CN111064695A - Authentication method and authentication system - Google Patents
- Publication number: CN111064695A
- Application number: CN201811207753.4A
- Authority: CN (China)
- Prior art keywords: server, authentication, service server, authority, service
- Legal status: Pending
Classifications
- H04L63/0815: Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/0876: Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L67/141: Setup of application sessions
Abstract
The disclosure provides an authentication method and an authentication system, relates to the technical field of internet, and can solve the problem of how to manage the authority of a plurality of servers in a centralized manner on the premise of not reconstructing the existing servers. The specific technical scheme is as follows: an authentication method, comprising: the method comprises the steps that terminal equipment sends login information to a service server, wherein the login information comprises a target account and a login password; the service server forwards the login information to an authentication server; the authentication server verifies the login information; and the authentication server sends authorization information to the service server, wherein the authorization information is used for indicating the service server to provide corresponding function operation. The invention is used for realizing unified authentication.
Description
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to an authentication method and an authentication system.
Background
At present, for the consideration of information confidentiality and other factors, login authentication is required for entering various servers, as shown in fig. 1, users need to log in and log out one by one in the face of numerous servers, and the login authentication is very tedious. Therefore, centralized management of rights of a plurality of servers is a development trend in the art.
In the prior art, the centralized management of the permissions of a plurality of servers is realized by designing a permission management system standard in advance, and each server realizes the internal permission management of each server according to the designed permission management system standard. All the servers are based on the same standard, and based on the standard, the authority of the servers participating in centralized management can be identified and managed in a uniform mode so as to realize centralized management of the authority of multiple servers.
However, this approach has a problem: the servers participating in centralized management are built by different manufacturers, and for servers that are already built, all manufacturers must coordinate to reconstruct their respective servers according to the same permission management system standard, so the cost is huge and implementation is difficult.
Disclosure of Invention
The embodiment of the disclosure provides an authentication method and an authentication system, which can solve the problem how to manage the authority of a plurality of servers in a centralized manner on the premise of not reconstructing the existing servers. The technical scheme is as follows:
according to a first aspect of embodiments of the present disclosure, there is provided an authentication method including: the method comprises the steps that terminal equipment sends login information to a service server, wherein the login information comprises a target account and a login password; the service server forwards the login information to an authentication server; the authentication server verifies the login information; and the authentication server sends authorization information to the service server, wherein the authorization information is used for indicating the service server to provide corresponding function operation.
The disclosed embodiment provides an authentication method, which comprises an authentication server, wherein in the process of man-machine interaction, after a service server is connected with the authentication server, the login authentication and the authority giving work of the service server are completed by the authentication server. Each service server connected with the authentication server does not need to contain a certain standard or need to be reconstructed according to a certain standard, and the conventional service server can be used, so that the authority of a plurality of service servers can be managed in a centralized manner on the premise of not reconstructing the conventional service server.
In addition, the authentication server performs unified authority management, so that the authority of the user can be managed from the whole situation, and the authority is clear at a glance. The security of the server authority distribution is improved. The authority distribution is only needed in the authentication server, and the authority distribution is not needed in the respective service servers, so that the authority maintenance work of personnel becomes simple and reliable, and a large amount of manpower and material resources are saved.
In one embodiment, before the authentication server verifies the login information, the method further comprises: the authentication server judges whether the target account logs in the authentication server or not; and if the target account is not logged in the authentication server, the authentication server verifies the login information.
Therefore, as long as one service server performs login information verification through the authentication server, the other service servers do not need to perform repeated authentication. The authentication method provided by the embodiment of the disclosure can realize 'one-time login and seamless roaming' of a plurality of service servers through unified login authentication and authority takeover, so that a user does not need to repeatedly perform login operation, the use process of an information system is simplified, and the efficiency of actual work is improved.
In one embodiment, the authentication method further comprises: the service server applies for joining the management of the authentication server; and under the condition of agreeing to the application of the service server, the authentication server generates a server identifier, and the server identifier corresponds to the IP of the service server.
In this way, because the IP of each service server is unique, the server identifier generated for a service server once it has been authorized by the authentication server is also unique, so the identifiers of the plurality of service servers never collide, and the authentication server can send the authorization information to the correct service server according to its server identifier, quickly and accurately.
In one embodiment, the authentication method further comprises: the service server sends an authority identifier to the authentication server, wherein the authority identifier indicates at least one of the function authority and the data authority of the service server.
In this way, the authentication server obtains the authority identifier with the established corresponding relationship (the corresponding relationship between the authority identifier and the authority), when the authentication server sends the entitlement information to the service server, the authentication server is attached with the server identifier and the authority identifier, which service server the entitlement information is sent to can be identified according to the server identifier, and after receiving the entitlement information, the corresponding service server provides corresponding functional operation according to the authority identifier in the entitlement information. The authority distribution is only needed in the authentication server, and the authority distribution is not needed in the respective service servers, so that the authority maintenance work of personnel becomes simple and reliable, and a large amount of manpower and material resources are saved.
In one embodiment, the entitlement information includes the server identification, and the authentication method further includes: and the service server verifies the received authorization information and the IP of the service server.
Therefore, the accuracy between the user purpose and the actual effect can be improved by adding the verification step of the information accuracy in the authentication process, and the effect of unified authentication is further improved.
According to a second aspect of embodiments of the present disclosure, there is provided an authentication system including: the system comprises an authentication server, at least one service server and at least one terminal device; the terminal equipment is used for sending login information to the service server, wherein the login information comprises a target account and a login password; the service server is used for forwarding the login information to an authentication server; the authentication server is used for verifying the login information and sending the authorization information to the service server, wherein the authorization information is used for indicating the service server to provide corresponding function operation.
The embodiment of the disclosure provides an authentication system, which comprises an authentication server, wherein in the process of man-machine interaction, after a service server is connected with the authentication server, the login authentication and the authority giving work of the service server are completed by the authentication server. Each service server connected with the authentication server does not need to contain a certain standard or need to be reconstructed according to a certain standard, and the conventional service server can be used, so that the authority of a plurality of service servers can be managed in a centralized manner on the premise of not reconstructing the conventional service server.
In addition, the authentication server performs unified authority management, so that the authority of the user can be managed from the whole situation, and the authority is clear at a glance. The security of the server authority distribution is improved. The authority distribution is only needed in the authentication server, and the authority distribution is not needed in the respective service servers, so that the authority maintenance work of personnel becomes simple and reliable, and a large amount of manpower and material resources are saved.
In one embodiment, the authentication server is specifically configured to: judging whether the target account logs in the authentication server or not; and if the target account is not logged in the authentication server, the authentication server verifies the login information.
Therefore, as long as one service server performs login information verification through the authentication server, the other service servers do not need to perform repeated authentication. The authentication method provided by the embodiment of the disclosure can realize 'one-time login and seamless roaming' of a plurality of service servers through unified login authentication and authority takeover, so that a user does not need to repeatedly perform login operation, the use process of an information system is simplified, and the efficiency of actual work is improved.
In one embodiment, the service server is further configured to apply for joining in management of the authentication server; the authentication server is further used for generating a server identifier; wherein the server identifier corresponds to the IP of the service server.
In this way, because the IP of each service server is unique, the server identifier generated for a service server once it has been authorized by the authentication server is also unique, so the identifiers of the plurality of service servers never collide, and the authentication server can send the authorization information to the correct service server according to its server identifier, quickly and accurately.
In one embodiment, the service server is further configured to send a permission identifier to the authentication server, where the permission identifier indicates at least one of a functional permission and a data permission of the service server.
In this way, the authentication server obtains the authority identifier with the established corresponding relationship (the corresponding relationship between the authority identifier and the authority), when the authentication server sends the entitlement information to the service server, the authentication server is attached with the server identifier and the authority identifier, which service server the entitlement information is sent to can be identified according to the server identifier, and after receiving the entitlement information, the corresponding service server provides corresponding functional operation according to the authority identifier in the entitlement information. The authority distribution is only needed in the authentication server, and the authority distribution is not needed in the respective service servers, so that the authority maintenance work of personnel becomes simple and reliable, and a large amount of manpower and material resources are saved.
In one embodiment, the entitlement information includes the server identifier, and the service server is further configured to verify the received entitlement information with an IP of the service server.
Therefore, the accuracy between the user purpose and the actual effect can be improved by adding the verification step of the information accuracy in the authentication process, and the effect of unified authentication is further improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
Fig. 1 is a schematic diagram of an interaction process of an authentication method provided by the prior art;
fig. 2 is a schematic flowchart of an authentication method provided by an embodiment of the present disclosure;
fig. 3 is a flowchart illustrating another authentication method provided in an embodiment of the present disclosure.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The unified authentication service can take over the login authentication process of a plurality of service servers. A user who has logged in once can then directly enter any other server in the trusted system without a second authentication, and when the user logs out of any server, the login states of the other servers are destroyed accordingly, which realizes the single sign-on function.
An embodiment of the present disclosure provides an authentication method, as shown in fig. 2, the authentication method includes the following steps:
100. The terminal equipment sends login information to the service server, wherein the login information comprises a target account and a login password.
Several things can be determined from the login information sent by the terminal equipment: first, whether the current account has the right to access the service server; second, whether the target account and login password entered match; and third, the authority corresponding to the current account, and so on.
The permissions of the service server are divided into two categories: functional rights and data rights. Menus, buttons, hyperlinks and the like belong to the functional rights; holding such a right means the user may enter the corresponding functional module and execute the corresponding operation. The range of data that different roles may operate on is the data right. For example, a provincial administrator may see enterprise information for the entire province, while a city administrator may only see enterprise information for one city or region. Functional rights and data rights are not completely independent: an operation such as delete or edit involves both a functional right and a data right.
The login password may be, for example, a real-time short message check code, a general password set by the user, CA (Certificate Authority) authentication, or the like.
200. And the service server forwards the login information to the authentication server.
Here, for the authentication server to receive messages sent by the service server, the service server must have reached an agreement with the authentication server (e.g., authorization) so that a connection can be established between the two. Any service server that originally could not send messages to the authentication server can establish a connection with it, without being reconstructed, as long as such an agreement is reached with the authentication server.
The specific content of the protocol is not limited.
300. The authentication server verifies the login information.
That is, the verification of the login information by any service server connected to the authentication server is performed by the authentication server.
The verification here mainly verifies whether the target account and the login password are matched, whether the target account has the right to access the service server, and the like.
400. The authentication server sends the authorization information to the service server, and the authorization information is used for indicating the service server to provide corresponding functional operation.
Here, the entitlement information is used to instruct the service server to provide the corresponding function operation, and therefore, the entitlement information inevitably carries information indicating which service server operates, so that the entitlement information accurately reaches the corresponding service server. And the entitlement information also needs to carry information indicating what function the service server provides, and certainly, the function provided by the service server corresponds to the authority of the target account sent by the terminal device, so that unauthorized operation is not possible.
The authentication method provided by the embodiment of the disclosure comprises an authentication server, and in the process of man-machine interaction, after the service server establishes connection with the authentication server, login authentication and authority giving work of the service server are completed by the authentication server. Each service server connected with the authentication server does not need to contain a certain standard or need to be reconstructed according to a certain standard, and the conventional service server can be used, so that the authority of a plurality of service servers can be managed in a centralized manner on the premise of not reconstructing the conventional service server.
In addition, the authentication server performs unified authority management, so that the authority of the user can be managed from the whole situation, and the authority is clear at a glance. The security of the server authority distribution is improved. The authority distribution is only needed in the authentication server, and the authority distribution is not needed in the respective service servers, so that the authority maintenance work of personnel becomes simple and reliable, and a large amount of manpower and material resources are saved.
In some embodiments, as shown in fig. 3, before the authentication server verifies the login information, the authentication method further includes:
301. the authentication server judges whether the target account logs in the authentication server or not.
For example, after receiving the login information sent by the service server, the authentication server first compares the currently received login information with login information it has already received, rather than verifying it directly, to determine whether the target account has already logged in to the authentication server.
The already received login information may be, for example, login information received within a set time window, login information currently held by the authentication server, or login information within a range set according to the request.
302. If the target account has not logged in to the authentication server, the authentication server verifies the login information.
That is, the authentication server compares the currently received login information with the login information already received, and verifies the current login information only if it has never been received before.
If the current login information is found to have been received already, the method proceeds directly to the next step.
Therefore, as long as one service server performs login information verification through the authentication server, the other service servers do not need to perform repeated authentication. The authentication method provided by the embodiment of the disclosure can realize 'one-time login and seamless roaming' of a plurality of service servers through unified login authentication and authority takeover, so that a user does not need to repeatedly perform login operation, the use process of an information system is simplified, and the efficiency of actual work is improved.
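As an added illustration (not code from the patent or its applicant), the following Python sketch models steps 100 to 400 together with the step 301/302 check: an authentication server holding salted PBKDF2 credentials, a per-account login state used to skip repeated verification, and an entitlement that names the functions a service server may provide. The class and function names, the account store, the rights table and the session time window are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed example: authentication-server side of steps 100-400 plus the
# step 301/302 "already logged in?" check. Names and data layout are assumptions.

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the authentication server never stores the plain login password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(password: str):
    """Stored credential record for one target account: (salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


class AuthenticationServer:
    def __init__(self, accounts, account_rights, session_ttl=3600.0):
        self.accounts = accounts              # account -> (salt, pbkdf2 hash)
        self.account_rights = account_rights  # account -> {service server -> [functions]}
        self.session_ttl = session_ttl        # the "set time" within which a login counts as received
        self.sessions = {}                    # account -> login timestamp (step 301 lookup)
        self.verify_count = 0                 # how often step 300 actually ran

    def _already_logged_in(self, account: str) -> bool:
        """Step 301: compare with login information already received, without re-verifying."""
        started = self.sessions.get(account)
        if started is None:
            return False
        if time.time() - started > self.session_ttl:
            del self.sessions[account]        # stale login state no longer counts
            return False
        return True

    def handle_login(self, service_server: str, login_info: dict):
        """Step 200 delivers login_info here; returns entitlement information or None."""
        account = login_info["account"]
        if not self._already_logged_in(account):
            # Step 302/300: not logged in yet, so verify account and password now.
            self.verify_count += 1
            record = self.accounts.get(account)
            if record is None:
                return None
            salt, stored = record
            if not hmac.compare_digest(stored, hash_password(login_info["password"], salt)):
                return None
            self.sessions[account] = time.time()
        # Step 300 also checks that the account may access this particular service server.
        functions = self.account_rights.get(account, {}).get(service_server)
        if functions is None:
            return None
        # Step 400: entitlement information telling the service server what to provide.
        return {"service_server": service_server, "account": account, "functions": list(functions)}

    def logout(self, account: str) -> None:
        """Single sign-on: logging out anywhere destroys the login state for every service server."""
        self.sessions.pop(account, None)


if __name__ == "__main__":
    accounts = {"alice": make_account("correct horse battery")}        # constructed account
    rights = {"alice": {"hr-portal": ["daily check"],
                        "report-portal": ["view all check records"]}}  # constructed rights
    auth = AuthenticationServer(accounts, rights)
    creds = {"account": "alice", "password": "correct horse battery"}
    print(auth.handle_login("hr-portal", creds))       # verified once
    print(auth.handle_login("report-portal", creds))   # reuses the login state
    print("verifications run:", auth.verify_count)     # 1
```

Two design points worth noting. "Already received" is judged here by target account: once an account holds a login state, a second request forwarded by any service server is treated as already received and the password is not checked again, which is exactly the "without directly verifying" behaviour the text describes and which makes the service servers trusted forwarders. The session time window implements the "set time" in which earlier login information still counts, and `logout` removes the state for every service server at once, matching the single sign-on behaviour described earlier.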
In some embodiments, as shown in fig. 3, the authentication method further comprises:
50. The service server applies to join the management of the authentication server;
51. If the application of the service server is approved, the authentication server generates a server identifier and establishes a mapping between the server identifier and the IP of the service server.
This is the process in which the service server indicates its willingness to accept the unified management of the authentication server. For example, the service server is checked through a registration interface provided by the authentication server, in a manual registration manner, and then registered; a unique server identifier is generated upon registration, and the server identifier is associated with the IP (internet protocol) address of the service server at the time of registration. Here, the mapping may be embodied as a function, a list, or the like.
In this way, because the IP of each service server is unique, the server identifier generated by the service server after authorizing with the authentication server is also unique, the server identifiers generated by the plurality of service servers are not repeated inevitably, the authentication server can accurately send the authorization information to the corresponding service server according to the service server identifier, and the speed and the accuracy are high.
In some embodiments, as shown in fig. 3, the authentication method further comprises:
350. The service server sends an authority identifier to the authentication server, wherein the authority identifier indicates at least one of the function authority and the data authority of the service server.
The services handled by each service server are complex and varied, with many functional authorities and data authorities. The authority may of course be a function authority, a data authority, or a combination of the two.
Here, the authority identifier may be a number, an English string, or the like, and only needs to be guaranteed not to repeat. The authority identifiers of different service servers may be the same or different; the embodiment of the present disclosure does not limit this.
TABLE 1 correspondence of rights identification to rights content
As shown in table 1, an exemplary correspondence relationship between a rights identification and rights content is shown.
In this way, the authentication server obtains the authority identifier with the established corresponding relationship (the corresponding relationship between the authority identifier and the authority), when the authentication server sends the entitlement information to the service server, the authentication server is attached with the server identifier and the authority identifier, which service server the entitlement information is sent to can be identified according to the server identifier, and after receiving the entitlement information, the corresponding service server provides corresponding functional operation according to the authority identifier in the entitlement information. The authority distribution is only needed in the authentication server, and the authority distribution is not needed in the respective service servers, so that the authority maintenance work of personnel becomes simple and reliable, and a large amount of manpower and material resources are saved.
Based on this, in some embodiments, the authorization information in the authentication method provided by the embodiments of the present disclosure includes a server identifier and a right identifier.
After receiving the server identifier and the authority identifiers sent by a certain service server, the authentication server may, for example, combine them, prefixing each authority identifier with the server identifier to form a unique combined authority identifier.
For example: the server identifier of the first service server is A, and that of the second service server is B. The authority identifiers of the first and second service servers are the same, as shown in table 1.
The authentication server combines the server identifiers with the authority identifiers to obtain: A01, A02, A03, A04, A05, B01, B02, B03, B04 and B05. When the entitlement information includes A01, it indicates that the first service server provides the daily check function. When the entitlement information includes B04, it indicates that the second service server provides the function of viewing all check records.
When the authentication server generates the authorization information, the authorization management of the entire authorization management work can be performed by using Role-Based Access Control (RBAC for short) with respect to the authority range of the login account (user). Or using RBAC3, a unified rights management model. Three main tables of users, roles and resources are defined, the users are associated with the roles, the roles are associated with the resources, and the users obtain the authorities of the roles by becoming members of proper roles, so that the authority management of the users is simple and flexible.
For example, in a banking application, the borrowing and depositing operation authority is assigned to a receiving role and the loan approval operation authority is assigned to a manager role; whichever role a user is placed in, the user enjoys the authority of that role.
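The RBAC tables described above and the combined identifiers of the worked example (A01 to B05), as an added Python example that is not the patent's own code: users are associated with roles, roles with resources expressed as (server identifier, authority identifier) pairs, and the entitlement for a user on one service server is derived from that chain. The banking roles, user names and authority identifiers 01 to 03 below are constructed for the example.

```python
# Constructed example (not the patent's code): role-based entitlement on the
# authentication server, producing combined "server identifier + authority identifier"
# strings such as A01. Role names, users and authority identifiers are assumptions.


def combine(server_id: str, authority_id: str) -> str:
    """Prefix one authority identifier with the server identifier it belongs to."""
    return f"{server_id}{authority_id}"


def split_combined(combined: str, known_server_ids) -> tuple:
    """Recover (server identifier, authority identifier) from a combined identifier."""
    # Longest known server identifier first, so 'AB' is not mistaken for 'A' + 'B…'.
    for sid in sorted(known_server_ids, key=len, reverse=True):
        if combined.startswith(sid) and len(combined) > len(sid):
            return sid, combined[len(sid):]
    raise ValueError(f"no registered server identifier matches {combined!r}")


class RbacAuthority:
    """Users -> roles -> resources, as in the RBAC model the text describes."""

    def __init__(self):
        self.user_roles = {}       # users table: user -> set of role names
        self.role_resources = {}   # resources table: role -> set of (server_id, authority_id)

    def grant_resource(self, role: str, server_id: str, authority_id: str) -> None:
        self.role_resources.setdefault(role, set()).add((server_id, authority_id))

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_resources:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def authority_ids(self, user: str, server_id: str) -> list:
        """Authority identifiers the user holds on one service server, through all roles."""
        ids = set()
        for role in self.user_roles.get(user, ()):
            for sid, aid in self.role_resources.get(role, ()):
                if sid == server_id:
                    ids.add(aid)
        return sorted(ids)

    def entitlement(self, user: str, server_id: str) -> dict:
        """Entitlement information: the server identifier plus combined authority identifiers."""
        return {"server_id": server_id,
                "authorities": [combine(server_id, a) for a in self.authority_ids(user, server_id)]}


def build_bank_example() -> RbacAuthority:
    """Constructed banking setup: service server 'A' with a teller role and a manager role."""
    rbac = RbacAuthority()
    rbac.grant_resource("teller", "A", "01")    # 01: deposit (constructed label)
    rbac.grant_resource("teller", "A", "02")    # 02: withdrawal (constructed label)
    rbac.grant_resource("manager", "A", "03")   # 03: loan approval (constructed label)
    rbac.assign_role("tom", "teller")
    rbac.assign_role("maria", "manager")
    rbac.assign_role("maria", "teller")
    return rbac


if __name__ == "__main__":
    rbac = build_bank_example()
    print(rbac.entitlement("tom", "A"))     # {'server_id': 'A', 'authorities': ['A01', 'A02']}
    print(rbac.entitlement("maria", "A"))   # authorities A01, A02, A03
    print(split_combined("A03", {"A", "B"}))
```

Because the authentication server only ever hands out combined identifiers, a service server that receives `A03` can split it back into the server identifier and the authority identifier it already knows from its own table, which is the property the text relies on when it says the service server provides function operations "according to the authority identifier in the entitlement information".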
In some embodiments, as shown in fig. 3, the entitlement information includes a server identifier, and the authentication method further includes:
500. and the service server verifies the received authorization information and the IP of the service server.
That is, after receiving the entitlement information, the service server performs validity verification on the server identifier, and if the server identifier carried in the entitlement information corresponds to its own IP, executes the entitlement information. If the server identifier does not correspond to the own IP, the authorization information is not executed, an alarm may be given to the authentication server, or other specific operations may be executed.
Therefore, the accuracy between the user purpose and the actual effect can be improved by adding the verification step of the information accuracy in the authentication process, and the effect of unified authentication is further improved.
Based on this, the authentication method provided by the embodiment of the present disclosure is exemplified by a specific embodiment below.
An authentication method, comprising:
The service server grants its own management authority to the authentication server through the authority-granting interface the authentication server provides. Once verification passes, the service server establishes a connection with the authentication server and a unique server identifier is generated.
These steps are repeated until every service server that is to be managed uniformly by the authentication server has authorized it.
When a user accesses the service server through the terminal device, the user enters login information, which the authentication server must verify. The login information may reach the authentication server in either of two ways: the user sends it to the service server through the terminal device and the service server forwards it to the authentication server, or the user sends it directly to the authentication server through the terminal device.
After receiving the login information, the authentication server judges whether the same login information was already received within a period of time beforehand. If it was, the authentication server redirects to the service server the user is operating. If it was not, the current user has not logged in to any service server and must be authenticated first: the user is redirected to a unified verification page, where a short-message verification code, an ordinary password, a CA (Certificate Authority) certificate or the like is verified, and after verification is completed the user is redirected to the service server being operated.
The service server judges whether the user has been granted authority by checking whether entitlement information has been received. If it has not, the service server requests the authentication server to send entitlement information according to the user's authority; if it has, the service server provides the functional operations corresponding to the user's authority according to the entitlement information.
After unified authentication the user enters the service server, which can then distribute its internal authority according to the person's role, limiting which operations the user may perform. The authentication server is connected to a plurality of service servers, each with its own authority design, so unified authority management across service servers with different authority schemes is complicated and wide in scope. The authentication method provided by the embodiment of the disclosure solves this by introducing the authentication server, keeping modifications to the service servers minimal so that they hardly need to be changed. The core idea is that the authentication server manages only the entitlement information rather than directly managing any actual authority; the service server obtains the real operation authority by interpreting the entitlement information. Unified authority authentication is thereby achieved in a way that is simple, low in cost and broadly applicable.
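The flow just described, together with the users/roles/resources mapping from the banking example earlier, as an added Python model that is not the applicant's code: a service server joins and receives a server identifier derived from its IP, reports its authority identifiers, the authentication server verifies a login once and issues entitlement information from the RBAC mapping, and the service server executes only entitlement information bearing its own identifier, alarming the authentication server otherwise. All class names, accounts, IPs and passwords are constructed assumptions; the HMAC derivation of the identifier and the absence of a time window on the login check are simplifications, not the patent's specification.

```python
"""Toy model of the patent's flow (added example, not the applicant's code).
Class and method names are assumptions; accounts, IPs and passwords are constructed."""
import hashlib
import hmac
import secrets
from collections import namedtuple

Entitlement = namedtuple("Entitlement", "server_id authority_ids")  # the "entitlement information"


class AuthServer:
    def __init__(self):
        self._key = secrets.token_bytes(32)  # derives server identifiers from IPs (assumption)
        self.authorities = {}  # server_id -> authority identifiers that server reported (step 300)
        self.credentials = {}  # account -> sha256(password) (toy credential store)
        self.user_roles = {}   # RBAC: account -> roles
        self.role_perms = {}   # RBAC: role -> {(server_id, authority_id)}
        self.sessions = set()  # accounts already verified ("one-time login")
        self.alerts = []       # alarms raised by service servers on a mismatched identifier

    def add_service_server(self, ip):  # steps 100-200: identifier is unique because the IP is
        return hmac.new(self._key, ip.encode(), hashlib.sha256).hexdigest()[:16]

    def add_user(self, account, password, roles):
        self.credentials[account] = hashlib.sha256(password.encode()).hexdigest()
        self.user_roles[account] = set(roles)

    def grant(self, role, server_id, authority_id):  # RBAC: resources bind to roles, users join roles
        if authority_id not in self.authorities.get(server_id, ()):
            raise ValueError("unknown authority identifier for this server")
        self.role_perms.setdefault(role, set()).add((server_id, authority_id))

    def login(self, account, password, server_id):  # step 400: verify once, then no re-check
        if account not in self.sessions:
            given = hashlib.sha256(password.encode()).hexdigest()
            if not hmac.compare_digest(self.credentials.get(account, ""), given):
                return None
            self.sessions.add(account)
        ids = frozenset(a for role in self.user_roles.get(account, ())
                        for sid, a in self.role_perms.get(role, ()) if sid == server_id)
        return Entitlement(server_id, ids)


class ServiceServer:
    def __init__(self, ip, auth, authority_ids):
        self.ip, self.auth, self.authority_ids = ip, auth, set(authority_ids)
        self.server_id = auth.add_service_server(ip)  # keeps the identifier it was issued
        auth.authorities[self.server_id] = set(authority_ids)  # step 300: report identifiers

    def apply(self, ent):  # step 500: act only on entitlement information bearing its own identifier
        if ent.server_id != self.server_id:
            self.auth.alerts.append((self.ip, ent.server_id))  # alarm to the authentication server
            return None
        return sorted(ent.authority_ids & self.authority_ids)


def demo():
    auth = AuthServer()
    counter = ServiceServer("10.0.0.11", auth, ["deposit", "withdraw"])
    loans = ServiceServer("10.0.0.12", auth, ["approve_loan"])
    auth.add_user("alice", "pw-alice", ["teller"])
    for authority_id in ("deposit", "withdraw"):
        auth.grant("teller", counter.server_id, authority_id)
    auth.grant("manager", loans.server_id, "approve_loan")
    ent = auth.login("alice", "pw-alice", counter.server_id)
    misdirected = loans.apply(ent)  # carries the counter's identifier: refused, alarm recorded
    roam = auth.login("alice", "pw-alice", loans.server_id)  # already verified, no re-check
    return counter.apply(ent), misdirected, loans.apply(roam), auth.alerts
```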
The embodiment of the disclosure further provides an authentication system, which includes an authentication server, at least one service server, and at least one terminal device.
The terminal device is configured to send login information to the service server, where the login information includes a target account and a login password.
The service server is configured to forward the login information to the authentication server.
The authentication server is configured to verify the login information and send entitlement information to the service server, where the entitlement information instructs the service server to provide the corresponding functional operations.
That is, a plurality of service servers are collectively managed by the authentication server.
The embodiment of the disclosure provides an authentication system that includes an authentication server. During human-machine interaction, once a service server is connected to the authentication server, the login authentication and authority-granting work for that service server is carried out by the authentication server. A service server connected to the authentication server does not have to conform to a particular standard or be rebuilt to one; a conventional service server can be used, so the authority of a plurality of service servers can be managed centrally without rebuilding the conventional service servers.
In addition, because the authentication server performs unified authority management, user authority can be managed globally and is clear at a glance, which improves the security of server authority distribution. Authority only needs to be distributed in the authentication server, not in each service server, so the authority-maintenance work of personnel becomes simple and reliable and a great deal of manpower and material resources are saved.
In some embodiments, the authentication server is specifically configured to judge whether the target account is already logged in to the authentication server, and to verify the login information if it is not.
Therefore, once login information has been verified through the authentication server for one service server, the other service servers do not need to repeat the authentication. Through unified login authentication and authority takeover, the authentication method provided by the embodiment of the disclosure achieves 'one-time login, seamless roaming' across a plurality of service servers: the user does not need to log in repeatedly, use of the information system is simplified and the efficiency of actual work is improved.
In some embodiments, the service server is further configured to apply to join the management of the authentication server, and the authentication server is further configured to generate a server identifier that corresponds to the IP of the service server.
Because the IP of each service server is unique, the server identifier generated when a service server authorizes the authentication server is also unique, so the identifiers of the plurality of service servers never collide. The authentication server can therefore send entitlement information to the correct service server according to its server identifier, quickly and accurately.
In some embodiments, the service server is further configured to send an authority identifier to the authentication server, where the authority identifier indicates at least one of a functional authority and a digital authority of the service server.
In this way, the authentication server obtains authority identifiers whose correspondence to authorities has already been established. When the authentication server sends entitlement information to a service server, it attaches the server identifier and the authority identifier: the server identifier identifies which service server the entitlement information is for, and the receiving service server provides the corresponding functional operations according to the authority identifier in the entitlement information. Authority only needs to be distributed in the authentication server, not in each service server, so the authority-maintenance work of personnel becomes simple and reliable and a great deal of manpower and material resources are saved.
In some embodiments, the entitlement information includes the server identifier, and the service server is further configured to verify the received entitlement information against its own IP.
Adding this verification step to the authentication process therefore improves the match between what the user intends and what actually takes effect, and so further improves the result of unified authentication.
Based on the authentication method described in the embodiments corresponding to fig. 2 and fig. 3, an embodiment of the present disclosure further provides a computer-readable storage medium; for example, the non-transitory computer-readable storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, or the like. The storage medium stores computer instructions for executing the authentication method described in the embodiments corresponding to fig. 2 and fig. 3, which is not described again here.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.
Claims (10)
1. An authentication method, comprising:
a terminal device sends login information to a service server, where the login information includes a target account and a login password;
the service server forwards the login information to an authentication server;
the authentication server verifies the login information;
the authentication server sends entitlement information to the service server, where the entitlement information is used to instruct the service server to provide the corresponding functional operation.
2. The authentication method according to claim 1, wherein before the authentication server verifies the login information, the authentication method further comprises:
the authentication server judges whether the target account is logged in to the authentication server;
if the target account is not logged in to the authentication server, the authentication server verifies the login information.
3. The authentication method according to claim 1, further comprising:
the service server applies for joining the management of the authentication server;
if the application of the service server is approved, the authentication server generates a server identifier, where the server identifier corresponds to the IP of the service server.
4. The authentication method according to claim 1, further comprising:
the service server sends an authority identifier to the authentication server, where the authority identifier is used to indicate at least one of a functional authority and a digital authority of the service server.
5. The authentication method according to claim 3, wherein the entitlement information includes the server identifier, the authentication method further comprising:
the service server verifies the received entitlement information against the IP of the service server.
6. An authentication system, characterized in that the authentication system comprises an authentication server, at least one service server and at least one terminal device;
the terminal device is configured to send login information to the service server, where the login information includes a target account and a login password;
the service server is configured to forward the login information to the authentication server;
the authentication server is configured to verify the login information and send entitlement information to the service server, where the entitlement information is used to instruct the service server to provide the corresponding functional operation.
7. The authentication system of claim 6, wherein the authentication server is specifically configured to:
judge whether the target account is logged in to the authentication server; and if the target account is not logged in to the authentication server, verify the login information.
8. The authentication system of claim 6, wherein the service server is further configured to apply for joining the management of the authentication server;
the authentication server is further configured to generate a server identifier, where the server identifier corresponds to the IP of the service server.
9. The authentication system of claim 6, wherein the service server is further configured to send an authority identifier to the authentication server, and the authority identifier is used to indicate at least one of a functional authority and a digital authority of the service server.
10. The authentication system of claim 8, wherein the entitlement information comprises the server identifier, and wherein the service server is further configured to verify the received entitlement information against the IP of the service server.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811207753.4A CN111064695A (en) | 2018-10-17 | 2018-10-17 | Authentication method and authentication system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111064695A true CN111064695A (en) | 2020-04-24 |
Family
ID=70296960
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811207753.4A Pending CN111064695A (en) | 2018-10-17 | 2018-10-17 | Authentication method and authentication system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111064695A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116614812A (en) * | 2023-07-17 | 2023-08-18 | 中国人寿保险股份有限公司上海数据中心 | Non-perception authentication intercommunication method for heterogeneous brand wireless equipment |
CN116614812B (en) * | 2023-07-17 | 2023-10-03 | 中国人寿保险股份有限公司上海数据中心 | Non-perception authentication intercommunication method for heterogeneous brand wireless equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101207482A (en) * | 2007-12-13 | 2008-06-25 | 深圳市戴文科技有限公司 | System and method for implementation of single login |
CN101388773A (en) * | 2007-09-12 | 2009-03-18 | 中国移动通信集团公司 | Identity management platform, service server, uniform login system and method |
CN102420836A (en) * | 2012-01-12 | 2012-04-18 | 中国电子科技集团公司第十五研究所 | Sign-on method and sign-on management system for service information system |
CN102438019A (en) * | 2011-12-22 | 2012-05-02 | 中国电子科技集团公司第十五研究所 | Business information system access authority control method and system thereof |
JP2018082244A (en) * | 2016-11-14 | 2018-05-24 | ソラミツ株式会社 | Login authentication system, service provider and authentication server in login authentication system, and login authentication method and program for service provider, authentication server, computer and mobile terminal in login authentication system |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
RJ01 | Rejection of invention patent application after publication | Application publication date: 20200424 |