CN114374529A - Resource access method, device, system, electronic device, medium, and program - Google Patents

Publication number: CN114374529A
Application number: CN202111406965.7A
Authority: CN (China)
Legal status: Pending
Language: Chinese (zh)
Inventor: 任博涛
Applicant and current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Prior art keywords: virtual private network, request, user terminal, user

Classifications

    • H04L 63/00 Network architectures or network communication protocols for network security (Section H Electricity; H04 Electric communication technique; H04L Transmission of digital information, e.g. telegraphic communication)
    • H04L 63/02 Separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H04L 63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L 63/08 Authentication of entities
    • H04L 63/083 Authentication of entities using passwords
    • H04L 63/0861 Authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L 63/10 Controlling access to devices or network resources

Abstract

The invention provides a resource access method, device, system, electronic device, medium and program. The method includes: sending a login request to an enterprise portal server so that the enterprise portal server can authenticate the identity of the user; receiving an authorization credential returned by the enterprise portal server when the login request passes; sending a verification request, which carries the authorization credential, to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user; and, when the verification request passes, using the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server, so that intranet resources can be accessed through the encrypted communication tunnel. The invention achieves silent login, so the user does not have to enter identity authentication information repeatedly, and improves the security of the process of logging in to the virtual private network server.

Description

Resource access method, device, system, electronic device, medium, and program
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method, an apparatus, a system, an electronic device, a medium, and a program for accessing resources.
Background
With the popularity of the Web and the rise of remote work, more and more enterprises adopt virtual private network technology so that employees can access the enterprise network. As an enterprise grows, its employees hold a variety of identities, for example regular employees and outsourced employees. Employees of every identity need to access the enterprise network, but the enterprise applications available to employees of different identities differ. Some applications can be accessed directly from the internet; others can be accessed only after connecting to the virtual private network through the virtual private network client.
Because the Web browser and the virtual private network client are different applications, the security policy of the operating system prevents them from sharing sessions. A user therefore has to authenticate once when logging in to the enterprise portal server through the Web browser, and again when connecting to the virtual private network and logging in to the virtual private network server to reach intranet resources of the enterprise network. Repeated login is not only a poor user experience; entering the account and password many times also increases the risk of password leakage and lowers the security of the system as a whole.
The prior art thus has the defects that accessing intranet resources of the enterprise network requires multiple logins, the login process is complex, and security is low; a technical solution that overcomes these defects is urgently needed.
Disclosure of Invention
The invention provides a resource access method, a resource access system, an electronic device, a storage medium and a program, which overcome the defects of the prior art that accessing internal network resources of an enterprise requires multiple logins, that the login process is complex and that security is low, and which achieve fast and secure login.
The invention provides a resource access method, which comprises the following steps:
sending a login request to an enterprise portal server so that the enterprise portal server can perform identity authentication on a user;
receiving an authorization credential returned by the enterprise portal server under the condition that the login request passes;
sending a verification request to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user, wherein the verification request carries the authorization credential;
and under the condition that the verification request passes the verification, establishing an encrypted communication tunnel between the virtual private network client and the virtual private network server by using the virtual private network client so as to access intranet resources through the encrypted communication tunnel.
According to a resource access method provided by the present invention, after sending the login request to the enterprise portal server and before sending the verification request to the virtual private network server through the virtual private network client, the method further comprises:
detecting whether the virtual private network client is installed;
prompting installation of the virtual private network client if the virtual private network client is not detected; after the installation is finished, the step of detecting whether the virtual private network client is installed is executed again;
starting the virtual private network client in case the virtual private network client is detected.
According to the resource access method provided by the invention, the verification request carries the IP address information of the verification request initiator, and the authorization credential carries the IP address information of the login request initiator, so that the virtual private network server can verify that the two IP addresses are consistent.
The invention also provides a resource access method, which comprises the following steps:
receiving a verification request sent by a user terminal, wherein the verification request carries an authorization credential;
requesting user information from an enterprise portal server according to the authorization credential;
receiving the user information returned by the enterprise portal server, and verifying the verification request according to the user information;
and, when the verification passes, sending verification-passed information to the user terminal and establishing an encrypted communication tunnel between the virtual private network server and the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
According to the resource access method provided by the invention, the verification request carries the IP address information of the verification request initiator, and the authorization credential carries the IP address information of the login request initiator;
correspondingly, after receiving the verification request from the user terminal and before requesting the user information from the enterprise portal server according to the authorization credential, the method further comprises:
determining that the verification request fails verification when the IP address information of the verification request initiator carried in the verification request is inconsistent with the IP address information of the login request initiator carried in the authorization credential;
and, when the IP address information of the verification request initiator carried in the verification request is consistent with the IP address information of the login request initiator carried in the authorization credential, executing the step of requesting the user information from the enterprise portal server according to the authorization credential.
The invention also provides a resource access method, which comprises the following steps: receiving a login request sent by a user terminal;
sending an authorization credential to the user terminal if the login request passes;
receiving a user information request sent by a virtual private network server;
and, when the user information request carries the authorization credential, sending the corresponding user information to the virtual private network server according to the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
According to a resource access method provided by the present invention, after sending the authorization credential to the user terminal when the login request passes, the method further comprises:
responding to an open resource access request from the user terminal by returning an open resource link to the user terminal, so that the user terminal can access the corresponding open resource.
According to the resource access method provided by the present invention, after sending the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, the method further comprises:
when the verification request corresponding to the authorization credential passes, responding to an intranet resource access request from the user terminal by returning an intranet resource link to the user terminal, so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
The invention also provides a resource access device, comprising:
a login request sending unit, configured to send a login request to an enterprise portal server so that the enterprise portal server can authenticate the identity of a user;
an authorization credential receiving unit, configured to receive the authorization credential returned by the enterprise portal server when the login request passes;
a verification request sending unit, configured to send a verification request to the virtual private network server through the virtual private network client so that the virtual private network server can verify the identity of the user, wherein the verification request carries the authorization credential;
and a first encrypted communication unit, configured to use the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server when the verification request passes, so that intranet resources can be accessed through the encrypted communication tunnel.
The invention also provides a resource access device, comprising:
a verification request receiving unit, configured to receive a verification request sent by a user terminal, wherein the verification request carries an authorization credential;
a user information request unit, configured to request user information from the enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
and a second encrypted communication unit, configured to send verification-passed information to the user terminal when the verification passes, and to establish an encrypted communication tunnel between the virtual private network server and the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel.
The invention also provides a resource access device, comprising:
a login request receiving unit, configured to receive a login request sent by a user terminal;
an authorization credential sending unit, configured to send an authorization credential to the user terminal when the login request passes;
an information request receiving unit, configured to receive a user information request sent by a virtual private network server;
and a user information sending unit, configured to send the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
The invention also provides a resource access system, comprising a user terminal, a virtual private network server and an enterprise portal server;
the user terminal is configured to send a login request to the enterprise portal server so that the enterprise portal server can authenticate the identity of a user; receive an authorization credential returned by the enterprise portal server when the login request passes; send a verification request, which carries the authorization credential, to the virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user; and, when the verification request passes, use the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server so that intranet resources can be accessed through the encrypted communication tunnel;
the virtual private network server is configured to receive the verification request sent by the user terminal, wherein the verification request carries the authorization credential; request user information from the enterprise portal server according to the authorization credential; receive the user information returned by the enterprise portal server and verify the verification request according to the user information; and, when the verification passes, send verification-passed information to the user terminal and establish an encrypted communication tunnel between the virtual private network server and the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel;
the enterprise portal server is configured to receive the login request sent by the user terminal; send the authorization credential to the user terminal when the login request passes; receive the user information request sent by the virtual private network server; and, when the user information request carries the authorization credential, send the corresponding user information to the virtual private network server according to the authorization credential so that the virtual private network server can verify the verification request sent by the user terminal.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize all or part of the steps of any one of the resource access methods.
The present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs all or part of the steps of any of the resource access methods described above.
In the embodiment of the invention, after the user logs in directly to the enterprise portal server through the internet, a verification request carrying the authorization credential is sent automatically to the virtual private network server. This achieves silent login, so the user does not have to enter identity authentication information again, and improves the security of logging in to the virtual private network server, because the authorization credential is a non-plaintext encrypted string and not the identity authentication information the user used to log in to the enterprise portal. When the verification request passes, the user terminal establishes an encrypted communication tunnel with the virtual private network server through the virtual private network client, so that the intranet resources managed by the enterprise portal server can be accessed conveniently and securely.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a network structure diagram corresponding to a resource access method provided by the present invention;
FIG. 2 is a flow chart illustrating a resource access method provided by the present invention;
FIG. 3 is a flow chart illustrating another method for accessing resources provided by the present invention;
FIG. 4 is a flow chart illustrating a further method for accessing resources according to the present invention;
FIG. 5 is a schematic structural diagram of a resource access device provided in the present invention;
FIG. 6 is a schematic structural diagram of another resource access device provided by the present invention;
FIG. 7 is a schematic structural diagram of another resource access device provided in the present invention;
FIG. 8 is a schematic structural diagram of a resource access system provided in the present invention;
fig. 9 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Web portals refer to Web sites that organize, store, and present information from various sources in an orderly fashion. The user can filter and acquire all the contents published in the portal website according to information sources, information types, keyword retrieval and other ways. The enterprise portal refers to a Web portal system constructed by an enterprise IT department aiming at enterprise employees, the employees can quickly access network resources provided by the enterprise through the enterprise portal system to acquire information of the enterprise such as notification and news, and the enterprise portal is an important information channel of the enterprise to the employees.
With the rise of remote work, employees need to access the enterprise portal remotely. An employee who logs in to the enterprise portal directly over the internet can reach only the portal's open resources (resources exposed to the internet, accessible after connecting and logging in directly over the internet). For internal network resources (intranet resources) with a higher security level, the employee must first connect to a Virtual Private Network (VPN), so accessing intranet resources requires entering an account and password more than once (the account and password for the two logins may or may not be the same). Repeated login is not only a poor user experience; entering the account and password many times also increases the risk of password leakage and lowers the security of the system as a whole.
The invention provides a resource access method, a device, a system, electronic equipment, a medium and a program, which can enable enterprise staff to conveniently log in and connect a virtual private network without perception according to needs after logging in an enterprise portal so as to access internal network resources of an enterprise.
A resource access method, apparatus, system, electronic device, medium, and program of the present invention are described below with reference to fig. 1 to 9.
To aid understanding of the resource access method provided by the present invention, the corresponding network structure is described first. Fig. 1 is a network structure diagram corresponding to the resource access method provided by the present invention. As shown in Fig. 1, the enterprise network is divided into an internet-accessible part and an internet-inaccessible part. The enterprise portal server is deployed in the internet-accessible part and manages open resource links (open resource entries) and intranet resource links (intranet resource entries). Open resources are data and service resources with low security requirements that can be reached by logging in directly over the internet; intranet resources are data and service resources with high security requirements that cannot be reached by logging in directly over the internet.
A user terminal on the internet can log in to the enterprise portal server directly through a browser, but after such a direct login it can only access the open resource links managed by the enterprise portal server, and through them the open resource servers deployed in the internet-accessible part of the enterprise network. The user terminal can also connect to the virtual private network server through the virtual private network client; after obtaining an intranet resource link from the enterprise portal, it reaches the intranet resource server deployed in the internet-inaccessible part of the enterprise network through the virtual private network server and accesses the intranet resource behind that link. The virtual private network provides an encrypted communication tunnel for the user terminal on the external network to reach the enterprise portal server, so that intranet resources can be accessed securely.
Fig. 2 is a schematic flowchart of a resource access method provided by the present invention, where the method is applied to a user terminal, and as shown in fig. 2, the method includes:
S21, sending a login request to an enterprise portal server so that the enterprise portal server can authenticate the identity of the user;
Specifically, the user terminal is located on the internet, and the enterprise portal server is deployed in the internet-accessible part of the enterprise network. The user terminal sends a login request to the enterprise portal server so that the enterprise portal can authenticate the identity of the user. The login client that sends the login request may be a browser installed on the user terminal, that is, the login request is sent to the enterprise portal server from a login web page in the browser.
The login request carries identity authentication information, for example, an account number and password information of the user, or biometric information (such as voice, fingerprint, face, iris, etc.) of the user, so that the enterprise portal server authenticates the identity of the user.
S22, receiving an authorization credential returned by the enterprise portal server under the condition that the login request passes;
Specifically, the enterprise portal server authenticates the user according to the identity authentication information carried in the login request. When authentication passes, the user terminal can directly access the open resource links in the enterprise portal server (without going through the virtual private network server described below) and obtain the corresponding open resources. When authentication passes, the enterprise portal server also returns an authorization credential. The authorization credential may be a non-plaintext encrypted string, and it can be used by a third-party application to access the enterprise portal server. The authorization credential may also be given a limited time to live, so that a third-party application can access the enterprise portal server only temporarily, during that lifetime, which improves the security of enterprise portal management.
It can be understood that, in the case that the enterprise portal server fails to authenticate the login request, feedback information of authentication failure is returned. Further, the user may be prompted at the user terminal to re-enter the authentication information.
S23, sending a verification request to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user, wherein the verification request carries the authorization credential;
Specifically, after receiving the authorization credential returned by the enterprise portal server, the browser on the user terminal that sent the login request passes the authorization credential to the virtual private network client installed on the user terminal, and the virtual private network client sends a verification request carrying the authorization credential to the virtual private network server in order to obtain the virtual private network service. Note that the virtual private network client sends the verification request automatically on the basis of the authorization credential; no account, password or biometric information of the user is needed in this step and nothing has to be entered manually, so silent login is achieved.
Note also that when the user terminal is located on the enterprise intranet, it can directly access the intranet resources it is entitled to without connecting to the virtual private network. Further, the identity of an intranet user terminal can be authenticated quickly according to the IP address of the login request: if the IP address of the login request is confirmed to belong to the intranet address range, authentication is directly deemed to have passed.
And S24, under the condition that the verification request passes the verification, establishing an encrypted communication tunnel between the virtual private network client and the virtual private network server by using the virtual private network client, so as to access intranet resources through the encrypted communication tunnel.
Specifically, when the virtual private network server passes the verification request, it provides the virtual private network service to the user terminal and establishes an encrypted communication tunnel between the user terminal and the virtual private network server. Once the tunnel is established, all communication between the user terminal and the virtual private network server is encrypted, which improves the security of data transmitted over the network. At this point, after the user terminal obtains an intranet resource link from the enterprise portal, it can reach the intranet resource server behind that link through the virtual private network server and obtain the corresponding intranet resource.
In addition, it should be noted that Virtual Private Networks (VPNs) can be divided into client-based VPNs and network-based VPNs. A client-based VPN is a virtual private network created between an individual user and a remote network; it usually involves a client application, which the user typically starts manually and logs in to for authentication with a username and password, after which the client creates an encrypted tunnel between the user's computer and the remote network so that the user can access the remote network through it. A network-based VPN securely connects two networks together across an untrusted network. The invention concerns single-point remote login by users, so a client-based virtual private network is adopted.
In this embodiment, after the user logs in directly to the enterprise portal server over the Internet, a verification request carrying the authorization credential is sent automatically to the virtual private network server, which realizes silent login: the user does not need to enter identity authentication information repeatedly, and because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information used to log in to the enterprise portal server, the security of the process of logging in to the virtual private network server is improved. If the verification request passes the verification, the user terminal establishes an encrypted communication tunnel with the virtual private network server through the virtual private network client, so that the intranet resources managed in the enterprise portal server can be accessed conveniently and securely.
Based on any of the above embodiments, in an embodiment, after the sending the login request to the enterprise portal server, before the sending, by the virtual private network client, the authentication request to the virtual private network server, the method further includes:
detecting whether the virtual private network client is installed;
prompting installation of the virtual private network client if the virtual private network client is not detected; after the installation is finished, the step of detecting whether the virtual private network client is installed is executed again;
starting the virtual private network client in case the virtual private network client is detected.
Specifically, the virtual private network client may listen on a specific local port, and that monitoring port returns an expected response by which the installation state of the virtual private network client in the user terminal can be detected and determined. The detection can be performed through an integrated JavaScript SDK, or through a program written by the user as needed. If the virtual private network client is not detected, the user is prompted to install it, and after installation the step of detecting the installation state of the virtual private network client in the user terminal is repeated, so that the virtual private network client can then be started automatically; if the virtual private network client is detected, it is started so that it automatically sends a verification request to the virtual private network server in order to establish an encrypted communication tunnel with the enterprise portal server.
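As an added example (constructed here, not the patent's own code or SDK), the following Python sketch models the detection loop just described: a probe of a local port that must answer with the expected response, a loopback listener standing in for the installed client's monitoring port, and the detect / prompt-install / re-detect / start sequence. The port protocol, the probe and response bytes and the listener are all assumptions.

```python
"""Constructed model of detecting the local VPN client through its monitoring port."""
import socket
import threading

# Constructed probe/response protocol; the page only says the port returns an
# expected response, not what it looks like.
PROBE_MESSAGE = b"STATUS\n"
EXPECTED_RESPONSE = b"VPN-CLIENT OK\n"


def probe_vpn_client(port: int, timeout: float = 0.5) -> bool:
    """Return True only if the local port answers exactly with EXPECTED_RESPONSE.
    A closed port, a timeout, or a foreign service on the port all count as
    'client not detected', which keeps the check fail-closed."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as sock:
            sock.sendall(PROBE_MESSAGE)
            reply = sock.recv(len(EXPECTED_RESPONSE))
    except OSError:
        return False
    return reply == EXPECTED_RESPONSE


def start_fake_client_listener(response: bytes = EXPECTED_RESPONSE) -> int:
    """Test double (constructed) for the installed client's monitoring port.
    Serves a single probe on a loopback port and returns that port number."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    server.listen(1)
    port = server.getsockname()[1]

    def serve_one():
        conn, _ = server.accept()
        with conn:
            if conn.recv(64) == PROBE_MESSAGE:
                conn.sendall(response)
        server.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return port


def ensure_vpn_client_running(detect, prompt_install, start_client, max_attempts=2):
    """Detection loop from the method: detect; if absent, prompt installation and
    detect again; once detected, start the client. Returns the actions taken, in order.
    detect/prompt_install/start_client are callables supplied by the terminal (assumed)."""
    actions = []
    for _ in range(max_attempts):
        if detect():
            actions.append("detected")
            start_client()
            actions.append("started")
            return actions
        actions.append("prompt_install")
        prompt_install()
    actions.append("gave_up")
    return actions


if __name__ == "__main__":
    port = start_fake_client_listener()
    print(ensure_vpn_client_running(lambda: probe_vpn_client(port),
                                    lambda: print("please install the client"),
                                    lambda: print("starting client")))
```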
In the implementation, the virtual private network client is automatically detected and automatically started, and the user does not need to repeatedly and manually input the password to connect the virtual private network, so that the user experience is improved.
Based on any of the above embodiments, in an embodiment, the verification request carries IP address information of the verification request initiator, and the authorization credential carries IP address information of the login request initiator, so that the virtual private network server can verify the consistency of the IP addresses.
Specifically, to implement silent login to the virtual private network server, the user terminal passes the authorization credential obtained by the browser that logged in to the enterprise portal server to the virtual private network client, which uses it to connect to the virtual private network server; to prevent the authorization credential from being stolen or tampered with by an attacker through an XSS vulnerability or the like, the verification request must carry the IP address information of the verification request initiator, and the authorization credential carries the IP address information of the login request initiator. After receiving the verification request, the virtual private network server compares the IP address of the verification request initiator with the IP address of the login request initiator carried in the authorization credential: if the two are consistent, the authorization credential has not been stolen or tampered with; if they are inconsistent, a vulnerability such as XSS may exist, and the user terminal raises an alarm prompt.
It should be noted that an XSS vulnerability is one through which an attacker injects malicious instruction code into a web page so that the user's browser loads and executes it. Such malicious web programs are typically JavaScript, but may in fact include Java, VBScript, ActiveX, Flash, or even plain HTML. After a successful attack, the attacker may obtain various things including, but not limited to, elevated rights (e.g., the ability to perform dangerous operations), private web page content, sessions, and cookies.
In this embodiment, the verification request carries the IP address information of the verification request initiator and the authorization credential carries the IP address information of the login request initiator, so that the virtual private network server can verify the consistency of the IP addresses, further ensuring the security of the silent login process.
Based on any of the above embodiments, in an embodiment, the virtual private network client is a virtual private network client based on a secure socket layer protocol, and the virtual private network server is a virtual private network server based on a secure socket layer protocol.
Specifically, a virtual private network based on the secure socket layer protocol (SSL VPN) is not affected by firewalls or network address translation (NAT) devices installed between the client and the server and has strong traversal capability; it can be used from any place and any device to connect to the corresponding network resources, and is the best choice for secure remote access in enterprises. The secure socket layer protocol (SSL protocol) comprises the SSL record protocol and the SSL handshake protocol, which together provide authentication, encryption and tamper resistance for application access connections. The SSL handshake protocol is mainly used for mutual authentication between the server and the client and for negotiating the encryption algorithm and the MAC (Message Authentication Code) algorithm, from which the encryption and authentication keys used by the SSL record protocol are generated; its role corresponds to that of the IKE (Internet Key Exchange) protocol in the IPsec protocol architecture.
In the embodiment, the encrypted communication tunnel between the user terminal and the enterprise portal server is conveniently and safely established by adopting the virtual private network client based on the secure socket layer protocol and the virtual private network server based on the secure socket layer protocol.
Based on any of the above embodiments, in an embodiment, the method further includes:
displaying resources in an enterprise portal server which can be accessed at the current moment as a first color;
and displaying the resources in the enterprise portal server which cannot be accessed at the current moment as a second color.
Specifically, the user terminal also displays the resources in the enterprise portal server in different colors. For example, after logging in through the browser, the open resources in the enterprise portal server that can be accessed are displayed with a white background, and the intranet resources in the enterprise portal server that cannot yet be accessed are displayed with a gray background; after the user terminal has connected to the virtual private network server by silent login, it can access both the open resources and the intranet resources in the enterprise portal server, and both are then switched to a white background. The user terminal may of course apply the distinction to the font color instead. The specific colors used as the first color and the second color can be adjusted according to the user's needs and are not limited herein.
In addition, when silent login is performed, a user may also be prompted in the user terminal, for example, to "currently login to the virtual private network".
In this embodiment, the resources in the enterprise portal server that can be accessed at the current moment are displayed in a first color and those that cannot be accessed at the current moment are displayed in a second color, so that the resources are visually distinguished and the user experience is improved.
Fig. 3 is a schematic flowchart of another resource access method provided by the present invention, which is applied to a virtual private network server, as shown in fig. 3, and the method includes:
S31, receiving a verification request sent by a user terminal; wherein the verification request carries an authorization credential;
S32, requesting user information from the enterprise portal server according to the authorization credential;
S33, receiving the user information returned by the enterprise portal server, and verifying the verification request according to the user information;
and S34, if the verification passes, sending verification-passed information to the user terminal and establishing an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
Specifically, the virtual private network server is located in the Internet-accessible part of the enterprise network. It receives the verification request sent by the user terminal, confirms from the verification request whether the user is a legitimate user, and decides whether to provide the virtual private network service. The verification request carries the authorization credential obtained when the user logged in to the enterprise portal server directly over the Internet, and the virtual private network server requests the user information from the enterprise portal server according to that authorization credential. The user information is, for example, the user name, whether the user holds remote access rights to intranet resources, and the like. After receiving the user information returned by the enterprise portal server for the authorization credential, the virtual private network server verifies the verification request against the user information to confirm whether the user is legitimate, whether the user has the right to access intranet resources remotely, and so on. If the verification passes, the virtual private network server sends verification-passed information to the user terminal, and an encrypted communication tunnel is established between the user terminal and the virtual private network server so that the user terminal can access intranet resources through it.
It should be noted that, before the method is executed, the virtual private network server and the enterprise portal server need to be configured in advance for interfacing, for example by configuring the communication address, port number, authorization credential format, user information format and the like, so that the subsequent silent login process runs smoothly.
In this embodiment, user information is requested from the enterprise portal server according to the authorization credential carried in the verification request sent by the user terminal, and the verification request is verified accordingly. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information used to log in to the enterprise portal server, the security of silent login to the virtual private network server is improved; and because the user information is obtained from the enterprise portal server according to the authorization credential, the user's right to access intranet resources remotely is managed accurately and conveniently.
Based on any one of the above embodiments, in one embodiment, the authentication request carries IP address information of an authentication request initiator, and the authorization credential carries IP address information of a login request initiator;
correspondingly, after receiving the authentication request of the user terminal and before requesting the user information from the enterprise portal server according to the authorization credential, the method further comprises:
determining that the verification request fails the verification if the IP address information of the verification request initiator carried in the verification request is inconsistent with the IP address information of the login request initiator carried in the authorization credential;
and if the IP address information of the verification request initiator carried in the verification request is consistent with the IP address information of the login request initiator carried in the authorization credential, executing the step of requesting the user information from the enterprise portal server according to the authorization credential.
Specifically, the user terminal passes the authorization credential acquired by the login client that logged in to the enterprise portal to the virtual private network client, which uses it to connect to the virtual private network server; to prevent the authorization credential from being stolen or tampered with by an attacker through an XSS vulnerability or the like, the virtual private network server must verify the consistency of the user's IP source when the virtual private network client logs in. The verification request therefore carries the IP address information of the verification request initiator, and the authorization credential carries the IP address information of the login request initiator, so that after receiving the verification request the virtual private network server compares the two: if they are consistent, the authorization credential has not been stolen or tampered with and the next verification operation can proceed; if they are inconsistent, a vulnerability such as XSS may exist, and verification-failed information is sent to the user terminal so that the user terminal raises an alarm prompt.
It should be noted that an XSS vulnerability is one through which an attacker injects malicious instruction code into a web page so that the user's browser loads and executes it. Such malicious web programs are typically JavaScript, but may in fact include Java, VBScript, ActiveX, Flash, or even plain HTML. After a successful attack, the attacker may obtain various things including, but not limited to, elevated rights (e.g., the ability to perform certain operations), private web page content, sessions, and cookies.
In this embodiment, the verification request carries the IP address information of the verification request initiator, the authorization credential carries the IP address information of the login request initiator, and the virtual private network server verifies the consistency of the IP addresses, further ensuring the security of the silent login process.
Fig. 4 is a schematic flowchart of another resource access method provided by the present invention, which is applied to an enterprise portal server, as shown in fig. 4, and the method includes:
S41, receiving a login request sent by a user terminal;
S42, if the login request passes, sending an authorization credential to the user terminal;
S43, receiving a user information request sent by the virtual private network server;
and S44, if the user information request carries the authorization credential, sending the corresponding user information to the virtual private network server according to the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
Specifically, the enterprise portal server is deployed in the Internet-accessible part of the enterprise network. After receiving a login request sent by the user terminal over the Internet, it authenticates the user's identity according to the identity authentication information carried in the login request to determine whether the login request passes. The enterprise portal server may be configured with its own identity authentication function, for example authenticating the login request against a pre-stored user identity information database, or it may forward the identity authentication information in the login request to an identity authentication platform, which provides centralized identity authentication for multiple parties.
If authentication of the user identity information fails, the login request is refused and the user terminal prompts the user to log in again; if authentication succeeds, the login request is granted and an authorization credential is sent to the user. The authorization credential may be a non-plaintext encrypted string, which a third-party application can use to access the enterprise portal server. The authorization credential may also be given a certain time-to-live, so that a third-party application can access the enterprise portal server only temporarily, during that time-to-live, which improves the security of enterprise portal management.
The enterprise portal server also receives the user information request sent by the virtual private network server and returns the corresponding user information according to the authorization credential. Specifically, when it receives a user's login request and generates an authorization credential, the enterprise portal server also records the correspondence between that authorization credential and the user information, so that when it receives a user information request from the virtual private network server it can return the corresponding user information according to the authorization credential. In addition, for an authorization credential with a time-to-live, the enterprise portal server must determine whether the time of the current verification request falls within the credential's time-to-live, and return the user information corresponding to the authorization credential only after confirming that it does. After receiving the user information, the virtual private network server can verify the verification request sent by the user terminal.
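As an added example (constructed here, not the patent's own code), the following Python model ties together the verification chain of the virtual private network server embodiment above (S31 to S33 with the IP-consistency pre-check) and of the enterprise portal server embodiment here (credential issue, credential-to-user record, time-to-live check). In place of the unspecified "non-plaintext encrypted string" it uses an HMAC-signed token whose payload holds only a random id, the login IP and the issue time, so the virtual private network server can read the bound IP and reject a tampered credential; the shared key, the time-to-live, the token layout and all user records are assumptions (the text only says the credential format is agreed in advance).

```python
"""Constructed model of the silent-login check chain between portal and VPN server."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Interfacing configuration agreed between portal and VPN server in advance
# (constructed values standing in for the page's "authorization credential format").
SHARED_KEY = b"constructed-shared-key-replace-in-deployment"
CREDENTIAL_TTL = 300.0  # seconds a credential stays usable (assumed value)


@dataclass(frozen=True)
class UserInfo:
    username: str
    remote_access: bool  # whether the user may reach intranet resources remotely


def _tag(payload_b64: str) -> str:
    """HMAC over the encoded payload; stands in for the text's non-plaintext protection."""
    return hmac.new(SHARED_KEY, payload_b64.encode(), hashlib.sha256).hexdigest()


def parse_credential(credential: str):
    """Return the credential payload if its tag verifies, otherwise None.
    The payload carries no account, password or biometric data."""
    payload_b64, sep, tag = credential.partition(".")
    if not sep or not hmac.compare_digest(_tag(payload_b64), tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload_b64))


class EnterprisePortalServer:
    """Authenticates login requests, issues credentials, answers user-info requests."""

    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so the TTL check can be exercised
        self._users = {}         # username -> (password, UserInfo); constructed directory
        self._issued = {}        # credential id -> (issued_at, UserInfo)

    def add_user(self, username, password, remote_access):
        self._users[username] = (password, UserInfo(username, remote_access))

    def login(self, username, password, login_ip):
        """S41/S42: authenticate; on success return a credential bound to login_ip."""
        record = self._users.get(username)
        if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
            return None  # login refused; the terminal prompts the user to retry
        payload = {"id": secrets.token_hex(16), "login_ip": login_ip,
                   "issued_at": self.clock()}
        payload_b64 = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        self._issued[payload["id"]] = (payload["issued_at"], record[1])
        return payload_b64 + "." + _tag(payload_b64)

    def user_info_request(self, credential):
        """S43/S44: return user info for a known, unexpired credential, else None."""
        payload = parse_credential(credential)
        if payload is None:
            return None
        record = self._issued.get(payload["id"])
        if record is None:
            return None
        issued_at, info = record
        if self.clock() - issued_at > CREDENTIAL_TTL:
            return None  # request falls outside the credential's time-to-live
        return info


class VpnServer:
    """S31 to S33: IP-consistency pre-check, then user-info lookup and verification."""

    def __init__(self, portal):
        self.portal = portal

    def verify(self, credential, initiator_ip):
        """initiator_ip is the source address of the verification request.
        Returns (passed, reason); the tunnel is only set up when passed is True."""
        payload = parse_credential(credential)
        if payload is None:
            return False, "credential invalid or tampered"
        if payload["login_ip"] != initiator_ip:
            return False, "ip mismatch: credential may be stolen or tampered"
        info = self.portal.user_info_request(credential)
        if info is None:
            return False, "portal returned no user information (unknown or expired)"
        if not info.remote_access:
            return False, "user lacks remote intranet access rights"
        return True, "verification passed for " + info.username


if __name__ == "__main__":
    portal = EnterprisePortalServer()
    portal.add_user("alice", "correct-horse", remote_access=True)
    cred = portal.login("alice", "correct-horse", "203.0.113.10")  # constructed IP
    print(VpnServer(portal).verify(cred, "203.0.113.10"))
    print(VpnServer(portal).verify(cred, "198.51.100.7"))
```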
In this embodiment, the enterprise portal server returns an authorization credential to the user terminal whose login request has passed, and that authorization credential is used for verification in the process of logging in to the virtual private network to access intranet resources, so the user's identity authentication information is not needed and security is improved; and the corresponding user information is returned to the virtual private network server according to the authorization credential, so that the virtual private network server can verify and decide whether to establish an encrypted communication tunnel, which makes the user's remote access to the enterprise portal server easy to manage and improves convenience.
Based on any one of the above embodiments, in an embodiment, after the sending an authorization credential to the user terminal in a case that the login request passes, the method further includes:
and responding to the open resource access request of the user terminal, and returning an open resource link to the user terminal so that the user terminal can access the corresponding open resource.
Specifically, under the condition that the login request authentication of the user terminal directly logging in the enterprise portal server through the internet is passed, the user terminal can directly access the open resource link in the enterprise portal server, and access the open resource server deployed in the internet accessible part in the enterprise network through the open resource link to obtain the corresponding open resource.
In this embodiment, the open resource service is provided to a user who has logged in to the enterprise portal server directly over the Internet and whose login request has passed.
Based on any one of the above embodiments, in an embodiment, after the sending, according to the authorization credential, the corresponding user information to the virtual private network server if the user information request carries the authorization credential, the method further includes:
and if the verification request corresponding to the authorization credential passes, responding to the intranet resource access request of the user terminal by returning an intranet resource link to the user terminal, so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
Specifically, after the virtual private network server has verified the verification request of the user terminal according to the user information, an encrypted communication tunnel is established between the virtual private network server and the user terminal, and once the user terminal obtains an intranet resource link from the enterprise portal it can obtain the corresponding intranet resource through the encrypted communication tunnel. Because all data in the encrypted communication tunnel is encrypted, the user can access intranet resources remotely and securely.
In this embodiment, if the verification request corresponding to the authorization credential passes the verification, the intranet resource service is provided to the user conveniently and securely through the encrypted communication tunnel established between the virtual private network server and the user terminal.
Based on any one of the above embodiments, in an embodiment, after receiving a login request sent by a user terminal, before sending an authorization credential to the user terminal in a case that the login request passes, the method further includes:
forwarding the login request to an identity authentication platform for authentication;
and determining whether the login request passes according to an authentication result returned by the identity authentication platform.
Specifically, the enterprise portal server can configure an identity authentication function, and can also forward identity authentication information in a login request to an identity authentication platform for authentication, and the identity authentication platform provides a centralized identity authentication function for multiple parties.
Correspondingly, the virtual private network server can also verify the verification request of the user terminal through the identity authentication platform. After receiving a verification request of a user terminal, the virtual private network server requests user information from the identity authentication platform according to the authorization certificate, receives the user information returned by the identity authentication platform, verifies the verification request of the user terminal according to the user information, sends verification passing information to the user terminal under the condition that the verification passes, and establishes an encrypted communication tunnel between the user terminal and the virtual private network server.
In the embodiment, the login request is forwarded to the identity authentication platform for authentication, so that the user identity information is authenticated conveniently at low cost.
The resource access device provided by the present invention is described below, and the resource access device described below and the resource access method described above may be referred to correspondingly.
Fig. 5 is a schematic structural diagram of a resource access device (corresponding to the following user terminal 51) provided by the present invention, and as shown in fig. 5, the device includes:
a login request sending unit 511, configured to send a login request to an enterprise portal server, so that the enterprise portal server performs identity authentication on a user;
an authorization credential receiving unit 512, configured to receive an authorization credential returned by the enterprise portal server when the login request passes;
an authentication request sending unit 513, configured to send a verification request to a virtual private network server through a virtual private network client, so that the virtual private network server performs identity verification on the user; wherein the verification request carries the authorization credential;
a first encrypted communication unit 514, configured to establish an encrypted communication tunnel with the virtual private network server by using the virtual private network client, so as to access intranet resources through the encrypted communication tunnel, if the authentication request passes the authentication.
Based on the above embodiments, in one embodiment, the apparatus further includes:
a detection unit, configured to detect whether the virtual private network client is installed;
a prompt installation unit, configured to prompt installation of the virtual private network client if the virtual private network client is not detected; after the installation is finished, the step of detecting whether the virtual private network client is installed is executed again;
a starting unit, configured to start the virtual private network client when the virtual private network client is detected.
Based on any of the above embodiments, in an embodiment, the authentication request carries IP address information of an authentication request initiator, and the authorization credential carries IP address information of a login request initiator, so that the virtual network server verifies IP address consistency.
Based on any of the above embodiments, in an embodiment, the virtual private network client is a virtual private network client based on a secure socket layer protocol, and the virtual private network server is a virtual private network server based on a secure socket layer protocol.
Based on any one of the above embodiments, in an embodiment, the apparatus further includes:
the first display unit is used for displaying the resources in the enterprise portal server which can be accessed at the current moment as a first color;
and the second display unit is used for displaying the resources in the enterprise portal server which cannot be accessed at the current moment as a second color.
Fig. 6 is a schematic structural diagram of a resource access device (corresponding to the following virtual private network server 61) provided by the present invention, as shown in fig. 6, the device includes:
an authentication request receiving unit 611, configured to receive an authentication request sent by a user terminal; wherein the authentication request carries an authorization credential;
a user information request unit 612, configured to request user information from the enterprise portal server according to the authorization credential;
an authentication request authentication unit 613, configured to receive user information returned by the enterprise portal server, and authenticate the authentication request according to the user information;
and a second encryption communication unit 614, configured to send verification passing information to the user terminal when the verification passes, and establish an encryption communication tunnel with the user terminal, so that the user terminal accesses intranet resources through the encryption communication tunnel.
Based on any one of the above embodiments, in one embodiment, the authentication request carries IP address information of an authentication request initiator, and the authorization credential carries IP address information of a login request initiator; correspondingly, the device further comprises:
the first pre-authentication unit is used for confirming that the authentication of the authentication request is not passed under the condition that the IP address information of the authentication request initiator carried in the authentication request is inconsistent with the IP address information of the login request initiator carried by the authorization certificate;
and the second pre-authentication unit is used for executing the step of requesting the user information from the enterprise portal server according to the authorization certificate under the condition that the IP address information of the authentication request initiator carried in the authentication request is consistent with the IP address information of the login request initiator carried by the authorization certificate.
Fig. 7 is a schematic structural diagram of a resource access device (corresponding to the following enterprise portal server 71) provided by the present invention, as shown in fig. 7, the device includes:
a login request receiving unit 711, configured to receive a login request sent by a user terminal;
an authorization credential sending unit 712, configured to send an authorization credential to the user terminal if the login request passes;
an information request receiving unit 713, configured to receive a user information request sent by a virtual private network server;
a user information sending unit 714, configured to send, according to the authorization credential, corresponding user information to the virtual private network server under the condition that the user information request carries the authorization credential, so that the virtual private network server verifies the verification request sent by the user terminal.
Based on any one of the above embodiments, in an embodiment, the apparatus further includes:
and the open resource response unit is used for responding to the open resource access request of the user terminal and returning an open resource link to the user terminal so that the user terminal can access the corresponding open resource.
Based on any one of the above embodiments, in an embodiment, the apparatus further includes:
and the intranet resource response unit, configured to respond to the intranet resource access request of the user terminal by returning an intranet resource link to the user terminal if the verification request corresponding to the authorization credential passes, so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
The resource access system provided by the present invention is described below; the resource access system described below and the resource access method described above correspond to each other and may be read together. Fig. 8 is a schematic structural diagram of a resource access system provided by the present invention, and as shown in fig. 8, the system includes: a user terminal 51, a virtual private network server 61, and an enterprise portal server 71;
the user terminal 51 includes:
a login request sending unit, configured to send a login request to the enterprise portal server so that the enterprise portal server performs identity authentication on the user;
an authorization credential receiving unit, configured to receive the authorization credential returned by the enterprise portal server under the condition that the login request passes;
a verification request sending unit, configured to send a verification request to the virtual private network server through the virtual private network client so that the virtual private network server verifies the identity of the user; wherein the verification request carries the authorization credential;
and a first encrypted communication unit, configured to establish, using the virtual private network client, an encrypted communication tunnel between the virtual private network client and the virtual private network server under the condition that the verification request passes verification, so that intranet resources are accessed through the encrypted communication tunnel.
Virtual private network server 61, comprising:
a verification request receiving unit, configured to receive a verification request sent by the user terminal; wherein the verification request carries an authorization credential;
a user information request unit, configured to request user information from the enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
and a second encrypted communication unit, configured to send verification-passed information to the user terminal under the condition that the verification passes, and to establish an encrypted communication tunnel between the virtual private network server and the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel.
Enterprise portal server 71, comprising:
a login request receiving unit, configured to receive a login request sent by a user terminal;
an authorization credential sending unit, configured to send an authorization credential to the user terminal when the login request passes;
an information request receiving unit, configured to receive a user information request sent by a virtual private network server;
and a user information sending unit, configured to send the corresponding user information to the virtual private network server according to the authorization credential, under the condition that the user information request carries the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
In this embodiment, after logging in to the enterprise portal server directly over the Internet, the user terminal automatically sends a verification request carrying the authorization credential to the virtual private network server, achieving a silent login in which the user does not have to enter identity authentication information a second time; an encrypted communication tunnel is then established between the user terminal and the virtual private network server, so that the user terminal can safely and conveniently access the intranet resources managed by the enterprise portal server.
The interaction between the executing entities in the resource access method provided by the present invention is described below by way of a preferred embodiment:
Preparation stage:
Firstly, the SSL VPN server and the enterprise Web portal server complete mutual authentication and integration, allocation of network resources, and so on.
Secondly, IT personnel pre-install the SSL VPN client on the employees' user terminals.
Login stage:
Firstly, when an enterprise employee needs to work remotely, for example from home or on a business trip, the employee logs in to the enterprise Web portal server from the user terminal using the account number and password allocated to the employee by the enterprise;
Secondly, the enterprise Web portal server performs identity authentication on the login request through the unified identity authentication platform, receives the authentication result from the unified identity authentication platform, obtains an authorization credential, and returns the authentication result and the authorization credential to the user's Web browser;
Thirdly, the user terminal queries for the SSL VPN client through a port exposed by the SDK; if the SSL VPN client is not detected, the user is prompted to install it, and if the SSL VPN client is detected, it is started;
Fourthly, the Web browser passes the user's authorization credential to the SSL VPN client;
Fifthly, the SSL VPN client sends a verification request to the SSL VPN server, the verification request carrying the authorization credential;
Sixthly, the SSL VPN server requests user information from the unified identity authentication platform according to the authorization credential and obtains the user information;
Seventhly, the SSL VPN server verifies the user's verification request according to the returned user information, and establishes an encrypted communication tunnel between the user terminal and the SSL VPN server under the condition that the verification passes.
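The following is an added worked example of the hand-off just described, together with the IP consistency check of claim 5 and the second pre-authentication unit; it is illustrative code written for this page, not code from the patent or from the applicant's products. Everything about the credential's form is assumed: the patent only says that the portal returns an "authorization credential" that carries the login initiator's IP address, so the example represents it as a JSON body bound to that IP and protected with HMAC-SHA256 under a key the portal and the SSL VPN server share (standing in for the "docking" step), and adds a 120-second lifetime and single-use consumption that the patent does not specify. The class and function names, the user directory and the IP addresses are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a key shared by the portal and the SSL VPN server at the
# "docking" step; the patent does not say how the credential is protected.
SHARED_KEY = b"portal<->vpn shared secret (example only)"
CREDENTIAL_TTL = 120  # assumed lifetime of the hand-off credential, in seconds


def sign_credential(key, body):
    """Portal side: canonical JSON body plus an HMAC-SHA256 tag."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def parse_credential(key, credential, now):
    """Returns the body if the tag verifies and it is unexpired, else None."""
    try:
        p64, t64 = credential.split(".")
        payload, tag = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(t64)
    except ValueError:  # malformed string or bad base64 (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
        return None
    body = json.loads(payload)
    return None if now >= body["exp"] else body


class EnterprisePortal:
    """Claim 6: authenticates the login, issues a credential bound to the login
    initiator's IP, and answers the VPN server's user-information request."""

    def __init__(self, key, users):
        self.key = key
        self.users = users   # constructed directory: username -> (password, department)
        self.issued = {}     # credential id -> body; removed on first use

    def login(self, username, password, login_ip, now):
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(rec[0].encode(), password.encode()):
            return None
        body = {"cid": secrets.token_hex(8), "sub": username, "ip": login_ip,
                "iat": now, "exp": now + CREDENTIAL_TTL}
        self.issued[body["cid"]] = body
        return sign_credential(self.key, body)

    def user_info(self, credential, now):
        body = parse_credential(self.key, credential, now)
        # pop() makes the credential single-use: a replayed hand-off ends here
        if body is None or self.issued.pop(body["cid"], None) is None:
            return None
        return {"username": body["sub"], "department": self.users[body["sub"]][1]}


class VpnServer:
    """Claims 4 and 5: compares the verification request's source IP with the
    IP bound in the credential before asking the portal for user information."""

    def __init__(self, key, portal):
        self.key = key
        self.portal = portal
        self.tunnels = {}    # tunnel id -> user info; stands in for the SSL tunnel

    def verify(self, request, now):
        body = parse_credential(self.key, request["credential"], now)
        if body is None:
            return ("reject", "bad or expired credential")
        if body["ip"] != request["src_ip"]:
            return ("reject", "ip mismatch")
        info = self.portal.user_info(request["credential"], now)
        if info is None:
            return ("reject", "portal rejected credential")
        tunnel_id = secrets.token_hex(8)
        self.tunnels[tunnel_id] = info
        return ("ok", tunnel_id)


def run_scenario():
    """Runs the hand-off once, then the misuse cases a reviewer would probe."""
    portal = EnterprisePortal(SHARED_KEY, {"alice": ("correct horse", "R&D")})
    vpn = VpnServer(SHARED_KEY, portal)
    t0 = 1_700_000_000
    ip, other = "203.0.113.10", "198.51.100.7"   # constructed addresses
    cred = portal.login("alice", "correct horse", ip, now=t0)
    res = {"first_use": vpn.verify({"credential": cred, "src_ip": ip}, now=t0 + 1)[0]}
    res["replay"] = vpn.verify({"credential": cred, "src_ip": ip}, now=t0 + 2)
    cred2 = portal.login("alice", "correct horse", ip, now=t0)
    res["other_ip"] = vpn.verify({"credential": cred2, "src_ip": other}, now=t0 + 1)
    res["expired"] = vpn.verify({"credential": cred2, "src_ip": ip}, now=t0 + CREDENTIAL_TTL)
    forged = sign_credential(b"not the shared key",
                             {"cid": "x", "sub": "alice", "ip": other, "iat": t0, "exp": t0 + 60})
    res["forged"] = vpn.verify({"credential": forged, "src_ip": other}, now=t0 + 1)
    res["wrong_password"] = portal.login("alice", "wrong", ip, now=t0)
    return res


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print("%-15s %s" % (case, outcome))
```

Two points about the design follow from running the cases. The IP consistency check of claim 5 is the only binding the patent describes, and it only stops a credential that has left the host it was issued to; a credential replayed from the same host, or from another host behind the same NAT egress, passes it, which is why the example also gives the credential a short lifetime and lets the portal consume it on first use. Conversely, a legitimate user whose browser traffic and SSL VPN client traffic leave through different egress addresses (split tunnelling, a proxy in front of the portal) will fail the check, so a deployment has to make sure both the portal and the VPN server see the same source address for a given terminal.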
In this embodiment, after logging in to the enterprise portal server directly over the Internet, the user terminal automatically sends a verification request carrying the authorization credential to the virtual private network server, achieving a silent login in which the user does not have to enter identity authentication information a second time; the user terminal and the virtual private network server then establish an encrypted communication tunnel, so that the user terminal can safely and conveniently access the intranet resources managed by the enterprise portal server.
Fig. 9 illustrates a physical structure diagram of an electronic device, and as shown in fig. 9, the electronic device may include: a processor (processor)910, a communication Interface (Communications Interface)920, a memory (memory)930, and a communication bus 940, wherein the processor 910, the communication Interface 920, and the memory 930 communicate with each other via the communication bus 940. Processor 910 may invoke logic instructions in memory 930 to perform all or a portion of the steps of the resource access methods provided above.
Furthermore, the logic instructions in the memory 930 may be implemented in software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform all or part of the steps of the resource access methods provided above.
In yet another aspect, the present invention also provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor is implemented to perform all or part of the steps of the resource access methods provided above.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (15)

1. A method for accessing resources, comprising:
sending a login request to an enterprise portal server so that the enterprise portal server can perform identity authentication on a user;
receiving an authorization credential returned by the enterprise portal server under the condition that the login request passes;
sending a verification request to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user; wherein the verification request carries the authorization credential;
and under the condition that the verification request passes the verification, establishing an encrypted communication tunnel between the virtual private network client and the virtual private network server by using the virtual private network client so as to access intranet resources through the encrypted communication tunnel.
2. The method according to claim 1, wherein after sending the login request to the enterprise portal server and before sending the authentication request to the virtual private network server through the virtual private network client, the method further comprises:
detecting whether the virtual private network client is installed;
prompting installation of the virtual private network client if the virtual private network client is not detected; after the installation is finished, the step of detecting whether the virtual private network client is installed is executed again;
starting the virtual private network client in case the virtual private network client is detected.
3. The method according to claim 1, wherein the verification request carries IP address information of the verification request initiator, and the authorization credential carries IP address information of the login request initiator, so that the virtual private network server can verify IP address consistency.
4. A method for accessing resources, comprising:
receiving a verification request sent by a user terminal; wherein the verification request carries an authorization credential;
requesting user information from an enterprise portal server according to the authorization credential;
receiving the user information returned by the enterprise portal server, and verifying the verification request according to the user information;
and under the condition that the verification passes, sending verification-passed information to the user terminal, and establishing an encrypted communication tunnel between the virtual private network server and the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel.
5. The method according to claim 4, wherein the verification request carries IP address information of the verification request initiator, and the authorization credential carries IP address information of the login request initiator;
correspondingly, after receiving the verification request of the user terminal and before requesting the user information from the enterprise portal server according to the authorization credential, the method further comprises:
confirming that the verification request fails verification under the condition that the IP address information of the verification request initiator carried in the verification request is inconsistent with the IP address information of the login request initiator carried in the authorization credential;
and under the condition that the IP address information of the verification request initiator carried in the verification request is consistent with the IP address information of the login request initiator carried in the authorization credential, executing the step of requesting the user information from the enterprise portal server according to the authorization credential.
6. A method for accessing resources, comprising:
receiving a login request sent by a user terminal;
sending an authorization credential to the user terminal if the login request passes;
receiving a user information request sent by a virtual private network server;
and under the condition that the user information request carries the authorization credential, sending the corresponding user information to the virtual private network server according to the authorization credential so that the virtual private network server can verify the verification request sent by the user terminal.
7. The method according to claim 6, wherein after sending the authorization credential to the user terminal if the login request passes, the method further comprises:
and responding to the open resource access request of the user terminal, and returning an open resource link to the user terminal so that the user terminal can access the corresponding open resource.
8. The method according to claim 6, wherein, when the user information request carries the authorization credential, after sending the corresponding user information to the virtual private network server according to the authorization credential, the method further comprises:
and under the condition that the verification request corresponding to the authorization credential has passed verification, responding to the intranet resource access request of the user terminal, and returning an intranet resource link to the user terminal so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
9. A resource access apparatus, comprising:
a login request sending unit, configured to send a login request to an enterprise portal server so that the enterprise portal server performs identity authentication on a user;
an authorization credential receiving unit, configured to receive the authorization credential returned by the enterprise portal server under the condition that the login request passes;
a verification request sending unit, configured to send a verification request to a virtual private network server through a virtual private network client so that the virtual private network server verifies the identity of the user; wherein the verification request carries the authorization credential;
and a first encrypted communication unit, configured to establish, using the virtual private network client, an encrypted communication tunnel between the virtual private network client and the virtual private network server under the condition that the verification request passes verification, so that intranet resources are accessed through the encrypted communication tunnel.
10. A resource access apparatus, comprising:
a verification request receiving unit, configured to receive a verification request sent by a user terminal; wherein the verification request carries an authorization credential;
a user information request unit, configured to request user information from an enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
and a second encrypted communication unit, configured to send verification-passed information to the user terminal under the condition that the verification passes, and to establish an encrypted communication tunnel between the virtual private network server and the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel.
11. A resource access apparatus, comprising:
a login request receiving unit, configured to receive a login request sent by a user terminal;
an authorization credential sending unit, configured to send an authorization credential to the user terminal when the login request passes;
an information request receiving unit, configured to receive a user information request sent by a virtual private network server;
and a user information sending unit, configured to send the corresponding user information to the virtual private network server according to the authorization credential, under the condition that the user information request carries the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
12. A resource access system, comprising: the system comprises a user terminal, a virtual private network server and an enterprise portal server;
the user terminal performing the steps of the resource access method according to any one of claims 1-3;
the virtual private network server performing the steps of the resource access method according to any one of claims 4-5;
the enterprise portal server performing the steps of the resource access method according to any of claims 6-8.
13. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor when executing the program implements all or part of the steps of the resource access method according to any one of claims 1 to 3, or implements all or part of the steps of the resource access method according to any one of claims 4 to 5, or implements all or part of the steps of the resource access method according to any one of claims 6 to 8.
14. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements all or part of the steps of the resource access method according to any one of claims 1 to 3, or implements all or part of the steps of the resource access method according to any one of claims 4 to 5, or implements all or part of the steps of the resource access method according to any one of claims 6 to 8.
15. A computer program product comprising computer executable instructions for performing all or part of the steps of the resource access method according to any one of claims 1 to 3, or for performing all or part of the steps of the resource access method according to any one of claims 4 to 5, or for performing all or part of the steps of the resource access method according to any one of claims 6 to 8, when executed.
CN202111406965.7A 2021-11-24 2021-11-24 Resource access method, device, system, electronic device, medium, and program Pending CN114374529A (en)


Publications (1)

Publication Number Publication Date
CN114374529A 2022-04-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination