CN114095483A - Password substitution filling method and device, electronic equipment and storage medium - Google Patents

Publication number
CN114095483A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111246313.1A
Other languages
Chinese (zh)
Inventor
张�育
秦臻
周镇健
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Sangfor Technologies Co Ltd
Original Assignee
Sangfor Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]

Abstract

The application discloses a password substitution filling method, a password substitution filling device, electronic equipment and a storage medium, wherein the method comprises the following steps: acquiring a Web application access request of a user application, wherein the user application is developed based on a browser kernel; sending the Web application access request to the Web application, and acquiring a response message returned by the Web application; injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page; and sending the response message after the injection code to the user application so that the user application realizes password substitution and filling through the injection code.

Description

Password substitution filling method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of security, and relates to, but is not limited to, a method, an apparatus, an electronic device, and a storage medium for replacing a password.
Background
In the related art, browser plug-in password substitution has the disadvantage of poor compatibility with the terminal: an IE (Internet Explorer) browser plug-in needs to be implemented using technologies such as the conventional COM (Component Object Model) component and the BHO (Browser Helper Object) component, and has poor compatibility with the Windows system version, the IE version, and settings; some browsers do not support loading unofficial plug-ins; and password substitution filling on the Web application login page has a certain failure rate.
Disclosure of Invention
In view of this, embodiments of the present application provide a password substitution method, apparatus, electronic device, and storage medium.
In a first aspect, an embodiment of the present application provides a method for replacing and filling a password, where the method includes: acquiring a Web application access request of a user application, wherein the user application is developed based on a browser kernel; sending the Web application access request to the Web application, and acquiring a response message returned by the Web application; injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page; and sending the response message after the injection code to the user application so that the user application realizes password substitution and filling through the injection code.
In a second aspect, an embodiment of the present application provides a password substitution device, including: the proxy service is used for acquiring a Web application access request of a user application, and the user application is developed based on a browser kernel; sending the Web application access request to the Web application, and acquiring a response message returned by the Web application; injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page; and sending the response message after the injection code to the user application so that the user application realizes password substitution and filling through the injection code.
In a third aspect, an embodiment of the present application provides an electronic device, including a memory and a processor, where the memory stores a computer program that is executable on the processor, and the processor executes the computer program to implement the steps in the password substitution filling method according to the first aspect of the embodiment of the present application.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in the password substitution filling method according to the first aspect of the embodiment of the present application.
In the embodiment of the application, the obtained response message is rewritten through the proxy service, the rewritten response message is sent to the user application, the Web login page of the Web application is loaded by the user application through the rewritten response message, and password substitution filling is executed on the Web login page, so that password substitution filling can be realized without installing a plug-in on the user application, and the influence of high failure rate of password substitution filling caused by incompatibility of the plug-in and the user application is reduced.
Drawings
FIG. 1 is a flowchart illustrating a password substitution method according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of an application page according to an embodiment of the present application;
FIG. 3 is a diagram illustrating an effect of password substitution filling according to an embodiment of the present disclosure;
FIG. 4 is a network topology diagram of password substitution filling according to an embodiment of the present application;
FIG. 5 is a flowchart illustrating an authentication method according to an embodiment of the present application;
FIG. 6 is a flowchart illustrating a password substitution filling method according to an embodiment of the present disclosure;
FIG. 7 is a schematic diagram illustrating a structure of a password substitution device according to an embodiment of the present disclosure;
FIG. 8 is a hardware entity diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solution of the present application is further elaborated below with reference to the drawings and the embodiments.
Fig. 1 is a flowchart illustrating a password substitution method according to an embodiment of the present application, as shown in fig. 1, the method may be applied to a proxy service, and the method includes:
Step 102: acquiring a Web application access request of a user application, wherein the user application is developed based on a browser kernel;
The proxy service may be a device providing the proxy service, such as a proxy gateway. The user application may be an application program that the user uses to retrieve, present, and deliver Web information resources, such as a user browser. The Web application access request may be an HTTP (Hypertext Transfer Protocol) request, that is, a request message from a client to a server. The first line of the HTTP request message may include the request method for a resource, the identifier of the resource, and the protocol used; the identifier may be a Uniform Resource Identifier (URI), which may indicate the address of the Web page of the Web application that the user browser is to access. The Web application access request may also be an HTTPS request.
Step 104: sending the Web application access request to the Web application, and acquiring a response message returned by the Web application;
The response message may be used to load a Web login page of the Web application. The proxy service may be a seven-layer (application-layer) proxy service, which performs seven-layer load balancing and can identify HTTP requests, so that the proxy service can capture the application message.
Step 106: injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page;
Rewriting the response message may consist of injecting a section of code (such as JS code) into the response message; when the rewritten response message is loaded, the injected code runs and password substitution filling is performed. The password substitution filling function described herein is: automatically filling in user data (such as a user name and password) on behalf of the user and automatically performing the login operation based on that user data.
Step 108: and sending the response message after the injection code to the user application so that the user application realizes password substitution and filling through the injection code.
After receiving a response message after the code is injected, the user application can load a Web login page of the Web application through the response message, execute password substitution on the Web login page, and enter an internal page of the Web application after the password substitution is successful.
In the embodiment of the application, the obtained response message is rewritten through the proxy service, the rewritten response message is sent to the user application, the Web login page of the Web application is loaded by the user application through the rewritten response message, and password substitution filling is executed on the Web login page, so that password substitution filling can be realized without installing a plug-in on the user application, and the influence of high failure rate of password substitution filling caused by incompatibility of the plug-in and the user application is reduced.
In addition, in this embodiment of the present application, when code is injected to implement password substitution filling, the whole login page may be masked, or the part of the login page where user data is entered may be removed or masked. Specifically, while injecting the code, the relevant code of the front-end Web page may be further modified to implement this, for example by adding a section of code to implement the masking, or by deleting the relevant DOM (Document Object Model) nodes to remove the part where user data is entered.
The embodiment of the application also provides a password substitution and filling method, which comprises the following steps:
step S202: acquiring a Web application access request of a user application, wherein the user application is developed based on a browser kernel;
step S204: under the condition that the Web application access request authentication is not passed, the user application acquires an authentication page by returning redirection information, or acquires the authentication page by accessing the Web application and returns the authentication page to the user application;
The proxy service may authenticate the Web application access request (such as an HTTP request) sent by the user application. The authentication may consist of checking a Cookie, which is data (usually encrypted) that the websites of some Web applications store on the user's local terminal for session tracking in order to identify the user; the information is stored temporarily or permanently by the user's client computer.
When a user uses a user application to access a website of a Web application supporting Cookie, the user provides personal information including a user name and submits the personal information to a server; then, the server will send back the personal information while transmitting the corresponding hypertext back to the client, and certainly, the information is not stored in the HTTP Response Body (Response Body) but stored in the HTTP Response Header (Response Header); after the client browser receives the response from the server, the browser stores the information in a uniform position; therefore, when the client sends a request to the server again, the corresponding Cookie is sent back to the server again. This time, the Cookie information is stored in an HTTP Request Header (Request Header). With the technical implementation of cookies, after the server receives a request from a client browser, the server can obtain information specific to the client by analyzing the Cookie stored in the request header, thereby dynamically generating content corresponding to the client. Usually, the option of "please remember me" can be seen from the login interfaces of many websites, and if the website is logged in after the option is checked, repeated and tedious login actions are not needed when the website is accessed next time, and the function is realized by Cookie.
In the case of authentication failure, the user application is controlled to access an authentication page of the authentication service for authentication. The address of the authentication page can be http:// auth.com ═ http:// app.com; the user browser can be controlled to access the authentication page of the authentication service by replying '302' (that is, temporary redirection information), and the authentication mode of the proxy service can be a password, a short message and the like. Alternatively, the Web application http:// app.com is accessed to obtain the authentication page, and the authentication page is forwarded to the user application.
Before the user application accesses the Web application to perform password substitution, the authentication service can authenticate the Web application access request of the user application; the proxy authentication service can be a device providing an authentication service and a proxy service, the proxy service and the authentication service can be respectively provided by two devices, the proxy gateway can be used for providing the proxy service, and the authentication gateway can be used for providing the authentication service; it is also possible to provide both authentication service and proxy service by one device. The authentication service can be services of user management, user authentication and the like, the user application needs to be authenticated before accessing the Web application, different users and different Web application substitute-filled accounts (namely user names) and passwords are different, and the access authority between different Web applications also needs to be managed and controlled by an authentication gateway. The proxy service can be a seven-layer proxy service provided for the Web application, and can rewrite the application message of the Web application to realize the password substitution and filling function.
Step S206: receiving a Web application access request which is sent by the user application and carries a ticket;
Step S208: verifying the ticket carried in the Web application access request through a second authentication service;
The URL (Uniform Resource Locator) can carry the ticket "xxx" in http:// app. The token can be a token used in identity authentication. The proxy service and the authentication service interface through either OAuth (Open Authorization) or OIDC (OpenID Connect) to verify the ticket.
Step S210: in the case that the ticket is verified successfully, sending the Web application access request to the Web application, and acquiring a response message returned by the Web application;
The response message may be used to indicate that the user application was authenticated successfully. After the verification succeeds, a Cookie is planted in the application traffic and the traffic is released, so that the Web application can be accessed directly the next time it is accessed.
Step S212: injecting a code for realizing a password substitution filling function and user data required in the password substitution filling process into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page;
The code of the password substitution filling function and the user data required in the password substitution filling process can be injected into the application layer data of the response message at the same time to obtain the rewritten response message, so that the user application can obtain the user data directly from the response message rewritten by the proxy service; the user data can comprise a user name and a password. Password substitution filling can be a process in which a program fills in the login form on behalf of the user to log in automatically. Its purpose is to realize a single sign-on function: in an environment where multiple systems coexist, after logging in at one place the user does not need to log in to the other systems, that is, one login obtains the trust of all the other systems.
Step S214: and sending the response message after the injection code to the user application so that the user application realizes password substitution and filling through the injection code.
In the embodiment of the application, the user data is injected together with the code, so that the user data to be filled in can be obtained more efficiently and the efficiency of password substitution filling is improved. The access request of the user application is authenticated; in the case of authentication failure the user application is authenticated by means of a password, a short message and the like, and the proxy service interfaces with the proxy gateway by verifying the ticket, so that the accuracy of user application authentication can be improved.
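A sketch of the rewrite described in steps S212 and S214, added here as an example and not code from the patent: the proxy inserts the fill-in code and the user data into a buffered HTML response and fixes the headers that the longer body invalidates. The function names, the `__autofill_data` element id and the form selectors are hypothetical; the body is assumed to be fully buffered, uncompressed and UTF-8.

```javascript
// Added example, not code from the patent. All names are hypothetical.

// Browser-side code the proxy injects. It reads the user data from a JSON
// <script> element, fills the first login form it finds and submits it.
const AUTOFILL_JS = `
(function () {
  var data = JSON.parse(document.getElementById('__autofill_data').textContent);
  var pwd = document.querySelector('input[type="password"]');
  if (!pwd || !pwd.form) return;               // not a login form: do nothing
  var user = pwd.form.querySelector('input[type="text"], input[type="email"]');
  if (user) user.value = data.username;
  pwd.value = data.password;
  pwd.form.submit();
})();`;

// Serialize user data for embedding inside a <script> element. Escaping "<"
// keeps a password such as 'pw</script>' from closing the element early;
// JSON.parse turns \u003c back into "<" in the browser.
function serializeForScript(obj) {
  return JSON.stringify(obj).replace(/</g, '\\u003c');
}

// res: { status, headers (lower-case keys), body (Buffer) }.
// Returns res unchanged when it is not an HTML page this sketch can rewrite.
function injectAutofill(res, userData) {
  const type = (res.headers['content-type'] || '').toLowerCase();
  const charset = /charset=["']?([^"';\s]+)/.exec(type);
  const isHtml = res.status === 200 && type.startsWith('text/html');
  const isUtf8 = !charset || charset[1] === 'utf-8';
  // A compressed body would have to be decompressed before rewriting.
  if (!isHtml || !isUtf8 || res.headers['content-encoding']) return res;

  const html = res.body.toString('utf8');
  const payload =
    '<script type="application/json" id="__autofill_data">' +
    serializeForScript(userData) + '</script>' +
    '<script>' + AUTOFILL_JS + '</script>';

  // Insert before the last </body>; append if the page has none.
  const closers = [...html.matchAll(/<\/body\s*>/gi)];
  const at = closers.length ? closers[closers.length - 1].index : html.length;
  const body = Buffer.from(html.slice(0, at) + payload + html.slice(at), 'utf8');

  const headers = { ...res.headers };
  delete headers['transfer-encoding'];          // body is sent with a length
  delete headers['etag'];                       // no longer matches the body
  headers['content-length'] = String(body.length);
  headers['cache-control'] = 'no-store';        // response now carries a password
  // Not handled here: a Content-Security-Policy that restricts script-src
  // can block the inline script.
  return { status: res.status, headers, body };
}

// Constructed sample input: a minimal login page and user data whose
// password contains the sequence that would break naive embedding.
function sampleLoginResponse() {
  const body = Buffer.from(
    '<html><body><form action="/login" method="post">' +
    '<input type="text" name="u"><input type="password" name="p">' +
    '</form></body></html>', 'utf8');
  return {
    status: 200,
    headers: { 'content-type': 'text/html; charset=UTF-8',
               'content-length': String(body.length) },
    body
  };
}
const sampleUserData = { username: 'alice', password: 'pw</script><b>' };
```

Once injected, the user data is part of the page, so any other script running on the login page can read it.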
The embodiment of the application also provides a password substitution and filling method, which comprises the following steps:
step S302: acquiring a Web application access request of a user application, wherein the user application is developed based on a browser kernel;
step S304: sending the Web application access request to the Web application, and acquiring a response message returned by the Web application;
step S306: injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page;
step S308: sending the response message after the code is injected to the user application;
step S310: receiving a non-cross-domain user data request sent by the user application when the Web login page is loaded; the non-cross-domain user data request is used for requesting user data used in a password substitution and filling process;
The code injected into the user application runs on the application page, so the data requested from the application page can be cross-domain or non-cross-domain. Requesting user data from the application page at the application address http:// app.com/… … is not cross-domain, and such a request is a non-cross-domain user data request. For example, if user data is requested directly from the address of the Web application on the Web login page of the Web application, no cross-domain access is needed; if user data is requested on the application page from another address, such as the address http:// auth. com/… … of the authentication service, the request is cross-domain and is a cross-domain user data request.
Step S312: sending the non-cross-domain user data request to the Web application;
step S314: and receiving user data returned by the Web application, and sending the user data to the user application so that the user application realizes password substitution through the injection code and the user data.
In the embodiment of the application, when the code is injected into the application layer data of the response message, the user data need not be injected with it: the user application sends the non-cross-domain user data request to the proxy service, the proxy service sends the non-cross-domain user data request to the Web application, and the user data returned by the Web application is sent on to the user application, so that the flexibility of obtaining the user data can be improved. Further, because the user data is requested from the address of the Web application, the cross-domain problem can be avoided.
The embodiment of the application also provides a password substitution and filling method, which comprises the following steps:
step S402: acquiring a Web application access request of a user application, wherein the user application is developed based on a browser kernel;
step S404: under the condition that the Web application access request authentication is not passed, the user application acquires an authentication page by returning redirection information, or acquires the authentication page by accessing the Web application and returns the authentication page to the user application;
step S406: receiving a Web application access request which is sent by the user application and carries a ticket;
step S408: verifying the ticket carried in the Web application access request through a second authentication service;
step S410: in the case that the ticket is verified successfully, sending the Web application access request to the Web application, and acquiring a response message returned by the Web application;
step S412: planting cookies on the Web application access request so as to conveniently judge whether the Web application access request is authenticated through the cookies in the Web application access request;
step S414: injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page;
step S416: sending the response message after the code is injected to the user application;
step S418: receiving a cross-domain user data request sent by the user application when the Web login page is loaded; the cross-domain user data request is used for requesting user data used in a password substitution and filling process;
step S420: sending the cross-domain user data request to a first authentication service;
step S422: and receiving user data returned by the first authentication service, and sending the user data to the user application, so that the user application realizes password substitution through the injection code and the user data.
Wherein the proxy service and the second authentication service are integrated in the same hardware device or software module; or, the agent service and the second authentication service are respectively deployed in different hardware devices or are respectively two independent software modules. The first authentication service and the second authentication service may be the same authentication implementation.
In the embodiment of the application, the user data stored in the first authentication service can be sent to the user application in a cross-domain manner through the proxy service, so that the data interaction between the authentication service and the user application can be more efficiently carried out; the cookie is planted to facilitate the subsequent judgment of whether the Web application access request is authenticated through the cookie in the Web application access request.
In the related art, password substitution needs to be realized by installing a plug-in in a browser. The embodiment of the application mainly comprises the following steps: a proxy gateway (or a software or hardware facility with a proxy function) acts as a seven-layer proxy for the application, captures and rewrites the application message, injects the required code, and returns the result to the browser.
When the browser loads the rewritten Web page, the injected code runs, matches the Web application login page, fills in the user information and submits it, which finally realizes password substitution filling.
The main problem and disadvantage of the browser plug-in password substitution scheme in the related art is poor compatibility with the terminal: the IE browser plug-in needs to be realized using the conventional COM component, the BHO component and other technologies, and has poor compatibility with the Windows system version, the IE version and settings; some browsers do not support loading unofficial plug-ins; and password substitution filling on the Web application login page has a certain failure rate.
The technology in the embodiment of the application mainly solves the compatibility problem of the terminal, and most of browsers supporting modern JavaScript can support the scheme.
Taking the current implementation in IDTrust (unified identity security management platform) as an illustration, the password substitution and filling method may include the following steps:
step S601: accessing the address issued by the proxy gateway, and jumping to an authentication page for authentication if detecting that the address is not authenticated;
the user browser can access the address of the application page of the Web application published by the proxy gateway, wherein the address of the application page can be' https://10.66.
Step S602: jumping back to the application after the authentication is successful;
In the case that the user browser passes the proxy gateway's authentication, the browser can jump to the application page of the Web application. Fig. 2 is a schematic diagram of an application page according to an embodiment of the present application; referring to fig. 2, the address of the application page to be accessed may be entered in an address bar 201. In the case that the proxy gateway detects that the user browser is not authenticated, it controls the user browser to jump to an authentication page for authentication, wherein the address of the authentication page can be' https://10.66. Php can be the application interior after the password substitution is successful.
Step S603: the browser loads an authentication page of the application to start password substitution, and enters the application after the password substitution is successful;
fig. 3 is a schematic diagram illustrating an effect of password substitution in the embodiment of the present application, where fig. 3 is invisible to a user, that is, the user cannot see a login page (region. Referring to fig. 2, information columns 202 represent status, method, domain name, and file in the case of successful authentication; the information column 203 indicates the state, method, domain name, and file in the case where the application page is returned after the authentication is successful; the information fields 204 represent the state, method, domain name and file in the case of a successful cryptographic completion into the application.
In the embodiment of the present application, a device providing an authentication service is required, for example IDTrust (unified identity security management platform), which provides services such as user management and user authentication. Password substitution filling is meant to implement a single sign-on function, so authentication must be performed before an application is accessed. Different users and different applications have different filled-in accounts and passwords, and access rights among different applications may need to be controlled. In the embodiment of the present application, a proxy service device is further required to provide a seven-layer proxy service for the application, so that the message can be rewritten to implement the subsequent password substitution filling function.
In actual deployment, the proxy service and the authentication service may be provided by two devices, or one device may provide both services at the same time; all requests and traffic in the whole flow need to pass through the proxy service.
Fig. 4 is a network topology diagram of password substitution filling according to an embodiment of the present application, and referring to fig. 4, the network topology diagram includes a user browser 401, a proxy service 402, an authentication service 403, a first Web application 404, and a second Web application 405, where:
the user browser 401 may perform application traffic interaction with the first Web application 404 or the second Web application 405 through the proxy service 402, the user browser 401 may also perform authentication traffic interaction with the authentication service 403 through the proxy service 402, the first Web application 404 may be Web application a, and the second Web application 405 may be Web application B.
Fig. 5 is a schematic flowchart of an authentication method according to an embodiment of the present application. Referring to fig. 5, the method may include the following steps:
Step 501: the user browser 51 sends an access request to the proxy service 52;
wherein the access request may be an HTTP request requesting access to the Web application 54;
Step 502: the proxy service 52 authenticates the HTTP request;
the user browser 51 must be authenticated before it accesses the Web application 54 for password substitution, and traffic authentication of the HTTP request usually consists of checking a cookie.
Step 503: the proxy service 52 replies with a 302 to make the user browser 51 jump to the authentication page;
Step 504: when traffic authentication of the HTTP request fails, the proxy service 52 replies with a 302 to send the user browser 51 to the authentication page of the authentication service 53 for authentication;
wherein the address of the authentication page may be http:// auth.
Step 505: the authentication service 53 authenticates the user browser 51;
the authentication service 53 may support authentication by password, short message, and the like.
Step 506: after successful authentication, the authentication service 53 replies with a 302 back to the application page of the user browser 51;
after the authentication succeeds, the authentication service 53 replies with a 302 that returns the user browser 51 to the application page, and the URL (Uniform Resource Locator) must carry a ticket, such as: http:// app.
Step 507: the user browser 51 requests the proxy service 52 to access the Web application 504 with the ticket;
Step 508: the proxy service 52 may interface with the authentication service 53 to verify the ticket and pass the traffic through;
wherein the traffic can be passed through after the verification succeeds;
Step 509: the Web application 504 logs in successfully;
wherein the proxy service 52 passes the traffic through and the login to the Web application 504 succeeds.
Step 510: the user browser 51 is authenticated successfully;
after the authentication succeeds, the Web application may send a notification of the successful authentication to the application page of the user browser 51.
The proxy gateway needs to interface with the authentication gateway to verify a ticket such as a token; after the verification succeeds, it plants a cookie for the application traffic and then passes the traffic through, so that the traffic can pass directly when the Web application is accessed again.
It should be noted that fig. 5 is an abstract diagram and does not represent an actual deployment; the same requests and logic also apply when the proxy service and the authentication service are combined. The figure shows interfacing over an OAuth-like (Open Authorization) protocol, in which the authentication gateway provides the authentication service to the proxy gateway; actual deployments use various interfacing modes. If the proxy service and the authentication service are the same device, the internal interfaces may take any form; if the proxy gateway and the authentication gateway are two devices, they may be connected with a public protocol such as OAuth or OIDC (OpenID Connect, OIDC = (Identity, Authentication) + OAuth 2.0), or with an internal custom protocol.
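The gateway decisions of fig. 5 (cookie check, 302 to the authentication page, ticket verification, cookie planting), as an added example that is not part of the patent text. The hosts `auth.example` and `app.example`, the `ticket` and `return` query parameters, the `gw_session` cookie name and the single-use ticket rule are assumptions made for the illustration.

```javascript
// Added illustration of the fig. 5 flow; every name and URL here is constructed.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
const newId = () => Buffer.from(wc.getRandomValues(new Uint8Array(16))).toString('hex');

const AUTH_PAGE = 'http://auth.example/login'; // placeholder authentication page
const COOKIE = 'gw_session';                   // hypothetical cookie name

// Stand-in for the authentication service: issues and verifies tickets.
class AuthService {
  constructor() { this.tickets = new Map(); }
  issueTicket(user) {              // steps 505-506: after the user has authenticated
    const ticket = newId();
    this.tickets.set(ticket, user);
    return ticket;
  }
  verifyTicket(ticket) {           // step 508: assumed single use, so a replayed URL fails
    const user = this.tickets.get(ticket) ?? null;
    this.tickets.delete(ticket);
    return user;
  }
}

class ProxyGateway {
  constructor(auth) { this.auth = auth; this.sessions = new Map(); }

  // Step 502: traffic authentication by checking the cookie.
  sessionUser(cookieHeader = '') {
    for (const part of cookieHeader.split(';')) {
      const [name, value] = part.trim().split('=');
      if (name === COOKIE && this.sessions.has(value)) return this.sessions.get(value);
    }
    return null;
  }

  // req: { url, cookie }. Returns what the gateway does with the request.
  handle(req) {
    const url = new URL(req.url);
    const known = this.sessionUser(req.cookie);
    if (known) return { action: 'forward', user: known, url: url.href };

    const ticket = url.searchParams.get('ticket');
    url.searchParams.delete('ticket');   // never pass the ticket on to the Web application
    const user = ticket ? this.auth.verifyTicket(ticket) : null;
    if (user) {
      const sid = newId();
      this.sessions.set(sid, user);      // plant a cookie for later requests
      return { action: 'forward', user, url: url.href,
               setCookie: `${COOKIE}=${sid}; HttpOnly; Path=/; SameSite=Lax` };
    }
    // Steps 503-504: authentication failed, reply 302 to the authentication page.
    return { action: 'redirect', status: 302,
             location: `${AUTH_PAGE}?return=${encodeURIComponent(url.href)}` };
  }
}
```
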
Fig. 6 is a flowchart of a password substitution method according to an embodiment of the present application. Referring to fig. 6, the method may include the following steps:
Step 601: the user browser 61 accesses the Web application 64 through the proxy service 62;
Step 602: the proxy service 62 may capture the Web messages of the Web application 64;
because the proxy service 62 operates at layer 7 (the application layer), it can capture the Web messages of the Web application 64;
Step 603: the proxy service 62 injects code into the Web message;
injecting code into the Web message rewrites it; the code can be used to acquire user data and to execute password substitution according to the user data.
Step 604: the proxy service 62 sends the rewritten Web message to the user browser;
Step 605: the user browser 61 loads the Web message, runs the injected code, and starts to execute password substitution;
the user browser 61 starts loading after it receives the rewritten application message (Web message), and the injected code may then start running to execute the password substitution process.
Step 606: the user browser 61 requests user data from the proxy service 62;
Step 607: the proxy service 62 sends the request for user data to the authentication service 63;
wherein the user browser 61 may request user data from the proxy service 62; the user data may include a username and password, and since password substitution requires the username and password to be used, the user data needs to be requested from the proxy service 62. It should be noted that the username and password may be injected at the same time as the code; if they are not, the user data can be acquired when the injected code runs.
The proxy service 62 sends the request for user data to the authentication service 63. The user data is held on the authentication service 63, for example at http://auth.com, but the code injected into the browser runs on the application page, for example http://app.com. There are therefore two ways to obtain user data while the injected code is running. In the first, the application page requests the data directly from http://auth.com; this is a cross-domain request and has certain compatibility problems. In the second, the application page requests the user data from the Web application's own address, http://app.com, and the proxy gateway forwards the request to the authentication gateway; the cross-domain problem is avoided by distinguishing requests by prefix, for example by forwarding http://app.com/auth/ requests to the authentication gateway.
Step 608: the authentication service 63 sends the stored user data to the proxy service 62;
Step 609: the proxy service 62 sends the user data to the user browser 61;
Step 610: the user browser 61 performs password substitution according to the requested user data;
Step 611: the user browser 61 succeeds in entering the Web application 64.
In the embodiment of the application, password substitution can be realized without installing a plug-in in the user browser. Requesting user data from the address of the Web application avoids the cross-domain problem, and support for the IE browser and for invalid HTTPS websites is significantly improved. In actual deployment, the authentication gateway and the proxy gateway can be deployed separately or provided by one integrated device. The interface between the authentication gateway and the proxy gateway can be implemented in various ways, such as OAuth, OIDC, or a custom protocol. The application page and the authentication page are at different addresses, such as http://app.com and http://auth.com, but authentication can also be implemented without 302 jumps, directly on the http://app.com page, that is, forwarded to the authentication gateway through the proxy gateway. The user data can be injected together with the code when the application message is rewritten, or it can be actively acquired later, when the browser loads and runs the application page code; the latter can be done in a cross-domain or a non-cross-domain way.
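The gateway side of fig. 6 in the non-cross-domain mode (response rewriting in step 603, prefix routing, and the user data reply of steps 606 to 609), as an added example that is not part of the patent text. The script path `/auth/fill.js`, the `/auth/userdata` endpoint, the vault layout and the rule that user data is released only to an already authenticated session are assumptions made for the illustration.

```javascript
// Added illustration of fig. 6; names, paths and sample data are constructed.
const AUTH_PREFIX = '/auth/';                              // prefix that marks gateway requests
const FILL_TAG = '<script src="/auth/fill.js"></script>';  // hypothetical same-origin script

// Decide where a request that arrived on the application's own address goes.
function routeRequest(path) {
  return path.startsWith(AUTH_PREFIX) ? 'authentication-gateway' : 'web-application';
}

// Step 603: rewrite one response from the Web application.
// resp: { status, headers: { lower-case name: value }, body: string }
function rewriteResponse(resp, isLoginPage) {
  const type = (resp.headers['content-type'] || '').toLowerCase();
  const compressed = Boolean(resp.headers['content-encoding']);
  // Anything that is not a plain, uncompressed HTML login page passes through untouched.
  if (!isLoginPage || resp.status !== 200 || !type.startsWith('text/html') || compressed) {
    return resp;
  }
  const last = [...resp.body.matchAll(/<\/body\s*>/gi)].pop();
  if (!last) return resp;                                  // no closing body tag: do not guess
  const body = resp.body.slice(0, last.index) + FILL_TAG + resp.body.slice(last.index);
  // The body grew, so the length header from the application is no longer valid.
  const headers = { ...resp.headers, 'content-length': String(Buffer.byteLength(body, 'utf8')) };
  return { status: resp.status, headers, body };
}

// Steps 606-609: the injected code asks the application's own origin for user data.
// sessionUser is the user resolved from the gateway cookie, or null.
// vault maps "user|application host" to the account filled for that application.
function handleUserData(path, sessionUser, appHost, vault) {
  if (routeRequest(path) !== 'authentication-gateway') return null; // belongs to the Web application
  if (!sessionUser) return { status: 401 };                // not authenticated: no user data
  const entry = vault[`${sessionUser}|${appHost}`];
  if (!entry) return { status: 403 };                      // user has no account for this application
  return {
    status: 200,
    // no-store is an added assumption: the reply carries a password and should not be cached
    headers: { 'content-type': 'application/json', 'cache-control': 'no-store' },
    body: JSON.stringify(entry),
  };
}
```
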
Based on the foregoing embodiments, the present application provides a password substitution device (i.e., a proxy authentication service), which includes various modules, and can be implemented by a processor in an electronic device; of course, the implementation can also be realized through a specific logic circuit; in the implementation process, the processor may be a Central Processing Unit (CPU), a Microprocessor Unit (MPU), a Digital Signal Processor (DSP), a Field Programmable Gate Array (FPGA), or the like.
Fig. 7 is a schematic structural diagram of a password substitution device according to an embodiment of the present application, and as shown in fig. 7, the device 700 includes a proxy service 701, where:
the proxy service 701 is configured to obtain a Web application access request of a user application, where the user application is developed based on a browser kernel; sending the Web application access request to the Web application, and acquiring a response message returned by the Web application;
the proxy service 701 is further configured to inject code for implementing a password substitution filling function into the application layer data of the response message, so as to obtain a response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application and executing password substitution on the Web login page;
the proxy service 701 is further configured to send the response message after the code is injected to the user application, so that the user application realizes password substitution through the injected code.
In an embodiment, the proxy service 701 is further configured to inject code for implementing a password substitution filling function, together with the user data required in the password substitution filling process, into the application layer data of the response message, so as to obtain the response message after the code is injected.
In one embodiment, the proxy service 701 is further configured to receive a non-cross-domain user data request sent by the user application when the Web login page is loaded; the non-cross-domain user data request is used for requesting user data used in a password substitution and filling process; sending the non-cross-domain user data request to the Web application; and receiving user data returned by the Web application, and sending the user data to the user application.
In one embodiment, the apparatus further includes a first authentication service, and the proxy service 701 is further configured to receive a cross-domain user data request sent by the user application when loading the Web login page; the cross-domain user data request is used for requesting user data used in a password substitution and filling process; sending the cross-domain user data request to a first authentication service; and receiving user data returned by the first authentication service, and sending the user data to the user application.
In one embodiment, the apparatus further includes a second authentication service, and the proxy service 701 is further configured to, in a case that authentication of the Web application access request fails, return redirection information so that the user application acquires an authentication page, or acquire the authentication page by accessing the Web application and return the authentication page to the user application; receive a Web application access request which is sent by the user application and carries a ticket; verify the ticket carried in the Web application access request through the second authentication service; and send the Web application access request to the Web application in a case that the ticket is verified successfully.
In one embodiment, the proxy service 701 is further configured to plant a cookie for the Web application access request, so as to determine whether the Web application access request is authenticated through the cookie in the Web application access request subsequently.
In one embodiment, the proxy service and the second authentication service are integrated in the same hardware device or software module; or, the proxy service and the second authentication service are respectively deployed in different hardware devices or are two independent software modules.
The above description of the apparatus embodiments, similar to the above description of the method embodiments, has similar beneficial effects as the method embodiments. For technical details not disclosed in the embodiments of the apparatus of the present application, reference is made to the description of the embodiments of the method of the present application for understanding.
Correspondingly, an embodiment of the present application provides an electronic device. Fig. 8 is a schematic diagram of a hardware entity of the electronic device according to the embodiment of the present application; as shown in fig. 8, the hardware entity of the electronic device 800 includes a memory 801 and a processor 802, wherein the memory 801 stores a computer program capable of running on the processor 802, and the processor 802 executes the program to realize the steps of the password substitution filling method of the above embodiments.
The Memory 801 is configured to store instructions and applications executable by the processor 802, and may also buffer data (e.g., image data, audio data, voice communication data, and video communication data) to be processed or already processed by the processor 802 and modules in the electronic device 800, and may be implemented by a FLASH Memory (FLASH) or a Random Access Memory (RAM).
Accordingly, embodiments of the present application provide a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps in the password substitution filling method provided in the above embodiments.
Here, it should be noted that: the above description of the storage medium and device embodiments, similar to the above description of the method embodiments, has similar advantageous effects as the device embodiments. For technical details not disclosed in the embodiments of the storage medium and method of the present application, reference is made to the description of the embodiments of the apparatus of the present application for understanding.
It should be appreciated that reference throughout this specification to "one embodiment" or "an embodiment" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application. The above-mentioned serial numbers of the embodiments of the present application are merely for description and do not represent the merits of the embodiments.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described device embodiments are merely illustrative, for example, the division of the unit is only a logical functional division, and there may be other division ways in actual implementation, such as: multiple units or components may be combined, or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between the devices or units may be electrical, mechanical or other forms.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units; can be located in one place or distributed on a plurality of network units; some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment. In addition, all functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may be separately regarded as one unit, or two or more units may be integrated into one unit; the integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as a removable Memory device, a Read Only Memory (ROM), a magnetic disk, or an optical disk. Alternatively, the integrated units described above in the present application may be stored in a computer-readable storage medium if they are implemented in the form of software functional modules and sold or used as independent products. Based on such understanding, the technical solutions of the embodiments of the present application may be essentially implemented or a part contributing to the related art may be embodied in the form of a software product stored in a storage medium, and including a plurality of instructions for enabling a computer device (which may be a mobile phone, a tablet computer, a desktop computer, a personal digital assistant, a navigator, a digital phone, a video phone, a television, a sensing device, etc.) to execute all or part of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a removable storage device, a ROM, a magnetic or optical disk, or other various media that can store program code.
The methods disclosed in the several method embodiments provided in the present application may be combined arbitrarily without conflict to obtain new method embodiments. Features disclosed in several of the product embodiments provided in the present application may be combined in any combination to yield new product embodiments without conflict. The features disclosed in the several method or apparatus embodiments provided in the present application may be combined arbitrarily, without conflict, to arrive at new method embodiments or apparatus embodiments.
The above description is only for the embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (11)

1. A password substitution filling method, applied to a proxy service, the method comprising:
acquiring a Web application access request of a user application, wherein the user application is developed based on a browser kernel; sending the Web application access request to the Web application, and acquiring a response message returned by the Web application;
injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page;
and sending the response message after the injection code to the user application so that the user application realizes password substitution and filling through the injection code.
2. The method according to claim 1, wherein injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected comprises:
injecting a code for realizing the password substitution filling function and user data required in the password substitution filling process into the application layer data of the response message to obtain the response message after the code is injected.
3. The method of claim 1, wherein after the step of sending the response message after the injection code to the user application, the method further comprises:
receiving a non-cross-domain user data request sent by the user application when the Web login page is loaded; the non-cross-domain user data request is used for requesting user data used in a password substitution and filling process;
sending the non-cross-domain user data request to the Web application;
and receiving user data returned by the Web application, and sending the user data to the user application.
4. The method of claim 1, wherein after the step of sending the response message after the injection code to the user application, the method further comprises:
receiving a cross-domain user data request sent by the user application when the Web login page is loaded; the cross-domain user data request is used for requesting user data used in a password substitution and filling process;
sending the cross-domain user data request to a first authentication service;
and receiving user data returned by the first authentication service, and sending the user data to the user application.
5. The method of any of claims 1 to 4, wherein after the step of obtaining a Web application access request of a user application and before the step of sending the Web application access request to the Web application, the method further comprises:
in a case that authentication of the Web application access request fails, returning redirection information so that the user application acquires an authentication page, or acquiring the authentication page by accessing the Web application and returning the authentication page to the user application;
receiving a Web application access request which is sent by the user application and carries a ticket;
verifying the ticket carried in the Web application access request through a second authentication service;
correspondingly, the sending the Web application access request to the Web application includes:
and sending the Web application access request to the Web application under the condition that the ticket is verified successfully.
6. The method of claim 5, wherein in the event the ticket is verified successfully, the method further comprises:
and planting a cookie for the Web application access request so as to conveniently judge whether the Web application access request is authenticated through the cookie in the Web application access request.
7. The method according to claim 5 or 6, characterized in that the proxy service and the second authentication service are integrated in the same hardware device or software module;
or,
the proxy service and the second authentication service are respectively deployed on different hardware devices or are two independent software modules.
8. The method of any of claims 1-7, wherein the user application is a user browser.
9. A password substitution apparatus, comprising:
the proxy service is used for acquiring a Web application access request of a user application, and the user application is developed based on a browser kernel; sending the Web application access request to the Web application, and acquiring a response message returned by the Web application;
injecting a code for realizing a password substitution filling function into the application layer data of the response message to obtain the response message after the code is injected; the response message after the code is injected is used for loading a Web login page of the Web application, and password substitution is executed on the Web login page;
and sending the response message after the injection code to the user application so that the user application realizes password substitution and filling through the injection code.
10. An electronic device comprising a memory and a processor, the memory storing a computer program operable on the processor, wherein the processor implements the steps of the password substitution filling method of any one of claims 1 to 8 when executing the program.
11. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the password substitution filling method of any one of claims 1 to 8.
CN202111246313.1A 2021-10-26 2021-10-26 Password substitution filling method and device, electronic equipment and storage medium Pending CN114095483A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111246313.1A CN114095483A (en) 2021-10-26 2021-10-26 Password substitution filling method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114095483A true CN114095483A (en) 2022-02-25

Family

ID=80297637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111246313.1A Pending CN114095483A (en) 2021-10-26 2021-10-26 Password substitution filling method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114095483A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115242519A (en) * 2022-07-25 2022-10-25 上海格尔安全科技有限公司 Login password substitution method based on reverse proxy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination