CN111404921B - Webpage application access method, device, equipment, system and storage medium - Google Patents
- Publication number: CN111404921B (application CN202010170531.0A)
- Authority: CN (China)
- Prior art keywords: authentication, browser, address, network request, authentication server
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0815: Network architectures or network communication protocols for network security, for authentication of entities, providing single-sign-on or federations
- G06F21/554: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; detecting local intrusion or implementing counter-measures involving event detection and direct action
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/101: Network architectures or network communication protocols for network security, for controlling access to devices or network resources; access control lists [ACL]
- H04L67/02: Network arrangements or protocols for supporting network services or applications; protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
Abstract
The embodiment of the invention discloses a method, a device, equipment, a system and a storage medium for accessing a web application. The method comprises the following steps: receiving a first network request sent by a browser; generating a corresponding second network request according to the first address and the first ticket information; and sending the second network request to the first web application, where the second network request instructs the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser. The technical scheme provided by the embodiment can support a many-to-one mapping between mutually independent web applications with different destination addresses and a single authentication forwarding service device, with login authentication performed against the single sign-on authentication server through that device, so that the whitelist of the single sign-on authentication server is easy to manage and maintain, the convenience of logging in to different web applications is improved, and the security of the login operation is ensured.
Description
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method, a device, equipment, a system and a storage medium for accessing webpage applications.
Background
Single sign-on (SSO) is currently one of the popular solutions for enterprise business integration. It is defined as follows: among multiple application systems, a user only needs to log on once to access all mutually trusted application systems.
Currently, the usage scenario mainly addressed by the single sign-on function is sign-on to a web service with a unique domain name, where different domain names represent different web applications. However, for web services that provide similar functions and are independent of each other while having different destination addresses, whitelist management on the single sign-on authentication server becomes very complicated and difficult to maintain, which makes integrating them with single sign-on authentication very difficult; improvements are therefore needed.
Disclosure of Invention
The embodiment of the invention provides a method, a device, equipment, a system and a storage medium for accessing a webpage application, which can optimize the existing webpage application access scheme based on single sign-on.
In a first aspect, an embodiment of the present invention provides a method for accessing a web application, where the method includes:
receiving a first network request sent by a browser, where the first network request includes first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application;
generating a corresponding second network request according to the first address and the first ticket information;
and sending the second network request to the first web application, where the second network request instructs the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
In a second aspect, an embodiment of the present invention provides a method for accessing a web application, where the method includes:
when a first web application receives a first access request sent by a browser, it instructs the browser to initiate a single sign-on verification request to an authentication server, where the first service address contained in the single sign-on verification request is the address corresponding to the authentication forwarding service device, and the first service address also contains a first address corresponding to the first web application;
after detecting that the single sign-on verification succeeded, the authentication server returns first ticket information and first login ticket identification information to the browser and instructs the browser to send a first network request to the authentication forwarding service device, where the first network request includes the first ticket information and the first address;
the authentication forwarding service device generates a corresponding second network request according to the first address and the first ticket information, and sends the second network request to the first web application;
and the first web application initiates authentication to the authentication server according to the first ticket information and determines, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
In a third aspect, an embodiment of the present invention provides a web application access apparatus, where the apparatus includes:
a network request receiving module, used to receive a first network request sent by a browser, where the first network request includes first ticket information issued by an authentication server in the single sign-on system and a first address corresponding to a first web application;
a network request generating module, used to generate a corresponding second network request according to the first address and the first ticket information;
and a second network request sending module, used to send the second network request to the first web application, instructing the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the access service to the browser.
In a fourth aspect, an embodiment of the present invention provides an authentication forwarding service device, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the web application access method provided in the first aspect of the embodiment of the present invention.
In a fifth aspect, an embodiment of the present invention provides a single sign-on system, which includes an authentication server, an authentication forwarding service device, and at least two web applications, and is configured to execute the web application access method provided in the second aspect of the embodiment of the present invention.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements a web application access method as provided in any embodiment of the present invention.
According to the web application access scheme provided by the embodiment of the invention, a first network request sent by a browser is received, where the first network request includes first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application; a corresponding second network request is generated according to the first address and the first ticket information; and the second network request is sent to the first web application, instructing it to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser. With this technical scheme, a forwarding service is added to the single sign-on system; after the forwarding service receives the ticket information issued by the single sign-on server, the corresponding web application obtains the ticket information through forwarded authentication and verifies it with the single sign-on server. This supports a many-to-one mapping between mutually independent web applications with different destination addresses and the forwarding service, so that the whitelist of the single sign-on authentication server is easy to manage and maintain, the convenience of logging in to different web applications is improved, and the security of the login operation is ensured.
Drawings
Fig. 1 is a scene architecture diagram of an application scene to which the method for accessing a web application according to the embodiment of the present invention is applied;
Fig. 2 is a diagram illustrating an exemplary architecture of a single sign-on system in the prior art;
Fig. 3 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 4 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 5 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 6 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 7 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention;
Fig. 8 is a flowchart illustrating a method for accessing a web application according to an embodiment of the present invention;
Fig. 9 is a flowchart illustrating a method for accessing a web application according to an embodiment of the present invention;
Fig. 10 is a block diagram illustrating the structure of a web application access apparatus according to an embodiment of the present invention;
Fig. 11 is a block diagram illustrating an authentication forwarding service device according to an embodiment of the present invention;
Fig. 12 is a block diagram of a single sign-on system according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures. In addition, the embodiments and features of the embodiments in the present invention may be combined with each other without conflict.
Fig. 1 is a scene architecture diagram of an application scene to which the method for accessing a web application according to the embodiment of the present invention is applied. Specifically, referring to fig. 1, the application scenario may include a client 10, a server 11, and a browser 12.
The client 10 may be understood as a client in a single sign-on system, and is configured to send a request parameter to the server 11, so that the server 11 completes login authentication of a specified web application, and meanwhile, the client 10 needs to ensure that the request parameter sent to the server 11 carries an address of the web application initiating the login authentication; the server 11 may be understood as a server in a single sign-on system for providing login authentication, managing an authentication session between the server 11 and the browser 12, and issuing an authentication ticket to the browser 12 to enable the browser 12 to complete access to a target web application.
A single sign-on is understood to mean that, in a plurality of application systems, a user only needs to log on once to access all mutually trusted application systems. A single sign-on system may be understood as a system consisting of a plurality of web applications, a browser and an authentication server, wherein the authentication server is configured to manage authentication sessions of corresponding services and to implement authentication management of applications through ticket authentication.
Fig. 2 is an exemplary diagram of an architecture of a single sign-on system in the prior art, and specifically, referring to fig. 2, the system may include at least one web application 20, a server 21 and a browser 22, where the client 10 may be deployed in the web application 20.
Specifically, a user accesses a protected web application 20 through a browser 22, the web application 20 initiates a login verification process to a server 21, the server 21 creates an authentication session after login verification and writes a login state into the browser 22, and simultaneously sends a message carrying ticket information issued by the authentication session to the browser 22, so that the browser redirects to the web application 20 and sends the ticket information to the web application 20, the web application 20 initiates a secondary authentication process to the server 21 by using the ticket information, verifies the ticket information by using the authentication session of the server 21, and displays the protected content of the web application 20 to the browser 22 after verification is passed. However, the single sign-on system mainly solves the problem that the web application with the unique domain name is logged in, that is, the session created by the server 21 and the login status written in the browser 22 are in a one-to-one mapping relationship with the web application, which causes a great pressure on the white list management of the server 21, and a method for implementing the many-to-one mapping between the web application and the server 21 and reducing the pressure of the server 21 is urgently needed.
Fig. 3 is a flowchart of a method for accessing a web application according to an embodiment of the present invention, where the method may be executed by a web application accessing apparatus, where the apparatus may be implemented by software and/or hardware, and may be generally integrated in an authentication forwarding service device. As shown in fig. 3, the method includes:
The first network request can be understood as a message sent by the browser to the authentication forwarding service device in order to deliver to that device the service ticket issued by the authentication server in the single sign-on system and the address of the web application that is completing login authentication.
The first webpage application can be understood as a target application accessed by a user, namely an application needing to complete login and realize access.
Specifically, when a user wants to access a first webpage application through a browser, the browser accesses an authentication server in a single sign-on system to complete an authentication process and acquire first bill information issued by the authentication server, and meanwhile, the browser generates a first network request and sends the first network request to authentication forwarding service equipment, wherein the first network request comprises the first bill information and a first address corresponding to the first webpage application.
The first ticket information can be understood as a ticket issued by the authentication server after the user logs in, used for performing secondary verification of the specified web application.
The first address is included in the query parameter of the first network request, and the query parameter can be understood as specific parameter information included in the first network request. The advantage of this is that the first address can be successfully delivered in its entirety using the query parameters.
For example, the single sign-on system may be a Central Authentication Service (CAS) single sign-on system; the authentication server may then be understood as the CAS server, the first ticket information as a Service Ticket (ST) in CAS, and the first web application as a first web application server, that is, the CAS client, which is generally deployed in the web application server.
Step 102: generating a corresponding second network request according to the first address and the first ticket information.
The second network request can be understood as information for sending a service ticket issued by an authentication server in the single sign-on system to the target webpage application corresponding to the first address.
Specifically, the authentication forwarding service device generates a second network request for transmitting the first ticket information according to the received first ticket information, and determines a target application to which the second network request should be sent according to the received first address.
For example, when the single sign-on system is a CAS system, the first address received by the authentication forwarding service device may take the form of an HTTP query parameter. The authentication forwarding service device parses, from the first network request sent by the browser, the address of the web application that actually initiated CAS authentication, that is, it determines whether the query parameter contains a target web application address. If it does, the device initiates a network request to forward the first ticket information from the received first network request to the parsed target web application address; if it does not, the flow ends as an illegal request, which is reported back to the browser to prompt the user that login failed.
Specifically, the authentication forwarding service device sends a second network request to the first web application according to the first address, and is configured to instruct the first web application to initiate secondary authentication to an authentication server in the single sign-on system according to first ticket information carried in the second network request, perform user login ticket authentication corresponding to the first ticket information at the authentication server, and receive an authentication result returned by the authentication server.
Fig. 4 is a schematic flowchart of a web application access method provided in an embodiment of the present invention. The technical solution of this embodiment is further optimized on the basis of the optional technical solutions above, so that cross-domain setting of cookies is implemented and the problem that a conventional access method can only modify cookies of the top-level domain and of its own domain, but not of other domains, is solved.
The method specifically comprises the following steps:
Step 204: receiving first session identification information returned by the first web application, where the first web application creates a first session and generates the corresponding first session identification information when it determines that the authentication result returned by the authentication server is successful.
Wherein the first session identification information may be understood as a cookie generated by the first web application for recording an ID of the first session generated by the first web application, i.e. a short piece of text information for recording the user state.
Specifically, when the first web application receives the second network request, it initiates secondary authentication to the authentication server in the single sign-on system according to the first ticket information carried in the second network request. When the first web application receives a successful authentication result from the authentication server, it creates the first session and writes it into the cache, generates a cookie whose content represents the first session ID, namely the first session identification information, and returns the first session identification information to the authentication forwarding service device.
Specifically, the authentication forwarding service device sends the first session identification information to the browser, and the browser queries a first address of the first webpage application according to the first session identification information to access the first webpage application, so that the interface jumps to the content in the first webpage application, and the first webpage application can set cookie content in the browser.
Further, sending the first session identification information to the browser includes sending first redirection information to the browser. This has the advantage that the first redirection information can be used to direct the browser to access the target web application and to retrieve the accessed content in the first web application.
Wherein the first redirection information may be understood as orientation information for instructing the browser to access the target web application.
Specifically, the first redirection information includes a first address of the first web application, and the first session identification information is included in the query parameter of the first address.
Illustratively, in the CAS single sign-on system, cross-domain cookie setting is handled through the configuration of the CAS client, which stores the authentication state in the browser; specifically:
after the browser initiates login verification for a target web application to the server, the server redirects the browser to the authentication forwarding service page; after login verification completes, a cookie containing the authentication state needs to be stored in the browser, and the Uniform Resource Locator (URL) of that cookie needs to be the address of the target web application, but at this moment the browser's address is still that of the authentication forwarding service device, so the cookie cannot be set across domains.
According to the web application access scheme provided by this embodiment, the web application initiates secondary authentication to the authentication server according to the received second network request; when authentication succeeds, it creates a first session, generates the corresponding first session identification information and sends it to the authentication forwarding service device, which writes the first session identification information into the browser to instruct the browser to access the first web application according to it. Because each web application is accessed through secondary authentication, the authentication server can support access to a plurality of mutually independent web applications with different destination addresses after only one login, which ensures the security of single sign-on. Because the session between the web application and the browser is created after authentication succeeds and the corresponding session identification information is then written into the browser, cookies can be set across domains, which solves the problem that the traditional login method can only set cookies for the top-level domain and its own domain but not for other domains.
Fig. 5 is a schematic flowchart of a method for accessing a web application according to an embodiment of the present invention, where the method is applicable to a single sign-on system, where the single sign-on system includes at least two web applications, an authentication forwarding service device, and an authentication server.
The method specifically comprises the following steps:
The first web application can be any one of the at least two web applications. The single sign-on verification request can be understood as request information carrying the various pieces of authentication information, such as the address of the web application that needs to sign on for authentication, the login name and the authentication code. Optionally, the single sign-on verification request at least includes a first service address, where the first service address is the address corresponding to the authentication forwarding service device, and the first service address further includes a first address corresponding to the first web application.
Wherein the first address is included in the query parameters of the first service address.
Specifically, when a user wants to access a first web application, a first access request is sent to the first web application through the browser. When the first web application receives the first access request, the browser jumps to a login interface; if this is the first login to the first web application, login information is entered in the login interface, and a single sign-on verification request is generated from the entered login information, the preset address of the authentication forwarding service device sent to the browser by the first web application, and the first address corresponding to the first web application, and is then sent to the authentication server.
The first ticket information can be understood as a service ticket issued from the user login ticket that the authentication server generates after login verification succeeds; the ticket information can be used by the specified web application for secondary authentication at the authentication server.
The user login ticket can be understood as a user login session stored by the authentication server, wherein a cookie and user information corresponding to the cookie are encapsulated.
The first login ticket identification information may be a cookie corresponding to a user login ticket generated after the user login is successful, namely after the authentication server successfully verifies the user login ticket, or may be a user login cookie written by the authentication server to the user browser to identify the user login ticket.
Specifically, when the authentication server detects that the single sign-on verification result is successful, it issues first ticket information, generates first login ticket identification information, sends both to the browser, and instructs the browser to send a first network request to the address of the authentication forwarding service device carried in the single sign-on verification request. The first network request includes the first ticket information and the first address of the first web application.
Specifically, the authentication forwarding service device generates, from the received first ticket information and first address, a second network request for transmitting the first ticket information to the first address, and sends the second network request to the first web application corresponding to the first address.
Optionally, the authentication forwarding service device may include two main modules: a URL parsing module and a forwarding module.
The URL parsing module is used to parse, from the received first network request, the address of the web application that actually initiated login authentication, that is, the first address; the forwarding module is used to forward the acquired first ticket information issued by the authentication server to the address parsed by the URL parsing module.
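As an added illustration of the URL parsing module and the forwarding module described above (example code written for this page, not code from the patent), the following Python sketch parses a first network request, takes the ST and the first address from its query parameters, and builds the second network request as well as the first redirection information that later carries the session identification information back to the browser. The parameter names `ticket`, `target` and `sid`, the host names and the registry of web application addresses are assumptions. The registry models a check the forwarding service needs because it is the one address the authentication server whitelists: if it forwarded a ticket to whatever address appears in the query parameter, it would act as an open redirector for the ticket.

```python
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed registry of web application addresses that may receive forwarded
# tickets (constructed for this example). The forwarding service device must
# keep its own list of the web applications behind it; the authentication
# server only knows the forwarding service's address.
REGISTERED_FIRST_ADDRESSES = {
    "https://app1.example/sso/callback",
    "https://app2.example/sso/callback",
}


def _canonical(address: str) -> str:
    """Reduce an address to scheme://host/path so the comparison with the
    registry ignores any query string or fragment the request may carry."""
    p = urlsplit(address)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def parse_first_network_request(url: str) -> tuple:
    """URL parsing module: return (first ticket information, first address)
    taken from the query parameters of the first network request."""
    query = parse_qs(urlsplit(url).query)
    ticket = query.get("ticket", [""])[0]
    target = query.get("target", [""])[0]
    if not ticket or not target:
        raise ValueError("first network request lacks ticket or target")
    first_address = _canonical(target)
    if first_address not in REGISTERED_FIRST_ADDRESSES:
        raise ValueError("target is not a registered web application address")
    return ticket, first_address


def build_second_network_request(ticket: str, first_address: str) -> str:
    """Forwarding module: attach the ticket to the first address as a query
    parameter, producing the second network request sent to the web app."""
    p = urlsplit(first_address)
    query = parse_qs(p.query)
    query["ticket"] = [ticket]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query, doseq=True), ""))


def build_first_redirection(first_address: str, session_id: str) -> str:
    """First redirection information: the first address with the session
    identification information placed in a query parameter."""
    p = urlsplit(first_address)
    query = parse_qs(p.query)
    query["sid"] = [session_id]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query, doseq=True), ""))


if __name__ == "__main__":
    # Constructed first network request, as the browser would send it after
    # the authentication server's redirect to the forwarding service.
    request = ("https://forward.example/sso?ticket=ST-1234-example"
               "&target=https%3A%2F%2Fapp1.example%2Fsso%2Fcallback")
    st, addr = parse_first_network_request(request)
    print(build_second_network_request(st, addr))
    print(build_first_redirection(addr, "SID-example"))
```

The canonicalisation step compares only scheme, host and path, so a target such as `https://app1.example.evil.test/sso/callback` or one carrying extra query parameters cannot pass as a registered address; the ST itself is opaque to the forwarding service and is only ever validated by the web application's secondary authentication.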
Step 304: the first web application initiates authentication to the authentication server according to the first ticket information, and determines, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser.
Specifically, the first web application initiates secondary authentication to the authentication server in the single sign-on system according to the received first ticket information and obtains the authentication result returned by the authentication server. If the authentication result is successful, the first web application provides the corresponding access service to the browser; if it fails, the access service is not provided, and optionally an authentication failure notification is sent to the browser so that the user can perform login authentication again.
According to the web application access scheme provided by this embodiment of the invention, when a first web application receives a first access request sent by a browser, it instructs the browser to initiate a single sign-on verification request to an authentication server; after detecting that the single sign-on verification succeeded, the authentication server returns first ticket information and first login ticket identification information to the browser and instructs the browser to send a first network request to the authentication forwarding service device; the authentication forwarding service device generates a corresponding second network request from the first address and the first ticket information and sends it to the first web application; and the first web application initiates authentication to the authentication server according to the first ticket information and determines, according to the authentication result returned by the authentication server, whether to provide the corresponding access service to the browser. With this technical solution, logging in once at the authentication server of the single sign-on system is sufficient to complete login verification and access for web applications that have similar functions, are independent of one another and have different destination addresses, using the same ticket information together with the different web application addresses; the convenience of the login operation is improved, and its security is ensured by the secondary authentication.
Fig. 6 is a schematic flowchart of a web application access method according to an embodiment of the present invention, which further refines the technical solution above and specifically includes the following steps:
Specifically, when the first web application determines that the authentication result returned by the authentication server is successful, it creates a first session, writes it into the cache, and generates first session identification information from the first session, namely a cookie whose content is the first session ID; the first session identification information is returned to the authentication forwarding service device.
Specifically, after receiving the first session identification information sent by the authentication forwarding service device, the browser accesses the first web application using the acquired address of the first web application carrying the first session identification information, so that the first web application can determine whether a first session corresponding to the first session identification information exists.
Specifically, after determining that a first session corresponding to the first session identification information exists, the first web application determines that the first session identification information is valid, provides the corresponding access service to the browser, and causes the browser to jump to the access content provided by the first web application.
Furthermore, after providing the corresponding access service to the browser, the first web application writes the first session identification information into the browser. This has the advantage that the login authentication status of the first web application is retained in the browser.
Further, when the first web application receives a first access request sent by the browser and determines that the first access request does not contain session identification information, it instructs the browser to initiate a single sign-on verification request to the authentication server. The advantage of this arrangement is that, when it is determined that the first web application has not yet performed login authentication, the browser can jump directly to login authentication without performing other operations.
Specifically, when the first web application receives a first access request sent by the browser, it judges whether the first access request contains session identification information. If not, this is the first login to the first web application and login verification is required, so the browser is instructed to initiate a single sign-on verification request to the authentication server. If the first access request does contain session identification information, this is not the first login to the first web application; the first web application then looks up whether it holds a session corresponding to the session identification information and, if so, provides the corresponding access service to the browser.
Further, fig. 7 provides a flowchart of a web application access method that applies after the first web application has initiated authentication to the authentication server according to the first ticket information and has determined, according to the authentication result returned by the authentication server, whether to provide the access service to the browser; the method specifically includes the following steps:
The second service address contained in the ticket acquiring request is an address corresponding to the authentication forwarding service device, and the second service address contains a second address corresponding to the second web application.
The second access request may be understood as the user's request to access the target web application.
Specifically, when the second web application receives a second access request sent by the browser, this means that the user wishes to access the content of the second web application. The second web application then checks whether the second access request carries the first login ticket identification information. If it does, a web application of the same type has already completed login at the authentication server of the single sign-on system, and the second web application instructs the browser to send a ticket acquiring request to the authentication server so as to obtain the ticket information issued by the authentication server; otherwise, no web application of the same type has completed login at the authentication server, and the second web application should instruct the browser to initiate a single sign-on verification request to the authentication server.
The third network request includes the second ticket information and the second address.
Specifically, after the authentication server determines that a user login ticket matching the first login ticket identification information exists, it issues second ticket information for the second web application on the basis of that user login ticket and returns it to the browser; the browser then sends the third network request to the authentication forwarding service device according to the address of the authentication forwarding service device acquired in the second access request.
Specifically, the authentication forwarding service device generates, from the received second ticket information and second address, a fourth network request for transmitting the second ticket information to the second address, and sends the fourth network request to the second web application corresponding to the second address.
Specifically, the second web application initiates secondary authentication to the authentication server in the single sign-on system according to the received second ticket information and obtains the authentication result returned by the authentication server. If the authentication result is successful, the second web application provides the corresponding access service to the browser; if it fails, the access service is not provided, and optionally the second web application sends an authentication failure notification to the browser so that the user can perform login authentication again.
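To tie together the first-login flow described earlier (secondary authentication, session creation, redirect carrying the session identification information, later access with the session cookie) and the second-application flow just described (ticket acquiring request on the strength of the login ticket identification information, no second login prompt), the following Python simulation is an added example written for this page, not the patent's code. It models an authentication server that keeps user login tickets keyed by the login ticket identification (the TGC cookie value) and issues service tickets (STs) bound to one web application address, two web applications that perform secondary authentication and create sessions, and a browser represented by a cookie dictionary. Ticket formats, cookie names and the user record are constructed; the forwarding service device is not modelled, so the driver hands the ST straight to the web application as the second and fourth network requests would.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """Authentication server: `login_tickets` maps a TGC value to the user,
    `service_tickets` maps an ST to (user, address it was issued for)."""
    users: dict                       # constructed credential store, demo only
    login_tickets: dict = field(default_factory=dict)
    service_tickets: dict = field(default_factory=dict)

    def login(self, user: str, password: str, address: str):
        """Single sign-on verification: create the user login ticket, issue an ST."""
        if self.users.get(user) != password:
            return None
        tgc = "TGC-" + secrets.token_urlsafe(16)
        self.login_tickets[tgc] = user
        return tgc, self.issue_ticket(tgc, address)

    def issue_ticket(self, tgc: str, address: str):
        """Ticket acquiring request: an ST is issued only for a live login ticket."""
        user = self.login_tickets.get(tgc)
        if user is None:
            return None
        st = "ST-" + secrets.token_urlsafe(16)
        self.service_tickets[st] = (user, address)
        return st

    def validate(self, st: str, address: str):
        """Secondary authentication by the web application: the ST must exist,
        must have been issued for this address, and is consumed on use."""
        entry = self.service_tickets.get(st)
        if entry is None or entry[1] != address:
            return None
        del self.service_tickets[st]
        return entry[0]


@dataclass
class WebApp:
    address: str
    auth: AuthServer
    sessions: dict = field(default_factory=dict)   # session id -> user

    def handle_access(self, cookies: dict) -> tuple:
        """Access request: content if a session cookie matches a live session,
        otherwise a ticket request if a TGC is present, else a login redirect."""
        sid = cookies.get(self.address)
        if sid in self.sessions:
            return "content", self.sessions[sid]
        if "TGC" in cookies:
            return "redirect_ticket_request", self.address
        return "redirect_login", self.address

    def handle_ticket(self, st: str):
        """Second/fourth network request: authenticate the ST, create a session."""
        user = self.auth.validate(st, self.address)
        if user is None:
            return None
        sid = "SID-" + secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def handle_session_redirect(self, sid: str) -> tuple:
        """Browser arrives with the session id taken from the query parameter."""
        if sid in self.sessions:
            return "content", self.sessions[sid]
        return "redirect_login", self.address


def run_sso_flow() -> dict:
    """Drive first login at app1 and ticket reuse at app2; return the outcomes."""
    auth = AuthServer(users={"alice": "correct-horse"})    # constructed user
    app1 = WebApp("https://app1.example/sso/callback", auth)
    app2 = WebApp("https://app2.example/sso/callback", auth)
    browser = {}                                           # cookie jar
    r = {}
    r["first_access"] = app1.handle_access(browser)[0]     # no session, no TGC
    tgc, st1 = auth.login("alice", "correct-horse", app1.address)
    browser["TGC"] = tgc                                   # written by the auth server
    sid1 = app1.handle_ticket(st1)                         # secondary authentication
    r["replay_rejected"] = app1.handle_ticket(st1) is None
    r["app1_after_redirect"] = app1.handle_session_redirect(sid1)[0]
    browser[app1.address] = sid1                           # written by app1
    r["app1_revisit"] = app1.handle_access(browser)[0]
    r["app2_first_access"] = app2.handle_access(browser)[0]
    st2 = auth.issue_ticket(browser["TGC"], app2.address)  # no second login prompt
    sid2 = app2.handle_ticket(st2)
    r["app2_content"] = app2.handle_session_redirect(sid2)[0]
    stray = auth.issue_ticket(browser["TGC"], app2.address)
    r["wrong_address_rejected"] = app1.handle_ticket(stray) is None
    r["bogus_tgc_rejected"] = auth.issue_ticket("TGC-forged", app2.address) is None
    return r
```

Calling `run_sso_flow()` returns the outcome of each step. Two properties worth noting for an implementation of this scheme: the ST is single-use and bound to the address it was issued for, so a ticket captured on its way to one web application cannot be replayed there or presented to another; and the per-application session cookie is what keeps the user logged in at that application, while the TGC only shortens the path to a fresh ST at the next application.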
Exemplarily, fig. 8 provides a flowchart of a web application access method applied to the case where a user initiates access for the first time; it specifically includes the following steps:
Step 504: the CAS server redirects the browser to the specified domain name address and writes the TGC into the browser, where the specified domain name address may be the address of the authentication forwarding service device.
Step 505: the browser accesses the authentication forwarding service device carrying the ST issued by the CAS server, and at the same time carries the target web application address in the form of an HTTP query parameter.
Exemplarily, fig. 9 provides a flowchart of a web application access method applied to the other web applications that share the same authentication forwarding service device with web application 1, which has already completed login verification; it includes the following steps:
Here it is assumed that n-1 web applications share the same authentication forwarding service device with web application 1, so that n web applications in total, including web application 1, share that authentication forwarding service device; web applications 2 to n denote any of the n web applications other than web application 1.
Step 604: the CAS server causes the browser to jump to the specified domain name address carrying the ST, where the specified domain name address may be the address of the authentication forwarding service device.
Step 605: the browser accesses the authentication forwarding service device carrying the ST issued by the CAS server, and at the same time carries the target web application address in the form of an HTTP query parameter.
According to the web application access scheme provided by this embodiment of the invention, the security of single sign-on is ensured by the secondary authentication that the web application initiates to the authentication server. When the authentication succeeds, the browser is redirected to access the target web application, a session is created, and session identification information is generated and written into the browser, which achieves the cross-domain setting of cookies. At the same time, when different web applications are accessed, it is judged whether the request carries login ticket identification information; if the corresponding login ticket identification information is present, the login verification procedure of the authentication server is skipped and the ticket information is issued directly. In this way, a plurality of web applications that have similar functions, are independent of one another and have different target addresses can be accessed by logging in to the authentication server only once.
Fig. 10 is a block diagram of a web application access apparatus according to an embodiment of the present invention. The apparatus may be implemented in software and/or hardware, is generally integrated in the authentication forwarding service device, and executes the web application access method. As shown in fig. 10, the apparatus includes a network request receiving module 701, a network request generating module 702 and a second network request sending module 703.
The network request receiving module 701 is configured to receive a first network request sent by a browser, where the first network request includes first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application; the network request generating module 702 is configured to generate a corresponding second network request from the first address and the first ticket information; the second network request sending module 703 is configured to send the second network request to the first web application, the second network request instructing the first web application to initiate authentication to the authentication server according to the first ticket information and to determine, according to the authentication result returned by the authentication server, whether to provide the access service to the browser.
According to the technical solution of this embodiment of the invention, a many-to-one mapping between the authentication forwarding service device and a plurality of web applications that have similar functions, are independent of one another and have different destination addresses is realized. Login authentication at the single sign-on authentication server is carried out through the authentication forwarding service device, so that the whitelist of the single sign-on authentication server is easy to manage and maintain, the convenience of the login operation for the different web applications is improved, and the security of the login operation is ensured.
Optionally, the apparatus further comprises:
an identification information receiving module, configured to receive first session identification information returned by the first web application, where the first web application creates a first session and generates the corresponding first session identification information when it determines that the authentication result returned by the authentication server is successful; and
an identification information sending module, configured to send the first session identification information to the browser and to instruct the browser to access the first web application according to the first session identification information.
Further, the identification information sending module is specifically configured to send first redirection information to the browser, where the first redirection information includes the first address and the first session identification information is contained in a query parameter of the first address.
The webpage application access device provided by the embodiment of the invention can execute the webpage application access method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
The embodiment of the invention provides authentication forwarding service equipment, wherein the webpage application access device provided by the embodiment of the invention can be integrated in the authentication forwarding service equipment. Fig. 11 is a block diagram of an authentication forwarding service device according to an embodiment of the present invention. The authentication forwarding service apparatus 800 includes a memory 801, a processor 802, and a computer program stored on the memory 801 and operable on the processor 802, and when the processor 802 executes the computer program, the processor 802 implements the web application access method provided by the embodiment of the present invention.
An embodiment of the present invention provides a single sign-on system, and fig. 12 is a block diagram of a single sign-on system according to an embodiment of the present invention. The single sign-on system includes an authentication server 901, an authentication forwarding service device 902, and at least two web applications 903, where fig. 12 illustrates one web application 903 as an example, the single sign-on system is configured to execute the web application access method provided in the embodiment of the present invention.
Embodiments of the present invention also provide a storage medium containing computer-executable instructions, which are used to execute the web application access method provided by the embodiments of the present invention when executed by a computer processor.
Storage medium: any of various types of memory devices or storage devices. The term "storage medium" is intended to include: installation media such as CD-ROM, floppy disk, or tape devices; computer system memory or random access memory such as DRAM, DDR RAM, SRAM, EDO RAM, Rambus RAM, etc.; non-volatile memory such as flash memory or magnetic media (e.g., hard disk or optical storage); registers or other similar types of memory elements, etc. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in a first computer system in which the program is executed, or may be located in a different second computer system connected to the first computer system through a network (such as the internet). The second computer system may provide program instructions to the first computer for execution. The term "storage medium" may include two or more storage media that may reside in different locations, such as in different computer systems that are connected by a network. The storage medium may store program instructions (e.g., embodied as a computer program) that are executable by one or more processors.
The web application access device, the apparatus, the system and the storage medium provided in the above embodiments may execute the web application access method provided in any embodiment of the present invention, and have corresponding functional modules and beneficial effects for executing the method. For technical details that are not described in detail in the foregoing embodiments, reference may be made to a web application access method provided in any embodiment of the present invention.
Note that the above is only a preferred embodiment of the present invention. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in more detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the claims.
Claims (15)
1. A method for accessing a web application, comprising:
receiving a first network request sent by a browser, wherein the first network request comprises first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application;
generating a corresponding second network request according to the first address and the first ticket information; and
sending the second network request to the first web application, wherein the second network request is used for instructing the first web application to initiate authentication to the authentication server according to the first ticket information, and to determine whether to provide a corresponding access service to the browser according to an authentication result returned by the authentication server.
2. The method of claim 1, wherein the first address is included in a query parameter of the first network request.
3. The method of claim 1, further comprising, after said sending the second network request to the first web application:
receiving first session identification information returned by the first webpage application, wherein the first webpage application creates a first session and generates corresponding first session identification information when determining that an authentication result returned by the authentication server is successful;
and sending the first session identification information to the browser, wherein the first session identification information is used for indicating the browser to access the first webpage application according to the first session identification information.
4. The method of claim 3, wherein sending the first session identification information to the browser comprises:
and sending first redirection information to the browser, wherein the first redirection information comprises the first address, and the first session identification information is contained in a query parameter of the first address.
5. The method according to any of claims 1-4, wherein the single sign-on system comprises a single sign-on system based on a Central Authentication Service (CAS).
6. A web application access method is applied to a single sign-on system and comprises the following steps:
when a first web application receives a first access request sent by a browser, instructing the browser to initiate a single sign-on verification request to an authentication server, wherein a first service address contained in the single sign-on verification request is an address corresponding to an authentication forwarding service device, and the first service address further contains a first address corresponding to the first web application;
after detecting that the single sign-on verification is successful, the authentication server returning first ticket information and first login ticket identification information to the browser and instructing the browser to send a first network request to the authentication forwarding service device, wherein the first network request comprises the first ticket information and the first address;
the authentication forwarding service device generating a corresponding second network request according to the first address and the first ticket information, and sending the second network request to the first web application; and
the first web application initiating authentication to the authentication server according to the first ticket information and determining whether to provide a corresponding access service to the browser according to an authentication result returned by the authentication server.
7. The method of claim 6, wherein the determining, by the first web application, whether to provide the corresponding access service to the browser according to the authentication result returned by the authentication server comprises:
when the first webpage application determines that the authentication result returned by the authentication server is successful, a first session is created, corresponding first session identification information is generated, and the first session identification information is returned to the authentication forwarding service equipment;
the authentication forwarding service equipment sends the first session identification information to the browser, and is used for indicating the browser to access the first webpage application according to the first session identification information;
and when the first webpage application determines that the first session identification information is valid, providing corresponding access service for the browser.
8. The method of claim 7, after the first web application provides the corresponding access service to the browser, further comprising:
and the first webpage application writes the first session identification information into the browser.
9. The method of claim 7, wherein the instructing the browser to initiate a single sign-on verification request to an authentication server when the first web application receives a first access request sent by the browser comprises:
when the first webpage application receives a first access request sent by a browser and when the first access request is determined not to contain session identification information, the browser is instructed to initiate a single sign-on verification request to an authentication server.
10. The method of claim 6, after the first web application initiates authentication to the authentication server according to the first ticket information and determines whether to provide access service to the browser according to an authentication result returned by the authentication server, further comprising:
when a second web application receives a second access request sent by the browser and determines that the second access request contains the first login ticket identification information, instructing the browser to send a ticket acquiring request to the authentication server, wherein a second service address contained in the ticket acquiring request is an address corresponding to the authentication forwarding service device, and the second service address contains a second address corresponding to the second web application;
after determining that the first login ticket identification information is valid, the authentication server returning second ticket information to the browser and instructing the browser to send a third network request to the authentication forwarding service device, wherein the third network request comprises the second ticket information and the second address;
the authentication forwarding service device generating a corresponding fourth network request according to the second address and the second ticket information, and sending the fourth network request to the second web application; and
the second web application initiating authentication to the authentication server according to the second ticket information and determining whether to provide a corresponding access service to the browser according to an authentication result returned by the authentication server.
11. The method of claim 6, wherein the first address is included in a query parameter of the first service address.
12. A web application access apparatus, comprising:
a network request receiving module, configured to receive a first network request sent by a browser, wherein the first network request comprises first ticket information issued by an authentication server in a single sign-on system and a first address corresponding to a first web application;
a network request generating module, configured to generate a corresponding second network request according to the first address and the first ticket information; and
a second network request sending module, configured to send the second network request to the first web application, the second network request being used for instructing the first web application to initiate authentication to the authentication server according to the first ticket information and to determine whether to provide an access service to the browser according to an authentication result returned by the authentication server.
13. An authentication forwarding service device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the method of any one of claims 1-4 when executing the computer program.
14. A single sign-on system comprising an authentication server, an authentication forwarding service device and at least two web applications, the system being adapted to perform the method of any of claims 6 to 11.
15. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1-11.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010170531.0A CN111404921B (en) | 2020-03-12 | 2020-03-12 | Webpage application access method, device, equipment, system and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111404921A CN111404921A (en) | 2020-07-10 |
CN111404921B true CN111404921B (en) | 2022-05-17 |
Family
ID=71413953
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010170531.0A Active CN111404921B (en) | 2020-03-12 | 2020-03-12 | Webpage application access method, device, equipment, system and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111404921B (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113765869B (en) * | 2020-08-18 | 2023-06-30 | 北京沃东天骏信息技术有限公司 | Login method, login device, server side and storage medium |
CN112765583A (en) * | 2021-01-27 | 2021-05-07 | 海尔数字科技(青岛)有限公司 | Single sign-on method, device, equipment and medium |
CN114500074B (en) * | 2022-02-11 | 2024-04-12 | 京东科技信息技术有限公司 | Single-point system security access method and device and related equipment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101997685A (en) * | 2009-08-27 | 2011-03-30 | 阿里巴巴集团控股有限公司 | Single sign-on method, single sign-on system and associated equipment |
CN103414684A (en) * | 2013-06-05 | 2013-11-27 | 华南理工大学 | Single sign-on method and system |
CN109688114A (en) * | 2018-12-10 | 2019-04-26 | 迈普通信技术股份有限公司 | Single-point logging method, certificate server and application server |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8943571B2 (en) * | 2011-10-04 | 2015-01-27 | Qualcomm Incorporated | Method and apparatus for protecting a single sign-on domain from credential leakage |
2020
- 2020-03-12 CN CN202010170531.0A, patent CN111404921B, status Active
Also Published As
Publication number | Publication date |
---|---|
CN111404921A (en) | 2020-07-10 |
Similar Documents
Publication | Title |
---|---|
CN111404921B (en) | Webpage application access method, device, equipment, system and storage medium |
US8572691B2 (en) | Selecting a web service from a service registry based on audit and compliance qualities |
US8844013B2 (en) | Providing third party authentication in an on-demand service environment |
US9241042B2 (en) | In-server redirection of HTTP requests |
US9413750B2 (en) | Facilitating single sign-on (SSO) across multiple browser instance |
US8898765B2 (en) | Signing off from multiple domains accessible using single sign-on |
JP4729651B2 (en) | Authentication apparatus, authentication method, and authentication program implementing the method |
US10356153B2 (en) | Transferring session data between network applications accessible via different DNS domains |
US10182126B2 (en) | Multilevel redirection in a virtual desktop infrastructure environment |
JPH11212912A (en) | Session management system and method |
JP2011515767A (en) | Web access using cross-domain cookies |
CA2677553A1 (en) | Tracking web server |
CN110032842B (en) | Method and system for simultaneously supporting single sign-on and third party sign-on |
CN103428179A (en) | Method, system and device for logging into multi-domain-name website |
JP2019530089A (en) | Method and apparatus for realizing communication between web page and native application, and electronic apparatus |
CN103220261A (en) | Proxy method, device and system of open authentication application program interface |
US11582153B2 (en) | Load-balancing establishment of connections among groups of connector servers |
US9426152B2 (en) | Secure transfer of web application client persistent state information into a new domain |
CN108900562B (en) | Login state sharing method and device, electronic equipment and medium |
CN101378407B (en) | Method, system and equipment for pushing information |
US20210136058A1 (en) | Multiple identity provider authentication system |
US20220279033A1 (en) | Restore url context for proxies |
CN107766093B (en) | Function module sharing method and client |
JP2005157822A (en) | Communication control device, application server, communication control method, and program |
US20130290830A1 (en) | System and method for managing a viewstate of a web application |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |
TR01 | Transfer of patent right | Effective date of registration: 2023-10-16. Patentee before: GUANGZHOU BAIGUOYUAN INFORMATION TECHNOLOGY Co.,Ltd., 5-13/F, West Tower, building C, 274 Xingtai Road, Shiqiao street, Panyu District, Guangzhou, Guangdong 510000. Patentee after: Baiguoyuan Technology (Singapore) Co.,Ltd., 31a, 15/F, building 30, maple mall, bangrang Road, Brazil, Singapore |