CN114374529B - Resource access method, device, system, electronic equipment, medium and program - Google Patents


Info

Publication number: CN114374529B
Authority: CN (China)
Prior art keywords: user terminal, virtual private network, request, user
Legal status: Active (Google's listed status is an assumption, not a legal conclusion)
Application number: CN202111406965.7A
Other languages: Chinese (zh)
Other versions: CN114374529A
Inventor: 任博涛
Current Assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Original Assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Events: application filed by Qax Technology Group Inc and Secworld Information Technology Beijing Co Ltd; priority to CN202111406965.7A; publication of CN114374529A; application granted; publication of CN114374529B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Authentication of entities using passwords
    • H04L63/0861 Authentication of entities using biometrical features, e.g. fingerprint, retina-scan
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a resource access method, device, system, electronic device, medium and program. The method comprises the following steps: sending a login request to an enterprise portal server so that the enterprise portal server can authenticate the identity of the user; receiving an authorization credential returned by the enterprise portal server if the login request passes; sending a verification request carrying the authorization credential to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user; and, if the verification request passes, using the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server so that intranet resources can be accessed through the encrypted communication tunnel. The invention achieves silent login without the user repeatedly entering identity authentication information, thereby improving the security of the process of logging in to the virtual private network server.

Description

Resource access method, device, system, electronic equipment, medium and program
Technical Field
The present invention relates to the field of internet technologies, and in particular to a method, apparatus, system, electronic device, medium and program for accessing resources.
Background
With the spread of the Web and the rise of remote working, more and more enterprises adopt virtual private network technology so that staff can access the enterprise network. As enterprises grow, the identities of their employees also diversify and include regular employees, outsourced employees and others. Staff of every identity need to access the enterprise network, but the enterprise applications that staff of different identities may access are not the same: some applications are directly accessible on the internet, while others require a connection to the virtual private network through a virtual private network client.
Because the Web browser and the virtual private network client are different application programs, sessions cannot be shared between them under the operating system's security policy. Therefore, the user must authenticate when logging in to the enterprise portal server through the Web browser, and must log in again to the virtual private network server when accessing intranet resources of the enterprise network. This repeated login not only gives a poor user experience but, because the account and password are entered many times, also increases the risk of the user's password leaking and reduces the security of the whole system.
To overcome the shortcomings of the prior art, namely that multiple logins are needed to access intranet resources of an enterprise network, the login process is complex and security is low, a technical solution is needed.
Disclosure of Invention
The invention provides a resource access method, system, electronic device, storage medium and program, which address the shortcomings of the prior art when accessing internal enterprise network resources (multiple logins are needed, the login process is complex and security is low) and achieve rapid and secure login.
The invention provides a resource access method, which comprises the following steps:
sending a login request to an enterprise portal server so that the enterprise portal server can authenticate the identity of the user;
receiving an authorization credential returned by the enterprise portal server if the login request passes;
sending a verification request to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user, wherein the verification request carries the authorization credential; and
if the verification request passes, using the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server, so that intranet resources can be accessed through the encrypted communication tunnel.
According to the resource access method provided by the invention, after the login request is sent to the enterprise portal server and before the verification request is sent to the virtual private network server through the virtual private network client, the method further comprises:
detecting whether the virtual private network client is installed;
if the virtual private network client is not detected, prompting the user to install it, and after installation is complete, executing the step of detecting whether the virtual private network client is installed again; and
if the virtual private network client is detected, starting it.
According to the resource access method provided by the invention, the verification request carries the IP address of the verification request initiator, and the authorization credential carries the IP address of the login request initiator, so that the virtual private network server can check that the two IP addresses are consistent.
The invention also provides a resource access method, which comprises the following steps:
receiving a verification request sent by a user terminal, wherein the verification request carries an authorization credential;
requesting user information from an enterprise portal server according to the authorization credential;
receiving the user information returned by the enterprise portal server, and verifying the verification request according to the user information; and
if the verification passes, sending verification-passed information to the user terminal and establishing an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
According to the resource access method provided by the invention, the verification request carries the IP address of the verification request initiator, and the authorization credential carries the IP address of the login request initiator.
Accordingly, after receiving the verification request from the user terminal and before requesting the user information from the enterprise portal server according to the authorization credential, the method further includes:
if the IP address of the verification request initiator carried in the verification request is inconsistent with the IP address of the login request initiator carried in the authorization credential, determining that the verification request fails verification; and
if the IP address of the verification request initiator carried in the verification request is consistent with the IP address of the login request initiator carried in the authorization credential, executing the step of requesting the user information from the enterprise portal server according to the authorization credential.
The invention also provides a resource access method, which comprises the following steps:
receiving a login request sent by a user terminal;
sending an authorization credential to the user terminal if the login request passes;
receiving a user information request sent by a virtual private network server; and
if the user information request carries the authorization credential, sending the corresponding user information to the virtual private network server according to the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
According to the resource access method provided by the invention, after sending the authorization credential to the user terminal when the login request passes, the method further comprises:
in response to an open resource access request from the user terminal, returning an open resource link to the user terminal so that the user terminal can access the corresponding open resource.
According to the resource access method provided by the invention, when the user information request carries the authorization credential, the method further comprises:
if the verification request corresponding to the authorization credential passes, in response to an intranet resource access request from the user terminal, returning an intranet resource link to the user terminal so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
The invention also provides a resource access device, which comprises:
a login request sending unit, configured to send a login request to an enterprise portal server so that the enterprise portal server can authenticate the identity of the user;
an authorization credential receiving unit, configured to receive an authorization credential returned by the enterprise portal server if the login request passes;
a verification request sending unit, configured to send a verification request to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user, wherein the verification request carries the authorization credential; and
a first encrypted communication unit, configured to use the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server if the verification request passes, so that intranet resources can be accessed through the encrypted communication tunnel.
The invention also provides a resource access device, which comprises:
a verification request receiving unit, configured to receive a verification request sent by a user terminal, wherein the verification request carries an authorization credential;
a user information request unit, configured to request user information from an enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information; and
a second encrypted communication unit, configured to send verification-passed information to the user terminal if the verification passes and to establish an encrypted communication tunnel with the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
The invention also provides a resource access device, which comprises:
a login request receiving unit, configured to receive a login request sent by a user terminal;
an authorization credential sending unit, configured to send an authorization credential to the user terminal when the login request passes;
an information request receiving unit, configured to receive a user information request sent by a virtual private network server; and
a user information sending unit, configured to send the corresponding user information to the virtual private network server according to the authorization credential if the user information request carries the authorization credential, so that the virtual private network server can verify the verification request sent by the user terminal.
The invention also provides a resource access system, which comprises a user terminal, a virtual private network server and an enterprise portal server.
The user terminal is configured to send a login request to the enterprise portal server so that the enterprise portal server can authenticate the identity of the user; receive an authorization credential returned by the enterprise portal server if the login request passes; send a verification request carrying the authorization credential to the virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user; and, when the verification request passes, use the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server so that intranet resources can be accessed through the encrypted communication tunnel.
The virtual private network server is configured to receive the verification request sent by the user terminal, wherein the verification request carries the authorization credential; request user information from the enterprise portal server according to the authorization credential; receive the user information returned by the enterprise portal server and verify the verification request according to it; and, if the verification passes, send verification-passed information to the user terminal and establish an encrypted communication tunnel with the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel.
The enterprise portal server is configured to receive the login request sent by the user terminal; send the authorization credential to the user terminal if the login request passes; receive the user information request sent by the virtual private network server; and, if the user information request carries the authorization credential, send the corresponding user information to the virtual private network server according to the authorization credential so that the virtual private network server can verify the verification request sent by the user terminal.
The invention also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing all or part of the steps of any of the resource access methods described above when executing the program.
The invention also provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements all or part of the steps of any of the resource access methods described above.
In the embodiments of the invention, after the user logs in to the enterprise portal server directly over the internet, a verification request carrying the authorization credential is automatically sent to the virtual private network server to achieve silent login, so the user does not need to enter identity authentication information again; and if the verification request passes, the user terminal establishes an encrypted communication tunnel with the virtual private network server through the virtual private network client, so that the user terminal can securely and conveniently access the intranet resources managed by the enterprise portal server.
Drawings
In order to illustrate the invention and the technical solutions of the prior art more clearly, the drawings used in the embodiments or in the description of the prior art are briefly described below. The drawings in the following description show some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a network structure diagram corresponding to a resource access method provided by the invention;
FIG. 2 is a schematic flow chart of a resource access method provided by the invention;
FIG. 3 is a flow chart of another method for accessing resources provided by the present invention;
FIG. 4 is a flow chart of yet another method for accessing resources provided by the present invention;
FIG. 5 is a schematic diagram of a resource access device according to the present invention;
FIG. 6 is a schematic diagram of another resource access device according to the present invention;
FIG. 7 is a schematic diagram of a configuration of a resource access device according to another embodiment of the present invention;
FIG. 8 is a schematic diagram of a resource access system according to the present invention;
FIG. 9 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the accompanying drawings. The described embodiments are some, not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from the embodiments of the invention without inventive effort fall within the scope of the invention.
A Web portal is a Web site that organizes, stores and presents information from different sources in an orderly fashion. Users can filter and obtain all content published in the Web portal by information source, information type, keyword search and other means. An enterprise portal is a Web portal system built by an enterprise's IT department for its staff; through it, staff can quickly access the network resources the enterprise provides and obtain information such as notices and news, which makes the enterprise portal an important information channel between the enterprise and its staff.
With the rise of remote working, employees need to access the enterprise portal remotely. Logging in directly over the internet gives a remote employee access only to the open resources in the enterprise portal (resources that are open to the internet and accessible after an internet login); for internal network resources (intranet resources) with a higher security level, a virtual private network (VPN) must be connected before the enterprise portal can be accessed. A remote employee accessing intranet resources therefore has to enter an account and password several times (the account and password of the two logins may or may not be the same). This repeated login not only gives a poor user experience but, because the account and password are entered many times, also increases the risk of the user's password leaking and reduces the security of the whole system.
The invention provides a resource access method, device, system, electronic device, medium and program so that, after logging in to the enterprise portal, enterprise staff can log in to and connect with a virtual private network as needed and thereby access internal enterprise network resources.
A resource access method, apparatus, system, electronic device, medium and program of the present invention are described below with reference to FIG. 1 to FIG. 9.
To make the resource access method provided by the invention easier to understand, the network structure it corresponds to is described first. FIG. 1 is a network structure diagram corresponding to a resource access method provided by the invention. As shown in FIG. 1, the enterprise network is divided into an internet-accessible part and an internet-inaccessible part, and the enterprise portal server is deployed in the internet-accessible part, where it manages open resource links (open resource portals) and intranet resource links (intranet resource portals). Open resources are resources (data resources and service resources) with lower security requirements that can be obtained by logging in directly over the internet; intranet resources are resources (data resources and service resources) with higher security requirements that cannot be obtained by logging in directly over the internet.
A user terminal on the internet can log in to the enterprise portal server directly through a browser, but after such a direct internet login it can only access the open resource links managed by the enterprise portal server and, through them, the open resource servers deployed in the internet-accessible part of the enterprise network. The user terminal can also connect to the virtual private network server through the virtual private network client; after obtaining an intranet resource link from the enterprise portal, it accesses, through the virtual private network server, the intranet resource server deployed in the internet-inaccessible part of the enterprise network and obtains the intranet resource corresponding to the link. The virtual private network provides the external user terminal with an encrypted communication tunnel to the enterprise portal server, so that intranet resources can be accessed securely.
FIG. 2 is a flow chart of a resource access method provided by the present invention. The method is applied to a user terminal and, as shown in FIG. 2, comprises:
S21, sending a login request to an enterprise portal server so that the enterprise portal server can authenticate the identity of the user;
Specifically, the user terminal is located on the internet, and the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the internet. The user terminal sends a login request to the enterprise portal server so that the enterprise portal can authenticate the user's identity. The login client that sends the login request may be a browser installed on the user terminal, that is, the login request is sent to the enterprise portal server through a login web page in the browser.
The login request carries identity authentication information: for example, it may carry the user's account and password, or the user's biometric information (such as voice, fingerprint, face or iris), so that the enterprise portal server can authenticate the user's identity.
S22, receiving an authorization credential returned by the enterprise portal server if the login request passes;
Specifically, the enterprise portal server authenticates the user according to the identity authentication information carried in the login request. If authentication passes, the user terminal can directly access the open resource links in the enterprise portal server (without going through the virtual private network server described below) and obtain the corresponding open resources. Also, if authentication passes, the enterprise portal server returns an authorization credential, which may be a non-plaintext encrypted string that a third-party application can use to access the enterprise portal server. The authorization credential may also be configured with a time-to-live, so that the third-party application can access the enterprise portal server only temporarily, during the time-to-live, which improves the security of enterprise portal management.
It will be appreciated that if the enterprise portal server fails to authenticate the login request, it returns feedback indicating authentication failure. Further, the user terminal may prompt the user to re-enter the authentication information.
S23, sending a verification request to a virtual private network server through a virtual private network client so that the virtual private network server can verify the identity of the user, wherein the verification request carries the authorization credential;
Specifically, after the browser on the user terminal that sent the login request receives the authorization credential returned by the enterprise portal server, it passes the authorization credential to the virtual private network client installed on the user terminal, and the virtual private network client sends a verification request carrying the authorization credential to the virtual private network server in order to obtain virtual private network service. It should be noted that the virtual private network client sends the verification request automatically on the basis of the authorization credential; the process requires neither the user's account, password nor biometric information and needs no manual input from the user, which achieves silent login.
In addition, it should be noted that when the user terminal is located in the intranet, it does not need to connect to a virtual private network and can directly access the intranet resources it is entitled to. Further, an intranet user terminal can be authenticated quickly according to the IP address of the login request: if the IP address of the login request is confirmed to belong to the intranet IP address range, authentication is directly determined to pass.
S24, if the verification request passes, using the virtual private network client to establish an encrypted communication tunnel between the virtual private network client and the virtual private network server, so that intranet resources can be accessed through the encrypted communication tunnel.
Specifically, if the virtual private network server verifies the verification request, it provides virtual private network service to the user terminal and establishes an encrypted communication tunnel between the user terminal and the virtual private network server. Once the tunnel is established, the communication between the user terminal and the virtual private network server is encrypted, which improves the security of data transmission over the network; at this point, after the user terminal obtains an intranet resource link from the enterprise portal, it can access the intranet resource server corresponding to that link through the virtual private network server and obtain the corresponding intranet resources.
In addition, it should be noted that virtual private networks (VPNs) may be divided into client-based VPNs and network-based VPNs. A client-based VPN is a virtual private network created between a single user and a remote network; it typically involves an application program, the user usually starts the VPN client manually and logs in with a username and password for authentication, and the client creates an encrypted tunnel between the user's computer and the remote network through which the user accesses the remote network. A network-based VPN securely connects two networks to each other across an untrusted network. The invention provides single-point remote login for the user, so a client-based virtual private network is adopted.
In this embodiment, after the user logs in to the enterprise portal server directly over the internet, a verification request carrying the authorization credential is automatically sent to the virtual private network server to achieve silent login, so the user does not need to enter identity authentication information again; and because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information the user used to log in to the enterprise portal server, the security of the process of logging in to the virtual private network server is improved. If the verification request passes, the user terminal establishes an encrypted communication tunnel with the virtual private network server through the virtual private network client, so that the user terminal can securely and conveniently access the intranet resources managed by the enterprise portal server.
Based on any of the foregoing embodiments, in one embodiment, after sending the login request to the enterprise portal server and before sending the verification request to the virtual private network server through the virtual private network client, the method further includes:
detecting whether the virtual private network client is installed;
prompting the user to install the virtual private network client if it is not detected, and after installation is complete repeating the step of detecting whether the virtual private network client is installed;
and starting the virtual private network client if it is detected.
Specifically, the installed virtual private network client listens on a specific local port, and a probe of that port that returns the expected response is used to decide whether the client is installed on the user terminal. The detection can be performed by an integrated JavaScript SDK or by a program written for the purpose. If the client is not detected, the user is prompted to install it, and once installation is complete the detection step is repeated so that the client can then be started automatically; if the client is detected, it is started and automatically sends the verification request to the virtual private network server so that the encrypted communication tunnel with the virtual private network server can be established.
In this implementation the virtual private network client is detected and started automatically, and the user does not have to enter a password by hand each time the virtual private network is connected, which improves the user experience.
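A Python stand-in for the local-port probe described above, added here as a worked example; it is not code from the patent or from any vendor's SDK. The page gives neither the port the client listens on nor the response it returns, so both are constructed here (EXPECTED_BANNER and an ephemeral port chosen at run time). The listener thread plays the part of the installed client and detect_vpn_client plays the part of the browser-side check, with ensure_client implementing the prompt-install-and-retry loop.

```python
import socket
import threading

# Constructed values: the page gives neither the real client's port nor its reply.
EXPECTED_BANNER = b"VPN-CLIENT-PROBE/1 ok\n"
PROBE_TIMEOUT_S = 0.5


class FakeVpnClientListener:
    """Plays the installed VPN client: listens on loopback only and answers each
    connection with EXPECTED_BANNER, then closes it."""

    def __init__(self, port: int = 0):
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", port))   # loopback only: never expose the probe port
        self._srv.listen(5)
        self._srv.settimeout(0.1)             # lets the serving thread notice stop()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(PROBE_TIMEOUT_S)
                try:
                    conn.sendall(EXPECTED_BANNER)
                except OSError:
                    pass                      # peer went away; nothing to do

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._srv.close()


def detect_vpn_client(port: int, expected: bytes = EXPECTED_BANNER) -> bool:
    """Browser-side check: connect to the loopback port and require the exact
    expected reply. Refusal, timeout and any other reply all mean 'not installed'."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=PROBE_TIMEOUT_S) as s:
            s.settimeout(PROBE_TIMEOUT_S)
            reply = b""
            while len(reply) < len(expected):
                chunk = s.recv(len(expected) - len(reply))
                if not chunk:
                    break
                reply += chunk
            return reply == expected
    except OSError:
        return False


def ensure_client(port: int, prompt_install) -> bool:
    """The page's loop: detect; if absent, prompt for installation and detect again.
    prompt_install is a callable standing in for the installation prompt. Returns
    True when a client is finally detected (the caller would then start it)."""
    for _ in range(2):
        if detect_vpn_client(port):
            return True
        prompt_install()
    return False


def find_free_closed_port() -> int:
    """Bind an ephemeral port and release it, giving a port that is (almost
    certainly) closed, to exercise the negative path."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    client = FakeVpnClientListener()
    print("installed client detected:", detect_vpn_client(client.port))
    client.stop()
    print("closed port detected:", detect_vpn_client(find_free_closed_port()))
```

The probe only answers the question "should the page prompt for installation". Any local process can bind a loopback port and return the banner, so a positive result must not be treated as proof that a genuine client is present; that assurance comes from the virtual private network server's verification of the credential, not from the port check.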
Based on any of the foregoing embodiments, in one embodiment, the verification request carries the IP address of the initiator of the verification request and the authorization credential carries the IP address of the initiator of the login request, so that the virtual private network server can check that the two addresses are consistent.
Specifically, to achieve a silent login to the virtual private network server, the user terminal passes the authorization credential obtained by the browser that logged in to the enterprise portal server to the virtual private network client, which uses it to connect to the virtual private network server. A credential that crosses from the browser to another process in this way could be stolen or tampered with by an attacker, for example through an XSS vulnerability, and then presented from somewhere else, so the source of the request is checked when the virtual private network client logs in to the virtual private network server. The verification request carries the IP address of its initiator and the authorization credential carries the IP address of the login request initiator; after receiving the verification request, the virtual private network server compares the two. If they match, the credential is taken not to have been stolen or tampered with; if they differ, the user terminal may be affected by a vulnerability such as XSS, and the user terminal raises an alarm.
An XSS (cross-site scripting) vulnerability allows an attacker to inject malicious script into a web page so that the user's browser loads and executes it. The injected code is usually JavaScript but may also be Java, VBScript, ActiveX, Flash or even plain HTML. A successful attack can give the attacker, among other things, elevated privileges (for example to perform dangerous operations), private page content, sessions and cookies.
In this embodiment, the verification request carries the IP address of its initiator and the authorization credential carries the IP address of the login request initiator, and the virtual private network server checks that the two are consistent, which further secures the silent login process.
Based on any of the foregoing embodiments, in one embodiment, the virtual private network client is a secure socket layer protocol based virtual private network client, and the virtual private network server is a secure socket layer protocol based virtual private network server.
Specifically, a virtual private network based on the secure socket layer protocol (SSL VPN) is not affected by firewalls or NAT devices placed between client and server and so traverses them easily; it can reach the corresponding network resources from any device at any location, which makes it a good choice for secure remote access to an enterprise. The SSL protocol consists of the SSL record protocol and the SSL handshake protocol, which together provide authentication, encryption and tamper resistance for application connections. The handshake protocol, the counterpart of IKE (Internet Key Exchange) in the IPsec protocol family, performs mutual authentication between server and client and negotiates the encryption algorithm and the MAC (message authentication code) algorithm, from which the encryption and authentication keys used by the record protocol are derived. (In current deployments the protocol actually negotiated is TLS, the successor of SSL, and SSL 2.0 and 3.0 should no longer be enabled; the name SSL VPN has simply stayed in use.)
In this embodiment, using a virtual private network client and a virtual private network server that are both based on the secure socket layer protocol lets the encrypted communication tunnel between the user terminal and the virtual private network server be established conveniently and safely.
Based on any of the above embodiments, in one embodiment, the method further comprises:
displaying the resources in the enterprise portal server that are accessible at the current moment in a first color;
and displaying the resources in the enterprise portal server that are not accessible at the current moment in a second color.
Specifically, the user terminal distinguishes the resources in the enterprise portal server by color. For example, after logging in through the browser, the open resources that are accessible are shown on a white background and the intranet resources that are not yet accessible on a grey background; once the user terminal has silently logged in to and connected with the virtual private network server, both open and intranet resources are accessible and are all shown on a white background. The distinction may equally be made with font color. The specific choice of first and second color may be adjusted to the user's needs and is not limited here.
In addition, while the silent login is in progress the user terminal may show a prompt such as "Currently logging in to the virtual private network".
In this embodiment, resources in the enterprise portal server that are accessible at the current moment are shown in a first color and those that are not accessible in a second color, so the two kinds of resource are told apart at a glance and the user experience improves.
Fig. 3 is a flow chart of another resource access method provided by the present invention, applied to a virtual private network server; as shown in Fig. 3, the method includes:
S31, receiving a verification request sent by a user terminal, the verification request carrying an authorization credential;
S32, requesting user information from an enterprise portal server according to the authorization credential;
S33, receiving the user information returned by the enterprise portal server and verifying the verification request according to it;
and S34, when verification passes, sending verification-passed information to the user terminal and establishing an encrypted communication tunnel with the user terminal so that the user terminal can access intranet resources through it.
In particular, the virtual private network server is located in the internet-accessible part of the enterprise network. It receives the verification request sent by the user terminal, decides from it whether the user is legitimate and accordingly whether to provide virtual private network service. The verification request carries the authorization credential the user obtained when logging in to the enterprise portal server directly over the internet, and the virtual private network server uses that credential to request user information from the enterprise portal server, for example the user name and whether the user holds the right to access intranet resources remotely. After receiving the user information the enterprise portal server returns for the credential, the virtual private network server verifies the verification request against it, confirming whether the user is legitimate, whether the user may access intranet resources remotely, and so on. When verification passes, the virtual private network server sends verification-passed information to the user terminal and establishes an encrypted communication tunnel between itself and the user terminal, through which the user terminal accesses intranet resources.
Before the method is executed, the virtual private network server and the enterprise portal server must be configured to interface with each other, for example by agreeing the communication address, port number, authorization credential format and user information format, so that the subsequent silent login can proceed smoothly.
In this embodiment, user information is requested from the enterprise portal server on the basis of the authorization credential carried in the verification request sent by the user terminal, and that verification request is verified against the returned user information. Because the authorization credential is a non-plaintext encrypted string and not the identity authentication information with which the user logged in to the enterprise portal server, the security of the silent login to the virtual private network server is improved; and because user information is fetched from the enterprise portal server per credential, the user's right to access intranet resources remotely is managed accurately and conveniently.
Based on any of the foregoing embodiments, in one embodiment, the verification request carries the IP address of the verification request initiator and the authorization credential carries the IP address of the login request initiator;
accordingly, after receiving the verification request from the user terminal and before requesting user information from the enterprise portal server according to the authorization credential, the method further includes:
determining that the verification request fails when the IP address of the verification request initiator carried in the verification request does not match the IP address of the login request initiator carried in the authorization credential;
and performing the step of requesting user information from the enterprise portal server according to the authorization credential when the IP address of the verification request initiator carried in the verification request matches the IP address of the login request initiator carried in the authorization credential.
Specifically, the user terminal hands the authorization credential obtained by the client that logged in to the enterprise portal to the virtual private network client, which uses it to connect to the virtual private network server. To guard against the credential being stolen or tampered with by an attacker, for instance through an XSS vulnerability, the virtual private network server checks the consistency of the user's IP source when the virtual private network client logs in. The verification request must carry the IP address of its initiator and the authorization credential the IP address of the login request initiator; on receiving the verification request, the virtual private network server compares the two. If they match, the credential is taken not to have been stolen or tampered with and the next verification step proceeds; if they differ, a vulnerability such as XSS may be present, and a verification-failed message is sent to the user terminal so that it can raise an alarm.
An XSS (cross-site scripting) vulnerability allows an attacker to inject malicious script into a web page so that the user's browser loads and executes it. The injected code is usually JavaScript but may also be Java, VBScript, ActiveX, Flash or even plain HTML. A successful attack can give the attacker, among other things, elevated privileges (for example to perform certain operations), private page content, sessions and cookies.
In this embodiment, the verification request carries the IP address of the verification request initiator, the authorization credential carries the IP address of the login request initiator, and the virtual private network server checks that the two are consistent, which further secures the silent login process.
Fig. 4 is a flow chart of yet another resource access method provided by the present invention, applied to an enterprise portal server; as shown in Fig. 4, the method includes:
S41, receiving a login request sent by a user terminal;
S42, sending an authorization credential to the user terminal when the login request passes;
S43, receiving a user information request sent by a virtual private network server;
and S44, when the user information request carries the authorization credential, sending the corresponding user information to the virtual private network server according to the authorization credential so that the virtual private network server can verify the verification request sent by the user terminal.
Specifically, the enterprise portal server is deployed in the internet-accessible part of the enterprise network. After receiving a login request sent by the user terminal over the internet, it authenticates the user according to the identity authentication information carried in the request in order to decide whether the login request passes. The enterprise portal server may implement the identity authentication function itself, for example by checking the login request against a pre-stored user identity database, or it may forward the identity authentication information in the login request to an identity authentication platform, which provides centralized identity authentication for multiple parties.
If authentication of the user's identity fails, the login request is rejected and the user terminal prompts the user to log in again. If it succeeds, the login request is granted and an authorization credential is sent to the user; the credential may be a non-plaintext encrypted string and may be used by a third-party application to access the enterprise portal server. The credential may also be given a time-to-live, so that the third-party application can access the enterprise portal server only temporarily, during that period, which improves the security of enterprise portal management.
The enterprise portal server also receives the user information request sent by the virtual private network server and returns the corresponding user information according to the authorization credential. Specifically, when the enterprise portal server generates an authorization credential in response to a user's login request, it also records the correspondence between that credential and the user's information, so that when the user information request arrives from the virtual private network server it can return the matching user information. For a credential with a time-to-live, the enterprise portal server additionally checks that the time of the current verification request falls within the credential's lifetime and returns the user information only in that case. Once it has the user information, the virtual private network server can verify the verification request sent by the user terminal.
In this embodiment, the enterprise portal server returns an authorization credential to a user terminal whose login request has passed, and that credential is used for authentication when logging in to the virtual private network to access intranet resources, so the user's identity authentication information is not needed there and security improves; and the enterprise portal server returns the corresponding user information to the virtual private network server according to the credential so that the server can verify and decide whether to establish an encrypted communication tunnel, which makes the user's remote access to the enterprise portal server easy to manage and more convenient.
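The three-party exchange described above from the user terminal's side (S21 to S24), the virtual private network server's side (S31 to S34, with the IP-consistency pre-check) and the enterprise portal server's side (S41 to S44, with the credential time-to-live), as an added worked example in Python; it is not code from the patent or from the assignees' products. The page leaves open the credential format, the user-information format and how the login IP is bound into the credential, so this example assumes an HMAC-SHA256 authenticated token over a JSON payload with a key shared between portal and VPN server (part of the "pre-configured interface"), an in-memory user table and an in-memory issued-credential table. The key, user names, passwords, addresses and timestamps are constructed values.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Assumed values: the page does not give the credential format or the interface
# configuration, so this example uses an HMAC-SHA256 token over a JSON payload
# with a key shared by portal and VPN server; none are real deployment values.
INTERFACE_KEY = b"example-shared-key-not-for-production"
CREDENTIAL_TTL_S = 300


def _payload_bytes(fields: dict) -> bytes:
    return json.dumps(fields, separators=(",", ":"), sort_keys=True).encode()


def mint_credential(key: bytes, cred_id: str, login_ip: str, expires_at: float) -> str:
    """Portal side: bind an opaque credential id to the login request's source IP and
    an expiry; the HMAC tag lets the VPN server read the IP but not forge or alter it."""
    payload = _payload_bytes({"cid": cred_id, "ip": login_ip, "exp": expires_at})
    return payload.hex() + "." + hmac.new(key, payload, hashlib.sha256).hexdigest()


def parse_credential(key: bytes, credential: str) -> Optional[dict]:
    """Return the payload only if the tag verifies (constant-time comparison)."""
    try:
        payload_hex, tag = credential.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), tag):
        return None
    return json.loads(payload)


@dataclass
class EnterprisePortal:
    """S41-S44: authenticates logins, issues credentials and answers user-info requests."""
    users: dict                                  # username -> {"password", "remote_access"}
    key: bytes = INTERFACE_KEY
    issued: dict = field(default_factory=dict)   # cred_id -> record behind the credential

    def login(self, username: str, password: str, src_ip: str, now: float) -> Optional[str]:
        user = self.users.get(username)          # demo table; real code compares password hashes
        if user is None or not hmac.compare_digest(user["password"], password):
            return None                          # S42 skipped: no credential is issued
        cred_id, expires_at = secrets.token_urlsafe(16), now + CREDENTIAL_TTL_S
        self.issued[cred_id] = {"username": username, "remote_access": user["remote_access"],
                                "login_ip": src_ip, "expires_at": expires_at}
        return mint_credential(self.key, cred_id, src_ip, expires_at)

    def user_info(self, credential: str, now: float) -> Optional[dict]:
        """S44: answer only for a known credential that is still inside its time-to-live."""
        payload = parse_credential(self.key, credential)
        record = self.issued.get(payload["cid"]) if payload else None
        if record is None or now > record["expires_at"]:
            return None
        return {"username": record["username"], "remote_access": record["remote_access"]}


@dataclass
class VpnServer:
    """S31-S34, with the IP-consistency pre-check ahead of the user-info request."""
    portal: EnterprisePortal
    key: bytes = INTERFACE_KEY
    tunnels: list = field(default_factory=list)

    def verify(self, credential: str, initiator_ip: str, now: float) -> tuple:
        payload = parse_credential(self.key, credential)
        if payload is None:
            return False, "credential tag invalid"
        if payload["ip"] != initiator_ip:        # credential presented from elsewhere
            return False, "ip mismatch: possible credential theft, alarm user"
        info = self.portal.user_info(credential, now)          # S32 / S33
        if info is None:
            return False, "portal rejected credential (unknown or expired)"
        if not info["remote_access"]:
            return False, "user %s lacks remote-access right" % info["username"]
        self.tunnels.append(info["username"])    # stands in for the S34 tunnel set-up
        return True, "tunnel established for %s" % info["username"]


def run_scenarios() -> dict:
    """Constructed walk-through: a legitimate silent login, the same credential replayed
    from another IP, a forged IP field, an expired credential, a user without the
    remote-access right and a failed portal login."""
    portal = EnterprisePortal(users={"alice": {"password": "correct horse", "remote_access": True},
                                     "bob": {"password": "battery staple", "remote_access": False}})
    vpn = VpnServer(portal)
    t0 = 1_700_000_000.0
    alice = portal.login("alice", "correct horse", "203.0.113.10", t0)
    bob = portal.login("bob", "battery staple", "203.0.113.11", t0)
    # An attacker rewrites the IP inside a stolen credential but cannot recompute the tag.
    forged = _payload_bytes(dict(parse_credential(INTERFACE_KEY, alice), ip="198.51.100.7")).hex() \
        + "." + alice.split(".", 1)[1]
    return {
        "legit": vpn.verify(alice, "203.0.113.10", t0 + 5),
        "stolen_replay": vpn.verify(alice, "198.51.100.7", t0 + 5),
        "forged_ip": vpn.verify(forged, "198.51.100.7", t0 + 5),
        "expired": vpn.verify(alice, "203.0.113.10", t0 + CREDENTIAL_TTL_S + 1),
        "no_remote_right": vpn.verify(bob, "203.0.113.11", t0 + 5),
        "bad_login": portal.login("alice", "wrong", "203.0.113.10", t0) is None,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:16s} -> {outcome}")
```

The address comparison assumes that the browser and the virtual private network client leave the user terminal through the same public address; users behind NAT pools with several egress addresses or on mobile networks can legitimately fail the check and would be alarmed as if the credential had been stolen. Binding the IP into an authenticated token lets the VPN server perform the pre-check before contacting the portal; an alternative that keeps the credential fully opaque is to store the login IP only at the portal and have it return that address with the user information.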
Based on any of the foregoing embodiments, in one embodiment, after sending the authorization credential to the user terminal when the login request passes, the method further includes:
responding to an open resource access request from the user terminal by returning an open resource link to the user terminal so that the user terminal can access the corresponding open resource.
Specifically, once the login request with which the user terminal logged in to the enterprise portal server directly over the internet has passed authentication, the user terminal can directly access the open resource links in the enterprise portal server and, through them, reach the open resource servers deployed in the internet-accessible part of the enterprise network to obtain the corresponding open resources.
In this embodiment, open resources are provided to a user who has logged in to the enterprise portal server directly over the internet.
Based on any of the foregoing embodiments, in one embodiment, after sending the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries it, the method further includes:
when the verification request corresponding to the authorization credential has passed, responding to an intranet resource access request from the user terminal by returning an intranet resource link to the user terminal so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
Specifically, after the virtual private network server has verified the user terminal against the user information and the verification request has passed, an encrypted communication tunnel is established between the virtual private network server and the user terminal; having obtained the intranet resource link from the enterprise portal, the user terminal retrieves the corresponding intranet resource through that tunnel. Because everything in the tunnel is encrypted, the user can access intranet resources remotely and safely.
In this embodiment, once the verification request corresponding to the authorization credential has passed, intranet resources are provided to the user conveniently and safely through the encrypted communication tunnel established between the virtual private network server and the user terminal.
Based on any of the foregoing embodiments, in one embodiment, after receiving the login request sent by the user terminal and before sending the authorization credential to the user terminal when the login request passes, the method further includes:
forwarding the login request to an identity authentication platform for authentication;
and determining whether the login request passes according to the authentication result returned by the identity authentication platform.
Specifically, the enterprise portal server may implement the identity authentication function itself, or it may forward the identity authentication information in the login request to an identity authentication platform that provides centralized identity authentication for multiple parties.
Correspondingly, the virtual private network server may also verify the user terminal's verification request through the identity authentication platform: after receiving the verification request it requests user information from the identity authentication platform according to the authorization credential, receives the returned user information, verifies the verification request against it, and, when verification passes, sends verification-passed information to the user terminal and establishes an encrypted communication tunnel between the user terminal and itself.
In this embodiment, forwarding the login request to an identity authentication platform allows the user's identity to be authenticated conveniently, quickly and at low cost.
The resource access device provided by the invention is described below; the device described below and the resource access method described above correspond to each other and may be read together.
Fig. 5 is a schematic structural diagram of a resource access device (corresponding to the user terminal 51 below) provided by the present invention; as shown in Fig. 5, the device includes:
a login request sending unit 511, configured to send a login request to an enterprise portal server so that the enterprise portal server can authenticate the user's identity;
an authorization credential receiving unit 512, configured to receive the authorization credential returned by the enterprise portal server when the login request passes;
a verification request sending unit 513, configured to send a verification request to a virtual private network server through a virtual private network client so that the virtual private network server can verify the user's identity, the verification request carrying the authorization credential;
and a first encrypted communication unit 514, configured to use the virtual private network client to establish an encrypted communication tunnel with the virtual private network server when the verification request passes, so that intranet resources are accessed through the tunnel.
Based on the above embodiments, in one embodiment, the apparatus further includes:
the detection unit is used for detecting whether the virtual private network client is installed or not;
a prompt installation unit, configured to prompt installation of the virtual private network client if it is not detected, and to repeat the step of detecting whether the virtual private network client is installed after installation is complete;
and a starting unit, configured to start the virtual private network client if it is detected.
Based on any of the foregoing embodiments, in one embodiment, the verification request carries the IP address of the verification request initiator and the authorization credential carries the IP address of the login request initiator, so that the virtual private network server can check that the two are consistent.
Based on any of the foregoing embodiments, in one embodiment, the virtual private network client is a secure socket layer protocol based virtual private network client, and the virtual private network server is a secure socket layer protocol based virtual private network server.
Based on any of the above embodiments, in one embodiment, the apparatus further comprises:
a first display unit, configured to display the resources in the enterprise portal server that are accessible at the current moment in a first color;
and a second display unit, configured to display the resources in the enterprise portal server that are not accessible at the current moment in a second color.
Fig. 6 is a schematic structural diagram of a resource access device (corresponding to the virtual private network server 61 below) according to the present invention; as shown in Fig. 6, the device includes:
a verification request receiving unit 611, configured to receive a verification request sent by a user terminal, the verification request carrying an authorization credential;
a user information request unit 612, configured to request user information from the enterprise portal server according to the authorization credential;
a verification request verification unit 613, configured to receive the user information returned by the enterprise portal server and verify the verification request according to it;
and a second encrypted communication unit 614, configured to send verification-passed information to the user terminal when verification passes and to establish an encrypted communication tunnel with the user terminal, so that the user terminal accesses intranet resources through the tunnel.
Based on any of the foregoing embodiments, in one embodiment, the verification request carries the IP address of the verification request initiator and the authorization credential carries the IP address of the login request initiator; correspondingly, the device further includes:
a first pre-verification unit, configured to determine that the verification request fails when the IP address of the verification request initiator carried in the verification request does not match the IP address of the login request initiator carried in the authorization credential;
and a second pre-verification unit, configured to perform the step of requesting user information from the enterprise portal server according to the authorization credential when the IP address of the verification request initiator carried in the verification request matches the IP address of the login request initiator carried in the authorization credential.
Fig. 7 is a schematic structural diagram of a resource access device (corresponding to the enterprise portal server 71 below) provided by the present invention; as shown in Fig. 7, the device includes:
a login request receiving unit 711, configured to receive a login request sent by a user terminal;
an authorization credential sending unit 712, configured to send an authorization credential to the user terminal when the login request passes;
an information request receiving unit 713, configured to receive a user information request sent by the virtual private network server;
and a user information sending unit 714, configured to send the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries it, so that the virtual private network server can verify the verification request sent by the user terminal.
Based on any of the above embodiments, in one embodiment, the apparatus further comprises:
an open resource response unit, configured to respond to an open resource access request from the user terminal by returning an open resource link to the user terminal so that the user terminal can access the corresponding open resource.
Based on any of the above embodiments, in one embodiment, the apparatus further comprises:
And the intranet resource response unit is used for responding to the intranet resource access request of the user terminal under the condition that the verification request corresponding to the authorization credential passes, and returning intranet resource links to the user terminal so that the user terminal can access the corresponding intranet resources by utilizing the encrypted communication tunnel established with the virtual special network server.
The following describes a resource access system provided by the present invention; the resource access system described below and the resource access method described above may be referred to correspondingly. Fig. 8 is a schematic structural diagram of a resource access system according to the present invention; as shown in Fig. 8, the system includes a user terminal 51, a virtual private network server 61, and an enterprise portal server 71.
The user terminal 51 includes:
a login request sending unit, configured to send a login request to the enterprise portal server so that the enterprise portal server performs identity authentication on the user;
an authorization credential receiving unit, configured to receive an authorization credential returned by the enterprise portal server when the login request passes;
a verification request sending unit, configured to send a verification request to the virtual private network server through the virtual private network client so that the virtual private network server performs identity authentication on the user; wherein the verification request carries the authorization credential;
a first encrypted communication unit, configured to, when the verification request passes verification, establish an encrypted communication tunnel between the virtual private network client and the virtual private network server by means of the virtual private network client, so as to access intranet resources through the encrypted communication tunnel.
The virtual private network server 61 includes:
a verification request receiving unit, configured to receive the verification request sent by the user terminal; wherein the verification request carries the authorization credential;
a user information request unit, configured to request user information from the enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
a second encrypted communication unit, configured to, when verification passes, send verification-passed information to the user terminal and establish an encrypted communication tunnel between the virtual private network server and the user terminal, so that the user terminal can access intranet resources through the encrypted communication tunnel.
The enterprise portal server 71 includes:
a login request receiving unit, configured to receive the login request sent by the user terminal;
an authorization credential sending unit, configured to send the authorization credential to the user terminal when the login request passes;
an information request receiving unit, configured to receive the user information request sent by the virtual private network server;
a user information sending unit, configured to, when the user information request carries the authorization credential, send the corresponding user information to the virtual private network server according to the authorization credential, so that the virtual private network server verifies the verification request sent by the user terminal.
In this embodiment, after the user terminal logs in to the enterprise portal server directly over the Internet, it automatically sends a verification request carrying the authorization credential to the virtual private network server, achieving a silent login without the user re-entering identity authentication information. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information used to log in to the enterprise portal, the security of the silent login to the virtual private network server is improved; and because an encrypted communication tunnel is established between the user terminal and the virtual private network server, the user terminal can securely and conveniently access the intranet resources managed through the enterprise portal server.
The following describes, through a preferred embodiment, the interaction between the executing entities in the resource access method provided by the present invention:
Preparation stage:
① The SSLVPN server and the enterprise Web portal server complete authentication docking, network resource configuration, and so on.
② IT personnel pre-install the SSLVPN client on the staff member's user terminal.
Login stage:
① When an enterprise staff member needs to work remotely, for example at home or on a business trip, the staff member logs in to the enterprise Web portal server from a user terminal using the account and password the enterprise has assigned to them;
② The enterprise Web portal server has the login request authenticated by the unified identity authentication platform, receives the authentication result from the platform, obtains an authorization credential, and returns the authentication result and the authorization credential to the user's Web browser;
③ The user terminal queries for the SSLVPN client through a port provided by the SDK, prompts the user to install the SSLVPN client if it is not detected, and starts the SSLVPN client if it is detected;
④ The Web browser passes the user's authorization credential to the SSLVPN client;
⑤ The SSLVPN client initiates a verification request to the SSLVPN server, the verification request carrying the authorization credential;
⑥ The SSLVPN server requests and obtains user information from the unified identity authentication platform according to the authorization credential;
⑦ The SSLVPN server verifies the user's verification request according to the returned user information and, if verification passes, establishes an encrypted communication tunnel between the user terminal and the SSLVPN server.
In this embodiment, after the user terminal logs in to the enterprise portal server directly over the Internet, it automatically sends a verification request carrying the authorization credential to the virtual private network server, achieving a silent login without the user re-entering identity authentication information. Because the authorization credential is a non-plaintext encrypted string rather than the identity authentication information used to log in to the enterprise portal server, the security of the silent login to the virtual private network server is improved; and because the user terminal establishes an encrypted communication tunnel with the virtual private network server, it can securely and conveniently access the intranet resources managed through the enterprise portal server.
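The login stage described above, together with the IP consistency pre-check of claim 5, as an added runnable model. This is example code written for this page, not the patent's or the applicant's implementation; the class and function names, the key shared between portal and VPN server at docking time, the random session id inside the credential, and the stdlib-only HMAC-based cipher (a stand-in for a real AEAD such as AES-GCM) are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes as HMAC-SHA256(key, nonce || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> str:
    """Encrypt-then-MAC a JSON payload; the base64 result is the opaque credential."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def unseal(key: bytes, credential: str) -> Optional[dict]:
    """Check the tag in constant time, then decrypt; None for anything malformed or forged."""
    try:
        raw = base64.urlsafe_b64decode(credential)
    except ValueError:
        return None
    if len(raw) < 16 + 32:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_digest(password: str) -> str:
    """Stand-in for the unified identity authentication platform's password check."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class EnterprisePortal:
    shared_key: bytes            # agreed with the VPN server during "authentication docking" (assumption)
    accounts: dict               # username -> password digest (constructed sample data)
    _issued: dict = field(default_factory=dict)   # credential -> user information

    def login(self, username: str, password: str, client_ip: str) -> Optional[str]:
        """Authenticate the login request; on success issue a credential bound to client_ip."""
        if not hmac.compare_digest(self.accounts.get(username, ""), password_digest(password)):
            return None
        credential = seal(self.shared_key, {"sid": secrets.token_hex(8), "login_ip": client_ip})
        self._issued[credential] = {"username": username, "login_ip": client_ip}
        return credential

    def user_info(self, credential: str) -> Optional[dict]:
        return self._issued.get(credential)   # only credentials this portal issued are known


@dataclass
class VpnServer:
    shared_key: bytes
    portal: EnterprisePortal
    tunnels: dict = field(default_factory=dict)   # tunnel id -> username

    def verify(self, credential: str, request_ip: str) -> Optional[str]:
        """Verify a silent-login request; returns a tunnel id, or None if it fails."""
        claims = unseal(self.shared_key, credential)
        if claims is None:
            return None                              # forged, tampered or garbage credential
        if claims["login_ip"] != request_ip:         # claim 5 pre-check, before asking the portal
            return None
        info = self.portal.user_info(credential)     # step 6: request user information
        if info is None or info["login_ip"] != request_ip:
            return None
        tunnel_id = secrets.token_hex(8)             # step 7: tunnel established on success
        self.tunnels[tunnel_id] = info["username"]
        return tunnel_id


@dataclass
class UserTerminal:
    ip: str
    portal: EnterprisePortal
    vpn: VpnServer
    client_installed: bool = True

    def silent_login(self, username: str, password: str) -> Optional[str]:
        """Login stage steps 1-7 as a single call; the user types credentials only once."""
        credential = self.portal.login(username, password, self.ip)
        if credential is None or not self.client_installed:   # real flow prompts to install the client
            return None
        return self.vpn.verify(credential, self.ip)            # browser hands the credential to the client
```

A credential replayed from another IP, a tampered credential, or a credential the portal never issued all fail in `VpnServer.verify` before any tunnel is created.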
Fig. 9 illustrates a physical schematic diagram of an electronic device; as shown in Fig. 9, the electronic device may include a processor 910, a communication interface 920, a memory 930, and a communication bus 940, wherein the processor 910, the communication interface 920, and the memory 930 communicate with each other via the communication bus 940. The processor 910 may invoke logic instructions in the memory 930 to perform all or part of the steps of the resource access method provided above.
Further, the logic instructions in the memory 930 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, perform all or part of the steps of the resource access method provided above.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs all or part of the steps of the resource access method provided above.
The device embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, and may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by software plus the necessary general-purpose hardware platform, or, of course, by hardware. Based on this understanding, the foregoing technical solution, in essence or in the part contributing to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk, or an optical disk, and which includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the respective embodiments or in some parts of the embodiments.
Finally, it should be noted that the above embodiments are only for illustrating the technical solution of the present invention and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments may be modified, or some of their technical features may be replaced by equivalents, and that such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (15)

1. A resource access method, applied to a user terminal, the user terminal being a terminal located on the Internet, the method comprising:
sending a login request to an enterprise portal server so that the enterprise portal server performs identity authentication on a user; wherein the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the Internet;
receiving an authorization credential returned by the enterprise portal server when the login request passes; wherein the authorization credential is a non-plaintext encrypted string and is not the identity authentication information with which the user logs in to the enterprise portal server;
sending a verification request to a virtual private network server through a virtual private network client so that the virtual private network server performs identity authentication on the user; wherein the verification request carries the authorization credential;
when the verification request passes verification, establishing, by means of the virtual private network client, an encrypted communication tunnel between the virtual private network client and the virtual private network server so as to access intranet resources through the encrypted communication tunnel, wherein the intranet resource server corresponding to the intranet resources is deployed in the part of the enterprise network that is not directly accessible from the Internet.
2. The resource access method according to claim 1, wherein after sending the login request to the enterprise portal server and before sending the verification request to the virtual private network server through the virtual private network client, the method further comprises:
detecting whether the virtual private network client is installed;
when the virtual private network client is not detected, prompting installation of the virtual private network client, and after installation is complete, performing the step of detecting whether the virtual private network client is installed again;
when the virtual private network client is detected, starting the virtual private network client.
3. The resource access method according to claim 1, wherein the verification request carries IP address information of the verification request initiator and the authorization credential carries IP address information of the login request initiator, so that the virtual private network server can verify IP address consistency.
4. A resource access method, comprising:
receiving a verification request sent by a user terminal; wherein the verification request is sent by the user terminal to a virtual private network server through a virtual private network client and carries an authorization credential; the user terminal is a terminal located on the Internet; the authorization credential is a non-plaintext encrypted string and is not the identity authentication information with which the user logs in to an enterprise portal server; and the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the Internet;
requesting user information from the enterprise portal server according to the authorization credential;
receiving the user information returned by the enterprise portal server, and verifying the verification request according to the user information;
when verification passes, sending verification-passed information to the user terminal and establishing an encrypted communication tunnel between the virtual private network server and the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel, wherein the intranet resource server corresponding to the intranet resources is deployed in the part of the enterprise network that is not directly accessible from the Internet.
5. The resource access method according to claim 4, wherein the verification request carries IP address information of the verification request initiator and the authorization credential carries IP address information of the login request initiator;
correspondingly, after receiving the verification request of the user terminal and before requesting the user information from the enterprise portal server according to the authorization credential, the method further comprises:
when the IP address information of the verification request initiator carried in the verification request is inconsistent with the IP address information of the login request initiator carried in the authorization credential, determining that the verification request fails verification;
when the IP address information of the verification request initiator carried in the verification request is consistent with the IP address information of the login request initiator carried in the authorization credential, performing the step of requesting the user information from the enterprise portal server according to the authorization credential.
6. A resource access method, comprising:
receiving a login request sent by a user terminal; wherein the user terminal is a terminal located on the Internet;
sending an authorization credential to the user terminal when the login request passes; wherein the authorization credential is a non-plaintext encrypted string and is not the identity authentication information with which the user logs in to an enterprise portal server, and the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the Internet;
receiving a user information request sent by a virtual private network server;
when the user information request carries the authorization credential, sending the corresponding user information to the virtual private network server according to the authorization credential so that the virtual private network server verifies the verification request sent by the user terminal and, when the verification request passes, an encrypted communication tunnel between the virtual private network client and the virtual private network server is established by means of the virtual private network client for accessing intranet resources through the encrypted communication tunnel, wherein the intranet resource server corresponding to the intranet resources is deployed in the part of the enterprise network that is not directly accessible from the Internet.
7. The resource access method according to claim 6, wherein after sending the authorization credential to the user terminal when the login request passes, the method further comprises:
responding to an open resource access request of the user terminal by returning an open resource link to the user terminal, so that the user terminal can access the corresponding open resource.
8. The resource access method according to claim 6, wherein after sending the corresponding user information to the virtual private network server according to the authorization credential when the user information request carries the authorization credential, the method further comprises:
when the verification request corresponding to the authorization credential passes, responding to an intranet resource access request of the user terminal by returning an intranet resource link to the user terminal, so that the user terminal can access the corresponding intranet resource through the encrypted communication tunnel established with the virtual private network server.
9. A resource access device, applied to a user terminal, the user terminal being a terminal located on the Internet, the device comprising:
a login request sending unit, configured to send a login request to an enterprise portal server so that the enterprise portal server performs identity authentication on a user; wherein the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the Internet;
an authorization credential receiving unit, configured to receive an authorization credential returned by the enterprise portal server when the login request passes; wherein the authorization credential is a non-plaintext encrypted string and is not the identity authentication information with which the user logs in to the enterprise portal server;
a verification request sending unit, configured to send a verification request to a virtual private network server through a virtual private network client so that the virtual private network server performs identity authentication on the user; wherein the verification request carries the authorization credential;
a first encrypted communication unit, configured to, when the verification request passes, establish, by means of the virtual private network client, an encrypted communication tunnel between the virtual private network client and the virtual private network server so as to access intranet resources through the encrypted communication tunnel, wherein the intranet resource server corresponding to the intranet resources is deployed in the part of the enterprise network that is not directly accessible from the Internet.
10. A resource access device, comprising:
a verification request receiving unit, configured to receive a verification request sent by a user terminal; wherein the verification request is sent by the user terminal to a virtual private network server through a virtual private network client and carries an authorization credential; the user terminal is a terminal located on the Internet; the authorization credential is a non-plaintext encrypted string and is not the identity authentication information with which the user logs in to an enterprise portal server; and the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the Internet;
a user information request unit, configured to request user information from the enterprise portal server according to the authorization credential;
a verification request verification unit, configured to receive the user information returned by the enterprise portal server and verify the verification request according to the user information;
a second encrypted communication unit, configured to, when verification passes, send verification-passed information to the user terminal and establish an encrypted communication tunnel between the virtual private network server and the user terminal so that the user terminal can access intranet resources through the encrypted communication tunnel, wherein the intranet resource server corresponding to the intranet resources is deployed in the part of the enterprise network that is not directly accessible from the Internet.
11. A resource access device, comprising:
a login request receiving unit, configured to receive a login request sent by a user terminal; wherein the user terminal is a terminal located on the Internet;
an authorization credential sending unit, configured to send an authorization credential to the user terminal when the login request passes; wherein the authorization credential is a non-plaintext encrypted string and is not the identity authentication information with which the user logs in to an enterprise portal server, and the enterprise portal server is deployed in the part of the enterprise network that is directly accessible from the Internet;
an information request receiving unit, configured to receive a user information request sent by a virtual private network server;
a user information sending unit, configured to, when the user information request carries the authorization credential, send the corresponding user information to the virtual private network server according to the authorization credential so that the virtual private network server verifies the verification request sent by the user terminal and, when the verification request passes, an encrypted communication tunnel between the virtual private network client and the virtual private network server is established by means of the virtual private network client for accessing intranet resources through the encrypted communication tunnel, wherein the intranet resource server corresponding to the intranet resources is deployed in the part of the enterprise network that is not directly accessible from the Internet.
12. A resource access system, comprising a user terminal, a virtual private network server, and an enterprise portal server; wherein
the user terminal performs the steps of the resource access method according to any one of claims 1 to 3;
the virtual private network server performs the steps of the resource access method according to any one of claims 4 to 5;
the enterprise portal server performs the steps of the resource access method according to any one of claims 6 to 8.
13. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the program, implements all or part of the steps of the resource access method according to any of claims 1 to 3, or implements all or part of the steps of the resource access method according to any of claims 4 to 5, or implements all or part of the steps of the resource access method according to any of claims 6 to 8.
14. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor performs all or part of the steps of the resource access method according to any of claims 1 to 3, or performs all or part of the steps of the resource access method according to any of claims 4 to 5, or performs all or part of the steps of the resource access method according to any of claims 6 to 8.
15. A computer program product comprising computer executable instructions for performing all or part of the steps of the resource access method according to any of claims 1 to 3, or performing all or part of the steps of the resource access method according to any of claims 4 to 5, or performing all or part of the steps of the resource access method according to any of claims 6 to 8 when executed.
CN202111406965.7A 2021-11-24 2021-11-24 Resource access method, device, system, electronic equipment, medium and program Active CN114374529B (en)

Publications (2)

Publication Number Publication Date
CN114374529A CN114374529A (en) 2022-04-19
CN114374529B true CN114374529B (en) 2024-06-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Country or region after: China
Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Applicant after: QAX Technology Group Inc.
Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.
Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Applicant before: QAX Technology Group Inc.
Country or region before: China
Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.
GR01 Patent grant