CN114765547A - Business system access method, device, equipment and storage medium - Google Patents


Info

Publication number: CN114765547A
Application number: CN202011627538.7A
Authority: CN (China)
Prior art keywords: user, service system, access, service, accessed
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 严波
Current Assignee: Beijing Qianli Richeng Technology Co ltd
Original Assignee: Beijing Qianli Richeng Technology Co ltd
Application filed by Beijing Qianli Richeng Technology Co ltd; priority to CN202011627538.7A; publication of CN114765547A.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention provides a business system access method, a device, equipment and a storage medium, wherein the method comprises the following steps: acquiring a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed; verifying whether the user logs in based on the user identification; if the user is a login user, verifying whether the login user has the access right for accessing the service system to be accessed based on the system information of the service system to be accessed and the access right pre-configured by the unified authorization center; and if the user has the authority, the user accesses the service system to be accessed through the service gateway. In the embodiment of the invention, the service gateway carries out authorization configuration on the service system in advance and provides a unified authorization function and a single sign-on function, so that when a user accesses the service system which is subjected to authorization configuration, the aim of accessing the service system without intrusion can be fulfilled based on the unified authorization function and the single sign-on function provided by the service gateway.

Description

Business system access method, device, equipment and storage medium
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for accessing a service system.
Background
At present, because of enterprise service integration, an enterprise has a plurality of different service systems, and each service system needs to access a unified authorization system, so that a user can log in to and access each service system after being authorized by a unified authorization center.
In the prior art, a service system accesses the unified authorization system by writing code that calls the Software Development Kit (SDK) package or Representational State Transfer (REST) interface provided by the unified authorization center, and is then integrated with a Single Sign On (SSO) system by further coding, or the service system is accessed through a bridging technology provided by the unified authorization center. In practical application, each of the different service systems must separately code its calls to the SDK package or REST interface of the unified authorization center and separately code its SSO integration in order to realize access to multiple service systems, which is cumbersome. The bridging technology provided by the unified authorization center can access a service system without coding, but its performance is relatively low and its scalability is poor.
It can be seen that, when a plurality of service systems are accessed by the conventional methods, high performance and code-free access cannot be achieved at the same time.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, a device, and a storage medium for accessing a service system, so as to solve the problem that the prior art cannot simultaneously achieve high performance and code-free access of a service system.
In order to achieve the above object, the embodiments of the present invention provide the following technical solutions:
the first aspect of the embodiment of the invention discloses a business system access method, which is applied to a service gateway, wherein the service gateway respectively establishes communication connection with a unified authorization center and a single sign-on system, and the method comprises the following steps:
acquiring a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed;
verifying whether the user logs in based on the user identification;
if the user is a login user, verifying whether the login user has an access right for accessing the service system to be accessed based on the system information of the service system to be accessed and the access right pre-configured by the unified authorization center, wherein the service system to be accessed is a service system which is pre-authorized and configured, and the configuration process of the access right is as follows: the uniform authorization center creates roles in advance according to system information of the service system, binds the created roles with the users and grants access rights of the users to access the service system;
and if the user has the authority, the user accesses the service system to be accessed through the service gateway.
Optionally, the verifying whether the user logs in based on the user identifier includes:
calling the SSO to verify whether the user identification exists or not;
if yes, determining that the user logs in;
and if not, determining that the user does not log in, and popping up a login interface.
Optionally, the process of performing authorization configuration on the service system in advance includes:
acquiring system information of a service system to be authorized and configured, wherein the service system to be authorized and configured is a service system whose service functions have been developed and which has been installed and deployed;
and configuring a Uniform Resource Locator (URL) for the service system to be authorized and configured, sending the system information of the service system to be authorized and configured, now carrying the URL, to the unified authorization center, and granting, by the unified authorization center, different user access rights to the service system to be authorized and configured.
Optionally, the verifying whether the login user has an access right to access the service system to be accessed based on the system information of the service system to be accessed includes:
reading a Uniform Resource Locator (URL) in the system information of the service system to be accessed;
calling the uniform authorization center to confirm the user access authority corresponding to the URL;
verifying whether the user access authority of the user who currently initiates the service system access request conforms to the user access authority or not, wherein the user access authority of the user who currently initiates the service system access request is granted by the uniform authorization center in advance;
if yes, determining that the authority is available;
if not, determining that the authority is not available.
The second aspect of the embodiment of the invention discloses a business system access device, which is applied to a service gateway, wherein the service gateway respectively establishes communication connection with a unified authorization center and a single sign-on system, and the device comprises:
the single sign-on system (SSO) integration module is used for obtaining a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed, verifying whether the user logs in based on the user identifier, and, if the user is a logged-in user, triggering the unified authorization integration module;
the unified authorization integration module is used for verifying whether the login user has the access authority for accessing the service system to be accessed based on the system information of the service system to be accessed and the access authority preconfigured by the unified authorization center, and if the login user has the access authority, enabling the user to access the service system to be accessed through the service gateway, wherein the service system to be accessed is a service system which is preconfigured for authorization, and the configuration process of the access authority is as follows: the uniform authorization center creates roles in advance according to system information of the service system, binds the created roles with the users and grants access rights of the users to access the service system;
and the service system access module is used for performing access configuration on the service system to be authorized and configured.
Optionally, the single sign-on system SSO integration module that verifies whether the user logs in based on the user identifier is specifically configured to invoke the single sign-on system SSO to verify whether the user identifier exists, determine that the user logs in if the user identifier exists, determine that the user does not log in if the user identifier does not exist, and pop up a login interface.
Optionally, the service system access module includes:
an acquisition unit and a configuration unit, wherein the acquisition unit is used for acquiring system information of a service system to be authorized and configured, and the service system to be authorized and configured is a service system whose service functions have been developed and which has been installed and deployed;
and the configuration unit is used for configuring a Uniform Resource Locator (URL) for the service system to be authorized and configured and sending the system information of the service system to be authorized and configured, now carrying the URL, to the unified authorization center, which grants different user access rights to the service system to be authorized and configured.
A third aspect of the embodiments of the present invention discloses a service gateway, where the service gateway includes the service system access device according to any one of claims 5 to 7, and the service gateway establishes communication connections with a unified authorization center and a single sign-on system, respectively.
A fourth aspect of the embodiments of the present invention discloses a storage medium, where the storage medium includes a stored program, and when the program runs, a device where the storage medium is located is controlled to execute the method for accessing the service system according to any one of claims 1 to 4.
A fifth aspect of an embodiment of the present invention discloses an electronic device, including a processor and a memory, where the memory stores a program, and the processor is configured to execute the program, where the program executes a method for service system access according to any one of claims 1 to 4.
Based on the business system access method, device and storage medium provided by the embodiment of the invention, the business system access method, device and storage medium are applied to the service gateway, the service gateway establishes communication connection with the unified authorization center and the single sign-on system respectively, and the method comprises the following steps: acquiring a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed; verifying whether the user logs in based on the user identification; if the user is a login user, verifying whether the login user has the access right for accessing the service system to be accessed, based on the system information of the service system to be accessed and the access right pre-configured by the unified authorization center, wherein the service system to be accessed is a service system which is pre-authorized and configured; and if the user has the authority, the user accesses the service system to be accessed through the service gateway. In the embodiment of the invention, the service gateway is used for carrying out authorization configuration on the service system in advance and providing the unified authorization function and the single sign-on function, so that when a user accesses the service system which is subjected to authorization configuration, the purpose of accessing the service system without intrusion can be realized based on the unified authorization function and the single sign-on function provided by the service gateway, the workload of system deployment is reduced, and the access performance of the service system is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic architecture diagram of a service access system according to an embodiment of the present invention;
fig. 2 is a schematic flowchart of a service system access method according to an embodiment of the present invention;
fig. 3 is a flow chart illustrating a pre-authorization configuration of a service system according to an embodiment of the present invention;
fig. 4 is a block diagram of a service system access device according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a data processing apparatus 50 according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
It can be known from the background art that, when a user accesses a plurality of service systems, each different service system needs to separately code calls to the SDK package or REST interface provided by the unified authorization center in order to access the unified authorization system, and needs to separately code its integration with the SSO system in order to realize access to the plurality of service systems; the bridging technology provided by the unified authorization center accesses the service systems without coding, but its performance is relatively low and its scalability is poor.
In the embodiment of the invention, the service gateway is used for carrying out authorization configuration on the service system in advance, and a unified authorization function and a single sign-on function are provided, so that when a user accesses the service system which is subjected to authorization configuration, the user can be logged in and verified based on the unified authorization function and the single sign-on function provided by the service gateway without the participation of the service system in verification, and the aim of accessing the service system without intrusion is fulfilled.
Referring to fig. 1, a schematic structural diagram of a service access system provided in an embodiment of the present invention is shown.
In fig. 1, a plurality of authorized service systems are indicated by service system 21 and service system 22.
Service system 21 and service system 22 establish a communication connection with service access system 10.
The business access system 10 is used for the purpose of non-intrusive user access to multiple business systems.
The service access system 10 includes a service gateway 101, a unified authorization center 102, and an SSO system 103.
The service gateway 101, the unified authorization center 102 and the SSO system 103 establish communication connection.
The authorization configuration process for implementing the service system 21 based on the service system access system disclosed in fig. 1 is as follows:
the administrator inputs system information of the business system 21 into the service gateway 101.
The service gateway 101 obtains the system information of the service system 21, registers and configures it through the service system access module, configures a URL (Uniform Resource Locator) for the service system 21, and then sends the system information of the service system 21, now carrying the URL, to the unified authorization center 102.
The unified authorization center 102 obtains the system information of the service system 21, which carries the URL of the service system 21, registers and configures it through a system authorization module, adds or deletes access rights of the service system 21 through a menu management module, creates a role through a role management module based on the general RBAC (Role-Based Access Control) permission model, grants the role the access rights of the service system 21, binds the user to be authorized with the role, and thereby grants the user the role's access rights to the service system 21.
It should be noted that the access right of the service system 21 serves as a right resource for an administrator to authorize the user to access the service system 21.
Similarly, the method described above is also used to implement the authorization configuration of the service system 22 based on the service access system. That is, the above method can be adopted for realizing the authorization configuration of the service system through the same service access system.
The process of implementing the user access to the service system 21 based on the service system access system disclosed in fig. 1 is as follows:
a user initiates a request for access to the service system 21 through the service gateway 101.
Before this, if the user performs a login operation, the SSO system 103 can be called by the service gateway 101 to perform login.
The service gateway 101 intercepts a service system 21 access request initiated by a user.
It should be noted that the service system 21 access request initiated by the user carries the user identifier and the system information of the service system 21, where the system information includes, but is not limited to, the system name and the URL.
The service gateway 101 calls the login authentication of the SSO system 103 through the SSO system authentication module to confirm whether the user identifier exists, determines that the user logs in if the user identifier exists, and determines that the user does not log in if the user identifier does not exist.
It should be noted that, while the user keeps the login status, the SSO system 103 caches user information, and when the user logs out, the user information cached, including but not limited to the user identifier, is cleared.
If the user does not log in, the SSO system 103 pops up a login interface for the user to log in, and after the user logs in at the login interface, the service gateway calls the login authentication of the SSO system 103 again through the SSO authentication module to confirm whether the user identifier exists.
If the user is logged in, the service gateway 101 reads the URL of the service system 21 and the user access right of the user currently initiating the access request to the service system 21, calls the unified authorization center 102 through the unified authorization center verification module to query the user access right corresponding to the URL, and compares whether the user access right of the requesting user is consistent with the user access right corresponding to the URL: if they are consistent, the user is determined to have the right; if not, the user is determined not to have it.
If the user access rights are not consistent, the service gateway 101 rejects the access, preferably redirecting the user to a 401 interface indicating that the user has no access right.
If the user access rights are consistent, the service gateway 101 passes the user access to the business system 21.
Similarly, the above method is also adopted for realizing the user access to the service system 22 based on the service access system. That is, the above method can be used when the user accesses the service system that realizes the authorization configuration through the same service access system.
In the embodiment of the invention, the service gateway is used for carrying out authorization configuration on the service system in advance, and a unified authorization function and a single sign-on function are provided, so that when a user accesses the service system which is subjected to authorization configuration, the aim of accessing the service system in a non-invasive way can be fulfilled based on the unified authorization function and the single sign-on function provided by the service gateway.
Based on the service access system architecture disclosed in the embodiment of the present invention, referring to fig. 2, a schematic flow diagram of a service system access method provided in the embodiment of the present invention is shown, where the method is applied to a service gateway, and the service gateway may be a service gateway 101 in the service access system shown in fig. 1. The business system access method comprises the following steps:
step S201: and acquiring a service system access request initiated by a user.
In step S201, the service system access request carries the user identifier and the system information of the service system to be accessed.
The system information of the service system to be accessed includes, but is not limited to, a system name and a URL.
And the URL of the service system to be accessed is pre-configured by the service gateway when the service system is accessed into the service gateway.
In the process of implementing step S201 specifically, when a user initiates a service system access request, the service gateway intercepts the service system access request, and obtains a user identifier carried in the service system access request and a system name and a URL of a service system to be accessed.
Step S202: and verifying whether the user logs in or not based on the user identification, if the user logs in, executing the step S203, and if the user does not log in, executing the step S204.
In step S202, if the user is in the login state, the user information, including but not limited to the user identifier, is cached in the SSO system.
In the process of implementing step S202, the service gateway invokes an SSO system through an SSO authentication module to verify whether the user identifier exists, and if the user identifier exists, it is determined that the user has logged in, otherwise, it is determined that the user has not logged in.
It should be noted that the SSO system may be the SSO system 103 in the service access system shown in fig. 1.
Step S203: and verifying whether the login user has the access right for accessing the service system to be accessed or not based on the system information of the service system to be accessed and the access right pre-configured by the unified authorization center, if so, executing the step S205, and if not, quitting the access.
In step S203, the service system to be accessed is a service system that is configured by authorization in advance, and the service system to be accessed may be one of the service systems in fig. 1.
In the process of implementing step S203, the service gateway reads the URL in the system information of the service system to be accessed and the user access right of the user currently initiating the service system access request, calls the unified authorization center through the unified authorization center verification module to query the user access right corresponding to the URL, and compares whether the user access right of the requesting user is consistent with the user access right corresponding to the URL. If they are consistent, the user is determined to have the right; otherwise the user is determined not to have it and the access is rejected, preferably by redirecting the user to a 401 interface indicating that the user has no access right.
The user access right of the user currently initiating the service system access request and the user access right corresponding to the URL are both granted in advance by the unified authorization center; the granting process is the same as the process, described in the part corresponding to fig. 1, by which the unified authorization center grants these rights in advance.
It should be noted that the unified authorization center may be a unified authorization center in the service access system shown in fig. 1.
Step S204: and popping up a login interface, and returning to execute the step S202 after login.
Step S205: and enabling the user to access the service system to be accessed through the service gateway.
Based on the service system access method disclosed by the embodiment of the invention, the service gateway calls the SSO system and the uniform authorization center to perform login authentication and permission verification on the service system access request initiated by the user so as to improve the management efficiency of service system access. In the embodiment of the invention, the service gateway carries out authorization configuration on the service system in advance and provides a unified authorization function and a single sign-on function, so that when a user accesses the service system which is subjected to authorization configuration, the aim of accessing the service system without intrusion can be fulfilled based on the unified authorization function and the single sign-on function provided by the service gateway.
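The request path of steps S201 to S205 (and of the fig. 1 walkthrough above), as an added example that is not part of the patent or its assignee's code: a small Python model of the service gateway, the SSO system and the unified authorization center. The user name, URLs and access-right strings are constructed, and the 401 outcome is returned as a string rather than as an HTTP response.

```python
"""Added example (not code from the patent or its assignee): a service gateway
that checks login through an SSO session cache and access rights through a
unified authorization center, following steps S201-S205 and the fig. 1
walkthrough. Users, URLs and right names are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed URLs standing in for URL1 / URL2 of the patent's Table 1.
URL1 = "https://gw.example/bs1"
URL2 = "https://gw.example/bs2"


@dataclass
class AccessRequest:
    """Carries the user identifier and the system information (name, URL)."""
    user_id: Optional[str]
    system_name: str
    url: str


class SSOSystem:
    """Caches identifiers of logged-in users; logout clears the entry."""

    def __init__(self):
        self._sessions = set()

    def login(self, user_id):
        self._sessions.add(user_id)

    def logout(self, user_id):
        self._sessions.discard(user_id)

    def is_logged_in(self, user_id):
        # Step S202: logged in iff the identifier is still cached.
        return user_id is not None and user_id in self._sessions


class UnifiedAuthorizationCenter:
    """Access right pre-configured per URL and rights granted per user;
    the role binding that produces them is assumed done in advance."""

    def __init__(self, url_rights, user_rights):
        self._url_rights = dict(url_rights)
        self._user_rights = {u: set(r) for u, r in user_rights.items()}

    def right_for_url(self, url):
        return self._url_rights.get(url)  # None: URL was never authorized

    def rights_of_user(self, user_id):
        return self._user_rights.get(user_id, set())


class ServiceGateway:
    """Intercepts every access request and verifies login and permission."""

    def __init__(self, sso, auth_center, registered_urls):
        self.sso = sso
        self.auth = auth_center
        self.registered_urls = set(registered_urls)  # Table 1 entries

    def handle(self, req):
        # S202/S204: no cached session -> the login interface is shown.
        if not self.sso.is_logged_in(req.user_id):
            return "LOGIN_REQUIRED"
        # S203: the target must be a system the gateway pre-configured.
        if req.url not in self.registered_urls:
            return "401"
        required = self.auth.right_for_url(req.url)
        # Compare the right bound to the URL with the rights the user holds.
        if required is None or required not in self.auth.rights_of_user(req.user_id):
            return "401"
        # S205: the request passes through the gateway to the service system.
        return f"FORWARD {req.system_name} {req.url}"


def build_demo_gateway():
    """Constructed deployment: two pre-configured systems, one user."""
    sso = SSOSystem()
    auth = UnifiedAuthorizationCenter(
        url_rights={URL1: "access right 1", URL2: "access right 2"},
        user_rights={"alice": {"access right 1"}},
    )
    return sso, ServiceGateway(sso, auth, [URL1, URL2])


def run_scenario():
    """Walk user alice through the flow; returns the gateway's decisions."""
    sso, gw = build_demo_gateway()
    req1 = AccessRequest("alice", "Business system 1", URL1)
    out = {"before_login": gw.handle(req1)}
    sso.login("alice")
    out["after_login"] = gw.handle(req1)
    out["no_right"] = gw.handle(AccessRequest("alice", "Business system 2", URL2))
    out["unregistered"] = gw.handle(AccessRequest("alice", "Unknown", URL2 + "9"))
    sso.logout("alice")
    out["after_logout"] = gw.handle(req1)
    return out
```

The gateway refuses a request whose URL was never pre-configured even when the user is logged in, which is the point of the pre-authorization step: only systems registered through the service system access module are reachable, and a service system never sees an unauthenticated or unauthorized request. Logging out clears the cached identifier, so the same request that was forwarded a moment earlier returns to the login interface.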
Based on the service system access method provided by the above embodiment of the present invention, the service system to be accessed related in step S203 is a service system that is authorized and configured in advance. As shown in fig. 3, a schematic flow chart of performing pre-authorization configuration on a service system provided in an embodiment of the present invention mainly includes the following steps:
step S301: and obtaining system information of the service system to be authorized.
In step S301, the service system to be authorized and configured is a service system whose service functions have been developed and which has been installed and deployed.
The system information of the service system to be authorized and configured includes, but is not limited to, the system name.
Step S302: and configuring a URL for the service system to be authorized and configured, sending system information of the service system to be authorized and configured, configured with the URL, to the uniform authorization center, and granting different access rights to the service system to be authorized and configured by the uniform authorization center.
In step S302, the process of granting different access rights to the service system to be authorized and configured by the unified authorization center is consistent with the process of granting different access rights to the service system designed in the description part corresponding to fig. 1.
In the process of implementing step S302, the service gateway reads the system information of the service system to be authorized through the service system access module, registers and configures the system information of the service system to be authorized to the service gateway, configures a URL for the service system, sends the system information of the service system to be authorized and configured, which is configured with the URL, to the uniform authorization center, and grants different access rights to the service system to be authorized and configured by the uniform authorization center.
In an optional implementation manner, the service gateway performs access configuration for the service system to be authorized and configured and configures a URL for it, which may take the form shown in table 1:
Table 1:
Business system      URL of business system
Business system 1    URL1
Business system 2    URL2
Table 1 above is merely exemplary.
According to the business system access method disclosed by the embodiment of the invention, the business system is subjected to authorization configuration in advance through the service gateway, and a unified authorization function and a single-point login function are provided, so that when a user accesses the business system subjected to authorization configuration, the purpose of accessing the business system without intrusion can be realized based on the unified authorization function and the single-point login function provided by the service gateway.
Based on the service system access method disclosed in the embodiment of the present invention, the process of accessing the service system without intruding the user is illustrated here:
Assume that, in order to pre-allocate the URL access right corresponding to each service system, the service gateway has also pre-configured service system 2, as shown in table 2:
Table 2:
Business system      URL of business system    Authority of business system
Business system 1    URL1                      Access right 1
Business system 2    URL2                      Access right 2
Table 2 above is by way of example only.
Based on the general RBAC model, roles are created, each role is granted access rights to service systems, and users are bound to roles so that each user obtains the access rights of the corresponding roles. The roles can be expressed in table form, as shown in table 3:
[Table 3: correspondence of user, role, URL and access right; rendered as an image in the original and not reproduced here]
Tables 2 and 3 above are examples only.
Based on the user, role, URL and access right correspondence shown in table 3:
If the user is bound to role 1, which the unified authorization center created in advance and granted access right 1, then the user has access right 1.
If the user is bound to role 2, which the unified authorization center created in advance and granted access right 2, then the user has access right 2.
If the user is bound to role 3, which the unified authorization center created in advance and granted access right 1 and access right 2, then the user has both access right 1 and access right 2.
In a specific implementation, when a user initiates a login request, the service gateway calls the SSO system to verify the user; if the user passes the verification, the user is logged in.
In a specific implementation, suppose a user who has been granted role 3 (per tables 2 and 3) initiates a service system access request carrying URL1. When the service gateway receives the request, it calls the SSO system to authenticate the user. If the SSO system confirms that the user is in the login state, the service gateway determines from URL1 that service system 1 is the system being accessed, and calls the unified authorization center to query the roles that hold access rights for the service system 1 corresponding to URL1. As can be seen from table 3, the roles with access rights for service system 1 are role 1 and role 3; because the user holds role 3, the user has access right 1, so the user accesses service system 1 through the service gateway and the access is executed.
In a specific implementation, suppose instead that a user who has been granted role 2 (per tables 2 and 3) initiates a service system access request carrying URL1. When the service gateway receives the request, it calls the SSO system to authenticate the user. If the SSO system confirms that the user is in the login state, the service gateway determines from URL1 that service system 1 is the system being accessed, and calls the unified authorization center to query the roles that hold access rights for the service system 1 corresponding to URL1. As can be seen from table 3, those roles are role 1 and role 3; because the user holds only role 2, the user does not have access right 1, so access to service system 1 through the service gateway is refused and the request exits.
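The pre-authorization configuration of steps S301 and S302 and the two access scenarios above, expressed as a runnable model. This is an added example and not code from the patent or the applicant: the class and function names (UnifiedAuthorizationCenter, SSOSystem, ServiceGateway, handle_access_request), the user identifiers and the set of active login sessions are constructed assumptions, while the system names, URLs, roles and access rights follow tables 1 to 3. The model also covers the two outcomes the text leaves implicit: a user without a login session is sent to the login interface, and a URL that was never registered in step S302 is refused rather than treated as authorized.

```python
"""Model of the service gateway flow of figs. 2 and 3 (constructed example, not the patent's code)."""
from enum import Enum


class Decision(Enum):
    LOGIN_REQUIRED = "login_required"  # not logged in: gateway pops up the login interface
    ALLOWED = "allowed"                # logged in and a bound role carries the URL's access right
    DENIED = "denied"                  # logged in but no bound role carries the access right


class UnifiedAuthorizationCenter:
    """Holds the pre-authorization configuration of the general RBAC model:
    service system -> URL (table 1), URL -> access right (table 2),
    role -> access rights and user -> roles (table 3)."""

    def __init__(self):
        self.url_of_system = {}    # system name -> URL
        self.right_of_url = {}     # URL -> access right required for that system
        self.rights_of_role = {}   # role -> set of access rights granted to the role
        self.roles_of_user = {}    # user identifier -> set of roles bound to the user

    def register_system(self, system_name, url, access_right):
        """Step S302: a deployed business system is registered under a URL and granted an access right."""
        self.url_of_system[system_name] = url
        self.right_of_url[url] = access_right

    def create_role(self, role, *access_rights):
        self.rights_of_role[role] = set(access_rights)

    def bind_user(self, user_id, role):
        self.roles_of_user.setdefault(user_id, set()).add(role)

    def access_right_for_url(self, url):
        return self.right_of_url.get(url)  # None if the URL was never registered

    def user_rights(self, user_id):
        """Rights the user obtains through every role bound to it."""
        rights = set()
        for role in self.roles_of_user.get(user_id, ()):
            rights |= self.rights_of_role.get(role, set())
        return rights

    def roles_with_access_to(self, url):
        """The roles the gateway queries for a URL (the lookup described for table 3)."""
        required = self.right_of_url.get(url)
        return {r for r, rights in self.rights_of_role.items() if required in rights}


class SSOSystem:
    """Stand-in for the single sign-on system: the set of user identifiers that
    currently hold a login session (a constructed assumption)."""

    def __init__(self, logged_in=()):
        self._sessions = set(logged_in)

    def is_logged_in(self, user_id):
        return user_id in self._sessions


class ServiceGateway:
    def __init__(self, sso, uac):
        self.sso = sso
        self.uac = uac

    def handle_access_request(self, user_id, url):
        # SSO integration module: verify the login state from the user identifier.
        if not self.sso.is_logged_in(user_id):
            return Decision.LOGIN_REQUIRED
        # Unified authorization integration module: read the URL from the request and
        # ask the authorization center which access right that URL requires.
        required = self.uac.access_right_for_url(url)
        if required is None:
            return Decision.DENIED  # not an authorized-and-configured service system
        # Compare it with the rights the user's pre-granted roles carry.
        if required in self.uac.user_rights(user_id):
            return Decision.ALLOWED
        return Decision.DENIED


def build_example():
    """Tables 1-3 of the text, with constructed user identifiers and sessions."""
    uac = UnifiedAuthorizationCenter()
    uac.register_system("business system 1", "URL1", "access right 1")
    uac.register_system("business system 2", "URL2", "access right 2")
    uac.create_role("role 1", "access right 1")
    uac.create_role("role 2", "access right 2")
    uac.create_role("role 3", "access right 1", "access right 2")
    uac.bind_user("alice", "role 3")  # the role-3 scenario
    uac.bind_user("bob", "role 2")    # the role-2 scenario
    uac.bind_user("carol", "role 1")  # bound to a role but holds no login session
    sso = SSOSystem(logged_in={"alice", "bob"})
    return ServiceGateway(sso, uac)


if __name__ == "__main__":
    gw = build_example()
    for user, url in [("alice", "URL1"), ("bob", "URL1"), ("bob", "URL2"), ("carol", "URL1")]:
        print(user, url, gw.handle_access_request(user, url).value)
```

The gateway never consults the service system itself, which is what makes the access non-intrusive: the decision depends only on the SSO session and the authorization center's role bindings, and a URL missing from the step S302 registration falls through to a refusal.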
Based on the service system access method provided by the embodiment of the invention, the embodiment of the invention also provides a corresponding service system access device.
Referring to fig. 4, a block diagram of a service system access device according to an embodiment of the present invention is provided, where the service system access device is applied to a service gateway, and the service gateway may be a service gateway 101 in the service access system shown in fig. 1. The business system access device comprises: an SSO system integration module 401, a unified authorization integration module 402 and a service system access module 403.
The SSO system integration module 401 is configured to obtain a service system access request initiated by a user, where the service system access request carries a user identifier and system information of a service system to be accessed, verify whether the user logs in based on the user identifier, and execute the unified authorization integration module if the user is a login user.
Specifically, when verifying whether the user has logged in based on the user identifier, the SSO system integration module is configured to call the SSO system to verify whether the user identifier exists; if so, it determines that the user has logged in, otherwise it determines that the user has not logged in and pops up a login interface.
A unified authorization integration module 402, configured to verify whether the login user has an access right to access the service system to be accessed based on the system information of the service system to be accessed and an access right preconfigured by the unified authorization center, and if so, enable the user to access the service system to be accessed through the service gateway, where the service system to be accessed is a service system that is configured by authorization in advance, and the configuration process of the access right is as follows: the unified authorization center creates roles in advance according to the system information of the service system, binds the created roles with the users and grants the access authority of the users to access the service system.
The unified authorization integration module 402 optionally includes:
An acquisition unit, configured to read the Uniform Resource Locator (URL) in the system information of the service system to be accessed and to call the unified authorization center to confirm the user access right corresponding to the URL.
A verification unit, configured to verify whether the user access right corresponding to the URL matches the user access right of the user currently initiating the service system access request, where that user's access right was granted in advance by the unified authorization center; if it matches, the user is determined to have the right, and if not, the user is determined not to have it.
A service system access module 403, configured to perform access configuration on a service system to be authorized and configured.
The service system access module 403 optionally includes:
the system comprises an acquisition unit and a configuration unit, wherein the acquisition unit is used for acquiring system information of a to-be-authorized configuration service system, and the to-be-authorized configuration service system is a service system which has developed service functions and is installed and deployed.
The configuration unit is used for configuring a uniform resource location mark URL for the service system to be authorized and configured, sending the system information of the service system to be authorized and configured with the URL to a uniform authorization center, and the uniform authorization center grants different user access rights for the service system to be authorized and configured.
It should be noted that, the specific principle and the execution process of each module in the service system access device disclosed in the embodiment of the present invention are the same as the principle and the execution process of the corresponding part in the service system access method disclosed in the embodiment of the present invention in fig. 2 and fig. 3, and reference may be made to the corresponding part in the service system access method disclosed in the embodiment of the present invention, which is not described herein again.
Based on the service system access device disclosed by the embodiment of the invention, the service gateway calls the SSO system and the uniform authorization center to perform login authentication and permission verification on a service system access request initiated by a user so as to improve the management efficiency of service system access. In the embodiment of the invention, the service gateway carries out authorization configuration on the service system in advance and provides a unified authorization function and a single sign-on function, so that when a user accesses the service system which is subjected to authorization configuration, the aim of accessing the service system without intrusion can be fulfilled based on the unified authorization function and the single sign-on function provided by the service gateway.
Based on the data processing apparatus disclosed in the above embodiment of the present invention, the above modules and units may be implemented by a hardware device composed of a processor and a memory. Specifically, the modules and units are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the data processing.
The processor includes one or more cores, and a core calls the corresponding program unit from the memory. The number of cores can be set to one or more, and the data processing is realized by adjusting the core parameters.
An embodiment of the present invention provides a storage medium on which a program is stored, the program implementing access to a business system when executed by a processor.
An embodiment of the present invention provides a processor, where the processor is configured to execute a program, where the program executes the service system access method disclosed in fig. 2 when running.
An embodiment of the present invention provides a data processing apparatus 50, and as shown in fig. 5, a schematic structural diagram of the data processing apparatus 50 provided in the embodiment of the present invention is shown.
The data processing device in the embodiment of the present invention may be a server, a PC, a PAD, a mobile phone, or the like.
The data processing device comprises at least one processor 501 and at least one memory 502 connected to the processor, and a bus 503.
The processor 501 and the memory 502 communicate with each other via a bus 503. A processor 501 for executing programs stored in the memory 502.
A memory 502 for storing a program for at least: acquiring a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed; verifying whether the user logs in based on the user identification; if the user is a login user, verifying whether the login user has the access right for accessing the service system to be accessed based on the system information of the service system to be accessed and the access right pre-configured by the unified authorization center, and if the user has the access right, enabling the user to access the service system to be accessed through the service gateway, wherein the service system to be accessed is a service system which is pre-authorized and configured, and the configuration process of the access right is as follows: the unified authorization center creates roles in advance according to the system information of the service system, binds the created roles with the users and grants the access authority of the users to access the service system.
The present application further provides a computer program product adapted to perform a program for initializing the following method steps when executed on a data processing device:
acquiring a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed; verifying whether the user logs in based on the user identification; if the user is a login user, verifying whether the login user has an access right for accessing the service system to be accessed based on the system information of the service system to be accessed, wherein the service system to be accessed is a service system which is authorized and configured in advance; and if the user has the authority, the user accesses the service system to be accessed through the service gateway.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a device includes one or more processors (CPUs), memory, and a bus. The device may also include input/output interfaces, network interfaces, and the like.
The memory may include volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM), including at least one memory chip. The memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium, which can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
It should be noted that, in this specification, each embodiment is described in a progressive manner, and each embodiment focuses on differences from other embodiments, and portions that are the same as and similar to each other in each embodiment may be referred to. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.

Claims (10)

1. A business system access method is characterized in that the method is applied to a service gateway, the service gateway establishes communication connection with a unified authorization center and a single sign-on system respectively, and the method comprises the following steps:
acquiring a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed;
verifying whether the user logs in based on the user identification;
if the user is a login user, verifying whether the login user has an access right for accessing the service system to be accessed based on the system information of the service system to be accessed and the access right pre-configured by the unified authorization center, wherein the service system to be accessed is a service system which is pre-authorized and configured, and the configuration process of the access right is as follows: the uniform authorization center creates roles in advance according to system information of the service system, binds the created roles with the users and grants access rights of the users to access the service system;
and if the user has the authority, the user accesses the service system to be accessed through the service gateway.
2. The method of claim 1, wherein said verifying whether the user is logged in based on the user identification comprises:
calling the SSO to verify whether the user identification exists or not;
if yes, determining that the user logs in;
and if not, determining that the user does not log in, and popping up a login interface.
3. The method of claim 1, wherein the pre-authorization configuration of the business system comprises:
acquiring system information of a to-be-authorized configuration service system, wherein the to-be-authorized configuration service system is a service system which has developed service functions and is installed and deployed;
and configuring a Uniform Resource Locator (URL) for the service system to be authorized and configured, sending the system information of the service system to be authorized and configured, together with the configured URL, to a unified authorization center, and granting, by the unified authorization center, different user access rights to the service system to be authorized and configured.
4. The method according to claim 3, wherein the verifying whether the login user has the access right to access the service system to be accessed based on the system information of the service system to be accessed comprises:
reading a Uniform Resource Locator (URL) in the system information of the service system to be accessed;
calling the uniform authorization center to confirm the user access authority corresponding to the URL;
verifying whether the user access right of the user who currently initiates the service system access request accords with the user access right, wherein the user access right of the user who currently initiates the service system access request is pre-granted by the unified authorization center;
if yes, determining that the authority is available;
if not, determining that the authority is not available.
5. A business system access device is characterized in that the business system access device is applied to a service gateway, the service gateway establishes communication connection with a unified authorization center and a single sign-on system respectively, and the device comprises:
the SSO integration module is used for acquiring a service system access request initiated by a user, wherein the service system access request carries a user identifier and system information of a service system to be accessed, verifying whether the user logs in or not based on the user identifier, and if the user is a login user, executing the uniform authorization integration module;
the unified authorization integration module is configured to verify whether the login user has an access right to access the service system to be accessed based on the system information of the service system to be accessed and an access right preconfigured by the unified authorization center, and if the login user has the access right, enable the user to access the service system to be accessed through the service gateway, where the service system to be accessed is a service system that is configured by authorization in advance, and the configuration process of the access right is as follows: the uniform authorization center creates roles in advance according to system information of the service system, binds the created roles with the users and grants access rights of the users to access the service system;
and the service system access module is used for performing access configuration on the service system to be authorized and configured.
6. The apparatus according to claim 5, wherein the SSO integration module for verifying whether the user logs on based on the user identifier is specifically configured to invoke the SSO to verify whether the user identifier exists, determine that the user has logged on if the user identifier exists, and determine that the user has not logged on if the user identifier does not exist, and pop up a login interface.
7. The apparatus of claim 5, wherein the service system access module comprises:
the system comprises an acquisition unit, a configuration unit and a configuration unit, wherein the acquisition unit is used for acquiring system information of a service system to be authorized, and the service system to be authorized is a service system which has developed service functions and is installed and deployed;
the configuration unit is used for configuring a Uniform Resource Locator (URL) for the service system to be authorized and configured, and for sending the system information of the service system to be authorized and configured, together with the configured URL, to a unified authorization center, which grants different user access rights to the service system to be authorized and configured.
8. A service gateway, characterized in that the service gateway comprises the business system access device of any one of claims 5 to 7, and the service gateway establishes communication connection with a unified authorization center and a single sign-on system respectively.
9. A storage medium, characterized in that the storage medium comprises a stored program, wherein when the program runs, a device in which the storage medium is located is controlled to execute the method for service system access according to any one of claims 1 to 4.
10. An electronic device, comprising a processor and a memory, the memory having a program stored therein, the processor being configured to execute the program, wherein the program when executed performs the method of business system access of any one of claims 1 to 4.
CN202011627538.7A 2020-12-31 2020-12-31 Business system access method, device, equipment and storage medium Pending CN114765547A (en)


Publications (1)

Publication Number Publication Date
CN114765547A true CN114765547A (en) 2022-07-19

Family

ID=82363143




Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No. 05-501, 5th floor, No. 229, Middle North Fourth Ring Road (South podium building of Haitai building), Haidian District, Beijing 100083

Applicant after: Beijing guoshuangqianli Technology Co.,Ltd.

Address before: No. 05-501, 5th floor, No. 229, Middle North Fourth Ring Road (South podium building of Haitai building), Haidian District, Beijing 100083

Applicant before: Beijing Qianli Richeng Technology Co.,Ltd.