confirmed as verified; when any one of the target token to be authenticated, the target application system and the destination address fails verification, the access request is confirmed as failing verification.
Specifically, first, the target token to be authenticated is verified by confirming whether it is consistent with the generated target token and whether it is within the validity period. When the target token to be authenticated is consistent with the generated target token and is within the validity period, the target token to be authenticated is confirmed as verified; when the target token to be authenticated is inconsistent with the generated target token, or is not within the validity period, the target token to be authenticated is confirmed as failing verification.
Secondly, it is judged whether the API account corresponding to the target application system exists in the database. When the API account corresponding to the target application system exists in the database, the target application system is confirmed as verified; when the API account corresponding to the target application system does not exist in the database, the target application system is confirmed as failing verification.
Thirdly, it is confirmed whether the destination address in the access request is consistent with the destination address in the login request. When the destination address in the access request is consistent with the destination address in the login request, the destination address is confirmed as verified; when the destination address in the access request is inconsistent with the destination address in the login request, the destination address is confirmed as failing verification.
The processing module 204 is configured to allow access to the target application system when the access request passes verification.
In this embodiment, when the access request passes verification, the target application system is accessed according to the destination address.
In this embodiment, the single sign-on method further includes, after the login request passes verification and the client is allowed to access the target application system, the step of clearing the target token. The same target token is used for only one login and cannot be reused, which prevents an illegitimate user from logging in to an application system with a target token that has already been used and ensures the security of each application system.
The processing module 204 is further configured to refuse access to the application system when the access request fails verification.
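The token lifecycle described across the paragraphs above (issue with a 6-hour validity period, check token, API account and destination address in that order, clear the token after a successful access, refuse otherwise) as an added server-side example; this is not the patent's or the applicant's code. The user table, API-account set (standing in for database 31), the Authorization header carrying the token, the fake clock and all addresses are constructed assumptions; the token is generated with `secrets.token_hex(20)` so that it has the same 40-hex-character shape as the sample token on the page.

```python
import secrets
import time

# Validity period from the description: 6 hours.
TOKEN_TTL_SECONDS = 6 * 3600

# Constructed sample data (not from the patent): portal user credentials and the
# pre-established API accounts that stand in for database 31.
USERS = {"alice": "correct-horse-battery"}
API_ACCOUNTS = {"mail-system-api", "oa-system-api"}


class PortalSSO:
    """Server-side token lifecycle: issue on login, verify on access, clear after use."""

    def __init__(self, users, api_accounts, clock=time.time):
        self._users = dict(users)
        self._api_accounts = set(api_accounts)
        self._clock = clock  # injectable so expiry can be tested deterministically
        # token -> (expiry timestamp, destination address given in the login request)
        self._sessions = {}

    def login(self, username, password, destination):
        """Return a fresh target token, or None if the credentials are wrong."""
        if self._users.get(username) != password:
            return None
        token = secrets.token_hex(20)  # 40 hex characters, like the sample token on the page
        self._sessions[token] = (self._clock() + TOKEN_TTL_SECONDS, destination)
        return token

    def verify_access(self, headers, api_account, destination):
        """Check an access request in the order the description gives.

        Returns (allowed, reason). A successful check consumes the token so that
        the same token cannot be presented a second time.
        """
        token = headers.get("Authorization")
        session = self._sessions.get(token)
        if session is None:
            return False, "token_invalid"          # not a token this portal issued
        expires_at, login_destination = session
        if self._clock() > expires_at:
            del self._sessions[token]              # expired: stop here, no further checks
            return False, "token_expired"
        if api_account not in self._api_accounts:
            return False, "api_account_unknown"    # application system not legitimate
        if destination != login_destination:
            return False, "destination_mismatch"   # request aimed somewhere else
        del self._sessions[token]                  # single use: clear after success
        return True, "ok"


class FakeClock:
    """Constructed clock so the expiry path can be exercised without waiting."""

    def __init__(self, now=1_700_000_000.0):
        self.now = now

    def __call__(self):
        return self.now


def demo():
    """Run the main accept/reject paths and return their outcomes by name."""
    clock = FakeClock()
    sso = PortalSSO(USERS, API_ACCOUNTS, clock)
    dest = "https://mail.example.internal/"
    results = {}

    token = sso.login("alice", "correct-horse-battery", dest)
    headers = {"Authorization": token}
    results["wrong_destination"] = sso.verify_access(headers, "mail-system-api", "https://other.example.internal/")
    results["unknown_api_account"] = sso.verify_access(headers, "rogue-api", dest)
    results["forged_token"] = sso.verify_access({"Authorization": "f" * 40}, "mail-system-api", dest)
    results["first_use"] = sso.verify_access(headers, "mail-system-api", dest)
    results["replay"] = sso.verify_access(headers, "mail-system-api", dest)

    token2 = sso.login("alice", "correct-horse-battery", dest)
    clock.now += TOKEN_TTL_SECONDS + 1
    results["expired"] = sso.verify_access({"Authorization": token2}, "mail-system-api", dest)
    results["bad_password"] = sso.login("alice", "wrong-password", dest)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two details follow the description rather than being incidental: an expired token short-circuits before the API-account and address checks, and the token is deleted only on the success path, so a request that fails the address check does not burn the token but a second presentation of an accepted token is rejected as unknown.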
In summary, the single sign-on device 20 provided by the present invention includes a receiving module 201, a generation module 202, an authentication module 203 and a processing module 204. The receiving module 201 is configured to receive a login request, sent by a client, for logging in to the portal system, wherein the portal system is associated with at least one application system; the generation module 202 is configured to generate a target token and set the validity period of the target token; the receiving module 201 is further configured to receive an access request, sent by the client, for accessing any target application system among the at least one application system, wherein the access request includes the target token to be authenticated and the API account corresponding to the target application system; the authentication module 203 is configured to verify the access request; and the processing module 204 is configured to allow access to the target application system when the access request passes verification. The present invention controls secure single sign-on access through a token mechanism, can implement the single sign-on function across multiple subsystems, and allows logging in to any target application system in the portal system without repeatedly entering the username and password. It guarantees that single sign-on access resists replay attacks, further guarantees through encryption that link information is not leaked, greatly reduces the workload of secondary development, shortens the development cycle, guarantees safe and reliable access, reduces operation and maintenance cost, and can be brought online quickly.
The above integrated unit implemented in the form of a software function module may be stored in a computer-readable storage medium. The above software function module is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a dual-screen device, a network device, etc.) or a processor to execute part of the method of each embodiment of the present invention.
Embodiment three
Fig. 3 is a schematic diagram of the server provided by embodiment three of the present invention.
The server 3 includes: a database 31, a memory 32, at least one processor 33, a computer program 34 stored in the memory 32 and runnable on the at least one processor 33, and at least one communication bus 35.
The at least one processor 33 implements the steps in the above single sign-on method embodiment when executing the computer program 34.
Illustratively, the computer program 34 may be divided into one or more modules/units, which are stored in the memory 32 and executed by the at least one processor 33 to complete the present invention. The one or more modules/units may be a series of computer program instruction segments capable of completing specific functions, the instruction segments being used to describe the execution process of the computer program 34 in the server 3.
The server 3 is a device capable of automatically performing numerical calculation and/or information processing according to preset or stored instructions; its hardware includes, but is not limited to, a microprocessor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a digital signal processor (DSP), an embedded device, etc. Those skilled in the art can understand that the schematic diagram of Fig. 3 is only an example of the server 3 and does not constitute a limitation on the server 3; the server may include more or fewer components than illustrated, combine certain components, or have different components. For example, the server 3 may also include input/output devices, network access devices, buses, etc.
The database 31 is a warehouse built on the server 3 that organizes, stores and manages data according to a data structure. Databases are generally divided into three kinds: hierarchical databases, network databases and relational databases. In this embodiment, the database 31 is used to store the API accounts of the application systems.
The at least one processor 33 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc. The processor 33 may be a microprocessor, or the processor 33 may be any conventional processor; the processor 33 is the control center of the server 3 and connects the various parts of the entire server 3 through various interfaces and lines.
The memory 32 may be used to store the computer program 34 and/or the modules/units; the processor 33 implements the various functions of the server 3 by running or executing the computer program and/or modules/units stored in the memory 32 and calling the data stored in the memory 32. The memory 32 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system and the application programs required by at least one function (for example, a sound playback function, an image playback function, etc.), and the data storage area may store data created according to the use of the server 3 (such as audio data, a phone book, etc.). In addition, the memory 32 may include a high-speed random access memory and may also include a non-volatile memory, such as a hard disk, memory, a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card, a flash card, at least one magnetic disk storage device, a flash memory device, or another volatile solid-state storage device.
Program code is stored in the memory 32, and the at least one processor 33 can call the program code stored in the memory 32 to execute the relevant functions. For example, the modules described in Fig. 3 are program code stored in the memory 32 and executed by the at least one processor 33 to implement the functions of the modules and achieve the purpose of single sign-on.
If the integrated modules/units of the server 3 are implemented in the form of software functional units and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, all or part of the processes in the methods of the above embodiments of the present invention may also be completed by instructing relevant hardware through a computer program; the computer program may be stored in a computer-readable storage medium and, when executed by a processor, can implement the steps of each of the above method embodiments. The computer program includes computer program code, which may be in source code form, object code form, an executable file, or some intermediate form. The computer-readable medium may include: any entity or device capable of carrying the computer program code, a recording medium, a USB flash drive, a removable hard disk, a magnetic disk, an optical disc, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal, a software distribution medium, etc. It should be noted that the content contained in the computer-readable medium may be appropriately increased or decreased according to the requirements of legislation and patent practice in the jurisdiction; for example, in certain jurisdictions, according to legislation and patent practice, the computer-readable medium does not include electrical carrier signals and telecommunication signals.
Although not shown, the server 3 may also include a power supply (such as a battery) that powers the various components; preferably, the power supply may be logically connected to the at least one processor 33 through a power management system, so that functions such as charging, discharging and power consumption management are implemented through the power management system. The power supply may also include one or more DC or AC power sources, a recharging system, a power failure detection circuit, a power adapter or inverter, a power status indicator, or any other component. The server 3 may also include a Bluetooth module, a Wi-Fi module, etc., which are not described here.
It should be understood that the embodiment is only for illustration, and the patent claims are not limited to this structure.
In the several embodiments provided by the present invention, it should be understood that the disclosed electronic device and method may be implemented in other ways. For example, the electronic device embodiments described above are only illustrative; for example, the division of the units is only a logical function division, and there may be other division manners in actual implementation.
In addition, the functional units in each embodiment of the present invention may be integrated in the same processing unit, or each unit may exist physically alone, or two or more units may be integrated in the same unit. The above integrated units may be implemented in the form of hardware or in the form of hardware plus software function modules.
It is obvious to those skilled in the art that the invention is not limited to the details of the above exemplary embodiments and that the invention can be implemented in other specific forms without departing from the spirit or essential attributes of the invention. Therefore, from whichever point of view, the embodiments should be regarded as illustrative and not restrictive, and the scope of the invention is defined by the appended claims rather than by the above description; it is intended that all changes falling within the meaning and scope of equivalents of the claims are included in the invention. Any reference signs in the claims should not be construed as limiting the claims involved. In addition, it is clear that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a system claim may also be implemented by one unit or device through software or hardware. Words such as first and second are used to denote names and do not indicate any particular order.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solution of the present invention and not to limit it; although the present invention has been described in detail with reference to preferred embodiments, those skilled in the art should understand that the technical solution of the present invention may be modified or equivalently replaced without departing from the spirit and scope of the technical solution of the present invention.

Claims (10)

1. A single sign-on method applied to a server, characterized in that the method includes:
receiving a login request, sent by a client, for logging in to a portal system, wherein the portal system is associated with at least one application system;
generating a target token and setting the validity period of the target token;
receiving an access request, sent by the client, for accessing any target application system among the at least one application system;
verifying the access request; and
when the access request passes verification, allowing access to the target application system.
2. The single sign-on method according to claim 1, characterized in that the login request includes the destination address of any target application system among the at least one application system.
3. The single sign-on method according to claim 2, characterized in that the access request includes: a target token to be authenticated, an API account corresponding to the target application system and a destination address of the target application system.
4. The single sign-on method according to claim 3, characterized in that the access request is verified by verifying the target token to be authenticated, the target application system and the destination address of the target application system;
when the target token to be authenticated, the target application system and the destination address of the target application system all pass verification, the access request is confirmed as verified;
when any one of the target token to be authenticated, the target application system and the destination address of the target application system fails verification, the access request is confirmed as failing verification.
5. The single sign-on method according to claim 4, characterized in that:
the target token to be authenticated is verified by confirming whether it is consistent with the generated target token and whether it is within the validity period;
when the target token to be authenticated is consistent with the generated target token and is within the validity period, the target token to be authenticated is confirmed as verified;
when the target token to be authenticated is inconsistent with the generated target token, or is not within the validity period, the target token to be authenticated is confirmed as failing verification;
it is judged whether the API account corresponding to the target application system exists in a database;
when the API account corresponding to the target application system exists in the database, the target application system is confirmed as verified;
when the API account corresponding to the target application system does not exist in the database, the target application system is confirmed as failing verification;
it is confirmed whether the destination address of the target application system in the access request is consistent with the destination address of the target application system in the login request;
when the destination address of the target application system in the access request is consistent with the destination address of the target application system in the login request, the destination address of the target application system is confirmed as verified;
when the destination address of the target application system in the access request is inconsistent with the destination address of the target application system in the login request, the destination address of the target application system is confirmed as failing verification.
6. The single sign-on method according to claim 4, characterized in that the method further includes:
when any one of the target token to be authenticated, the target application system and the destination address of the target application system fails verification, confirming that the access request fails verification and refusing access to the application system.
7. The single sign-on method according to claim 1, characterized in that after the login request passes verification and the client is allowed to access the target application system, the method includes clearing the target token.
8. A mobile terminal single sign-on device, characterized in that the device includes:
a receiving module, configured to receive a login request, sent by a client, for logging in to a portal system, wherein the portal system is associated with at least one application system;
a generation module, configured to generate a target token and set the validity period of the target token;
the receiving module being further configured to receive an access request, sent by the client, for accessing any target application system among the at least one application system;
an authentication module, configured to verify the access request; and
a processing module, configured to allow access to the target application system when the access request passes verification.
9. A server, characterized in that the server includes a processor and a memory, and the processor is configured to implement the single sign-on method according to any one of claims 1 to 7 when executing the computer program stored in the memory.
10. A computer-readable storage medium on which a computer program is stored, characterized in that the computer program, when executed by a processor, implements the single sign-on method according to any one of claims 1 to 7.
CN201811333618.4A 2018-11-09 2018-11-09 Single-point logging method, device, server and storage medium Pending CN109379369A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811333618.4A CN109379369A (en) 2018-11-09 2018-11-09 Single-point logging method, device, server and storage medium


Publications (1)

Publication Number Publication Date
CN109379369A true CN109379369A (en) 2019-02-22

Family

ID=65384211

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811333618.4A Pending CN109379369A (en) 2018-11-09 2018-11-09 Single-point logging method, device, server and storage medium

Country Status (1)

Country Link
CN (1) CN109379369A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109936579A (en) * 2019-03-21 2019-06-25 广东瑞恩科技有限公司 Single-point logging method, device, equipment and computer readable storage medium
CN109960924A (en) * 2019-03-04 2019-07-02 珠海格力电器股份有限公司 One subsystem login method, device, system and electronic equipment
CN110636057A (en) * 2019-09-10 2019-12-31 腾讯科技(深圳)有限公司 Application access method and device and computer readable storage medium
CN110704820A (en) * 2019-09-30 2020-01-17 北京金山云网络技术有限公司 Login processing method and device, electronic equipment and computer readable storage medium
CN110781485A (en) * 2019-11-07 2020-02-11 北京推想科技有限公司 Single sign-on method and device
CN110830493A (en) * 2019-11-14 2020-02-21 北京京航计算通讯研究所 Single sign-on implementation method based on intelligent enterprise portal
CN110826049A (en) * 2019-11-14 2020-02-21 北京京航计算通讯研究所 Single sign-on implementation system based on intelligent enterprise portal



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination