CN115001840B - Agent-based authentication method, system and computer storage medium - Google Patents

Agent-based authentication method, system and computer storage medium

Info

Publication number: CN115001840B
Authority: CN (China)
Prior art keywords: page, sub, request information, server, token
Prior art date
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202210705809.9A
Other languages: Chinese (zh)
Other versions: CN115001840A (en)
Inventor: 曾波
Current Assignee: Beijing Acoinfo Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original Assignee: Beijing Acoinfo Technology Co ltd
Priority date (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Filing date
Publication date
Application filed by Beijing Acoinfo Technology Co ltd
Priority to CN202210705809.9A
Publication of CN115001840A
Application granted
Publication of CN115001840B
Legal status: Active (current)
Anticipated expiration
Classifications

All classifications fall under H (Electricity) → H04 (Electric communication technique) → H04L (Transmission of digital information, e.g. telegraphic communication).

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/08 ... for authentication of entities
            • H04L63/0807 ... for authentication of entities using tickets, e.g. Kerberos
            • H04L63/0815 ... for authentication of entities providing single-sign-on or federations
        • H04L63/02 ... for separating internal from external traffic, e.g. firewalls
            • H04L63/0281 Proxies
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
            • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/32 ... including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/321 ... involving a third party or a trusted authority
                • H04L9/3213 ... involving a third party or a trusted authority using tickets or tokens, e.g. Kerberos

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a proxy-based authentication method, system and computer storage medium. The method comprises the following steps: the browser acquires main page request information, the server verifies the main page request information, and if the main page request information passes the verification, the main page is loaded and a trust connection is established between the main page and the server; the browser acquires sub-page request information, and the server generates a sub-page dedicated token according to the sub-page request information and based on the trust connection established with the main page; the browser sends HTTP request information to the server based on the sub-page dedicated token, wherein the HTTP request information comprises the sub-page dedicated token; and the server verifies the HTTP request information based on the HTTP proxy service and sends the verified HTTP request information to the browser so that the browser loads the corresponding sub-page information. The user verification information of the sub-page is processed through the HTTP proxy service, so that the user's privacy is prevented from being leaked, and the authentication system is implemented through a unified proxy, so that system resources are saved.

Description

Agent-based authentication method, system and computer storage medium
Technical Field
The present invention relates to the field of computers, and in particular, to an authentication method and system based on a proxy, and a computer storage medium.
Background
In the prior art, to ensure the security of a system, an authentication step is generally provided, in which the server authenticates whether the user issuing an authentication request has the right to access the system or the operating system.
At present, the mainstream authentication modes on the market are session-cookie and token verification. The basic principle of cookie-session authentication is that the server generates session data associated with the user and sends a session-id to the client, which stores it in a cookie; when the client makes a request it carries the session-id, and the server checks whether it holds session data for that id, which completes user authentication. This mode gives the server good control over the session, and because the session-id is random its security is relatively high, but the server must store the session data, and with several servers that data must be kept in shared storage (such as memory or a database), which undoubtedly increases maintenance cost and weakens scalability.
JWT (JSON Web Token) is currently the most popular cross-domain authentication solution. It replaces the traditional session-cookie mode with a token mode that the server and client use to transmit information with a signature for verification. Token verification is a stateless authentication mode for the server: the server does not need to store token data. After the user is verified, the server generates a token (hashed or encrypted) and sends it to the client; the client can place it in a cookie or in localStorage and carries it in a header when making a request, and the server confirms the user's identity after receiving the token and verifying it. Compared with cookie authentication, this mode is simpler, the server does not need to store authentication data, maintenance and scaling are easy, and keeping the token in localStorage avoids CSRF. However, token authentication has some performance overhead during encryption or decryption, and some symmetric encryption schemes carry potential security hazards.
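To make the trade-off the two paragraphs above describe concrete, here is a small Python illustration added to this page; it is not code from the patent or its assignee. It places a session-cookie style login, which keeps state on the server and hands the client only a random session-id, beside a JWT-style HMAC-signed token that carries its own claims and needs no server storage. The function names, the constructed signing key and the user `alice` are assumptions for the example. The token verifier additionally pins the signature algorithm and compares signatures in constant time, which is what a practitioner would check before trusting either scheme.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed server-side signing key for this example; a real deployment loads it from a secret store.
SECRET_KEY = secrets.token_bytes(32)

# --- Session-cookie style: the server keeps the session state, the client only holds a random id ---
_session_store: Dict[str, dict] = {}


def create_session(username: str) -> str:
    """Create server-side session data and return the random session-id that goes into the cookie."""
    session_id = secrets.token_urlsafe(32)  # unguessable and carries no user data
    _session_store[session_id] = {"user": username, "created": time.time()}
    return session_id


def verify_session(session_id: str) -> Optional[str]:
    """Look the session-id up; the server must hold data for the id for it to be valid."""
    record = _session_store.get(session_id)
    return record["user"] if record else None


# --- Token style (JWT-like HS256): stateless, the claims travel with the token, integrity via HMAC ---
def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint header.payload.signature with an HMAC-SHA256 signature over header.payload."""
    issued = int(now if now is not None else time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps({"sub": username, "exp": issued + ttl_seconds}, separators=(",", ":")).encode())
    signature = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(signature)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the token is well-formed, HS256-signed with our key, and unexpired."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64(header_b64))
        if header.get("alg") != "HS256":  # never let the token pick the algorithm (e.g. "none")
            return None
        expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_b64)):  # constant-time comparison
            return None
        claims = json.loads(_unb64(payload_b64))
    except ValueError:  # wrong part count, bad base64 (binascii.Error) or bad JSON
        return None
    current = now if now is not None else time.time()
    if claims.get("exp", 0) < current:
        return None
    return claims.get("sub")
```

The session path costs the server a lookup in shared state on every request; the token path costs an HMAC computation but no lookup, which is exactly the storage-versus-CPU trade-off the text describes.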
In the above verification modes, in the complex scenario where multiple Web applications run on the same server, the applications are isolated from each other and do not trust each other. For the system developer, when several Web applications need cross-domain (Cross-Origin) authentication, each Web application must implement its own authentication system and maintain user information across several authentication systems, and at the same time faces the problem of data synchronization; as the number of applications grows, the likelihood of system errors increases and user information also faces security problems. For the user, different application systems must be logged into in order to use different applications, each system has its own account system, and the systems do not trust each other. It is therefore inconvenient and unsafe for a user to have to remember many different usernames and passwords.
Disclosure of Invention
Therefore, it is necessary to provide a proxy-based authentication method, system and computer storage medium to solve the problems of high system error rate and unsafe information in the above authentication modes.
A proxy-based authentication method comprising:
the browser acquires main page request information, the server verifies the main page request information, and if the main page request information passes the verification, the main page is loaded and a trust connection is established between the main page and the server;
the browser acquires sub-page request information, and the server generates a sub-page dedicated token according to the sub-page request information and based on the trust connection established with the main page;
the browser sends HTTP request information to the server based on the sub-page dedicated token, wherein the HTTP request information comprises the sub-page dedicated token;
and the server filters and verifies the HTTP request information based on the HTTP proxy service, and sends the verified HTTP request information to the browser so as to enable the browser to load the corresponding sub-page information.
In one preferred embodiment, the acquiring, by the browser, of sub-page request information, and the generating, by the server, of a sub-page dedicated token according to the sub-page request information and based on the trust connection established with the main page, includes:
the browser acquires at least two sub-page request messages, and the server respectively generates sub-page special tokens based on the trust connection established with the main page according to the corresponding sub-page request messages.
In one preferred embodiment, the server filters and verifies the HTTP request information based on an HTTP proxy service, and sends the verified HTTP request information to a browser, so that the browser loads corresponding sub-page information, including:
and the server uniformly filters and verifies the corresponding HTTP request information based on HTTP proxy service, and sends the verified HTTP request information to the browser so as to enable the browser to load the corresponding sub-page information.
In one preferred embodiment, the acquiring, by the browser, the main page request information, verifying, by the server, the main page request information, and if the main page request information passes verification, loading the main page and establishing a trusted connection with the main page includes:
the method comprises the steps that a browser obtains main page request information, wherein the main page request information comprises main page identity authentication information;
the server acquires the main page request information to verify the main page identity authentication information, and if the main page identity authentication information passes the verification, the server sends a main page trust token to the main page so as to establish trust connection between the main page and the server.
In one preferred embodiment, the acquiring, by the browser, of sub-page request information, and the generating, by the server, of a sub-page dedicated token according to the sub-page request information and based on the trust connection established with the main page, includes:
the browser acquires sub-page request information, and the main page sends token request information to the server according to the sub-page request information;
and the server generates a sub-page special token according to the token request information and based on the trust connection established with the main page, and sends the sub-page special token to the main page, and the main page returns the corresponding sub-page special token to the corresponding sub-page port.
In one preferred embodiment, the browser sends HTTP request information to the server based on the sub-page specific token, the HTTP request information including the sub-page specific token, including:
and the sub-page port generates sub-page identity authentication information according to the special token of the sub-page, and sends HTTP request information to the server based on the sub-page identity authentication information.
In one preferred embodiment, the server filters and verifies the HTTP request information based on an HTTP proxy service, and sends the verified HTTP request information to a browser, so that the browser loads corresponding sub-page information, including:
the server preprocesses the HTTP request information based on HTTP proxy service so as to analyze whether the HTTP request information comprises a sub-page special token;
if the HTTP request information comprises a sub-page special token, judging whether the sub-page special token is matched with a sub-page special token generated by the server, and if so, passing authentication.
In one preferred embodiment, the server preprocesses the HTTP request information based on an HTTP proxy service, including:
and filtering noise information of the HTTP request information, wherein the noise information comprises static page resources.
In one preferred embodiment, the method further comprises:
and the browser creates environment isolation sandboxes corresponding to the number of the loaded pages according to the sub-page request information, so that the main page and the sub-pages operate in the corresponding environment isolation sandboxes respectively.
The proxy-based authentication method disclosed in the embodiment of the invention processes the user authentication information of the sub-page through the HTTP proxy service, which avoids the potential security hazard caused by leakage of user privacy and cross-domain sharing of authentication information, solves the problem of single sign-on among multiple mutually untrusted applications, opens up an account system across those untrusted applications, and enables the user model and account system to be shared among them. Each back end does not need to implement its own authentication system; authentication is implemented through a unified proxy, which saves system resources.
A proxy-based authentication system comprising:
the main page acquisition module is used for enabling the browser to acquire main page request information, the server verifies the main page request information, and if the main page request information passes the verification, the main page is loaded and trust connection is established between the main page and the server;
the sub-page token generation module is used for enabling the browser to obtain sub-page request information, and the server generates a sub-page special token according to the sub-page request information and based on the trust connection established with the main page;
an HTTP request information sending module configured to cause the browser to send HTTP request information to the server based on the sub-page specific token, where the HTTP request information includes the sub-page specific token;
and the sub-page information verification module is used for enabling the server to filter and verify the HTTP request information based on the HTTP proxy service, and sending the verified HTTP request information to the browser so as to enable the browser to load the corresponding sub-page information.
The proxy-based authentication system disclosed in the embodiment of the invention processes the user authentication information of the sub-page through the HTTP proxy service, which avoids the potential security hazard caused by leakage of user privacy and cross-domain sharing of authentication information, solves the problem of single sign-on among multiple mutually untrusted applications, opens up an account system across those untrusted applications, and enables the user model and account system to be shared among them. Each back end does not need to implement its own authentication system; authentication is implemented through a unified proxy, which saves system resources.
A computer storage medium comprising a stored program, wherein the program, when executed, controls an apparatus in which the storage medium is located to perform the method described above.
The computer storage medium disclosed in the above embodiment of the present invention, by executing the stored program, processes the user verification information of the sub-page through the HTTP proxy service, thereby avoiding the potential security hazard caused by leakage of user privacy and cross-domain sharing of authentication information, solving the problem of single sign-on among multiple mutually untrusted applications, opening up an account system across those untrusted applications, and allowing the user model and account system to be shared among them. Each back end does not need to implement its own authentication system; authentication is implemented through a unified proxy, which saves system resources.
Drawings
Fig. 1 is a flowchart of an agent-based authentication method according to a first preferred embodiment of the present invention;
Fig. 2 is a schematic diagram illustrating the sub-steps of S10 of a proxy-based authentication method according to the first preferred embodiment of the present invention;
Fig. 3 is a schematic diagram illustrating the sub-steps of S20 of a proxy-based authentication method according to the first preferred embodiment of the present invention;
Fig. 4 is a schematic diagram illustrating the sub-steps of S40 of a proxy-based authentication method according to the first preferred embodiment of the present invention;
Fig. 5 is a schematic diagram of the interaction between a browser and a server in a proxy-based authentication method according to the first preferred embodiment of the present invention;
Fig. 6 is a block diagram of a proxy-based authentication system according to a second preferred embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It will be understood that when an element is referred to as being "disposed on" another element, it can be directly on the other element or intervening elements may also be present. When an element is referred to as being "connected" to another element, it can be directly connected to the other element or intervening elements may also be present. The terms "vertical," "horizontal," "left," "right," and the like as used herein are for illustrative purposes only and do not represent the only embodiments.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The terminology used in the description of the invention herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used herein, the term "and/or" includes any and all combinations of one or more of the associated listed items.
As shown in fig. 1 and fig. 5, a preferred embodiment of the present invention discloses an authentication method based on proxy, which includes:
S10: the browser acquires main page request information, the server verifies the main page request information, and if the main page request information passes the verification, the main page is loaded and a trust connection is established between the main page and the server;
In step S10 of this embodiment, the main page request information includes the main page's domain name, website information and the like. A user may input the corresponding domain name or website information of the main page in the input window of the browser; the browser establishes a connection with the server; the server verifies the main page request information sent for the main page, and if verification passes, the corresponding main page is loaded and a trusted connection is established with the loaded main page.
Specifically, as shown in fig. 2, the step S10 in the present embodiment specifically includes the following steps:
S11: the browser obtains main page request information, wherein the main page request information comprises main page identity authentication information;
S12: the server acquires the main page request information to verify the main page identity authentication information, and if the main page identity authentication information passes the verification, the server sends a main page trust token to the main page so as to establish a trust connection between the main page and the server.
In embodiment 1, an operator accesses the home page using a browser: the operator inputs the website URL corresponding to the home page, https://a.com, in the browser's input box; the server returns the corresponding verification page to the browser according to that URL or domain name; the operator inputs the home page identity authentication information, which may include a user name, a password and the like, on the verification page; the server verifies the input home page identity authentication information, and if verification passes, the server returns the page corresponding to the home page https://a.com to the browser, and the browser presents the content of the home page https://a.com. After the user name and password have been verified by the server, the server also returns a token to the home page; the home page receives the token, the server establishes a trusted connection with the home page, and from this point the home page and the server trust each other.
S20: the browser acquires sub-page request information, and the server generates a sub-page special token based on establishing trust connection with the main page according to the sub-page request information;
In this embodiment, the operator may click an interactive element in the content of the main page presented in step S10 to send the sub-page request information, or may input a domain name related to the sub-page to send the sub-page request information.
Specifically, as shown in fig. 3, the above S20 includes the following steps:
S21: the browser acquires sub-page request information, and the main page sends token request information to the server according to the sub-page request information;
S22: the server generates a sub-page dedicated token according to the token request information and based on the trust connection established with the main page, sends the sub-page dedicated token to the main page, and the main page returns the corresponding sub-page dedicated token to the corresponding sub-page port.
In this embodiment, the browser obtains at least two sub-page request messages, and the server generates a separate sub-page dedicated token for each, according to the corresponding sub-page request message and based on the trust connection established with the main page;
the operator clicks the sub-page request links in the content of the main page presented above, for example three links requesting that the content of sub-pages A, B and C be loaded. At this point the browser port corresponding to each sub-page first sends a request to the main page, asking the main page to send token request information to the server on its behalf. After receiving the sub-page request information from the three sub-pages' different ports, the main page sends token request information to the server in place of those ports; since a trusted connection was established between the browser and the server in step S10, the server accepts the main page's request, generates a sub-page dedicated token srand for each of the sub-pages A, B and C, and returns them to the main page; after receiving the sub-page dedicated tokens srand, the main page returns each one to its corresponding sub-page port;
in this step, the server receives the token request information sent by the main page on behalf of the sub-pages and generates an independent sub-page dedicated token. The sub-page dedicated token is an independent, random token generated by the server and used only for sub-page authentication; it does not carry any sub-page identifier or other additional information.
In this embodiment, the browser establishes the main page environment isolation sandbox and the sub-page environment isolation sandboxes by setting up inline frames. In other words, the ports corresponding to the sub-pages A, B and C are actually three sub-page environment isolation sandboxes embedded in the main page, each running on a different port, and the main page and the sub-pages run in their respective main page and sub-page environment isolation sandboxes. In the above embodiment, when a sub-page no longer responds to the main page's synchronization request, the main page may actively close the inline frame (iframe), thereby releasing the resource.
The browser creates separate operating environment sandboxes for the pages on the two different ports using the same-origin security isolation mechanism (the same-origin policy). The JavaScript programs of the two pages run in isolated contexts, so data isolation is achieved naturally and security is guaranteed. The same-origin security isolation mechanism governs how documents or scripts loaded from one origin may interact with resources from another origin, and is a key security mechanism for isolating potentially malicious files: across origins, cookies, localStorage and IndexedDB cannot be read, the DOM cannot be accessed, and AJAX requests cannot be sent.
As discussed in connection with embodiment 1 above, when a user accessing an interactive element through the main page https://a.com requires the sub-pages https://a.com:xx, https://a.com:yy and https://a.com:zz, the JavaScript program of the main page https://a.com asks the browser to create an inline frame (iframe) for each; the port corresponding to each sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz) sends sub-page request information to the main page (https://a.com); the main page (https://a.com) receives the sub-page request information and, according to it, sends the corresponding token request information to the proxy server (https://a.com…). JavaScript (JS) is a lightweight, interpreted or just-in-time compiled programming language with first-class functions. JavaScript is a prototype-based, multi-paradigm dynamic scripting language that supports object-oriented, imperative, declarative and functional programming styles.
The server receives the token request information sent by the main page (https://a.com), generates a sub-page dedicated token, for example srand, for the sub-page domain (https://a.com:xx, https://a.com:yy, https://a.com:zz), and returns the sub-page dedicated token srand in its response to the front-end program of the main page (https://a.com).
S30: the browser sends HTTP request information to the server based on the sub-page specific token, wherein the HTTP request information comprises the sub-page specific token;
In this step, the sub-pages A, B and C receive their sub-page dedicated tokens (srand), then each initiates an HTTP request to the server and adds its sub-page dedicated token (srand) to the HTTP request information, so that the HTTP request information includes the sub-page dedicated token.
As discussed in connection with embodiment 1 above, the main page (https://a.com) sends each sub-page dedicated token srand to the corresponding sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz), and each sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz) generates HTTP request information according to its sub-page dedicated token srand and sends that HTTP request information to the server.
S40: and the server filters and verifies the HTTP request information based on HTTP proxy service, and sends the verified HTTP request information to the browser so as to enable the browser to load corresponding sub-page information.
In this step, the server verifies, based on the HTTP proxy service, whether the HTTP request information generated by the sub-page includes a sub-page dedicated token; if it does, the server sends the verified HTTP request information to the browser and the sub-page information is loaded after verification. In the present embodiment, the HTTP proxy service corresponds to a relay server.
Specifically, as shown in fig. 4, the step S40 includes the following steps:
S41: the server preprocesses the HTTP request information based on the HTTP proxy service so as to analyze whether the HTTP request information comprises a sub-page dedicated token;
S42: if the HTTP request information comprises a sub-page dedicated token, it is judged whether the sub-page dedicated token matches a sub-page dedicated token generated by the server, and if so, authentication passes.
In step S41, the server preprocesses the HTTP request information based on the HTTP proxy service; specifically, it filters noise information out of the HTTP request information, where the noise information includes static page resources. For example, before the server processes a request, the HTTP proxy service preprocesses it first. The HTTP proxy listens on the ports of all sub-pages. Non-sensitive resources such as the static page resources (HTML, CSS, JS and the like) require no authentication: such requests are forwarded directly to the server, the server responds, and the static resources of the page are loaded and presented. For the remaining requests, the proxy analyzes whether the HTTP request information includes key information (a user name, password or phone number) and whether it includes the sub-page-specific token.
In step S42, if the HTTP request information includes a sub-page-specific token, the server judges whether the received sub-page-specific token matches the sub-page-specific token it generated earlier.
If the HTTP request information includes a sub-page-specific token and that token is consistent with the one generated by the server, the authentication passes: the server forwards the legitimate request through the HTTP proxy to the backend service of sub-page A, B or C for further processing, and after processing the corresponding data is returned to sub-page A, B or C in the browser. If the authentication fails, the request is rejected and an error code is returned.
As discussed in connection with embodiment 1 above, in step S40 the server receives the HTTP request information sent from the sub-pages (https://a.com:xx, https://a.com:yy, https://a.com:zz) embedded in the main page (https://a.com), and preprocesses it based on the HTTP proxy service. The HTTP proxy listens on the ports of all sub-pages (https://a.com:xx, https://a.com:yy, https://a.com:zz); non-sensitive resources such as the static page resources (HTML, JS and the like) require no authentication, so those requests are forwarded directly to the server, the server responds, and the static resources of the page are loaded and presented. For the remaining requests, the proxy parses whether the HTTP request information from each sub-page includes key information such as a user name, password or phone number, together with the sub-page-specific token.
If the HTTP request information includes a sub-page-specific token, the server judges, for each sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz), whether the token it sent matches the sub-page-specific token srand the server generated earlier.
If the HTTP request information contains a sub-page-specific token and that token is consistent with the token srand generated by the server, the authentication passes: the server forwards the legitimate request through the HTTP proxy to the corresponding sub-page backend (https://a.com:xx, https://a.com:yy, https://a.com:zz), processes the other services, and after processing returns the corresponding data to the sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz) on the browser side. If the authentication fails, the request is rejected and an error code such as 401 or 403 is returned.
The proxy-based authentication method disclosed in this embodiment processes the user authentication information of the sub-pages through the HTTP proxy service, which avoids the security risk of user privacy leakage and of sharing authentication information across domains, solves the single sign-on problem among multiple mutually untrusted applications, opens up an account system across those untrusted applications, and lets the user model and account system be shared among them. The back ends do not need to implement their own authentication systems; authentication is implemented through a unified proxy, saving system resources.
As shown in fig. 6, a second preferred embodiment of the present invention discloses a proxy-based authentication system 100, comprising: a main page obtaining module 110, a sub-page token generation module 120, an HTTP request information sending module 130 and a sub-page information verification module 140.
The main page obtaining module 110 is configured to enable the browser to obtain main page request information; the server verifies the main page request information and, if the verification passes, the main page is loaded and a trusted connection is established with it.
The main page request information in the main page obtaining module 110 includes the main page domain name, website information and the like. A user may enter the domain name or website of the main page in the corresponding input window of the browser; the browser establishes a connection with the server, the server verifies the main page request information, and if the verification passes the corresponding main page is loaded and a trusted connection is established with the loaded main page.
The main page obtaining module 110 includes a main page information acquisition unit and a main page verification unit.
The main page information acquisition unit is used for acquiring main page request information, and the main page request information comprises main page identity authentication information;
The main page verification unit is used for the server to obtain the main page request information and verify the main page identity authentication information; if the verification passes, the server sends a main page trust token to the main page so that the main page establishes a trusted connection with the server.
In embodiment 1, an operator accesses the main page through the browser by entering the URL of the main page, https://a.com, in the browser's address bar. According to that URL or domain name, the main page information acquisition unit returns the corresponding verification page to the browser through the server, and the operator enters the main page authentication information, which may include a user name, a password and the like, on that verification page. The main page verification unit verifies the entered main page authentication information through the server; if the verification passes, the server returns the page corresponding to the main page https://a.com to the browser, and the browser presents the content of the main page. After verifying the user name and password the server also returns a token to the main page; the main page holds this token, and a trusted connection is thereby established between the server and the main page.
A sub-page token generation module 120 is configured to enable the browser to obtain sub-page request information, and the server generates a sub-page dedicated token according to the sub-page request information and based on establishing a trusted connection with the main page;
In this embodiment, the operator clicks an interactive element in the content of the main page to send the sub-page request information, or may send the sub-page request information by entering a domain name associated with the sub-page.
The sub-page token generation module 120 includes a sub-page request information acquisition unit and a token generation unit.
The sub-page request information acquisition unit is used for acquiring sub-page request information through the browser, and the main page sends token request information to the server according to the sub-page request information;
The token generation unit is used for the server to generate a sub-page-specific token according to the token request information and based on the trusted connection established with the main page, and to send it to the main page; the main page then returns each sub-page-specific token to the corresponding sub-page port.
In this embodiment, the browser obtains at least two sub-page request messages, and the server generates sub-page dedicated tokens respectively based on establishing a trusted connection with the main page according to the corresponding sub-page request messages;
The operator clicks the sub-page request links in the main page content presented above, for example to load the content of sub-pages A, B and C respectively. The port of each browser sub-page first sends a request to the main page, asking the main page to send token request information to the server on its behalf. After receiving the sub-page request information from the three sub-page ports, the main page initiates token request information to the server on behalf of those ports; based on the trusted connection already established between the browser and the server, the server, on receiving the main page's request, generates a sub-page-specific token srand for each of sub-pages A, B and C and returns them to the main page. After receiving the sub-page-specific tokens srand, the main page returns each to the corresponding sub-page port.
The server receives the token request information sent by the main page on behalf of the sub-page and generates an independent sub-page-specific token. The sub-page-specific token is an independent, random token generated by the server for sub-page authentication; no sub-page identifier or other additional information is embedded in it.
In this embodiment, the browser establishes the main page environment isolation sandbox and the sub-page environment isolation sandboxes by setting inline frames. In other words, the ports corresponding to sub-pages A, B and C are actually three sub-page environment isolation sandboxes embedded in the main page, each running on a different port. The main page and the sub-pages run in their respective main page and sub-page environment isolation sandboxes. In the above embodiment, when a sub-page no longer responds to the synchronization request of the main page, the main page may actively close the inline frame (iframe), releasing its resources.
Using the same-origin security isolation mechanism, the browser creates separate runtime sandboxes for pages served from two different ports. The JavaScript programs of the two pages run in isolated contexts, so data isolation is obtained naturally and security is guaranteed. The same-origin security isolation mechanism (the same-origin policy) governs how a document or script loaded from one origin may interact with resources from another origin, and is a key security mechanism for isolating potentially malicious files. Across origins, cookies, localStorage and IndexedDB cannot be read, the DOM cannot be accessed, and AJAX responses cannot be read.
As discussed in connection with embodiment 1 above, when a user interacting with an element on the main page https://a.com needs the sub-pages https://a.com:xx, https://a.com:yy and https://a.com:zz, the JavaScript program of the main page https://a.com asks the browser to create an inline frame (iframe) for each. The port corresponding to each sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz) sends sub-page request information to the main page (https://a.com); the main page receives it and, executing in the main page's context, sends token request information to the server on the sub-page's behalf. JavaScript (JS) is a lightweight, interpreted or just-in-time compiled programming language with first-class functions. It is a prototype-based, multi-paradigm dynamic scripting language supporting object-oriented, imperative, declarative and functional programming styles.
The server receives the token request information sent by the main page (https://a.com), generates a sub-page-specific token, for example srand, for each sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz), and returns the sub-page-specific token srand to the front-end program of the main page (https://a.com) as the response to the request.
An HTTP request information sending module 130 is configured to enable the browser to send HTTP request information to the server based on the sub-page specific token, where the HTTP request information includes the sub-page specific token;
After sub-pages A, B and C receive their tokens (srand), the HTTP request information sending module 130 sends an HTTP request to the server and adds the token (srand) to the HTTP request information, so that the HTTP request information includes the token (srand).
As discussed in connection with embodiment 1 above, the main page (https://a.com) sends the sub-page-specific token srand to the corresponding sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz). The HTTP request information sending module 130 causes each sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz) to generate HTTP request information according to its sub-page-specific token srand and to send that HTTP request information to the server.
The sub-page information verification module 140 is configured to enable the server to filter and verify the HTTP request information based on the HTTP proxy service, and send the verified HTTP request information to the browser, so that the browser loads corresponding sub-page information.
The sub-page information verification module 140 has the server verify, based on the HTTP proxy service, whether the HTTP request information generated by a sub-page includes a sub-page-specific token; if it does and the token passes verification, the verified HTTP request information is sent to the browser and the sub-page information is loaded.
The sub-page information verification module 140 includes a preprocessing unit and a token authentication unit.
The preprocessing unit is used for preprocessing the HTTP request information through the server based on HTTP proxy service so as to analyze whether the HTTP request information comprises a sub-page special token or not;
The token authentication unit is used to judge, if the HTTP request information includes a sub-page-specific token, whether that token matches the sub-page-specific token generated by the server; if it matches, the token passes authentication.
The preprocessing unit preprocesses the HTTP request information based on the HTTP proxy service; specifically, it filters noise information out of the HTTP request information, where the noise information includes static page resources. For example, before the server processes a request, the HTTP proxy service preprocesses it first. The HTTP proxy listens on the ports of all sub-pages. Non-sensitive resources such as the static page resources (HTML, CSS, JS and the like) require no authentication: such requests are forwarded directly to the server, the server responds, and the static resources of the page are loaded and presented. For the remaining requests, the proxy analyzes whether the HTTP request information includes key information (a user name, password or phone number) and whether it includes the sub-page-specific token.
If the HTTP request information includes a sub-page-specific token, the token authentication unit judges whether the sub-page-specific token received by the server matches the sub-page-specific token the server generated earlier.
If the HTTP request information includes a sub-page-specific token and that token is consistent with the one generated by the server, the authentication passes: the server forwards the legitimate request through the HTTP proxy to the backend service of sub-page A, B or C for further processing, and after processing the corresponding data is returned to sub-page A, B or C in the browser. If the authentication fails, the request is rejected and an error code is returned.
As discussed in connection with embodiment 1 above, the server receives the HTTP request information sent from the sub-pages (https://a.com:xx, https://a.com:yy, https://a.com:zz) embedded in the main page (https://a.com), and preprocesses it based on the HTTP proxy service. The HTTP proxy listens on the ports of all sub-pages (https://a.com:xx, https://a.com:yy, https://a.com:zz); non-sensitive resources such as the static page resources (HTML, JS and the like) require no authentication, so those requests are forwarded directly to the server, the server responds, and the static resources of the page are loaded and presented. For the remaining requests, the proxy parses whether the HTTP request information from each sub-page includes key information such as a user name, password or phone number, together with the sub-page-specific token.
If the HTTP request information includes a sub-page-specific token, the server judges, for each sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz), whether the token it sent matches the sub-page-specific token srand the server generated earlier.
If the HTTP request information contains a sub-page-specific token and that token is consistent with the token srand generated by the server, the authentication passes: the server forwards the legitimate request through the HTTP proxy to the corresponding sub-page backend (https://a.com:xx, https://a.com:yy, https://a.com:zz), processes the other services, and after processing returns the corresponding data to the sub-page (https://a.com:xx, https://a.com:yy, https://a.com:zz) on the browser side. If the authentication fails, the request is rejected and an error code such as 401 or 403 is returned.
The proxy-based authentication system disclosed in this embodiment processes the user verification information of the sub-pages through the HTTP proxy service, which avoids the security risk of user privacy leakage and of sharing authentication information across domains, solves the single sign-on problem among multiple mutually untrusted applications, opens up an account system across those untrusted applications, and lets the user model and account system be shared among them. The back ends do not need to implement their own authentication systems; authentication is implemented through a unified proxy, saving system resources.
A third preferred embodiment of the present invention discloses a computer storage medium, which includes a stored program, wherein when the program runs, a device in which the storage medium is located is controlled to execute the method described above.
The computer storage medium disclosed in the above embodiment, by executing the stored computer program, processes the user verification information of the sub-pages through the HTTP proxy service, which avoids the security risk of user privacy leakage and of sharing authentication information across domains, solves the single sign-on problem among multiple mutually untrusted applications, opens up an account system across those untrusted applications, and lets the user model and account system be shared among them. The back ends do not need to implement their own authentication systems; authentication is implemented through a unified proxy, saving system resources.
It should be noted that the computer readable medium of the present disclosure may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
The computer readable medium may be embodied in the electronic device; or may be separate and not incorporated into the electronic device.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of simplicity of description, all possible combinations of the technical features in the above embodiments are not described, however, as long as there is no contradiction between the combinations of the technical features, the technical features should be considered as the scope of description in the present specification.
The above-mentioned embodiments only express several embodiments of the present invention, and the description thereof is specific and detailed, but not to be understood as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the inventive concept, which falls within the scope of the present invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (8)

1. A proxy-based authentication method, comprising:
the browser acquires main page request information, the server verifies the main page request information, and if the main page request information passes the verification, the main page is loaded and trust connection is established with the main page;
the browser acquires at least two sub-page request messages, and the server respectively generates sub-page special tokens based on the trust connection established with the main page according to the sub-page request messages;
the browser sends HTTP request information to the server based on the sub-page specific token, wherein the HTTP request information comprises the sub-page specific token;
and the server filters and uniformly verifies the HTTP request information based on HTTP proxy service, and sends the verified HTTP request information to the browser so as to enable the browser to load corresponding sub-page information.
2. The agent-based authentication method of claim 1, wherein the browser obtains main page request information, the server verifies the main page request information, and if the verification is passed, the main page is loaded and a trusted connection is established with the main page, comprising:
the method comprises the steps that a browser obtains main page request information, wherein the main page request information comprises main page identity authentication information;
the server acquires the main page request information to verify the main page identity authentication information, and if the main page identity authentication information passes the verification, the server sends a main page trust token to the main page so as to establish trust connection between the main page and the server.
3. The agent-based authentication method according to claim 1, wherein the browser obtains sub-page request information, and the server generates a sub-page dedicated token according to the sub-page request information and based on establishing a trusted connection with the main page, comprising:
the browser acquires sub-page request information, and the main page sends token request information to the server according to the sub-page request information;
and the server, according to the token request information and based on the trust connection established with the main page, generates a sub-page special token and sends it to the main page, and the main page returns the corresponding sub-page special token to the corresponding sub-page port.
4. The proxy-based authentication method according to claim 1, wherein the server filters and verifies the HTTP request information based on a HTTP proxy service, and sends the verified HTTP request information to a browser, so that the browser loads corresponding sub-page information, comprising:
the server preprocesses the HTTP request information based on HTTP proxy service so as to analyze whether the HTTP request information comprises a sub-page special token or not;
and if the HTTP request information comprises a sub-page special token, judging whether the sub-page special token is matched with the sub-page special token generated by the server, and if so, passing the authentication.
5. The proxy-based authentication method according to claim 4, wherein the server preprocesses the HTTP request message based on HTTP proxy service, comprising:
and filtering noise information of the HTTP request information, wherein the noise information comprises static page resources.
6. The agent-based authentication method of claim 1, wherein the method further comprises:
and the browser creates environment isolation sandboxes corresponding to the number of the loaded pages according to the sub-page request information, so that the main page and the sub-pages operate in the corresponding environment isolation sandboxes respectively.
7. A proxy-based authentication system, comprising:
the main page acquisition module is used for enabling the browser to acquire main page request information, the server verifies the main page request information, and if the main page request information passes the verification, the main page is loaded and trust connection is established between the main page and the server;
the sub-page token generation module is used for enabling the browser to obtain at least two pieces of sub-page request information, and the server respectively generates sub-page special tokens according to the sub-page request information and based on the trust connection established with the main page;
an HTTP request information sending module configured to cause the browser to send HTTP request information to the server based on the sub-page specific token, where the HTTP request information includes the sub-page specific token;
and the sub-page information verification module is used for enabling the server to filter and uniformly verify the HTTP request information based on HTTP proxy service, and sending the verified HTTP request information to the browser so as to enable the browser to load corresponding sub-page information.
8. A computer storage medium, characterized in that the storage medium comprises a stored program, wherein the program, when executed, controls an apparatus in which the storage medium is located to perform the method according to any one of claims 1-6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210705809.9A CN115001840B (en) 2022-06-21 2022-06-21 Agent-based authentication method, system and computer storage medium

Publications (2)

Publication Number Publication Date
CN115001840A CN115001840A (en) 2022-09-02
CN115001840B true CN115001840B (en) 2023-03-24

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116827933B (en) * 2023-08-30 2023-11-10 中航金网(北京)电子商务有限公司 Control method and device of cloud server, electronic equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7673135B2 (en) * 2005-12-08 2010-03-02 Microsoft Corporation Request authentication token
CN102088465B (en) * 2011-03-16 2014-04-16 中国科学院软件研究所 Hyper text transport protocol (HTTP) Cookie protection method based on preposed gateway
CN113746811A (en) * 2021-08-13 2021-12-03 网宿科技股份有限公司 Login method, device, equipment and readable storage medium
CN113992446B (en) * 2021-12-28 2022-03-29 北京翼辉信息技术有限公司 Cross-domain browser user authentication method, system and computer storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant