CN111404921B - Webpage application access method, device, equipment, system and storage medium - Google Patents

Info

Publication number: CN111404921B
Authority: CN (China)
Application number: CN202010170531.0A
Other versions: CN111404921A
Original language: Chinese (zh)
Inventor: 李晨阳
Current assignee: Bigo Technology Singapore Pte Ltd
Original assignee: Guangzhou Baiguoyuan Information Technology Co Ltd
Legal status: Active
Prior art keywords: authentication, browser, address, network request, authentication server

Classifications

    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/101 Access control lists [ACL]
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The embodiments of the invention disclose a method, device, equipment, system and storage medium for accessing a web application. The method comprises: receiving a first network request sent by a browser; generating a corresponding second network request according to a first address and first ticket information; and sending the second network request to a first web application, where the second network request instructs the first web application to initiate authentication to an authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser. The technical scheme supports a many-to-one mapping between mutually independent web applications with different destination addresses and an authentication forwarding service device, and performs login authentication against the single sign-on authentication server through the authentication forwarding service device, so that the whitelist of the single sign-on authentication server is easy to manage and maintain, the convenience of logging in to different web applications is improved, and the security of the login operation is ensured.

Description

Webpage application access method, device, equipment, system and storage medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method, a device, equipment, a system and a storage medium for accessing webpage applications.
Background
Single Sign-On (SSO) is currently one of the popular solutions for enterprise business integration; it is defined as follows: among multiple application systems, a user only needs to log on once to access all mutually trusted application systems.
At present, the usage scenario mainly addressed by the single sign-on function is sign-on to a web service with a unique domain name, where different domain names represent different web applications. However, for web services that provide similar functions and are mutually independent while having different destination addresses, whitelist management on the single sign-on authentication server becomes very complicated and hard to maintain, which makes integrating such services with single sign-on authentication very difficult; improvement is therefore needed.
Disclosure of Invention
The embodiments of the invention provide a method, device, equipment, system and storage medium for accessing a web application, which optimize the existing single-sign-on-based web application access scheme.
In a first aspect, an embodiment of the present invention provides a method for accessing a web application, where the method includes:
receiving a first network request sent by a browser, wherein the first network request comprises first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application;
generating a corresponding second network request according to the first address and the first ticket information;
and sending the second network request to the first web application, wherein the second network request instructs the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
In a second aspect, an embodiment of the present invention provides a method for accessing a web application, where the method includes:
when a first web application receives a first access request sent by a browser, it instructs the browser to initiate a single sign-on verification request to an authentication server, wherein a first service address contained in the single sign-on verification request is the address corresponding to an authentication forwarding service device, and the first service address in turn contains a first address corresponding to the first web application;
after detecting that the single sign-on verification succeeded, the authentication server returns first ticket information and first sign-on ticket identification information to the browser and instructs the browser to send a first network request to the authentication forwarding service device, wherein the first network request comprises the first ticket information and the first address;
the authentication forwarding service device generates a corresponding second network request according to the first address and the first ticket information, and sends the second network request to the first web application;
and the first web application initiates authentication to the authentication server according to the first ticket information and determines, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
In a third aspect, an embodiment of the present invention provides a web application access apparatus, where the apparatus includes:
a network request receiving module, configured to receive a first network request sent by a browser, wherein the first network request comprises first ticket information issued by an authentication server in the single sign-on system and a first address corresponding to a first web application;
a network request generating module, configured to generate a corresponding second network request according to the first address and the first ticket information;
and a second network request sending module, configured to send the second network request to the first web application, instructing the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide access service to the browser.
In a fourth aspect, an embodiment of the present invention provides an authentication forwarding service device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the web application access method provided in the first aspect of the embodiment of the present invention.
In a fifth aspect, an embodiment of the present invention provides a single sign-on system, which includes an authentication server, an authentication forwarding service device, and at least two web applications, and is configured to execute the web application access method provided in the second aspect of the embodiment of the present invention.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a web application access method as provided in any embodiment of the present invention.
According to the web application access scheme provided by the embodiments of the invention, a first network request sent by a browser is received, wherein the first network request comprises first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application; a corresponding second network request is generated according to the first address and the first ticket information; and the second network request is sent to the first web application, instructing it to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser. With this scheme, a forwarding service is added to the single sign-on system. After the forwarding service receives the ticket information issued by the single sign-on server, the corresponding web application obtains the ticket information through forwarded authentication and verifies it against the single sign-on server. A many-to-one mapping between mutually independent web applications with different destination addresses and the forwarding service is thus supported, so that the whitelist of the single sign-on authentication server is easy to manage and maintain, the convenience of logging in to different web applications is improved, and the security of the login operation is ensured.
Drawings
Fig. 1 is a scene framework diagram of an application scenario to which the method for accessing a web application according to an embodiment of the present invention is applied;
Fig. 2 is a diagram illustrating an exemplary architecture of a single sign-on system in the prior art;
Fig. 3 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 7 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 8 is a flowchart illustrating a method for accessing a web application according to an embodiment of the present invention;
Fig. 9 is a flowchart illustrating a method for accessing a web application according to an embodiment of the present invention;
Fig. 10 is a block diagram illustrating the structure of a web application access apparatus according to an embodiment of the present invention;
Fig. 11 is a block diagram illustrating an authentication forwarding service device according to an embodiment of the present invention;
Fig. 12 is a block diagram of a single sign-on system according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures. In addition, the embodiments and features of the embodiments in the present invention may be combined with each other without conflict.
Fig. 1 is a scene architecture diagram of an application scene to which the method for accessing a web application according to the embodiment of the present invention is applied. Specifically, referring to fig. 1, the application scenario may include a client 10, a server 11, and a browser 12.
The client 10 may be understood as a client in a single sign-on system, and is configured to send a request parameter to the server 11, so that the server 11 completes login authentication of a specified web application, and meanwhile, the client 10 needs to ensure that the request parameter sent to the server 11 carries an address of the web application initiating the login authentication; the server 11 may be understood as a server in a single sign-on system for providing login authentication, managing an authentication session between the server 11 and the browser 12, and issuing an authentication ticket to the browser 12 to enable the browser 12 to complete access to a target web application.
A single sign-on is understood to mean that, in a plurality of application systems, a user only needs to log on once to access all mutually trusted application systems. A single sign-on system may be understood as a system consisting of a plurality of web applications, a browser and an authentication server, wherein the authentication server is configured to manage authentication sessions of corresponding services and to implement authentication management of applications through ticket authentication.
Fig. 2 is an exemplary diagram of an architecture of a single sign-on system in the prior art, and specifically, referring to fig. 2, the system may include at least one web application 20, a server 21 and a browser 22, where the client 10 may be deployed in the web application 20.
Specifically, a user accesses a protected web application 20 through a browser 22; the web application 20 initiates a login verification process to the server 21; after login verification the server 21 creates an authentication session, writes a login state into the browser 22 and at the same time sends the browser 22 a message carrying the ticket information issued by the authentication session, so that the browser redirects to the web application 20 and delivers the ticket information to it; the web application 20 then initiates a secondary authentication process to the server 21 with the ticket information, the ticket is verified against the authentication session of the server 21, and after verification passes the protected content of the web application 20 is displayed to the browser 22. However, this single sign-on system mainly solves login to a web application with a unique domain name: the session created by the server 21 and the login state written into the browser 22 are in a one-to-one mapping with the web application, which puts great pressure on the whitelist management of the server 21. A method that implements a many-to-one mapping between web applications and the server 21 and reduces the pressure on the server 21 is therefore urgently needed.
Fig. 3 is a flowchart of a method for accessing a web application according to an embodiment of the present invention. The method may be executed by a web application access apparatus, which may be implemented in software and/or hardware and is generally integrated in an authentication forwarding service device. As shown in Fig. 3, the method includes:
Step 101: receiving a first network request sent by a browser, wherein the first network request includes first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application.
The first network request can be understood as a message sent by the browser to the authentication forwarding service device in order to deliver to that device the service ticket issued by the authentication server in the single sign-on system, together with the address of the web application for which login authentication is being completed.
The first web application can be understood as the target application accessed by the user, that is, the application that needs to complete login so that access can be granted.
Specifically, when a user wants to access the first web application through the browser, the browser accesses the authentication server in the single sign-on system to complete the authentication process and obtain the first ticket information issued by the authentication server; the browser then generates a first network request and sends it to the authentication forwarding service device, the first network request comprising the first ticket information and the first address corresponding to the first web application.
The first ticket information can be understood as a ticket issued by the authentication server after the user has logged in, used for secondary verification of the specified web application.
The first address is carried in a query parameter of the first network request, a query parameter being a specific parameter included in the first network request. The advantage of this is that the first address can be delivered complete and intact through the query parameters.
For example, the single sign-on system may be a Central Authentication Service (CAS) single sign-on system; the authentication server can then be understood as the CAS server, the first ticket information as a Service Ticket (ST) of CAS, and the first web application as a first web application server, that is, the CAS client, which is generally deployed in the web application server.
Step 102: generating a corresponding second network request according to the first address and the first ticket information.
The second network request can be understood as the message that delivers the service ticket issued by the authentication server in the single sign-on system to the target web application corresponding to the first address.
Specifically, the authentication forwarding service device generates, from the received first ticket information, a second network request for transmitting that ticket, and determines from the received first address the target application to which the second network request should be sent.
For example, when the single sign-on system is a CAS system, the first address received by the authentication forwarding service device may take the form of an HTTP query parameter. The authentication forwarding service device parses the first network request sent by the browser for the address of the web application that actually initiated CAS authentication, that is, it determines whether the query parameters contain a target web application address. If they do, it initiates a network request that forwards the first ticket information from the received first network request to the parsed target web application address; if they do not, it treats the request as illegal, ends the flow, and feeds the failure back to the browser to prompt the user that login has failed.
Step 103: sending the second network request to the first web application, instructing the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
Specifically, the authentication forwarding service device sends the second network request to the first web application according to the first address; the request instructs the first web application to initiate secondary authentication to the authentication server in the single sign-on system with the first ticket information carried in the second network request, so that the authentication server verifies the user login ticket corresponding to the first ticket information and the first web application receives the authentication result returned by the authentication server.
Fig. 4 is a schematic flowchart of a web application access method provided in an embodiment of the present invention. The technical solution of this embodiment is further optimized on the basis of the optional solutions above, so that cookies can be set across domains, solving the problem that a conventional access method can only set cookies for the top-level domain and the domain it itself resides in, but not for other domains.
The method specifically comprises the following steps:
Step 201: receiving a first network request sent by a browser, where the first network request includes first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application.
Step 202: generating a corresponding second network request according to the first address and the first ticket information.
Step 203: sending the second network request to the first web application, instructing it to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
Step 204: receiving first session identification information returned by the first web application, wherein the first web application creates a first session and generates the corresponding first session identification information upon determining that the authentication result returned by the authentication server is successful.
The first session identification information can be understood as a cookie generated by the first web application to record the ID of the first session created by the first web application, that is, a short piece of text recording the user state.
Specifically, when the first web application receives the second network request, it sends a secondary authentication to the authentication server in the single sign-on system according to the first ticket information carried in the second network request. When it receives a successful authentication result from the authentication server, it creates the first session and writes it into its cache, generates a cookie whose content represents the ID of the first session (the first session identification information), and returns the first session identification information to the authentication forwarding service device.
Step 205: sending the first session identification information to the browser, instructing the browser to access the first web application according to the first session identification information.
Specifically, the authentication forwarding service device sends the first session identification information to the browser; the browser then accesses the first web application at its first address using the first session identification information, so that the interface jumps to the content of the first web application and the first web application can set cookie content in the browser.
Further, sending the first session identification information to the browser may include sending first redirection information to the browser. The advantage is that the first redirection information directs the browser to access the target web application and retrieve the content it requested from the first web application.
The first redirection information can be understood as direction information instructing the browser to access the target web application.
Specifically, the first redirection information includes the first address of the first web application, and the first session identification information is carried in a query parameter of that first address.
Illustratively, the CAS single sign-on system addresses the problem of setting cookies across domains by configuring the CAS client, thereby storing the authentication state in the browser; specifically, the problem is the following:
after the browser initiates login verification of the target web application to the server, the server redirects the browser to the authentication forwarding service page; once login verification is complete, a cookie containing the authentication state needs to be stored in the browser, and the Uniform Resource Locator (URL) of that cookie needs to be the address of the target web application, but at this moment the browser address is still the address of the authentication forwarding service device, so the cookie cannot be set across domains.
According to the web application access scheme provided by this embodiment, the web application initiates secondary authentication to the authentication server according to the received second network request, creates a first session and generates the corresponding first session identification information when the authentication succeeds, and sends the first session identification information to the authentication forwarding service device, which writes it into the browser to instruct the browser to access the first web application according to it. Through this forwarded secondary authentication, the authentication server can grant access to several mutually independent web applications with different destination addresses after a single login, the security of single sign-on is ensured, a session is created between the web application and the browser after successful authentication and its session identification information is written into the browser, and cookies are thereby set across domains, solving the problem that the conventional login method can only set cookies for the top-level domain and its own domain but not for other domains.
Fig. 5 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention, where the method is applicable to a single sign-on system, where the single sign-on system includes at least two web applications, an authentication forwarding service device, and an authentication server.
The method specifically comprises the following steps:
step 301, when receiving a first access request sent by a browser, a first web application instructs the browser to initiate a single sign-on verification request to an authentication server, where a first service address included in the single sign-on verification request is an address corresponding to an authentication forwarding service device, and the first service address also includes a first address corresponding to the first web application.
Here the first web application can be any one of the at least two web applications. The single sign-on verification request is request information carrying the authentication data needed for login, such as the address of the web application to be logged in to, the login name and the authentication code. Optionally, the single sign-on verification request includes at least a first service address, which is the address corresponding to the authentication forwarding service device; the first service address in turn carries a first address corresponding to the first web application.
The first address is carried in the query parameters of the first service address.
Specifically, when a user wants to access the first web application, the browser sends a first access request to it. On receiving the first access request, the first web application redirects the browser to a login interface. If this is the first login, the user enters login information there; from that login information, the preset authentication forwarding service device address that the first web application supplied to the browser, and the first address corresponding to the first web application, the browser generates the single sign-on verification request and sends it to the authentication server.
Step 302: after detecting that the single sign-on verification has succeeded, the authentication server returns first ticket information and first login ticket identification information to the browser and instructs the browser to send a first network request to the authentication forwarding service device, where the first network request includes the first ticket information and the first address.
The first ticket information is the service ticket issued from the user login ticket that the authentication server generated after successful login verification; the web application uses it for the secondary authentication at the authentication server.
The user login ticket is the user's login session held by the authentication server, in which a cookie and the user information corresponding to that cookie are encapsulated.
The first login ticket identification information is the cookie corresponding to the user login ticket generated after a successful login, that is, after the authentication server has verified the user's credentials; equivalently, it is the login cookie that the authentication server writes into the user's browser to identify the user login ticket.
Specifically, when the authentication server detects that the single sign-on verification succeeded, it issues first ticket information, generates first login ticket identification information, sends both to the browser, and instructs the browser to send the first network request to the authentication forwarding service device address given in the single sign-on verification request. The first network request comprises the first ticket information and the first address of the first web application.
Step 303, the authentication forwarding service device generates a corresponding second network request according to the first address and the first ticket information, and sends the second network request to the first web application.
Specifically, from the received first ticket information and first address, the authentication forwarding service device generates a second network request that carries the first ticket information to the first address, and sends it to the first web application corresponding to the first address.
Optionally, the authentication forwarding service device comprises two main modules: a URL parsing module and a forwarding module.
The URL parsing module extracts, from the received first network request, the address of the web application that actually initiated the login authentication, namely the first address; the forwarding module forwards the first ticket information issued by the authentication server to the address extracted by the URL parsing module.
Step 304: the first web application initiates authentication to the authentication server according to the first ticket information and determines, from the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
Specifically, the first web application initiates secondary authentication to the authentication server of the single sign-on system with the received first ticket information and obtains the returned authentication result. If the result is success, it provides the corresponding access service to the browser; if the result is failure, it does not, and may optionally send an authentication failure notification to the browser so that the user can log in again.
According to the web application access scheme provided by this embodiment, when the first web application receives a first access request from the browser it instructs the browser to initiate a single sign-on verification request to the authentication server; after detecting that the single sign-on verification has succeeded, the authentication server returns first ticket information and first login ticket identification information to the browser and instructs the browser to send a first network request to the authentication forwarding service device; the authentication forwarding service device generates a corresponding second network request from the first address and the first ticket information and sends it to the first web application; and the first web application initiates authentication to the authentication server according to the first ticket information and determines, from the returned authentication result, whether to provide the corresponding access service to the browser. With this scheme the user logs in to the authentication server of the single sign-on system only once, and the login verification for functionally similar, mutually independent web applications with different destination addresses is completed with the same ticket mechanism and the different web application addresses; this improves the convenience of the login operation, while the secondary authentication preserves its security.
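The secondary authentication of step 304, as an added example that is not part of the patent: assuming the authentication server is a CAS server (the CAS-based embodiment of claim 5), the first web application validates the first ticket information, a service ticket (ST), by calling the CAS /serviceValidate endpoint with the ST and the service URL the ticket was issued for, and grants access only on an explicit success response. The addresses, the 'target' query parameter name and the sample responses are assumptions constructed for illustration.

```python
"""Secondary authentication of a service ticket by the first web application.

Added example, not code from the patent. It follows the CAS protocol's
/serviceValidate endpoint: the application presents the ST that reached it
through the authentication forwarding service together with the same service
URL the browser used when the ticket was issued, and parses the XML answer.
CAS_BASE, FORWARDER_BASE and the 'target' parameter name are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Tuple
from urllib.parse import urlencode

CAS_BASE = "https://cas.example.com/cas"                 # assumed authentication server
FORWARDER_BASE = "https://auth-fwd.example.com/forward"  # assumed forwarding service address
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}           # namespace used by CAS responses


def service_url_for(app_address: str) -> str:
    """The CAS 'service' value in this design is the forwarding service address
    carrying the application address as a query parameter (step 301). CAS binds
    the ST to this exact string, so the application must reproduce it."""
    return f"{FORWARDER_BASE}?{urlencode({'target': app_address})}"


def build_service_validate_url(app_address: str, ticket: str) -> str:
    """URL the application calls for the secondary authentication (step 304)."""
    if not ticket.startswith("ST-"):
        raise ValueError("not a service ticket")
    query = urlencode({"service": service_url_for(app_address), "ticket": ticket})
    return f"{CAS_BASE}/serviceValidate?{query}"


def parse_service_validate_response(xml_text: str) -> Tuple[bool, str]:
    """Return (True, user) on success, or (False, failure code) otherwise.

    Anything that is not an explicit <cas:authenticationSuccess> with a
    non-empty <cas:user> is treated as failure, so a malformed or truncated
    answer never grants access."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "MALFORMED"
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = (ok.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
        return (True, user) if user else (False, "NO_USER")
    fail = root.find("cas:authenticationFailure", CAS_NS)
    return False, (fail.get("code", "UNKNOWN") if fail is not None else "MALFORMED")


def decide_access(xml_text: str) -> bool:
    """Step 304: provide the access service only on a successful result."""
    success, _ = parse_service_validate_response(xml_text)
    return success


# Constructed sample responses in the CAS serviceValidate format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>alice</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(build_service_validate_url("https://app1.example.com/", "ST-123"))
    print(parse_service_validate_response(SUCCESS_XML))
    print(parse_service_validate_response(FAILURE_XML))
```

Because CAS binds an ST to the service string supplied at login, and in this design that string is the forwarding service address carrying the target address, the application has to reconstruct exactly that string; validating with its own address instead is rejected by the CAS server with INVALID_SERVICE, which is the property that stops a ticket issued for one application from being presented to another.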
Fig. 6 is a schematic flow chart of a method for accessing a web application according to an embodiment of the present invention, where the technical solution of the embodiment of the present invention is further detailed on the basis of the above technical solution, and specifically includes the following steps:
step 401, when receiving a first access request sent by a browser, a first web application instructs the browser to initiate a single sign-on verification request to an authentication server, where a first service address included in the single sign-on verification request is an address corresponding to an authentication forwarding service device, and the first service address also includes a first address corresponding to the first web application.
Step 402, after detecting that the single sign-on verification is successful, the authentication server returns the first ticket information and the first sign-on ticket identification information to the browser, and instructs the browser to send a first network request to the authentication forwarding service device, wherein the first network request includes the first ticket information and the first address.
Step 403, the authentication forwarding service device generates a corresponding second network request according to the first address and the first ticket information, and sends the second network request to the first web application.
Step 404, when the first web application determines that the authentication result returned by the authentication server is successful, the first web application creates a first session and generates corresponding first session identification information, and returns the first session identification information to the authentication forwarding service device.
Specifically, when the first web application determines that the authentication result returned by the authentication server is successful, a first session is created and written into the cache, and meanwhile, first session identification information is generated according to the first session, that is, a cookie with a first session ID as content, and the first session identification information is returned to the authentication forwarding service device.
Step 405, the authentication forwarding service device sends the first session identification information to the browser, for instructing the browser to access the first web application according to the first session identification information.
Specifically, after the browser receives the first session identification information from the authentication forwarding service device, it accesses the first web application using the first web application's address carrying the first session identification information, so that the first web application can check whether a first session corresponding to that identifier exists.
Step 406, the first web application provides a corresponding access service to the browser when determining that the first session identification information is valid.
Specifically, the first web application regards the first session identification information as valid once it finds the first session corresponding to it; it then provides the corresponding access service to the browser and redirects the browser to the content served by the first web application.
Furthermore, after the first webpage application provides corresponding access service for the browser, the first webpage application writes the first session identification information into the browser. This has the advantage that the login authentication status of the first web application can be saved in the browser.
Further, when the first web application receives a first access request from the browser and determines that the request carries no session identification information, it instructs the browser to initiate a single sign-on verification request to the authentication server. The advantage of this arrangement is that the browser can be sent straight to login authentication, without any other operation, once it is established that the first web application has not yet been logged in to.
Specifically, when the first web application receives a first access request from the browser, it checks whether the request carries session identification information. If it does not, this is the first login to the first web application and login verification is required, so the browser is instructed to initiate a single sign-on verification request to the authentication server. If it does, this is not the first login; the first web application then looks up whether it holds a session corresponding to the session identification information and, if so, provides the corresponding access service to the browser.
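The URL parsing and forwarding modules of the authentication forwarding service device (step 303) together with the redirect of step 405, as an added example that is not the patent's code. The second network request to the application is replaced by an injected callable so the module runs offline; the parameter names 'target', 'ticket' and 'sid', the registry of application addresses and the constructed application endpoint are assumptions.

```python
"""Authentication forwarding service: URL parsing module and forwarding module.

Added example, not the patent's own code. The second network request to the
application is an injected callable so the module runs offline; the query
parameter names 'target', 'ticket' and 'sid' and the registry of application
addresses are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass
class Redirect:
    status: int
    location: str


class ForwardingService:
    def __init__(self, registered_apps: Set[str],
                 send_ticket: Callable[[str, str], Optional[str]]):
        # Exact addresses of the applications this forwarder serves (assumed).
        # The authentication server's allowlist only needs the forwarder's own
        # address (many-to-one mapping), so restricting the target is this
        # service's job; without it any ST could be forwarded to any host.
        self.registered_apps = {self.normalize(a) for a in registered_apps}
        # (first_address, ticket) -> first session identifier, or None on failure
        self.send_ticket = send_ticket

    @staticmethod
    def normalize(addr: str) -> str:
        """Canonical form of an application address: https, host lowercased,
        no query or fragment, so the allowlist compares exact values."""
        s = urlsplit(addr)
        if s.scheme != "https" or not s.netloc:
            raise ValueError("application address must be an absolute https URL")
        return urlunsplit((s.scheme, s.netloc.lower(), s.path or "/", "", ""))

    def parse_first_request(self, request_url: str) -> Tuple[str, str]:
        """URL parsing module: recover the address of the application that
        really started the login (first address) and the ST from the first
        network request's query parameters."""
        q = parse_qs(urlsplit(request_url).query)
        target = q.get("target", [""])[0]
        ticket = q.get("ticket", [""])[0]
        if not target or not ticket.startswith("ST-"):
            raise ValueError("first network request lacks target or service ticket")
        return self.normalize(target), ticket

    def handle(self, request_url: str) -> Redirect:
        """Forwarding module: second network request, then redirect the browser."""
        try:
            first_address, ticket = self.parse_first_request(request_url)
        except ValueError:
            return Redirect(400, "")
        if first_address not in self.registered_apps:
            return Redirect(400, "")                   # never forward to an unregistered host
        sid = self.send_ticket(first_address, ticket)  # second network request
        if sid is None:
            return Redirect(403, "")                   # secondary authentication failed
        # Step 405 / claim 4: first redirection information, with the session
        # identifier carried in a query parameter of the first address.
        s = urlsplit(first_address)
        return Redirect(302, urlunsplit((s.scheme, s.netloc, s.path,
                                         urlencode({"sid": sid}), "")))


def constructed_app_endpoint(first_address: str, ticket: str) -> Optional[str]:
    """Stand-in (constructed) for the first web application's handling of the
    second network request: it would validate the ST with the authentication
    server and, on success, create a first session and return its identifier."""
    return "sess-" + ticket[3:] if ticket == "ST-good" else None


def forward_url(target: str, ticket: str) -> str:
    """Build the first network request the browser sends to the forwarder."""
    return "https://auth-fwd.example.com/forward?" + urlencode({"target": target, "ticket": ticket})


if __name__ == "__main__":
    svc = ForwardingService({"https://app1.example.com/"}, constructed_app_endpoint)
    print(svc.handle(forward_url("https://app1.example.com/", "ST-good")))
    print(svc.handle(forward_url("https://app1.example.com@evil.example/", "ST-good")))
```

Two points a practitioner would check here. First, since the authentication server only allowlists the forwarder, the forwarder's own registry is the only thing that keeps it from becoming an open redirect that hands service tickets to an arbitrary host, which is why the target is normalized and compared exactly (a userinfo trick such as app1.example.com@evil.example fails the comparison). Second, the session identifier leaves the forwarder in a URL query parameter, where it can end up in logs and Referer headers; the application should accept it only once, immediately set it as a cookie (as the scheme does after providing access) and serve the content from a URL that no longer carries it.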
Further, fig. 7 provides a flowchart of a method for accessing a web application that applies after the first web application has initiated authentication to the authentication server according to the first ticket information and has decided, from the returned authentication result, whether to provide the access service to the browser. For a second web application the method specifically includes the following steps:
step 4061, when the second web application receives the second access request sent by the browser and it is determined that the second access request includes the first login ticket identification information, the browser is instructed to initiate a ticket acquisition request to the authentication server.
The second service address contained in the ticket acquiring request is an address corresponding to the authentication forwarding service device, and the second service address contains a second address corresponding to the second web application.
The second access request is the user's request to access the target web application.
Specifically, when the second web application receives a second access request from the browser, the user wishes to access the second web application's content. The second web application then checks whether the second access request carries the first login ticket identification information. If it does, another web application of the same group has already completed login at the authentication server of the single sign-on system, and the second web application instructs the browser to send a ticket acquisition request to the authentication server to obtain ticket information issued by it. Otherwise no web application of the group has logged in at the authentication server, and the second web application should instruct the browser to initiate a single sign-on verification request to the authentication server.
Step 4062: after determining that the first login ticket identification information is valid, the authentication server returns second ticket information to the browser and instructs the browser to send a third network request to the authentication forwarding service device.
The third network request includes the second ticket information and the second address.
Specifically, once the authentication server finds the user login ticket that matches the first login ticket identification information, it issues second ticket information for the second web application from that user login ticket and returns it to the browser; the browser then sends the third network request to the authentication forwarding service device at the address obtained from the second access request.
Step 4063: the authentication forwarding service device generates a corresponding fourth network request from the second address and the second ticket information and sends it to the second web application.
Specifically, from the received second ticket information and second address, the authentication forwarding service device generates a fourth network request that carries the second ticket information to the second address, and sends it to the second web application corresponding to the second address.
Step 4064: the second web application initiates authentication to the authentication server according to the second ticket information and determines, from the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
Specifically, the second web application initiates secondary authentication to the authentication server of the single sign-on system with the received second ticket information and obtains the returned authentication result. If the result is success, it provides the corresponding access service to the browser; if the result is failure, it does not, and may optionally send an authentication failure notification to the browser so that the user can log in again.
Exemplarily, fig. 8 provides a flowchart of a method for accessing a web application, where the method is applied to a case where a user initiates access for the first time, and specifically includes the following steps:
step 501, a user initiates access to the web application 1 through a browser.
Step 502, the browser is redirected to the CAS login interface and starts the authentication process with the CAS server.
Step 503, when the CAS server determines that the user has logged in successfully, it creates an authentication session (a ticket-granting ticket, TGT), issues a service ticket (ST) from the TGT, and generates a user login cookie (the ticket-granting cookie, TGC).
Step 504, the CAS server redirects the browser to the specified domain name address and writes the TGC into the browser; the specified domain name address may be the address of the authentication forwarding service device.
Step 505, the browser accesses the authentication forwarding service device carrying the ST issued by the CAS server, together with the target web application address as an HTTP query parameter.
Step 506, the authentication forwarding service device forwards the request to the target web application named in the query parameter, carrying the ST issued by the CAS server.
Step 507, web application 1 initiates the secondary authentication process with the ST: the CAS server verifies the ST against the TGT and returns the authentication result, and when the result is success the application provides access to the browser.
Exemplarily, fig. 9 provides a flowchart of a web application access method that applies to the other web applications sharing the same authentication forwarding service device with web application 1, after web application 1 has completed login verification. It includes the following steps:
Step 601, the user initiates access through the browser to a web application 2-n that shares the same authentication forwarding service device with web application 1.
Assuming that n-1 web applications share the same authentication forwarding service device with web application 1, so that n web applications including web application 1 share it, 2-n denotes any one of those n web applications other than web application 1.
Step 602, the browser is redirected to the CAS login interface; because the browser already holds the TGC, it presents the TGC to the CAS server for verification instead of going through the login form.
Step 603, the CAS server looks up the TGT corresponding to the TGC and issues an ST from that TGT.
Step 604, the CAS server redirects the browser to the specified domain name address, carrying the ST; the specified domain name address may be the address of the authentication forwarding service device.
Step 605, the browser accesses the authentication forwarding service device carrying the ST issued by the CAS server, together with the target web application address as an HTTP query parameter.
Step 606, the authentication forwarding service device forwards the request to the target web application named in the query parameter, carrying the ST issued by the CAS server.
Step 607, the target web application initiates the secondary authentication process with the ST: the CAS server verifies the ST against the TGT and returns the authentication result, and when the result is success the application provides access to the browser.
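The authentication server side of the two flows in figs. 8 and 9, as an added example that is not the patent's code. It models the CAS ticket types the flows rely on: a ticket-granting ticket (TGT) created at login, the ticket-granting cookie (TGC) that identifies it in the browser, and service tickets (ST) issued from the TGT, each bound to one service URL and valid for a single validation. The first flow enters credentials and the second one presents only the TGC, and both end in the secondary validation of steps 507 and 607. Lifetimes, ticket formats, the credential table, the forwarder address and the use of the TGT identifier as the TGC value are assumptions for illustration.

```python
"""Authentication server side of figs. 8 and 9: TGT, TGC and ST handling.

Added example, not the patent's code. Lifetimes, ticket formats, the
credential table and the use of the TGT identifier as the TGC value are
assumptions; an injectable clock lets the expiry paths be exercised offline.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlencode

ST_LIFETIME_S = 10             # assumed: an ST must be validated promptly
TGT_LIFETIME_S = 8 * 3600      # assumed: login session lifetime
FORWARDER_BASE = "https://auth-fwd.example.com/forward"   # assumed forwarder address


def service_for(app_address: str) -> str:
    """Specified domain name address of steps 504/604: the forwarder with the
    target application address carried as a query parameter."""
    return f"{FORWARDER_BASE}?{urlencode({'target': app_address})}"


@dataclass
class ServiceTicket:
    service: str       # service URL the ST was issued for
    tgt_id: str        # TGT it was issued from
    issued_at: float


@dataclass
class CASServer:
    users: Dict[str, str]                     # constructed credential table
    now: Callable[[], float] = time.time      # injectable clock
    tgts: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # TGT id -> (user, created)
    sts: Dict[str, ServiceTicket] = field(default_factory=dict)

    def login(self, username: str, password: str, service: str) -> Optional[Tuple[str, str]]:
        """Step 503: verify credentials, create the TGT, issue an ST, return
        (TGC value, ST). The TGC is written to the browser and the ST travels
        to the forwarder (steps 504/505)."""
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        tgt_id = "TGT-" + secrets.token_urlsafe(24)
        self.tgts[tgt_id] = (username, self.now())
        st = self.issue_st(tgt_id, service)
        return (tgt_id, st) if st else None

    def issue_st(self, tgt_id: str, service: str) -> Optional[str]:
        """Steps 503/603: issue an ST from a live TGT, bound to one service URL."""
        entry = self.tgts.get(tgt_id)
        if entry is None or self.now() - entry[1] > TGT_LIFETIME_S:
            self.tgts.pop(tgt_id, None)
            return None
        st_id = "ST-" + secrets.token_urlsafe(24)
        self.sts[st_id] = ServiceTicket(service, tgt_id, self.now())
        return st_id

    def authenticate_with_tgc(self, tgc: str, service: str) -> Optional[str]:
        """Steps 602/603: the browser presents the TGC, so the login form is
        skipped and an ST is issued directly from the matching TGT."""
        return self.issue_st(tgc, service)

    def service_validate(self, st_id: str, service: str) -> Optional[str]:
        """Steps 507/607: secondary authentication. The ST is consumed on first
        use, must be fresh, must match the service it was issued for, and its
        TGT must still exist. Returns the user name or None."""
        st = self.sts.pop(st_id, None)
        if st is None or self.now() - st.issued_at > ST_LIFETIME_S or st.service != service:
            return None
        entry = self.tgts.get(st.tgt_id)
        return entry[0] if entry else None


def first_access(cas: CASServer, app: str, username: str, password: str) -> Optional[Tuple[str, str]]:
    """Fig. 8: login at CAS, then the application validates the ST. Returns (TGC, user)."""
    service = service_for(app)
    result = cas.login(username, password, service)
    if result is None:
        return None
    tgc, st = result
    user = cas.service_validate(st, service)   # the forwarder carried the ST to the app
    return (tgc, user) if user else None


def later_access(cas: CASServer, tgc: str, app: str) -> Optional[str]:
    """Fig. 9: the browser already holds the TGC, so no credentials are re-entered."""
    service = service_for(app)
    st = cas.authenticate_with_tgc(tgc, service)
    return cas.service_validate(st, service) if st else None


if __name__ == "__main__":
    cas = CASServer(users={"alice": "s3cret"})   # constructed credentials
    tgc, user = first_access(cas, "https://app1.example.com/", "alice", "s3cret")
    print(user, later_access(cas, tgc, "https://app2.example.com/"))
```

The single-use, short-lived, service-bound ST is what makes the forwarding hop in this design safe to expose: a ticket that leaks from the forwarder's logs or a Referer header is already consumed by the target application's secondary authentication, cannot be validated for another application's service string, and expires within seconds. The TGC, by contrast, is long-lived and identifies the whole login session, so it stays confined to the authentication server's own domain and never passes through the forwarder.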
According to the web application access scheme provided by this embodiment, the secondary authentication that each web application performs against the authentication server preserves the security of single sign-on. When that authentication succeeds, the browser is redirected to the target web application, a session is created, and its session identification information is generated and written into the browser, which achieves the cross-domain setting of cookies. When different web applications are accessed, the scheme checks whether the request carries login ticket identification information; if it does, the authentication server's login verification is skipped and ticket information is issued directly, so that a single login at the authentication server gives access to several web applications that are functionally similar, mutually independent and have different destination addresses.
Fig. 10 is a block diagram of a web application access apparatus according to an embodiment of the present invention, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an authentication forwarding service device, and may be implemented by executing a web application access method. As shown in fig. 10, the apparatus includes: a network request receiving module 701, a network request generating module 702 and a second network request sending module 703.
The network request receiving module 701 is configured to receive a first network request sent by a browser, where the first network request includes first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application; a network request generating module 702, configured to generate a corresponding second network request according to the first address and the first ticket information; the second network request sending module 703 is configured to send a second network request to the first web application, and is configured to instruct the first web application to initiate authentication to the authentication server according to the first ticket information, and determine whether to provide an access service to the browser according to an authentication result returned by the authentication server.
The technical scheme of this embodiment maps several functionally similar, mutually independent web applications with different destination addresses onto one authentication forwarding service device (a many-to-one mapping), and performs login authentication at the single sign-on authentication server through that device. The allowlist kept by the single sign-on authentication server therefore only needs to contain the forwarding service device rather than every application, which makes it easy to manage and maintain, improves the convenience of logging in to different web applications, and preserves the security of the login operation.
Optionally, the apparatus further comprises:
and the identification information receiving module is used for receiving first session identification information returned by the first webpage application, wherein the first webpage application creates a first session and generates corresponding first session identification information when determining that the authentication result returned by the authentication server is successful.
And the identification information sending module is used for sending the first session identification information to the browser and indicating the browser to access the first webpage application according to the first session identification information.
Further, the identification information sending module is specifically configured to send first redirection information to the browser, where the first redirection information includes a first address, and the first session identification information is included in a query parameter of the first address.
The webpage application access device provided by the embodiment of the invention can execute the webpage application access method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
The embodiment of the invention provides authentication forwarding service equipment, wherein the webpage application access device provided by the embodiment of the invention can be integrated in the authentication forwarding service equipment. Fig. 11 is a block diagram of an authentication forwarding service device according to an embodiment of the present invention. The authentication forwarding service apparatus 800 includes a memory 801, a processor 802, and a computer program stored on the memory 801 and operable on the processor 802, and when the processor 802 executes the computer program, the processor 802 implements the web application access method provided by the embodiment of the present invention.
An embodiment of the present invention provides a single sign-on system, and fig. 12 is a block diagram of a single sign-on system according to an embodiment of the present invention. The single sign-on system includes an authentication server 901, an authentication forwarding service device 902, and at least two web applications 903, where fig. 12 illustrates one web application 903 as an example, the single sign-on system is configured to execute the web application access method provided in the embodiment of the present invention.
Embodiments of the present invention also provide a storage medium containing computer-executable instructions, which are used to execute the web application access method provided by the embodiments of the present invention when executed by a computer processor.
Storage medium: any of various types of memory devices or storage devices. The term "storage medium" is intended to include: installation media such as CD-ROM, floppy disk, or tape devices; computer system memory or random access memory such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM, etc.; non-volatile memory such as flash memory, magnetic media (e.g., hard disk or optical storage); registers or other similar types of memory elements, etc. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in a first computer system in which the program is executed, or may be located in a different second computer system connected to the first computer system through a network (such as the internet). The second computer system may provide program instructions to the first computer for execution. The term "storage medium" may include two or more storage media that may reside in different locations, such as in different computer systems that are connected by a network. The storage medium may store program instructions (e.g., embodied as a computer program) that are executable by one or more processors.
The web application access device, the apparatus, the system and the storage medium provided in the above embodiments may execute the web application access method provided in any embodiment of the present invention, and have corresponding functional modules and beneficial effects for executing the method. For technical details that are not described in detail in the foregoing embodiments, reference may be made to a web application access method provided in any embodiment of the present invention.
Note that the above is only a preferred embodiment of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in more detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the claims.

Claims (15)

1. A method for accessing a web application, comprising:
receiving a first network request sent by a browser, wherein the first network request comprises first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application;
generating a corresponding second network request according to the first address and the first ticket information;
and sending the second network request to the first web application, wherein the second network request is used for instructing the first web application to initiate authentication to the authentication server according to the first ticket information, and to determine whether to provide corresponding access service to the browser according to an authentication result returned by the authentication server.
2. The method of claim 1, wherein the first address is included in a query parameter of the first network request.
3. The method of claim 1, further comprising, after said sending the second web request to the first web application:
receiving first session identification information returned by the first webpage application, wherein the first webpage application creates a first session and generates corresponding first session identification information when determining that an authentication result returned by the authentication server is successful;
and sending the first session identification information to the browser, wherein the first session identification information is used for indicating the browser to access the first webpage application according to the first session identification information.
4. The method of claim 3, wherein sending the first session identification information to the browser comprises:
and sending first redirection information to the browser, wherein the first redirection information comprises the first address, and the first session identification information is contained in a query parameter of the first address.
5. The method according to any of claims 1-4, wherein the single sign-on system comprises a single sign-on system based on a Central Authentication Service (CAS).
6. A web application access method is applied to a single sign-on system and comprises the following steps:
when a first webpage application receives a first access request sent by a browser, the browser is indicated to initiate a single sign-on verification request to an authentication server, wherein a first service address contained in the single sign-on verification request is an address corresponding to authentication forwarding service equipment, and the first service address also contains a first address corresponding to the first webpage application;
after detecting that the single sign-on verification is successful, the authentication server returns first ticket information and first login ticket identification information to the browser and instructs the browser to send a first network request to the authentication forwarding service device, wherein the first network request comprises the first ticket information and the first address;
the authentication forwarding service device generates a corresponding second network request according to the first address and the first ticket information, and sends the second network request to the first web application;
and the first web application initiates authentication to the authentication server according to the first ticket information and determines whether to provide corresponding access service to the browser according to an authentication result returned by the authentication server.
7. The method of claim 6, wherein the determining, by the first web application, whether to provide the corresponding access service to the browser according to the authentication result returned by the authentication server comprises:
when the first web application determines that the authentication result returned by the authentication server is successful, creating a first session, generating corresponding first session identification information, and returning the first session identification information to the authentication forwarding service device;
the authentication forwarding service device sends the first session identification information to the browser to instruct the browser to access the first web application according to the first session identification information;
and when the first web application determines that the first session identification information is valid, providing the corresponding access service to the browser.
8. The method of claim 7, further comprising, after the first web application provides the corresponding access service to the browser:
the first web application writes the first session identification information into the browser.
9. The method of claim 7, wherein instructing the browser to initiate a single sign-on verification request to an authentication server when the first web application receives a first access request sent by the browser comprises:
when the first web application receives a first access request sent by the browser and determines that the first access request does not contain session identification information, instructing the browser to initiate a single sign-on verification request to the authentication server.
10. The method of claim 6, further comprising, after the first web application initiates authentication to the authentication server according to the first ticket information and determines whether to provide access service to the browser according to an authentication result returned by the authentication server:
when a second web application receives a second access request sent by the browser and determines that the second access request contains the first login ticket identification information, instructing the browser to send a ticket obtaining request to the authentication server, wherein a second service address contained in the ticket obtaining request is an address corresponding to the authentication forwarding service device, and the second service address contains a second address corresponding to the second web application;
after determining that the first login ticket identification information is valid, the authentication server returns second ticket information to the browser and instructs the browser to send a third network request to the authentication forwarding service device, wherein the third network request comprises the second ticket information and the second address;
the authentication forwarding service device generates a corresponding fourth network request according to the second address and the second ticket information, and sends the fourth network request to the second web application;
and the second web application initiates authentication to the authentication server according to the second ticket information and determines, according to an authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
11. The method of claim 6, wherein the first address is included in a query parameter of the first service address.
12. A web application access apparatus, comprising:
a network request receiving module, configured to receive a first network request sent by a browser, wherein the first network request comprises first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application;
a network request generating module, configured to generate a corresponding second network request according to the first address and the first ticket information;
and a second network request sending module, configured to send the second network request to the first web application, so as to instruct the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to an authentication result returned by the authentication server, whether to provide access service to the browser.
13. An authentication forwarding service device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1-4 when executing the computer program.
14. A single sign-on system comprising an authentication server, an authentication forwarding service device and at least two web applications, the system being adapted to perform the method of any of claims 6 to 11.
15. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-11.
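The exchange of claims 1-8 and 12 (browser, CAS-style authentication server, authentication forwarding service, web application), as an added Python simulation that is not part of the patent: the forwarder receives the ticket and the first address, sends the second request to the application, which validates the ticket with the server and returns a session id that the forwarder hands back to the browser as a query parameter of the first address. Hostnames, parameter names (first_address, sid) and the forwarder's registry of applications it will forward tickets to are assumptions.

```python
"""Added example (not the patent's code) simulating the SSO flow of claims 1-8 and 12.
URLs, parameter names and the forwarder's list of registered apps are assumptions."""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

FORWARDER = "https://forwarder.example/auth"  # assumed authentication forwarding service address

def service_address(first_address):
    # first service address: the forwarder, carrying the app's address in a query parameter (claim 11)
    return FORWARDER + "?" + urlencode({"first_address": first_address})

class AuthServer:  # CAS-style server issuing single-use tickets bound to one service address
    def __init__(self):
        self.tickets = {}  # ticket -> (service address it was issued for, user)
    def login(self, user, service):
        ticket = "ST-" + secrets.token_urlsafe(12)
        self.tickets[ticket] = (service, user)
        return ticket
    def validate(self, ticket, service):
        issued_for, user = self.tickets.pop(ticket, (None, None))
        return user if issued_for == service else None

class WebApp:
    def __init__(self, address, cas):
        self.address, self.cas, self.sessions = address, cas, {}
    def on_second_request(self, ticket):  # claims 6-7: authenticate the ticket, create a session
        user = self.cas.validate(ticket, service_address(self.address))
        if user is None:  # unknown, already used, or issued for a different service
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid
    def on_access(self, sid):  # claim 7: serve only when the session id is valid
        return f"hello {self.sessions[sid]}" if sid in self.sessions else "denied"

class AuthForwarder:
    def __init__(self, registered_apps):
        self.apps = registered_apps  # first address -> WebApp; unregistered addresses are refused
    def on_first_request(self, ticket, first_address):  # claims 1-4: forward ticket, redirect browser
        app = self.apps.get(first_address)
        sid = app.on_second_request(ticket) if app else None  # second network request to the app
        # claim 4: redirect the browser to the first address with the session id in a query parameter
        return None if sid is None else first_address + "?" + urlencode({"sid": sid})

def browser_flow(cas, forwarder, app, user):
    ticket = cas.login(user, service_address(app.address))      # browser signs in at the CAS server
    redirect = forwarder.on_first_request(ticket, app.address)  # first network request
    if redirect is None:
        return "denied"
    sid = parse_qs(urlsplit(redirect).query)["sid"][0]          # browser follows the redirect
    return app.on_access(sid)
```

Because tickets are single-use and bound to the service address they were issued for, a replayed ticket or one issued for another service fails validation in the web application, so no session is created from it.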
CN202010170531.0A 2020-03-12 2020-03-12 Webpage application access method, device, equipment, system and storage medium Active CN111404921B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010170531.0A CN111404921B (en) 2020-03-12 2020-03-12 Webpage application access method, device, equipment, system and storage medium

Publications (2)

Publication Number Publication Date
CN111404921A CN111404921A (en) 2020-07-10
CN111404921B true CN111404921B (en) 2022-05-17

Family

ID=71413953

Country Status (1)

Country Link
CN (1) CN111404921B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113765869B (en) * 2020-08-18 2023-06-30 北京沃东天骏信息技术有限公司 Login method, login device, server side and storage medium
CN112765583A (en) * 2021-01-27 2021-05-07 海尔数字科技(青岛)有限公司 Single sign-on method, device, equipment and medium
CN114500074B (en) * 2022-02-11 2024-04-12 京东科技信息技术有限公司 Single-point system security access method and device and related equipment

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101997685A (en) * 2009-08-27 2011-03-30 阿里巴巴集团控股有限公司 Single sign-on method, single sign-on system and associated equipment
CN103414684A (en) * 2013-06-05 2013-11-27 华南理工大学 Single sign-on method and system
CN109688114A (en) * 2018-12-10 2019-04-26 迈普通信技术股份有限公司 Single-point logging method, certificate server and application server

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US8943571B2 (en) * 2011-10-04 2015-01-27 Qualcomm Incorporated Method and apparatus for protecting a single sign-on domain from credential leakage

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20231016

Address after: 31a, 15 / F, building 30, maple mall, bangrang Road, Brazil, Singapore

Patentee after: Baiguoyuan Technology (Singapore) Co.,Ltd.

Address before: 5-13 / F, West Tower, building C, 274 Xingtai Road, Shiqiao street, Panyu District, Guangzhou, Guangdong 510000

Patentee before: GUANGZHOU BAIGUOYUAN INFORMATION TECHNOLOGY Co.,Ltd.