CN113381978B - Safe login method and device - Google Patents
- Publication number
- CN113381978B (application number CN202110515972.4A)
- Authority
- CN (China)
- Prior art keywords
- login
- target
- address
- dynamic
- management server
- Legal status
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0281—Proxies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
Abstract
The invention discloses a secure login method, which comprises the following steps: receiving a target user login request forwarded by an information transfer platform; generating a target dynamic login address based on the proxy server address; and sending the target dynamic login address to the information transfer platform and the proxy server, so that the information transfer platform forwards the target dynamic login address to the target user, and the proxy server performs authentication management on the target user based on the target dynamic login address when the target user accesses the target dynamic login address. According to the technical scheme, under the condition that the real address of the intranet login system is not exposed, a user can directly log in the service system in the enterprise through the login page.
Description
Technical Field
The invention relates to the technical field of Internet, in particular to a secure login method and device.
Background
As business grows, enterprises deploy various service systems (e.g., OA, ERP) on an internal network to meet business needs. At the same time, to improve collaboration between these systems, the service systems inside an enterprise are often connected to each other through Web services and integrated application programs, and an intranet login system then provides authentication management for users logging in to the internal systems.
In practice, to raise the overall security level of the network, enterprises often control intranet access through a webvpn. In this scenario, if the user logs in through the webvpn's own login entry, the user has to enter verification information several times before reaching a service system inside the enterprise, which is cumbersome; if the entry of the intranet login system is used directly for login, the real address of the intranet login system is exposed on the public network and network security cannot be ensured.
In view of this, it is necessary to provide a new secure login method and apparatus to solve the above-mentioned drawbacks.
Disclosure of Invention
The invention aims to provide a novel safe login method and a novel safe login device, which can enable a user to log in a service system in an enterprise directly through a login page under the condition that the real address of an intranet login system is not exposed.
In order to achieve the above object, an aspect of the present application provides a secure login method, where the method is applied to an address management server, and the address management server stores a proxy server address, and the method includes: receiving a target user login request forwarded by an information transfer platform, wherein the target user login request is generated by the information transfer platform based on login request information sent by a target user; generating a target dynamic login address based on a proxy server address, wherein the target dynamic login address points to the proxy server; and sending the target dynamic login address to the information transfer platform and the proxy server, so that the information transfer platform forwards the target dynamic login address to the target user, and the proxy server performs authentication management on the target user based on the target dynamic login address when the target user accesses the target dynamic login address.
In order to achieve the above object, another aspect of the present application further provides a secure login device, where the secure login device includes a memory and a processor, and the memory is configured to store a computer program, and when the computer program is executed by the processor, implement the method of secure login.
Therefore, according to the technical scheme provided by the application, when a target user needs to log in to a service system in an enterprise (namely the target login management server), the target user sends login request information to the information transfer platform. After receiving the login request information, the information transfer platform generates a target user login request and forwards it to the address management server, which generates a target dynamic login address based on the proxy server address and sends it to both the information transfer platform and the proxy server; the user thus receives the target dynamic login address forwarded by the information transfer platform, and the proxy server stores it. Because the target dynamic login address carries the address of the proxy server, the target user's request to access it is led to the proxy server, which compares the stored target dynamic login address with the dynamic login address carried in the user's request and thereby performs authentication management on the user. When the proxy server judges that the target user has the access right, it directs the request to the target login management server, so that the target user can log in directly through the login page fed back by the target login management server. In this way, issuing the target dynamic login address to the target user avoids the risk of exposing the real address of the target login management server, and the target user completes the login to the service system in the enterprise by entering verification information only once.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a secure login system according to an embodiment of the present application;
FIG. 2 is a flow chart of a secure login method according to a first embodiment of the present application;
FIG. 3 is a timing diagram of a secure login method in an embodiment of the present application;
FIG. 4 is a schematic diagram of functional modules of a secure login device according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a secure login device according to an embodiment of the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
With the rapid development of enterprise business, enterprises may deploy various service systems (e.g., OA, ERP, etc.) within internal networks to meet business needs. Meanwhile, in order to improve the collaborative efficiency of each service system, various service systems inside an enterprise are often connected to each other through Web services and integrated application programs. In order to perform login management on each service system, an enterprise generally constructs an intranet login system in a single sign-on system mode, and then accesses each service system into the intranet login system, so that unified authentication management is provided for a user to login an internal system through the intranet login system.
In practice, to raise the overall security level of the network, enterprises often control intranet access through a webvpn. In this scenario, logging in through the webvpn keeps the real address of the intranet login system from being exposed on the public network, but when the user then logs in to an internal service system, the user has to enter verification information again at the login interface of the intranet login system, which is cumbersome; if instead the intranet login system is connected directly to the webvpn and the user logs in through the entry of the intranet login system, the real address of the intranet login system is exposed on the public network and network security cannot be guaranteed.
Therefore, how to simplify the procedure of the user to log in the internal service system under the condition that the real address of the intranet login system is not exposed is a problem to be solved in the field.
The technical scheme provided by the application can solve the defects.
Fig. 1 is a schematic diagram of a secure login system according to an embodiment of the present application.
In this embodiment, the secure login system includes an information transfer platform, an address management server, a proxy server, a user, and a login management server. The information transfer platform receives login request information sent by the user, converts it into a user login request, and forwards the user login request to the address management server; the address management server stores the identity information of legal users (i.e. users with access rights to the corresponding login management server) and the real addresses of the login management servers; the login management server is the enterprise intranet login system and provides login management for users logging in to service systems inside the enterprise; the proxy server forwards the login request sent by the user to the login management server and returns the login page fed back by the login management server to the user, so that the user can log in directly to the enterprise's internal service system from that page.
In practical application, users of different enterprises can only access the internal service systems of the enterprise they belong to: for example, legal users of enterprise A can only access the internal service systems of enterprise A and not those of enterprise B, and likewise legal users of enterprise B can only access the internal service systems of enterprise B and not those of enterprise A. That is, different enterprises have different login management servers, and the login management servers of different enterprises can all be connected to the secure login system provided by the application. Therefore, when several different login management servers exist in the secure login system, the address management server also establishes a mapping relationship between users and login management servers, and through this mapping it can look up which login management server (i.e. which enterprise's login management server) a given legal user is allowed to access based on the user's identity.
Referring to fig. 2 and fig. 3 together, the secure login method described in the present application is applied to an address management server, and the method may include the following steps.
S101: Receiving a target user login request forwarded by an information transfer platform, wherein the target user login request is generated by the information transfer platform based on login request information sent by a target user.
In this embodiment, when a user (i.e., a target user) of a certain enterprise needs to log in to an internal service system of its home enterprise, the target user may send login request information to the information transfer platform. Since the home relationship between the user and the enterprise is fixed, the internal service system of the enterprise that the target user needs to log in is also explicit, i.e. the login request information sent by the target user will be used to access a specific intranet login system (i.e. the target login management server). Meanwhile, the login request information sent by the target user also carries the target identity of the target user, wherein the target identity has uniqueness in the safe login system, namely, the identity of any two users in the safe login system is not repeated. After receiving the login request information sent by the target user, the information transfer platform can convert the login request information into a target user login request meeting the identification requirement of the address management server, and adds the target identity of the target user into the target user login request. After the target user login request is generated, the information transfer platform can forward the target user login request to the address management server, and the address management server can know that a user needs to log in an enterprise internal service system after receiving the target user login request forwarded by the information transfer platform.
In practical application, the information transfer platform can be built around the uniqueness of the identity, that is, constructed so that every user of the information transfer platform has a unique identity within it. For example, the information transfer platform may be a short message (SMS) platform, in which case the user's mobile phone number is the identity; it may also be a third-party authentication platform (e.g. a WeChat platform or a QQ platform), in which case the unique identifier assigned by that platform (e.g. a WeChat ID or a QQ number) is the user's identity. It should be noted that the SMS/QQ platforms listed above are only illustrative, not limiting, and those skilled in the art may also use other forms of information transfer platform based on the concepts of the present application.
For example, if the information transfer platform is a short message platform, when the target user needs to log in to the enterprise's internal service system, the target user sends a short message (i.e. the login request information) in any or a specified format to a specified number (i.e. the short message platform); the mobile phone number from which the target user sends the short message is then the target identity. After receiving the short message, the short message platform generates a target user login request (such as an HTTP message) meeting the identification requirement of the address management server, adds the target user's mobile phone number to the target user login request, and forwards the target user login request to the address management server to inform it that the target user is applying to log in to the enterprise's internal service system.
S102: a target dynamic login address is generated based on a proxy server address, wherein the target dynamic login address points to the proxy server.
In this embodiment, the mapping relationship between each proxy server and each login management server and the user id is pre-arranged on the address management server. When the address management server receives the target user login request forwarded by the information transfer platform, the address management server can generate a target dynamic login address for the target user by utilizing the pre-stored proxy server address. It should be noted that the target dynamic login address contains the address of the proxy server, so that when the target user inputs the target dynamic login address in the browser, the browser can access the proxy server through the target dynamic login address.
In one embodiment, before the step of generating the target dynamic login address for the target user, the address management server may determine whether the target user login request is legal based on the target identity of the target user carried in the target user login request. If the address management server judges that the target user login request is illegal, the address management server can discard the target user login request without carrying out subsequent processing on the target user login request. If the address management server judges that the login request of the target user is legal, the address management server can generate a target dynamic login address for the target user.
The address management server judges whether the login request of the target user is legal or not, and the method can be realized by the following steps:
first, the address management server determines whether there is an address of a target login management server corresponding to a target identity in a local record. Specifically, the address management server firstly extracts a target identity in a target user login request, and then queries an address of a target login management server corresponding to the target identity in a mapping relation between a locally stored user and the login management server.
If the address management server finds in its local record the address of the target login management server corresponding to the target identity, it judges that the target user login request is legal; if it does not find such an address in its local record, it judges that the target user login request is illegal.
When the address management server determines that the target user login request is legal, the address management server may randomly generate a target dynamic character string (e.g., generate a character string using a random algorithm), or generate the target dynamic character string according to the target identity (e.g., encrypt the target identity, thereby generating a character string). After generating the target dynamic character string, the address management server may combine the proxy server address and the target dynamic character string to generate the target dynamic login address.
It should be noted that, when the address management server generates the target dynamic login address and sends the target dynamic login address to the proxy server, the address management server may send the target login management server address corresponding to the target identity to the proxy server at the same time, so that the proxy server may establish and store a mapping relationship between the target dynamic login address and the target login management server address. In this way, in the subsequent step, the proxy server can query the corresponding target login management server address for the target dynamic login address according to the mapping relationship between the target dynamic login address and the target login management server address.
In another embodiment, the address management server may further extract a target identity in the target user login request, and then determine whether the target identity is an identity of a legal user, so as to determine whether the target user login request is legal. If the address management service judges that the target identity is the identity of a legal user, the address management server can judge that the login request of the target user is legal, the address management server can further inquire the target login management server address corresponding to the target identity of the target user from the stored multiple login management server addresses according to the mapping relation between the user and the login management server, and then the address management server can generate a target dynamic login address based on the address of the proxy server and the target login management server address.
In practical application, the enterprise can screen its staff according to internal rules to determine whether a given employee has the access right to the login management server, and if so, the enterprise assigns that employee a legal user identity. It should be noted that the form of the legal user identity depends on the characteristics of the information transfer platform: for example, when the information transfer platform is a short message platform, the legal user identity can be the employee's mobile phone number; when the information transfer platform is a WeChat platform, the legal user identity can be the employee's enterprise WeChat ID.
Before receiving the login request of the target user forwarded by the information transfer platform, the address management server can acquire the identity of each legal user in advance, specifically, an operator can build a user permission table in the address management server in advance, and according to the information provided by each enterprise, the identity of all legal users is recorded in the user permission table. Further, an operator may enter the address of the proxy server and the addresses of the login management servers in the address management server, and establish a mapping relationship between the user and the login management server in the address management server.
In practical use, the information transfer platform is usually open at the receiving side, i.e. any user can send a login request to the information transfer platform, and the information transfer platform cannot determine whether a login request is sent by a legal user, which may cause a malicious attack on the server by an illegal user. In order to avoid malicious attacks of illegal users, the secure login system provided by the application can identify the identity information of the users by using the address management server so as to filter the illegal login requests.
In one embodiment, according to the target identity, determining whether the target user login request is legal may be implemented in the following manner:
first, judge whether the target identity exists in the user permission table; if the target identity exists in the user permission table, the target user login request is legal, and if it does not, the target user login request is illegal.
Because the operator has recorded the identities of all legal users in the user permission table in advance, after the address management server extracts the target identity from the target user login request it can traverse the user permission table to judge whether an entry identical to the target identity exists there. If such an entry exists, the address management server determines that the target user login request was sent by a legal user and judges it legal; if no such entry exists, the address management server determines that the request was not sent by a legal user and judges it illegal. An illegal target user login request is discarded, and the address management server can further send a message to the operator to alert the operator to a malicious attack.
In one embodiment, after the address management server determines that the target user login request is a legal request, the address management server may further generate a target dynamic login address for the target user based on the proxy server address and the target login management server address. Specifically, the address management server may encrypt the target login management server address corresponding to the target user identity through a random algorithm, so as to generate a target dynamic character string, and then combine the proxy server address and the target dynamic character string to generate the target dynamic login address.
For example, assuming that the proxy server address is https://vpn.wangsu.com and the target login management server address is https://bpt.edu.cn/logic, the address management server may encrypt https://bpt.edu.cn/logic using a random number encryption algorithm to obtain the target dynamic string xjhha124lk, and then combine https://vpn.wangsu.com with xjhha124lk to obtain the target dynamic login address https://vpn.wangsu.com/xjhha124lk.
It should be noted that if there are multiple login management servers of different enterprises in the secure login system, when the address management server generates dynamic character strings for users of different enterprises, the address management server first needs to query the address of the login management server corresponding to the identity of the user from the multiple saved login management server addresses according to the mapping relationship between the users and the login management server, and then encrypts the address of the login management server obtained by the query, so as to generate a corresponding dynamic character string for the user.
It should be noted that, after generating the corresponding dynamic character strings for the users of different enterprises, the address management server may combine the obtained dynamic character strings with the proxy server address, so as to generate different dynamic login addresses for the users of different enterprises. Meanwhile, the address management server can also send the different dynamic login addresses to the proxy server, so that the proxy server can locally store the different dynamic login addresses.
In practical applications, when the address management server generates dynamic character strings for users of different enterprises, the address of the login management server is not used, and other information can be used for obtaining the dynamic character strings. For example, the address management server may encrypt the identity of the user, thereby obtaining a corresponding dynamic string; the address management server may also directly generate the dynamic string using a random algorithm.
It should be noted that, when the address management server does not use the address of the login management server to generate the dynamic character string, the address management server may also establish a mapping relationship between the dynamic character string and the login management server, and send the mapping relationship between the dynamic character string and the login management server to the proxy server, so that in a subsequent step, the proxy server may query the dynamic character string for the corresponding login management server address according to the mapping relationship between the dynamic character string and the login management server.
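As an added illustration of steps S101 and S102 (example code written for this page, not an implementation from the patent or its applicant), the following Python models the information transfer platform turning an SMS into a target user login request, the address management server checking the target identity against the user permission table and the user-to-login-management-server mapping, and the generation of the target dynamic login address together with the two messages sent to the platform and to the proxy server. The proxy address and the first login management server address are the patent's own example values; the second enterprise, the identities, the request format, and the use of an HMAC as the "encryption" of the identity for the derived-string variant are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# The proxy address and the first login management server address are the
# illustrative values the patent itself uses; everything else (the second
# enterprise, the identities, the request format) is constructed for this example.
PROXY_SERVER_ADDRESS = "https://vpn.wangsu.com"
LOGIN_MANAGEMENT_SERVERS = {
    "enterprise_a": "https://bpt.edu.cn/logic",
    "enterprise_b": "https://sso.enterprise-b.example/login",
}
# User permission table built in advance by the operator: identity -> enterprise.
# The information transfer platform is taken to be an SMS platform, so the
# identity is the sender's mobile number (constructed numbers, not real ones).
USER_PERMISSION_TABLE = {
    "13800000001": "enterprise_a",
    "13900000002": "enterprise_b",
}


def platform_convert_sms(sender_number: str, text: str) -> dict:
    """Information transfer platform: turn an inbound SMS into a target user
    login request in the form the address management server understands."""
    return {"type": "login_request", "identity": sender_number, "raw": text}


@dataclass
class AddressManagementServer:
    permission_table: Dict[str, str]
    login_servers: Dict[str, str]
    proxy_address: str = PROXY_SERVER_ADDRESS
    # Secret for the identity-derived dynamic string. The patent only says
    # "encrypt the identity"; a keyed HMAC is used here as a stand-in (assumption).
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    # Mappings already issued: dynamic login address -> login management server.
    issued: Dict[str, str] = field(default_factory=dict)

    def is_legal(self, request: dict) -> bool:
        """Pre-check from S102: the target identity must be in the permission table."""
        return (request.get("type") == "login_request"
                and request.get("identity") in self.permission_table)

    def target_login_server(self, identity: str) -> Optional[str]:
        """Mapping user -> login management server of the user's own enterprise."""
        return self.login_servers.get(self.permission_table.get(identity, ""))

    def dynamic_string(self, identity: str, derived: bool) -> str:
        """Either a purely random string or one derived from the identity,
        the two options the patent describes for the target dynamic string."""
        if derived:
            mac = hmac.new(self.secret, identity.encode(), hashlib.sha256)
            return mac.hexdigest()[:16]
        return secrets.token_urlsafe(12)

    def handle_login_request(self, request: dict, derived: bool = False) -> Optional[dict]:
        """S101/S102: validate, build the target dynamic login address, and produce
        the two messages for the transfer platform and the proxy server.
        Returns None when the request is illegal and therefore discarded."""
        if not self.is_legal(request):
            return None
        identity = request["identity"]
        target = self.target_login_server(identity)
        if target is None:
            return None
        dynamic_login_address = f"{self.proxy_address}/{self.dynamic_string(identity, derived)}"
        self.issued[dynamic_login_address] = target
        return {
            "to_platform": {"identity": identity,
                            "dynamic_login_address": dynamic_login_address},
            "to_proxy": {"dynamic_login_address": dynamic_login_address,
                         "login_management_server_address": target},
        }
```

The message sent to the platform carries only the proxy-based address, never the real login management server address; that address travels only in the message to the proxy server, which is what keeps it off the public network.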
S103: Sending the target dynamic login address to the information transfer platform and the proxy server, so that the information transfer platform forwards the target dynamic login address to the target user, and the proxy server performs authentication management on the target user based on the target dynamic login address when the target user accesses the target dynamic login address.
In this embodiment, after the address management server generates the target dynamic login address, the address management server may send the target dynamic login address to the information transfer platform and the proxy server. After the information transfer platform receives the target dynamic login address, the information transfer platform can transfer the target dynamic login address to a target user, so that the target user can access the proxy server by using the target dynamic login address. And after the proxy server receives the target dynamic login address, the proxy server can store the target dynamic login address locally for subsequent authentication management of the target user.
In practical application, after the target user receives the target dynamic login address, the target user can access the target dynamic login address through the terminal device. For example, the target user inputs the target dynamic login address in the browser, and the target dynamic login address contains the address of the proxy server, so that the access request transmitted by the browser is transmitted to the proxy server. After receiving the access request sent by the target user, the proxy server can compare the dynamic login address carried in the access request with the target dynamic login address stored locally, so as to judge whether the target user can access the target login management server, namely, perform authentication management on the target user.
In one embodiment, when the target user accesses the target dynamic login address, the proxy server performs authentication management on the target user based on the target dynamic login address by the following manner:
firstly, the proxy server judges whether the received access request carries a dynamic character string, if the access request carries the dynamic character string, the proxy server judges whether the dynamic character string is a target dynamic character string in a target dynamic login address;
if the proxy server judges that the dynamic character string is the target dynamic character string in the target dynamic login address, the proxy server searches the target login management server address based on the mapping relation between the target dynamic login address and the target login management server address, forwards the access request to the target login management server pointed by the target login management server address, and sends a system login page fed back by the target login management server to the target user.
In practical application, the access request sent by the target user is led to the proxy server. After receiving the access request, the proxy server can parse the URL information carried in the access request and judge whether the URL information carries a dynamic character string; if it does, the proxy server can determine that the access request is intended for logging in to the enterprise internal service system.
When the proxy server determines that the received access request is for logging in the enterprise internal service system, the proxy server can extract the dynamic character string carried in the access request, traverse all the locally stored dynamic login addresses, and then compare the extracted dynamic character string with the dynamic character string in all the locally stored dynamic login addresses, so as to judge whether the extracted dynamic character string exists in the locally stored dynamic login addresses. If the extracted dynamic character string exists in the locally stored dynamic login address, the proxy server can determine that the extracted dynamic character string is the target dynamic character string (i.e. the extracted dynamic character string is the same as the target dynamic character string). At this time, the proxy server can find out the corresponding target dynamic login address according to the target dynamic character string, and then the proxy server can find out the corresponding target login management server address for the target dynamic login address according to the mapping relation between the target dynamic login address and the target login management server address.
After the target login management server address is obtained, the proxy server may reconstruct the access request with the target login management server address as a receiving address, thereby directing the access request to the target login management server. After receiving the reconstructed access request, the target login management server can generate a system login page and send the system login page to the proxy server, so that the proxy server can feed back the system login page to the target user. After the target user acquires the system login page, the target user can input an account number and a password in the system login page, so that the target user logs in an internal service system of an enterprise.
In one embodiment, the address management server generates the target dynamic login address based on the address of the proxy server and the target login management server address. For example, the address management server encrypts the target login management server address through a random algorithm to generate a target dynamic character string, and then combines the proxy server address with the target dynamic character string to form the target dynamic login address. In this case, the proxy server performs authentication management on the target user based on the target dynamic login address in the following manner:
firstly, the proxy server judges whether the received access request carries a dynamic character string, if the access request carries the dynamic character string, the proxy server judges whether the dynamic character string is a target dynamic character string;
if the proxy server judges that the dynamic character string is the target dynamic character string, the proxy server can decrypt the dynamic character string, so that the target login management server address represented by the dynamic character string is obtained. The proxy server may then forward the access request to the target login management server pointed to by the target login management server address, and send the system login page fed back by the target login management server to the target user.
It should be noted that if, when generating the dynamic character string, the address management server uses other information (such as the identity of the user or the request time) or generates the string purely randomly by an algorithm, rather than using the address of the login management server, then the address management server establishes the mapping relationship between the dynamic character string and the login management server and, as described above, sends this mapping relationship to the proxy server when issuing the target dynamic login address to it. In this case, the proxy server may query the mapping relationship between the dynamic character string and the login management server to find the login management server address corresponding to the extracted dynamic character string (i.e., the target login management server address). After the target login management server address is obtained, the proxy server can reconstruct the access request with the target login management server address as the receiving address, so that the access request is directed to the target login management server and a system login page fed back by the target login management server is obtained.
It should be noted that the above description takes the access request sent by the target user as an example. In the secure login system provided in the present application, however, the proxy server has the function of a webvpn server, so its address is publicly obtainable and any user can access the proxy server address; that is, an access request received by the proxy server is not necessarily sent by the target user. Thus, the proxy server may filter all received access requests rather than only those sent by the target user. Specifically, the proxy server may analyze every received access request to determine whether a dynamic character string exists in the URL information it carries. If a dynamic character string exists, the proxy server may further compare it with the dynamic character strings in all the locally stored dynamic login addresses, and if one of the locally stored dynamic login addresses has the same content as the dynamic character string, the proxy server may determine that the access request corresponding to the dynamic character string was sent by a legal user. Correspondingly, after the proxy server obtains the login management server address corresponding to the dynamic character string, it can direct the access request to the corresponding login management server so as to obtain a system login page.
In one embodiment, after the address management server generates the target dynamic login address according to the proxy server address and the target dynamic character string, the address management server may further set a validity period for the target dynamic login address, where a specific value of the validity period may be set according to an empirical value, and this application is not limited in this respect.
After the address management server sets the validity period for the target dynamic login address, correspondingly, when the target user accesses the target dynamic login address, the proxy server performs authentication management on the target user based on the target dynamic login address by the following manner:
firstly, the proxy server judges whether the received access request is valid or not based on a target dynamic login address and a validity period;
if the proxy server judges that the access request is valid, the proxy server directs the access request to the target login management server so that the target login management server feeds back a system login page to the target user.
In practical application, if the target dynamic login address has a validity period, the proxy server also needs to consider whether the target dynamic login address is still valid when performing authentication management on the target user with it. Specifically, after receiving an access request sent by the target user, the proxy server can parse the URL information carried in the access request and judge whether the URL information carries a dynamic character string; if it does, the proxy server can determine that the access request is intended for logging in to an internal service system of the enterprise. At this time, the proxy server may extract the dynamic character string carried in the access request, traverse all the locally stored dynamic login addresses, and compare the extracted dynamic character string with the dynamic character strings in all the locally stored dynamic login addresses, so as to determine whether the extracted dynamic character string exists in the locally stored dynamic login addresses. If it does, the proxy server can determine that the extracted dynamic character string is consistent with the target dynamic character string. The proxy server then further judges whether the target dynamic login address corresponding to the target dynamic character string has expired. If the target dynamic login address has not expired, the proxy server can determine that the access request sent by the target user is valid, and can decrypt the extracted dynamic character string to obtain the target login management server address represented by it.
After the target login management server address is obtained, the proxy server may reconstruct the access request with the target login management server address as a receiving address, thereby directing the access request to the target login management server. After receiving the reconstructed access request, the target login management server can generate a system login page and send the system login page to the proxy server, so that the proxy server can feed back the system login page to the target user. After the target user acquires the system login page, the target user can input an account number and a password in the system login page, so that the target user logs in an internal service system of an enterprise.
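The issue-and-verify flow of the embodiments above (random target dynamic character string, mapping relation held by the proxy server, validity period, and filtering of every access request the public proxy receives), written out as an added example in Python that is not part of the patent. The URL layout `/login/<dynamic string>`, the proxy address, the 600-second validity period and the user permission table are all assumptions made for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

# Constructed sample data, not taken from the patent: the user permission table
# maps each legal user identity to the login management server it may reach.
USER_PERMISSION_TABLE: Dict[str, str] = {
    "alice": "https://10.0.0.5:8443",   # assumed internal address
    "bob": "https://10.0.0.6:8443",
}
PROXY_ADDRESS = "https://proxy.example.com"  # assumed public proxy (webvpn) address
LOGIN_PATH_PREFIX = "/login/"                # assumed URL layout for the dynamic string
VALIDITY_SECONDS = 600                       # assumed validity period; the patent leaves it open


@dataclass
class DynamicLoginRecord:
    """What the address management server issues to the proxy server."""
    dynamic_string: str      # target dynamic character string
    login_address: str       # target dynamic login address (points to the proxy)
    target_server: str       # target login management server address
    expires_at: float        # absolute expiry time, seconds since the epoch


class AddressManagementServer:
    """Checks the login request is legal and issues the target dynamic login address."""

    def handle_login_request(self, identity: str,
                             now: Optional[float] = None) -> Optional[DynamicLoginRecord]:
        now = time.time() if now is None else now
        # Legality check: an identity absent from the permission table has no
        # corresponding login management server address, so stop here.
        target_server = USER_PERMISSION_TABLE.get(identity)
        if target_server is None:
            return None
        # Random dynamic string; it reveals nothing about the internal address.
        dynamic_string = secrets.token_urlsafe(24)
        login_address = f"{PROXY_ADDRESS}{LOGIN_PATH_PREFIX}{dynamic_string}"
        return DynamicLoginRecord(dynamic_string, login_address,
                                  target_server, now + VALIDITY_SECONDS)


class ProxyServer:
    """Stores issued records and authenticates every incoming access request."""

    def __init__(self) -> None:
        # Mapping relation: dynamic string -> login management server address (plus expiry).
        self._records: Dict[str, DynamicLoginRecord] = {}

    def store(self, record: DynamicLoginRecord) -> None:
        self._records[record.dynamic_string] = record

    @staticmethod
    def extract_dynamic_string(url: str) -> Optional[str]:
        """Return the dynamic string carried in the URL, or None if there is none."""
        path = urlparse(url).path
        if not path.startswith(LOGIN_PATH_PREFIX):
            return None                      # no dynamic string: not a login attempt
        return path[len(LOGIN_PATH_PREFIX):] or None

    def authenticate(self, url: str, now: Optional[float] = None) -> Optional[str]:
        """Return the target login management server address to forward to, or None."""
        now = time.time() if now is None else now
        candidate = self.extract_dynamic_string(url)
        if candidate is None:
            return None
        # Traverse all locally stored dynamic login addresses and compare each in
        # constant time, so a rejected request leaks nothing about stored strings.
        matched = None
        for record in self._records.values():
            if hmac.compare_digest(record.dynamic_string.encode(), candidate.encode()):
                matched = record
        if matched is None:
            return None                      # unknown string: not issued to a legal user
        if now > matched.expires_at:
            del self._records[matched.dynamic_string]   # expired: drop it and reject
            return None
        return matched.target_server
```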
Referring to fig. 4, the present application further provides a secure login device, where the device is applied to an address management server, and the device includes:
the login request receiving module is used for receiving a target user login request forwarded by the information transfer platform, wherein the target user login request is generated by the information transfer platform based on login request information sent by a target user;
the dynamic address generation module is used for generating a target dynamic login address based on a proxy server address, wherein the target dynamic login address points to the proxy server;
And the dynamic address forwarding module is used for sending the target dynamic login address to the information transfer platform and the proxy server, so that the information transfer platform forwards the target dynamic login address to the target user, and the proxy server performs authentication management on the target user based on the target dynamic login address when the target user accesses the target dynamic login address.
In one embodiment, the dynamic address generating module is further configured to determine whether the target user login request is legal based on the target identity of the target user carried in the target user login request, and if it is not legal, the subsequent step is not entered.
In one embodiment, the determining whether the target user login request is legitimate includes:
and judging whether the address of the target login management server corresponding to the target identity exists in the local record, if so, the target user login request is legal, and if not, the target user login request is illegal.
In one embodiment, the apparatus further comprises:
the identity recording module is used for acquiring the identity of a legal user, establishing a user permission table and recording the identity of the legal user in the user permission table, wherein the legal user has permission to access a corresponding login management server.
In one embodiment, the dynamic address generation module is further configured to:
judging whether the target identity exists in the user authority list, if so, the target user login request is legal;
and if the target identity mark does not exist in the user authority list, the target user login request is illegal.
In one embodiment, the dynamic address generation module is further configured to:
randomly generating a target dynamic character string or generating the target dynamic character string according to the target identity;
the target dynamic login address is generated based on the proxy address and the target dynamic character string.
In one embodiment, the dynamic address forwarding module is further configured to send the target dynamic login address to the proxy server, and simultaneously send a target login management server address corresponding to the target identity, so that the proxy server establishes and stores a mapping relationship between the target dynamic login address and the target login management server address.
In one embodiment, the proxy server performing authentication management on the target user based on the target dynamic login address includes:
The proxy server judges whether the received access request carries a dynamic character string or not, and if the received access request carries the dynamic character string, the proxy server judges whether the dynamic character string is a target dynamic character string in the target dynamic login address or not;
if yes, searching the target login management server address based on the mapping relation and the target dynamic login address, forwarding the access request to a target login management server pointed by the target login management server address, and sending a system login page fed back by the target login management server to the target user.
In one embodiment, the dynamic address generation module is further configured to:
encrypting a target login management server address corresponding to the target user identity to generate a target dynamic character string;
and generating the target dynamic login address according to the proxy server address and the target dynamic character string.
In one embodiment, when the target user accesses the target dynamic login address, the proxy server performs authentication management on the target user based on the target dynamic login address, including:
The proxy server judges whether the received access request carries a dynamic character string or not, and if the received access request carries the dynamic character string, the proxy server judges whether the dynamic character string is the target dynamic character string or not;
if yes, decrypting the target dynamic character string to acquire the target login management server address, forwarding the access request to a target login management server pointed by the target login management server address, and sending a system login page fed back by the target login management server to the target user.
In one embodiment, the dynamic address generation module is further configured to:
setting a validity period for the target dynamic login address;
correspondingly, when the target user accesses the target dynamic login address, the proxy server performs authentication management on the target user based on the target dynamic login address, including:
and the proxy server judges whether the received access request is valid or not based on the target dynamic login address and the validity period which are stored locally.
Referring to fig. 5, the present application further provides a secure login device, where the secure login device includes a memory and a processor, the memory is configured to store a computer program, and when the computer program is executed by the processor, the secure login method described above may be implemented. In particular, at the hardware level, the secure login device may comprise a processor, an internal bus and a memory. The memory may include internal memory and non-volatile memory. The processor reads the corresponding computer program from the non-volatile memory into the internal memory and then runs it. It will be appreciated by those skilled in the art that the configuration shown in fig. 5 is merely illustrative and is not intended to limit the configuration of the secure login device described above. For example, the secure login device may also include more or fewer components than shown in fig. 5, such as other processing hardware, for example a GPU (Graphics Processing Unit), or an external communication port. Of course, in addition to software implementations, this application does not exclude other implementations, such as a logic device or a combination of hardware and software.
In this embodiment, the processor may include a Central Processing Unit (CPU) or a Graphics Processing Unit (GPU), and may of course also include other single-chip microcontrollers, logic gates, integrated circuits, etc. with logic processing capability, or a suitable combination thereof. The memory according to the present embodiment may be a memory device for storing information. In a digital system, a device capable of holding binary data may be a memory; in an integrated circuit, a circuit with a memory function but without a physical form of its own can also be a memory, such as a RAM or a FIFO; in a system, a storage device having a physical form may also be called a memory. When the method is implemented, the memory can also be implemented as cloud storage, and the specific implementation is not limited in this specification.
It should be noted that, in the secure login device in the present disclosure, a specific implementation manner may refer to a description of a method embodiment, which is not described herein in detail.
Therefore, according to the technical scheme provided by the application, when a target user needs to log in to a service system in an enterprise (namely the target login management server), the target user can send a target user login request to the information transfer platform. After receiving the target user login request, the information transfer platform forwards it to the address management server, so that the address management server can identify the target identity carried in the request and judge whether the target identity is legal according to the prestored legal user identities. If the target identity is legal, the address management server can generate a target dynamic login address based on the proxy server address and the target login management server address, and then send the target dynamic login address to the information transfer platform and the proxy server; the user thus receives the target dynamic login address forwarded by the information transfer platform, and the proxy server stores the target dynamic login address. Because the target dynamic login address carries the address of the proxy server, the target user's request to access the target dynamic login address is led to the proxy server, and the proxy server can compare the stored target dynamic login address with the dynamic login address carried in the request sent by the user, thereby carrying out authentication management on the user. When the proxy server judges that the target user has the access right, it can direct the request to the target login management server, so that the target user can log in directly through the login page fed back by the target login management server.
Therefore, by issuing the target dynamic login address to the target user, the risk of exposing the real address of the target login management server is avoided, and the target user can log in to the service system in the enterprise by inputting verification information only once.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or may be implemented by hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.
Claims (10)
1. A secure login method, the method being applied to an address management server, the address management server having a proxy address stored therein, the method comprising:
Receiving a target user login request forwarded by an information transfer platform, wherein the target user login request is generated by the information transfer platform based on login request information sent by a target user;
generating a target dynamic login address based on the proxy server address, wherein the target dynamic login address points to the proxy server;
and sending the target dynamic login address to the information transfer platform and the proxy server, so that the information transfer platform forwards the target dynamic login address to the target user, the proxy server locally stores the target dynamic login address, and after receiving an access request sent by the target user, the proxy server compares the dynamic login address in the access request with the locally stored target dynamic login address to judge whether the target user can access the target login management server, and if so, a system login page fed back by the target login management server is sent to the target user.
2. The method according to claim 1, wherein the method further comprises:
Before the step of generating the target dynamic login address, judging whether the target user login request is legal or not based on the target identity of the target user carried in the target user login request, and if it is not legal, not entering the subsequent step.
3. The method of claim 2, wherein said determining whether the target user login request is legitimate comprises:
and judging whether the address of the target login management server corresponding to the target identity exists in the local record, if so, the target user login request is legal, and if not, the target user login request is illegal.
4. The method of claim 1 or 2, wherein the generating a target dynamic login address based on a proxy address comprises:
randomly generating a target dynamic character string or generating the target dynamic character string according to the target identity;
the target dynamic login address is generated based on the proxy address and the target dynamic character string.
5. The method of claim 4, wherein the target dynamic login address is sent to the proxy server together with a target login management server address corresponding to the target identity, so that the proxy server establishes and stores a mapping relationship between the target dynamic login address and the target login management server address.
6. The method of claim 5, wherein the proxy server performing authentication management on the target user based on the target dynamic login address comprises:
the proxy server judges whether the received access request carries a dynamic character string or not, and if the received access request carries the dynamic character string, the proxy server judges whether the dynamic character string is a target dynamic character string in the target dynamic login address or not;
if yes, searching the target login management server address based on the mapping relation and the target dynamic login address, forwarding the access request to a target login management server pointed by the target login management server address, and sending a system login page fed back by the target login management server to the target user.
7. The method of claim 1 or 2, wherein the generating a target dynamic login address based on a proxy address comprises:
encrypting a target login management server address corresponding to the target user identity to generate a target dynamic character string;
the target dynamic login address is generated based on the proxy address and the target dynamic character string.
8. The method of claim 7, wherein the proxy server performing authentication management on the target user based on the target dynamic login address comprises:
the proxy server judges whether the received access request carries a dynamic character string or not, and if so, judges whether the dynamic character string is the target dynamic character string or not;
if yes, decrypting the target dynamic character string to acquire the target login management server address, forwarding the access request to a target login management server pointed by the target login management server address, and sending a system login page fed back by the target login management server to the target user.
9. The method of claim 1, wherein after the generating the target dynamic login address based on the proxy server address, the method further comprises:
setting a validity period for the target dynamic login address;
correspondingly, when the target user accesses the target dynamic login address, the proxy server performs authentication management on the target user based on the target dynamic login address, including:
And the proxy server judges whether the received access request is valid or not based on the target dynamic login address and the validity period.
10. A secure login device, characterized in that the device comprises a memory and a processor, the memory being for storing a computer program which, when executed by the processor, implements the method according to any of claims 1 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110515972.4A CN113381978B (en) | 2021-05-12 | 2021-05-12 | Safe login method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN113381978A CN113381978A (en) | 2021-09-10 |
CN113381978B true CN113381978B (en) | 2023-06-27 |