CN115208579A - Authentication method, device, service system access method, device and storage medium


Info

Publication number
CN115208579A
Authority
CN
China
Prior art keywords
page
authority
target object
authentication
role
Legal status
Pending
Application number
CN202210800812.9A
Other languages
Chinese (zh)
Inventor
梁宇轩
黄春晖
徐凯鹏
张梁
李胜刚
刘富卫
周晓东
Current Assignee
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202210800812.9A
Publication of CN115208579A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols
    • H04L9/32: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/321: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority
    • H04L9/3213: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, involving a third party or a trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
    • H04L63/0807: Network architectures or network communication protocols for network security, for authentication of entities using tickets, e.g. Kerberos
    • H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L63/102: Network architectures or network communication protocols for network security, for controlling access to devices or network resources; entity profiles


Abstract

The present application relates to intelligent authentication technology, and in particular to an authentication method, apparatus, computer device, storage medium and computer program product. The method comprises the following steps: when a target object accesses a target page in a service system that has been connected to an authority engine system, acquiring the permission bit identifier of the target object and an authentication ticket obtained by logging in to the authority engine system, the permission bit identifier being matched with the role category of the target object; verifying the authentication ticket and, when it passes verification, determining the pre-configured accessible page links associated with the permission bit identifier; and feeding the accessible page links back to the service system, which uses them to determine the target object's access authority to the target page from whether the page link of the target page matches one of the accessible page links. With this method, authentication efficiency can be improved. The embodiments can be applied to scenarios such as cloud technology, artificial intelligence, intelligent traffic and driving assistance.

Description

Authentication method, device, service system access method, device and storage medium
Technical Field
The present application relates to the field of computer technologies, and in particular to an authentication method, an authentication apparatus, a service system access method, a service system access apparatus, and a storage medium.
Background
As service systems acquire wider usage scenarios and more functions, they also face more and more information security issues. For this reason, when a user wants to access a service system, the user is first authenticated to determine whether the user has the authority to access it.
In the prior art, an independent authority management module is developed for each service system, and that module determines whether a user has the authority to access the system. With multiple service systems, an authority management module must be developed for each one; the repeated development workload is large, and authentication efficiency suffers as a result.
Disclosure of Invention
In view of the foregoing, it is necessary to provide an authentication method, an authentication apparatus, a computer device, a computer-readable storage medium and a computer program product capable of improving authentication efficiency.
In a first aspect, the present application provides an authentication method, including:
when a target object accesses a target page in a service system that has been connected to the authority engine system, acquiring the permission bit identifier of the target object and an authentication ticket obtained by logging in to the authority engine system; the permission bit identifier is matched with the role category of the target object;
verifying the authentication ticket and, when it passes verification, determining the pre-configured accessible page link associated with the permission bit identifier;
feeding the accessible page link back to the service system; the fed-back accessible page link is used to instruct the service system to determine the target object's access authority to the target page according to whether the page link of the target page matches the accessible page link.
In a second aspect, the present application further provides an authentication apparatus, including:
a ticket acquisition module, configured to acquire the permission bit identifier of the target object and an authentication ticket obtained by logging in to the authority engine system when the target object accesses a target page in a service system that has been connected to the authority engine system; the permission bit identifier is matched with the role category of the target object;
a link acquisition module, configured to verify the authentication ticket and, when it passes verification, to determine the pre-configured accessible page link associated with the permission bit identifier;
a feedback module, configured to feed the accessible page link back to the service system; the fed-back accessible page link is used to instruct the service system to determine the target object's access authority to the target page according to whether the page link of the target page matches the accessible page link.
In one embodiment, the authentication apparatus further includes a ticket generating module configured to generate an authentication ticket from the login account when the target object logs in to the authority engine system, and to feed the ticket back to the service system; the fed-back ticket is used to instruct the service system to cache it and set a validity period, and to send the ticket to the authority engine system when the target object is determined to be accessing the target page while the ticket is still within its validity period.
In one embodiment, the ticket generating module is further configured to trigger display of a login page, the target object logging in to the authority engine system through the login page of the authority engine system. The login page is displayed when the target object accesses the service system for the first time within a preset time period; the target object is determined to be accessing the service system for the first time within the preset period when, on access, the session object of the service system contains no authentication ticket or the ticket it contains is invalid.
In one embodiment, the ticket generating module is further configured to obtain the login account and login password entered through the login page of the authority engine system; when the login account matches the login password, to obtain a pre-configured redirection page link; and to send the redirection page link to the front end of the service system. The sent link triggers the front end of the service system to display the corresponding redirection page, which shows an access control for accessing the target page.
In one embodiment, the ticket generating module is further configured to obtain the login account entered through the login page of the authority engine system; to generate an authorization code from the login account and feed it back, the fed-back authorization code triggering the service system to generate an authentication ticket generation request carrying the authorization code; and to receive the authentication ticket generation request sent by the service system and generate the authentication ticket from the authorization code in that request.
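The authorization-code exchange in the two embodiments above (the engine hands the service system an authorization code bound to the login account, and the service system trades it for a ticket) is one place where a permission engine is commonly broken: a code that can be redeemed twice, after a long delay, or by a service system other than the one it was issued to turns a single login into a replayable credential. The Go program below is an added example written for this page, not the patent's code; `CodeStore`, the `kanban-system` identifier and the sample accounts are assumptions. It keeps only a hash of each code and enforces single use, a short validity period and binding to the redeeming service system, none of which the text spells out.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// Added example for this page, not the patent's code; CodeStore and the
// sample identifiers below are assumptions.

// grant records what a pending authorization code stands for.
type grant struct {
	account string    // login account that matched its password at the engine's login page
	system  string    // service system the code was issued to
	expires time.Time // codes are short-lived; the ticket is the longer-lived credential
}

// CodeStore issues single-use authorization codes. Only the SHA-256 of each
// code is stored, so a copy of the store cannot be turned into usable codes.
type CodeStore struct {
	mu     sync.Mutex
	ttl    time.Duration
	now    func() time.Time // injectable clock so expiry can be tested
	grants map[[32]byte]grant
}

func NewCodeStore(ttl time.Duration) *CodeStore {
	return &CodeStore{ttl: ttl, now: time.Now, grants: make(map[[32]byte]grant)}
}

var (
	ErrUnknownCode = errors.New("authorization code unknown or already redeemed")
	ErrExpiredCode = errors.New("authorization code expired")
	ErrWrongSystem = errors.New("authorization code presented by a different service system")
)

// Issue runs after the login account and password have matched. The returned
// code is what the engine feeds back to the service system.
func (s *CodeStore) Issue(account, system string) (string, error) {
	raw := make([]byte, 32) // 256 bits from the OS CSPRNG; never derived from the account
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	code := hex.EncodeToString(raw)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.grants[sha256.Sum256([]byte(code))] = grant{account, system, s.now().Add(s.ttl)}
	return code, nil
}

// Redeem resolves the code carried by the service system's ticket generation
// request back to a login account. The code is deleted on first presentation
// whatever the outcome, so a leaked code cannot be replayed.
func (s *CodeStore) Redeem(code, system string) (string, error) {
	key := sha256.Sum256([]byte(code))
	s.mu.Lock()
	defer s.mu.Unlock()
	g, ok := s.grants[key]
	if !ok {
		return "", ErrUnknownCode
	}
	delete(s.grants, key)
	if s.now().After(g.expires) {
		return "", ErrExpiredCode
	}
	if g.system != system {
		return "", ErrWrongSystem
	}
	return g.account, nil
}

func main() {
	store := NewCodeStore(60 * time.Second)
	code, _ := store.Issue("alice", "kanban-system")
	account, err := store.Redeem(code, "kanban-system")
	fmt.Println(account, err) // alice <nil>
	_, err = store.Redeem(code, "kanban-system")
	fmt.Println(err) // authorization code unknown or already redeemed
}
```

The store deletes the code before checking expiry or the redeeming system, so a code that fails for any reason is gone and cannot be retried against a different check. In a deployment with more than one engine instance the map would be a shared store with the same delete-on-first-use semantics.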
In one embodiment, the ticket generating module is further configured to parse the authorization code to obtain the login account of the target object; to determine the pre-configured object identity information corresponding to the login account; to encrypt the object identity information to obtain identity encryption information; and to sign the identity encryption information together with the object identifier of the target object with a preset private key to obtain the authentication ticket.
In one embodiment, the ticket generating module is further configured to obtain an encryption function and a key; to divide the object identity information into a plurality of identity information fragments; to encrypt each fragment with the encryption function and the key to obtain a corresponding encrypted fragment; and to combine the encrypted fragments to obtain the identity encryption information.
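The two embodiments above describe the ticket as encrypted object identity information plus the object identifier, signed with a private key the engine holds, with the identity information encrypted fragment by fragment under one key. The following Go program, added here and not part of the patent, implements that construction with standard-library primitives (AES-256-GCM for the identity information, Ed25519 for the signature); the ticket layout, `TicketIssuer` and the sample identity record are assumptions. One deliberate departure: the identity information is sealed in a single AES-GCM call rather than fragment by fragment, because encrypting fragments separately under the same key and nonce would reveal which fragments of two tickets are equal; the nonce is generated fresh for each ticket and prepended to the ciphertext. An expiry is also signed into the ticket so that the engine enforces the validity period itself rather than relying only on the service system's cache timeout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Added example for this page, not the patent's code; TicketIssuer, the ticket
// layout objectID.expiry.encryptedIdentity.signature and the sample record are assumptions.

var b64 = base64.RawURLEncoding

// TicketIssuer holds the engine's keys; the AES key never leaves the engine.
type TicketIssuer struct {
	aead     cipher.AEAD // AES-256-GCM over the object identity information
	signPriv ed25519.PrivateKey
	SignPub  ed25519.PublicKey // a service system may hold this to pre-check tickets
}

func NewTicketIssuer() (*TicketIssuer, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail here
	aead, _ := cipher.NewGCM(block)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TicketIssuer{aead: aead, signPriv: priv, SignPub: pub}, nil
}

// encryptIdentity seals the identity information under a fresh random nonce, prepended to the ciphertext.
func (t *TicketIssuer) encryptIdentity(identity []byte) ([]byte, error) {
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return t.aead.Seal(nonce, nonce, identity, nil), nil
}

// DecryptIdentity is the engine-side inverse; a service system holds no key for it.
func (t *TicketIssuer) DecryptIdentity(enc []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(enc) < n {
		return nil, errors.New("ciphertext too short")
	}
	return t.aead.Open(nil, enc[:n], enc[n:], nil)
}

// IssueTicket runs once the authorization code has resolved to a login account
// whose object identifier and pre-configured identity information are known.
func (t *TicketIssuer) IssueTicket(objectID string, identity []byte, expiry time.Time) (string, error) {
	enc, err := t.encryptIdentity(identity)
	if err != nil {
		return "", err
	}
	body := b64.EncodeToString([]byte(objectID)) + "." +
		b64.EncodeToString([]byte(expiry.UTC().Format(time.RFC3339))) + "." +
		b64.EncodeToString(enc)
	return body + "." + b64.EncodeToString(ed25519.Sign(t.signPriv, []byte(body))), nil
}

// VerifyTicket checks the signature before looking at anything else, then the
// expiry, and returns the object identifier and the still-encrypted identity.
func VerifyTicket(pub ed25519.PublicKey, ticket string, now time.Time) (string, []byte, error) {
	parts := strings.Split(ticket, ".")
	if len(parts) != 4 {
		return "", nil, errors.New("malformed ticket")
	}
	sig, err := b64.DecodeString(parts[3])
	if err != nil || !ed25519.Verify(pub, []byte(strings.Join(parts[:3], ".")), sig) {
		return "", nil, errors.New("signature check failed")
	}
	id, err1 := b64.DecodeString(parts[0])
	expRaw, err2 := b64.DecodeString(parts[1])
	enc, err3 := b64.DecodeString(parts[2])
	exp, err4 := time.Parse(time.RFC3339, string(expRaw))
	if err1 != nil || err2 != nil || err3 != nil || err4 != nil {
		return "", nil, errors.New("malformed ticket")
	}
	if !now.Before(exp) {
		return "", nil, errors.New("ticket expired")
	}
	return string(id), enc, nil
}

func main() {
	issuer, _ := NewTicketIssuer()
	identity := []byte(`{"dept":"payments","staff_no":"A17"}`) // constructed sample record
	ticket, _ := issuer.IssueTicket("obj-1001", identity, time.Now().Add(time.Hour))
	objectID, enc, err := VerifyTicket(issuer.SignPub, ticket, time.Now())
	plain, _ := issuer.DecryptIdentity(enc)
	fmt.Println(objectID, string(plain), err) // obj-1001 {"dept":"payments","staff_no":"A17"} <nil>
}
```

Because the signature covers the object identifier, the expiry and the ciphertext together, none of the three can be swapped for a value from another ticket; and because verification only needs the public key, the service system can reject obviously bad tickets before asking the engine, while the identity information stays readable only by the engine.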
In one embodiment, the authentication apparatus is further configured to obtain a permission bit identifier request sent by the service system and parse it to obtain the authentication ticket it carries; to parse the authentication ticket to obtain the object identifier of the target object; and to determine the corresponding permission bit identifier from the object identifier and send it to the service system, the sent permission bit identifier triggering the service system to cache it.
In one embodiment, the authentication apparatus is further configured to determine the role category to which the target object belongs from the object identifier, and to look up the preset permission bit associated with that role category to obtain the corresponding permission bit identifier.
In one embodiment, the authentication apparatus is further configured, when the target object accesses a service system for the first time within a preset time period, to obtain the security level of the service system from its system identifier; when that security level is greater than or equal to a preset threshold, to determine whether the target object has passed the internal authentication of the enterprise to which the service system belongs; and, when it has, to determine whether the target object has logged in to the authority engine system, triggering the front end of the service system to display an access control for accessing the target page once the target object is determined to have logged in.
In one embodiment, the feedback module is further configured to trigger the service system to determine the target object's authority to access the target page: when the page link of the target page is not among the accessible page links, the service system determines that the target object does not have authority to access the target page and, in that case, triggers the front end of the authority engine system to display a role application page, through which the target object applies for the role category required to access the target page.
In a third aspect, the present application further provides a computer device, where the computer device includes a memory and a processor, where the memory stores a computer program, and the processor implements, when executing the computer program, the steps in any one of the authentication methods provided in the embodiments of the present application.
In a fourth aspect, the present application further provides a computer-readable storage medium, having a computer program stored thereon, where the computer program, when executed by a processor, implements the steps in any one of the authentication methods provided by the embodiments of the present application.
In a fifth aspect, the present application further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the steps in any one of the authentication methods provided by the embodiments of the present application.
With the authentication method, authentication apparatus, computer device, storage medium and computer program product described above, when the target object accesses a target page in the service system, the permission bit identifier and the authentication ticket of the target object are obtained, the ticket is verified, and only after verification passes are the accessible page links corresponding to the permission bit identifier looked up. Releasing the accessible page links only after verification improves the security of the authentication system and reduces the chance of the links being obtained maliciously. The accessible page links are then fed back to the service system, which determines the target object's access authority to the target page from whether the page link of the target page matches one of them. Because the authority engine system is an open, independent system that any number of service systems can be connected to, the authority of many service systems can be managed through one engine; the resources spent on repeatedly developing authority management modules are saved and authentication efficiency improves. In addition, because access authority is managed down to the level of individual target pages, the method provides finer-grained authority management than the traditional coarse approach in which an account and password merely decide whether the target object may access the service system at all.
In a first aspect, the present application provides a service system access method, including:
in response to an access operation connecting a service system to the authority engine system, displaying a permission bit creation page, and in response to a permission bit creation operation triggered from that page, displaying the created permission bit;
in response to a role editing operation on the permission bit, displaying the role category associated with the permission bit by that editing operation;
in response to a link editing operation on the permission bit, displaying the accessible page link associated with the permission bit by that editing operation;
in response to completion of the link editing operation, causing a first association between the permission bit and the accessible page link to take effect at the authority engine system; the first association is used for authentication when a target object of the role category accesses a page in the service system.
In a second aspect, the present application further provides a service system access apparatus, including:
a permission bit creation module, configured to display a permission bit creation page in response to an access operation connecting the service system to the authority engine system, and to display the created permission bit in response to a permission bit creation operation triggered from that page;
a role category association module, configured to display, in response to a role editing operation on the permission bit, the role category associated with the permission bit by that editing operation;
a link association module, configured to display, in response to a link editing operation on the permission bit, the accessible page link associated with the permission bit by that editing operation, and, in response to completion of the link editing operation, to cause a first association between the permission bit and the accessible page link to take effect at the authority engine system; the first association is used for authentication when a target object of the role category accesses a page in the service system.
In one embodiment, the role category association module is further configured to display a role editing control corresponding to the created permission bit; to display a set of role categories in response to a trigger operation on the role editing control; and, in response to a selection operation on that set, to display the selected target role category and establish a second association between the target role category and the created permission bit.
In one embodiment, the service system access apparatus is further configured to display a role management page carrying a role category creation control; to display a role category creation page in response to a trigger operation on that control; in response to an input operation on the role category creation page, to display the entered role information and generate a role category creation work order from it; and to determine that the role category has been created successfully when the work order passes approval.
In one embodiment, the link association module is further configured to display a link editing control corresponding to the created permission bit; to display, in response to a trigger operation on the link editing control, the set of functional modules included in the service system; and, in response to a selection operation on that set, to take the page links included in the selected target functional module as the accessible page links associated with the permission bit.
In a third aspect, the present application further provides a computer device, where the computer device includes a memory and a processor, where the memory stores a computer program, and the processor implements the steps in any one of the authentication methods provided in the embodiments of the present application when executing the computer program.
In a fourth aspect, the present application further provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the steps in any one of the authentication methods provided in the embodiments of the present application.
In a fifth aspect, the present application further provides a computer program product, which includes a computer program, and when the computer program is executed by a processor, the computer program implements the steps in any one of the authentication methods provided by the embodiments of the present application.
With the service system access method, service system access apparatus, computer device, storage medium and computer program product described above, a permission bit is created and displayed in response to a permission bit creation operation. In response to a role editing operation on the permission bit, the role category associated with it by that operation is determined and displayed; in response to a link editing operation on the permission bit, the accessible page link associated with it by that operation is displayed; and when the link editing operation is complete, a first association between the permission bit and the accessible page link takes effect at the authority engine system. The first association, once in effect, is used for authentication when a target object of that role category accesses a page in the service system. Because each service system only needs to be connected to the authority engine system for its authority to be managed there, the authority of many service systems is managed through one engine, the resources spent on repeatedly developing authority management modules are saved, and authentication efficiency improves.
Drawings
FIG. 1 is a diagram of the application environment of the authentication method in one embodiment;
FIG. 2 is a flow diagram of the authentication method in one embodiment;
FIG. 3 is a diagram of the association between permission bits, accessible page links and role categories in one embodiment;
FIG. 4 is a schematic diagram of the process flow for accessing a target page in one embodiment;
FIG. 5 is a functional diagram of the authority engine system in one embodiment;
FIG. 6 is a schematic diagram of the delivery of an authentication ticket in one embodiment;
FIG. 7 is a diagram of an access configuration page in one embodiment;
FIG. 8 is a schematic diagram of the generation of an authentication ticket in one embodiment;
FIG. 9 is a diagram of a role category management page in one embodiment;
FIG. 10 is a schematic flow chart of authentication in one embodiment;
FIG. 11 is an interaction diagram of role permission information acquisition in one embodiment;
FIG. 12 is a diagram of the access interaction for a target page in one embodiment;
FIG. 13 is a flow chart of the service system access method in one embodiment;
FIG. 14 is a schematic diagram of an authority management page in one embodiment;
FIG. 15 is a schematic diagram of service system access in one embodiment;
FIG. 16 is a flow diagram of the authentication method in one embodiment;
FIG. 17 is a flow chart of the service system access method in an exemplary embodiment;
FIG. 18 is a block diagram of the structure of the authentication apparatus in one embodiment;
FIG. 19 is a block diagram of the service system access apparatus in one embodiment;
FIG. 20 is a diagram of the internal structure of a computer device in one embodiment;
FIG. 21 is a diagram of the internal structure of a computer device in another embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The authentication method provided by the embodiments of the application can be applied in the application environment shown in FIG. 1, in which the terminal 102 communicates with the first server 104 and with the second server 106 over a network. A data storage system may store the data that the first server 104 and the second server 106 need to process; it may be integrated in either server, or located in the cloud or on another server. The back end of the service system is deployed on the first server 104 and the back end of the authority engine system on the second server 106. The target object accesses the service system through the terminal 102. When the target object accesses the service system for the first time within a preset time period, the terminal 102 displays the login page of the authority engine system, so that the second server 106, once it determines that the target object has logged in to the authority engine system successfully, can generate an authentication ticket and send it to the first server 104 to be cached. When the target object then accesses a target page in the service system through the terminal 102, the terminal 102 triggers the first server 104 to generate an authentication request carrying the authentication ticket and send it to the second server 106; the second server 106 looks up the accessible page links corresponding to the ticket in the request and returns them to the first server 104, which determines the target object's access authority to the target page from the page link of the target page and the accessible page links.
The terminal 102 may be, but is not limited to, a desktop computer, notebook computer, smartphone, tablet computer, smart voice interaction device, smart home appliance, vehicle terminal, Internet of Things device or portable wearable device; smart home appliances include smart speakers, smart televisions, smart air conditioners and smart in-vehicle devices, and portable wearable devices include smart watches, smart bracelets and head-mounted devices. The first server 104 and the second server 106 may each be implemented as a stand-alone server or as a cluster of servers. The embodiments can be applied in scenarios including, but not limited to, cloud technology, artificial intelligence, intelligent traffic and driving assistance.
The scheme provided by the embodiment of the application relates to the technologies of automatic authentication of artificial intelligence and the like, for example, the authority engine of the application can intelligently authenticate a target object so as to determine whether the target object has the access authority to a target page. Artificial Intelligence (AI) is a theory, method, technique and application system that uses a digital computer or a machine controlled by a digital computer to simulate, extend and expand human Intelligence, perceive the environment, acquire knowledge and use the knowledge to obtain the best results. In other words, artificial intelligence is a comprehensive technique of computer science that attempts to understand the essence of intelligence and produce a new intelligent machine that can react in a manner similar to human intelligence. With the research and progress of artificial intelligence technology, the artificial intelligence technology is researched and applied in a plurality of fields, such as common automatic authentication, smart home, smart wearable equipment, virtual assistant, smart speaker, smart marketing, unmanned driving, automatic driving, unmanned aerial vehicle, robot, smart medical treatment, smart customer service, and the like.
To better understand the authentication method of the embodiments of the application, its overall idea is introduced first.
In the traditional scheme, an independent authority management module is developed for each service system, and that module determines whether a user has the authority to access the system; the repeated development workload is large. An authority engine system is therefore developed through which the authority of a plurality of service systems can be managed. The authority engine system is a system that manages the authority of each service system. It is an open, independent system that different service systems can be connected to, so that once a service system has been connected successfully, its authority is managed through the authority engine system.
When connecting a business system to the permission engine system, a developer may create a plurality of permission bits associated with the business system being connected. A permission bit is information pointing to a set of functional modules in the business system, and may include a permission bit identifier, a permission bit name, a permission bit sensitivity level, a permission bit storage directory, and the like. The permission bit identifier is information that uniquely identifies one permission bit; for example, it may be a number that identifies the permission bit. The permission bit name is the name of the permission bit. For example, when the name of the permission bit is "packet-creation, query, operation", the permission bit can be considered to point to the packet creation function module, the packet query function module, and the packet operation function module in the business system. When the name of the permission bit is "kanban-search, statistics", the permission bit can be considered to point to the kanban content search function module and the kanban content statistics function module in the business system. Since a permission bit is information pointing to a set of functional modules in the business system, a permission bit may be associated with at least one accessible page link. For example, when the permission bit points to the kanban content search function module and the kanban content statistics function module, the developer may take the link of the page provided by the kanban content search function module and the link of the page provided by the kanban content statistics function module as accessible page links, and associate those accessible page links with the permission bit named "kanban-search, statistics".
When connecting the business system to the permission engine system, the developer may also associate role categories with permission bits. A role category is the type of a role; for example, a role category may be a general role category, an administrator role category, or the like, and different target objects may be assigned different role categories. One permission bit may be associated with one or more role categories, and different permission bits may be associated with the same role category or with different role categories. After a permission bit is associated with a role category, the identifier of that permission bit can be considered to match the role category. For example, when the permission bit named "kanban-search, statistics" is associated with the general role category, the identifier of the permission bit named "kanban-search, statistics" can be considered to match the general role category.
When accessible page links have been associated with the permission bits and role categories have been associated with the permission bits, the business system can be considered to have been successfully connected to the permission engine system, and the permission engine system records the association among permission bits, accessible page links and role categories. For example, referring to FIG. 3, business systems A to D are connected to the permission engine system; each business system has a plurality of associated role categories, each role category is associated with its permission bits, and the permission bits are associated with their accessible page links. Once a business system has been connected to the permission engine system, when a target object accesses a target page in that business system, the permission engine system can determine whether the target object has the authority to access the target page according to the recorded association among permission bits, accessible page links and role categories. In this way the permissions of each business system are managed through one unified permission engine system, and authentication efficiency is greatly improved. FIG. 3 is a diagram illustrating the association between permission bits, accessible page links, and role categories in one embodiment.
In one embodiment, as shown in FIG. 2, an authentication method is provided. The method is described by way of example as applied to the second server in FIG. 1, which runs the permission engine system, and includes the following steps:
Step 202: when a target object accesses a target page in a business system connected to the permission engine system, acquire the permission bit identifier of the target object and the authentication ticket obtained by logging in to the permission engine system; the permission bit identifier matches the role category of the target object.
The business system may be any system capable of executing business logic, such as conference initiation, session management, logical operations, information queries, and the like; the embodiments of the present application do not limit the type of business logic. The authentication ticket is a ticket generated by the permission engine system to represent the identity of the target object when the target object logs in to the permission engine system; for example, the authentication ticket may be a token.
Specifically, the target object may access a target page in a business system connected to the permission engine system through a terminal. For example, after the terminal displays the home page of the business system, the target object may click a page jump control in the home page and thereby access the target page. The business system caches the role permission information and the authentication ticket of the target object, where the role permission information includes the role category and the permission bit identifier of the target object, and the cached permission bit identifier matches the role category of the target object. Therefore, when the business system determines that the target object is accessing a target page, it can generate an authentication request from the permission bit identifier and the authentication ticket of the target object and send the authentication request to the permission engine system. When the permission engine system receives the authentication request, it can parse the request to obtain the permission bit identifier and the authentication ticket of the target object.
In one embodiment, when a target object accesses a business system for the first time within a preset time period, the target object first needs to log in to the permission engine system. When the target object logs in, the permission engine system can generate an authentication ticket according to the login account used for the login, determine the role category to which the login account belongs, and determine the permission bit identifier matching that role category. The permission engine system then feeds the authentication ticket and the permission bit identifier back to the business system. When the business system receives them, it can cache the authentication ticket and the permission bit identifier and set a validity time; at the same time, the business system can trigger the terminal to display a specified page, for example the home page of the business system, so that the target object can access a target page of the business system through the home page. The validity time set by the business system can be the same as the preset time period, so that once the authentication ticket has expired, the target object is considered to be accessing the business system for the first time within the preset time period and must log in to the permission engine system again.
In one embodiment, when a target object logs in the authority engine system, the authority engine system may obtain object identity information of the target object according to a login account of the target object, and encrypt the object identity information to obtain an authentication ticket.
Step 204: verify the authentication ticket, and when the authentication ticket passes verification, determine the pre-configured accessible page link associated with the permission bit identifier.
Specifically, when the permission engine system receives the authentication ticket of the target object, it may decode the authentication ticket to obtain a decoded authentication ticket. Because the authentication ticket is a token representing the identity of the target object, when the authentication ticket is decoded successfully, or the identity information carried by the decoded authentication ticket is correct, the permission engine system can consider the authentication ticket verified, and can then look up the pre-configured accessible page link associated with the received permission bit identifier. A link is the address of a web page, file, picture, e-mail, or even an application, and so on.
In one embodiment, the business system may generate an authentication request from the role permission information and the authentication ticket of the target object and send it to the permission engine system. When the permission engine system receives the authentication request, it extracts the role category from the role permission information and verifies it. When the target object is determined to belong to that role category, the permission engine system verifies the authentication ticket, and after the ticket passes verification determines the accessible page link associated with the permission bit identifier in the role permission information.
In one embodiment, the permission engine system stores a public/private key pair used for encrypting and decrypting the object identity information of the target object. The permission engine system can encrypt the object identity information of the target object with the private key to obtain the authentication ticket, and when it receives the authentication ticket, decode it with the public key to obtain the object identity information of the target object.
In one embodiment, when the authentication ticket passes verification, the permission engine system can determine the target permission bit having the received permission bit identifier and determine the accessible page link associated with that target permission bit, which was pre-configured when the business system was connected; this accessible page link is taken as the accessible page link associated with the received permission bit identifier.
Step 206: feed the accessible page link back to the business system; the fed-back accessible page link instructs the business system to determine the access authority of the target object to the target page according to the matching relationship between the page link of the target page and the accessible page link.
Specifically, when the permission engine system obtains the accessible page link associated with the permission bit identifier, it may send the accessible page link to the business system, so that the business system can determine the page link of the target page and decide, from the page link of the target page and the received accessible page link, whether the target object has the authority to access the target page.
In one embodiment, the business system matches the page link of the target page against the received accessible page links. When the page link of the target page belongs to the accessible page links, the business system determines that the target object has the authority to access the target page and triggers the terminal to display the target page. When the page link of the target page does not belong to the accessible page links, the business system determines that the target object does not have the authority to access the target page and prompts the target object to apply for the corresponding permission.
In one embodiment, when the permission engine system determines the accessible page link associated with the received permission bit identifier, it may further obtain the page link of the target page in the business system and determine the authentication result from the matching relationship between the page link of the target page and the accessible page link. For example, when the page link of the target page belongs to the accessible page links, the authentication result is that the target object has the authority to access the target page. The permission engine system then returns the authentication result to the business system, and the business system can decide from the received authentication result whether to trigger the terminal to display the target page; for example, when the authentication result indicates that the target object has the authority to access the target page, the business system sends the page data of the target page to the terminal.
In one embodiment, referring to FIG. 4, when a business system is connected to the permission engine system, the permission engine system can create a system identifier corresponding to the connected business system, create role categories, determine the permission bits associated with each role category, and determine the accessible page links associated with each permission bit. When the target object accesses a target page of the business system, the business system can determine whether the authentication ticket of the target object is in a valid state; if not, the business system triggers the terminal to display the login page of the permission engine system, so that after a successful login the permission engine system generates an authentication ticket and returns it to the business system. When the authentication ticket is valid, the business system can determine the role category of the target object and, using that role category, pull the role interface whitelist from the permission engine system. The role interface whitelist records the accessible page links associated with the permission bit identifiers matching the role category. When the business system obtains the role interface whitelist, it can determine the access authority of the target object to the target page based on the role interface whitelist and the page link of the target page. FIG. 4 is a diagram illustrating the access flow of a target page in one embodiment.
In one embodiment, referring to FIG. 5, FIG. 5 shows a functional diagram of a rights engine system in one embodiment. In the authority engine system of this embodiment, the authority engine system may include an identity authentication module, a user authentication module, an approval management module, a statistics management module, a work order management module, and an authority management module. For example, the identity of the target object can be authenticated by decoding the authentication ticket, the authority of the target object for accessing the target page can be verified, the work order of the target object for applying the role category can be examined and approved, the number of the accessed service systems can be counted, the authority can be self-evaluated, and the like.
In the above authentication method, when the target object accesses a target page in the business system, the permission bit identifier and the authentication ticket of the target object are obtained, the authentication ticket is verified, and the accessible page link corresponding to the permission bit identifier is obtained after verification passes. Obtaining the accessible page link only after verification passes improves the security of the authentication system and reduces the probability that the accessible page link is obtained maliciously. The obtained accessible page link is fed back to the business system, so that the business system can determine the access authority of the target object to the target page according to the matching relationship between the page link of the target page and the accessible page link. Because the permission engine system is an open, independent system that other systems can connect to, a plurality of business systems can be connected to it, so that the permissions of the plurality of business systems are managed through one permission engine system, the resources consumed by repeatedly developing permission management modules are reduced, and authentication efficiency is improved. In addition, because the method and device manage access authority at the level of the target page, compared with the traditional coarse permission management that determines through an account and a password whether the target object may access the business system at all, the access authority is managed more finely, achieving finer-grained permission management.
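The following is an added example, not code from the patent or from the applicant, modelling steps 202 to 206: the permission bit registry built when a business system is connected, the authentication ticket issued at login, and the engine-side check that returns the accessible page links for a permission bit identifier, plus the business system's exact match of the target page link. All names and the data layout are assumptions; the patent's private-key encryption with public-key decoding is a signature rather than confidentiality, and an HMAC over the identity information stands in for that key pair so the example runs on the standard library alone.

```python
"""Minimal model of the permission engine flow in steps 202 to 206 (added example)."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed key for the example; a deployment holds the key pair the patent describes.
ENGINE_KEY = b"constructed-permission-engine-key"


@dataclass
class PermissionBit:
    """Permission bit: identifier, name, sensitivity level and the page links it grants."""
    bit_id: str
    name: str
    sensitivity: int
    accessible_links: Set[str] = field(default_factory=set)


class PermissionEngine:
    """Records the association among permission bits, accessible page links and role categories."""

    def __init__(self) -> None:
        self.bits: Dict[str, PermissionBit] = {}
        self.role_bits: Dict[str, Set[str]] = {}   # role category -> matching permission bit ids
        self.account_role: Dict[str, str] = {}    # login account -> role category

    def register_bit(self, bit: PermissionBit, roles: List[str]) -> None:
        """Connection-time configuration: associate the bit with its links and role categories."""
        self.bits[bit.bit_id] = bit
        for role in roles:
            self.role_bits.setdefault(role, set()).add(bit.bit_id)

    def login(self, account: str, ttl_seconds: int, now: float) -> Tuple[str, str, List[str]]:
        """Issue the authentication ticket plus the role category and matching bit identifiers
        that the business system caches. The identity info is signed, not hidden: anyone who
        holds the ticket can read the account and role, so the ticket itself is a secret."""
        role = self.account_role[account]
        body = json.dumps({"sub": account, "role": role, "exp": now + ttl_seconds},
                          sort_keys=True).encode()
        sig = hmac.new(ENGINE_KEY, body, hashlib.sha256).hexdigest()
        ticket = base64.urlsafe_b64encode(body).decode() + "." + sig
        return ticket, role, sorted(self.role_bits.get(role, set()))

    def verify_ticket(self, ticket: str, now: float) -> Optional[dict]:
        """Step 204: decode the ticket; None on malformed input, bad signature or expiry."""
        try:
            body_b64, sig = ticket.split(".")
            body = base64.urlsafe_b64decode(body_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(ENGINE_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        claims = json.loads(body)
        return None if claims["exp"] <= now else claims

    def authenticate(self, ticket: str, bit_id: str, now: float) -> Optional[Set[str]]:
        """Engine side of steps 202 to 206: verify the ticket, require that the bit identifier
        matches the role category carried by the ticket, and return the pre-configured links."""
        claims = self.verify_ticket(ticket, now)
        if claims is None or bit_id not in self.role_bits.get(claims["role"], set()):
            return None
        bit = self.bits.get(bit_id)
        return None if bit is None else set(bit.accessible_links)


def business_system_check(engine: PermissionEngine, ticket: str, bit_id: str,
                          target_link: str, now: float) -> bool:
    """Business system side of step 206: the target page is shown only when its link is one
    of the fed-back accessible links. The match is exact rather than a prefix match, so a
    link such as "/kanban/search-admin" is not granted by "/kanban/search"."""
    links = engine.authenticate(ticket, bit_id, now)
    return links is not None and target_link in links


def build_demo_engine() -> PermissionEngine:
    """Constructed configuration mirroring the patent's worked examples."""
    engine = PermissionEngine()
    engine.register_bit(PermissionBit("bit-1", "kanban-search, statistics", 1,
                                      {"/kanban/search", "/kanban/statistics"}),
                        roles=["general", "administrator"])
    engine.register_bit(PermissionBit("bit-2", "packet-creation, query, operation", 2,
                                      {"/packet/create", "/packet/query", "/packet/operate"}),
                        roles=["administrator"])
    engine.account_role = {"alice": "general", "bob": "administrator"}
    return engine


if __name__ == "__main__":
    eng = build_demo_engine()
    t0 = time.time()
    tk, role, bits = eng.login("alice", 7200, t0)
    print(role, bits, business_system_check(eng, tk, "bit-1", "/kanban/search", t0 + 60))
```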
In one embodiment, before the target object accesses the target page in the business system connected to the permission engine system, the method further includes a step of generating an authentication ticket, which includes: when the target object logs in to the permission engine system, generating an authentication ticket according to the login account used for the login, and feeding the authentication ticket back to the business system; the fed-back authentication ticket instructs the business system to cache the authentication ticket and set a validity time, and to send the authentication ticket to the permission engine system when the target object is determined to be accessing the target page and the authentication ticket is within its validity time.
Specifically, before the target object accesses the target page in the business system, the target object needs to log in to the permission engine system. For example, the business system may include a business system front end and a business system back end. The front end, namely the foreground part of the website, runs in browsers on computers, mobile devices and the like, and presents the web pages browsed by the target object. The back end is an application program deployed on the server that provides various service support for the front end. When the target object enters the business system, the terminal can first display the login page of the permission engine. The target object logs in to the permission engine system through the displayed login page; the permission engine system obtains the login account entered by the target object through the login page, generates an authentication ticket according to the login account, and returns the authentication ticket to the business system background. The business system background can create a session object, store the received authentication ticket in the session object, and set the validity time of the authentication ticket.
The session object may be a session. When the business system background stores the authentication ticket in the session object, it can determine the session object identifier of that session object and send it to the terminal, that is, to the business system front end, so that when the target object accesses a target page of the business system, the business system front end can send the session object identifier to the business system background; the background finds the corresponding session object from the received identifier, extracts the authentication ticket from it, and sends the extracted authentication ticket to the permission engine system when it is still valid.
In one embodiment, since the business system background sets the validity time of the authentication ticket when it caches the ticket, the business system background can determine whether the authentication ticket is still valid from the caching time of the ticket, the current time and the set validity time. For example, when the authentication ticket was cached at 12 o'clock, the validity time is 2 hours, and the current time is 15 o'clock, the authentication ticket is invalid because the current time falls outside the interval from 12 o'clock to 14 o'clock.
In one embodiment, when the target object successfully logs in to the permission engine system, the permission engine system may cache the login account and login password of the target object and set a validity time. For example, the permission engine system may include a permission engine system front end and a permission engine system back end. The terminal can run the permission engine system front end; when the target object logs in to the permission engine system through the login page displayed by that front end, the front end can cache the login account and login password of the target object in a cookie, so that while the login account is within its validity time the permission engine system can be logged in automatically using the cached login account and login password, avoiding repeated logins to the permission engine system. For example, a first business system and a second business system can both be connected to the permission engine system. When the target object accesses the first business system for the first time within a preset time period, the target object first needs to log in to the permission engine system, and at that time the permission engine system front end caches the login account and login password of the target object and sets the validity time. When, within the validity time of the login account, the target object accesses the second business system for the first time within the preset time period, the permission engine system front end can log in automatically using the cached login account and login password, so that the target object does not need to log in to the permission engine system repeatedly. For example, referring to FIG. 6, business systems A to D may all be connected to the permission engine system. When the target object accesses business system A for the first time within a preset time period, the target object needs to log in to the permission engine system; the permission engine system generates an authentication ticket and sends it to business system A. When the login account is within its validity time and the target object accesses business system B for the first time within the preset time period, the target object does not need to log in to the permission engine system again, and the permission engine system sends the generated authentication ticket to business system B. In this way the authentication ticket is shared among different business systems through the permission engine system. FIG. 6 is a schematic diagram of the delivery of an authentication ticket in one embodiment.
In this embodiment, an authentication ticket representing the identity of the target object is generated, so that the identity of the target object can be determined from the authentication ticket when the target object accesses the target page, improving the security of page access. By setting a validity time for the authentication ticket, the ticket is sent to the permission engine system only while it is within its validity time, further improving the security of page access. Storing the authentication ticket in the business system achieves cross-body isolated storage, which improves the security and compliance of the permission engine system.
In one embodiment, the target object logs in the rights engine system through a login page of the rights engine system; the login page is a page displayed when the target object accesses the service system for the first time within a preset time period; and when the target object accesses the service system and the session object of the service system does not comprise the authentication bill or the authentication bill is invalid, determining that the target object accesses the service system for the first time within a preset time period.
Specifically, the target object may log in to the permission engine system through its login page, which is the page displayed when the target object accesses the business system for the first time within a preset time period. For example, when the preset time period is set to 2 hours, it may be determined whether the target object is accessing the business system for the first time within the 2-hour period that ends at the current time, and if so, the target object needs to log in to the permission engine system. Illustratively, the business system may include a business system front end and a business system background. When the target object enters the business system through a browser on the terminal, the business system front end sends a home page display request to the business system background, which checks whether the request carries a session object identifier. If it does, the background determines the session object corresponding to that identifier and extracts the authentication ticket from it. Since the authentication ticket has a validity time, the background can determine from that validity time whether the ticket is still valid. When the ticket has expired, the target object is determined to be accessing the business system for the first time within the preset time period; when the ticket is valid, the target object is determined not to be accessing the business system for the first time within the preset time period.
When the home page display request does not carry a session object identifier, it is likewise determined that the target object is accessing the business system for the first time within the preset time period. Since the target object must open the business system front end in order to access a target page in the business system, the step of logging in to the permission engine system occurs before the target object accesses the target page.
In this embodiment, when the session object does not include an authentication ticket, the target object can be considered not to have logged in to the permission engine system, so the target object needs to log in to have an authentication ticket generated. When the authentication ticket in the session object has expired, the target object can be considered to have logged in to the permission engine system before the preset time period that ends at the current time, and to improve the security of authentication the target object needs to log in to the permission engine system again.
In one embodiment, before generating the authentication ticket according to the login account used when the target object logs in to the permission engine system, the method further includes: acquiring the login account and the login password entered through the login page of the permission engine system; when the login account matches the login password, acquiring a pre-configured redirection page link; and sending the redirection page link to the business system front end; the sent redirection page link triggers the business system front end to display the corresponding redirection page, on which an access control for accessing the target page is displayed.
Specifically, a redirection page link may be configured when the business system is connected to the permission engine system. When the business system has been successfully connected and the target object has successfully logged in to the permission engine system, the permission engine system can obtain the pre-configured redirection page link and send it to the business system front end, which can then display the redirection page corresponding to the link. That is, the terminal of the target object switches from displaying the login page to displaying the redirection page. The redirection page can show an access control for accessing the target page; for example, the redirection page may be the home page of the business system, so that the target object can access the corresponding target page through the home page.
In one embodiment, referring to FIG. 7, when the business system is connected to the permission engine system, the terminal may display an access configuration page of the permission engine system. A redirection page link input box 701 may be displayed in the access configuration page, and the person connecting the system may enter a redirection page link in it. Multiple redirection page links may be entered in the redirection page link input box, and the person connecting the system may specify the redirection page link matching each scenario. For example, when the login account matches the login password, the permission engine system may obtain the set of redirection page links, select from it the target redirection page link matching the successful-login scenario, and send that redirection page link to the business system front end. FIG. 7 illustrates an access configuration page in one embodiment.
In this embodiment, because the redirection page link is configured in advance, when the target object is determined to have logged in successfully the terminal can be triggered to switch from displaying the login page of the permission engine system to displaying the redirection page of the business system, so that the target object can access the target page of the business system from the displayed redirection page.
In one embodiment, generating the authentication ticket according to the login account used when the target object logs in to the permission engine system includes: acquiring the login account entered through the login page of the permission engine system; generating an authorization code according to the login account and feeding the authorization code back; the fed-back authorization code triggers the business system to generate an authentication ticket generation request carrying the authorization code; and receiving the authentication ticket generation request sent by the business system and generating the authentication ticket according to the authorization code in that request.
Specifically, when the target object logs in the permission engine system through the login page, the permission engine system may obtain the login account input through the login page, and encode the login account to obtain the authorization code. The coding method adopted for coding the login account number can be freely set according to requirements. Further, the authority engine system can send the authorization code to the service system, and the service system can generate an authentication bill generation request according to the authorization code when receiving the authorization code. Further, the service system can send the authentication bill generation request to the authority engine system, and the authority engine system extracts the authorization code in the authentication bill generation request and generates the authentication bill according to the authorization code.
In one embodiment, when the authorization code is generated by the authority engine system, the authority engine system can send the generated authorization code and the searched redirection page link to the service system background, so that the service system background can send the authorization code and the redirection page link to the service system front end, the service system front end can display the redirection page corresponding to the redirection page link, and after the redirection page is displayed, an authentication bill generation request carrying the authorization code is generated. The front end of the service system can send the generated authentication bill generation request to the authority engine system through the background of the service system, and then the authority engine system analyzes the received authentication bill generation request to obtain an authorization code and generates the authentication bill according to the authorization code.
In the above embodiment, since the authorization code is generated according to the login account when the target object logs in the authority engine system, when the service system receives the authorization code, the service system may determine that the target object has successfully logged in the authority engine system, and thus when it is determined that the target object has logged in the authority engine system, the service system may generate the authentication ticket generation request, which may reduce the probability that the target object sends the authentication ticket generation request to the authority engine system without logging in the authority engine system, thereby improving the generation security of the authentication ticket.
In one embodiment, generating the authentication ticket according to the authorization code in the authentication ticket generation request includes: parsing the authorization code to obtain the login account of the target object; determining the pre-configured object identity information corresponding to the login account; encrypting the object identity information to obtain identity encryption information; and signing the identity encryption information and the object identifier of the target object with a preset private key to obtain the authentication ticket.
Specifically, when the authority engine system receives the authentication ticket generation request, it may parse the request to obtain the authorization code, and parse the authorization code to obtain the login account of the target object. Because the target object applies for a login account and inputs the object identity information associated with that account when registering with the authority engine system, the authority engine system can look up the object identity information matching the login account once the authorization code has been parsed. The authority engine system then encrypts the found object identity information with a preset encryption algorithm to obtain identity encryption information, and signs the identity encryption information and the object identifier of the target object with a preset private key to obtain the authentication ticket.
In one embodiment, the object identity information may include the node identifier of the node to which the target object belongs in the organizational structure, for example the identifier of the department the target object belongs to. The object identity information may also include information such as an employee identifier, name, mobile phone number and postcode. The object identifier of the target object is information that uniquely identifies one target object, for example an ID of the target object.
In one embodiment, referring to fig. 8, the authentication ticket issued by the authority engine system is not forgeable, because a double encryption is used: the object identity information of the target object is first encrypted by an encryption algorithm, and the encrypted object identity information is then signed with a private key. The private-key signature ensures that the authority engine system is the only ticket dispatching point; the authentication ticket has a life cycle, and the private key is replaced periodically, so the reliability of the authentication ticket rests on both the periodically replaced private key and the ticket's life cycle. The authority engine system dispatches the authentication ticket only after the target object is determined to have logged in successfully, which further improves the reliability of the ticket. The dispatched authentication ticket represents the identity of the target object, and when the target object's login fails, the dispatched authentication ticket is likewise in a failure state. The authority engine system not only dispatches authentication tickets but also verifies the authentication tickets it receives; when the authority engine system dispatches an authentication ticket, the ticket is stored in the session object of the service system.
The private key is stored in the authority engine system, signing with the private key is a pure algorithmic process, and the signed authentication tickets are not held in any central store, so even if the logic server has a vulnerability, the probability of the tickets being dumped in bulk is reduced. Figure 8 shows a schematic diagram of the generation of an authentication ticket in one embodiment.
In the above embodiment, the security of the generated authentication ticket is improved by the double encryption.
In one embodiment, encrypting the object identity information to obtain the identity encryption information includes: acquiring an encryption function and a key; dividing the object identity information to obtain a plurality of identity information fragments; encrypting each identity information fragment with the encryption function and the key to obtain the encrypted fragment corresponding to that fragment; and combining the encrypted fragments corresponding to the identity information fragments to obtain the identity encryption information.
Specifically, when the object identity information of the target object needs to be encrypted, the authority engine system may obtain a preset encryption function and a preset key. The authority engine system may then divide the object identity information of the target object; for example, it may encode the object identity information to obtain a coding sequence, and divide the coding sequence according to a preset partition length to obtain a plurality of identity information fragments, where a plurality means more than two. Illustratively, the partition length may be set to 128 bytes, so that the authority engine system treats every 128 bytes of the coding sequence as one identity information fragment. For each of the identity information fragments, the authority engine system may use the current identity information fragment and the obtained key as inputs of the encryption function, so that the encryption function outputs the encrypted fragment corresponding to the current fragment; that is, the current identity information fragment is encrypted with the encryption function and the key to obtain the corresponding encrypted fragment. When the encrypted fragment corresponding to each identity information fragment has been obtained, the authority engine system can splice the encrypted fragments to obtain the identity encryption information of the target object.
In this embodiment, the object identity information of the target object is divided into a plurality of identity information fragments and each fragment is encrypted separately, which increases the complexity of the encryption and further reduces the probability that the resulting identity encryption information is cracked by simple means.
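The fragment-wise encryption of the object identity information described above, as an added Go example that is not code from the patent: the 128-byte partition length follows the embodiment, while AES-GCM with a fresh nonce per fragment is an assumed choice of encryption function, since the page fixes none, and the zero demo key and the sample identity string are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// fragmentLen is the partition length applied to the encoded identity
// information: every 128 bytes of the coding sequence is one fragment.
const fragmentLen = 128

// newGCM is the "encryption function" taken together with its key. The page
// does not fix an algorithm; AES-GCM is assumed here because the tag on each
// encrypted fragment also detects tampering with that fragment.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptIdentity divides identity into fragments of fragmentLen bytes,
// encrypts each fragment with the encryption function and key, and splices
// the encrypted fragments. Each fragment is stored as nonce || ciphertext || tag;
// a fresh nonce per fragment keeps equal fragments from producing equal ciphertext.
func EncryptIdentity(key, identity []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	var out []byte
	for start := 0; start < len(identity); start += fragmentLen {
		end := start + fragmentLen
		if end > len(identity) {
			end = len(identity) // the final fragment may be shorter than fragmentLen
		}
		nonce := make([]byte, g.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		out = append(out, nonce...)
		out = append(out, g.Seal(nil, nonce, identity[start:end], nil)...)
	}
	return out, nil
}

// DecryptIdentity reverses EncryptIdentity. Every encrypted fragment but the
// last has the fixed size nonce + fragmentLen + tag, so fragments are located
// by stepping; a wrong key or a modified fragment fails the tag check.
func DecryptIdentity(key, enc []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := g.NonceSize()
	step := ns + fragmentLen + g.Overhead()
	var out []byte
	for start := 0; start < len(enc); start += step {
		end := start + step
		if end > len(enc) {
			end = len(enc)
		}
		if end-start < ns+g.Overhead() {
			return nil, errors.New("truncated encrypted fragment")
		}
		pt, err := g.Open(nil, enc[start:start+ns], enc[start+ns:end], nil)
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; a deployed engine uses a random, protected key
	// constructed object identity information: department, employee id, name, phone, postcode
	identity := []byte("dept=D1001;emp=E000123;name=Example User;phone=13800000000;postcode=518000")
	enc, err := EncryptIdentity(key, identity)
	if err != nil {
		panic(err)
	}
	dec, err := DecryptIdentity(key, enc)
	fmt.Println(len(enc), string(dec) == string(identity), err)
}
```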
In one embodiment, after the authentication ticket is fed back to the service system, the method further includes a permission bit identifier acquisition process, which includes: acquiring a permission bit identifier acquisition request sent by the service system, and parsing the request to obtain the authentication ticket it carries; parsing the authentication ticket to obtain the object identifier of the target object; and determining the corresponding permission bit identifier according to the object identifier and sending the permission bit identifier to the service system, where the sent permission bit identifier triggers the service system to cache it.
Specifically, after the target object logs in the authority engine system and the authority engine system generates the authentication ticket and feeds it back to the service system, the service system can pull the permission bit identifier corresponding to the target object from the authority engine system. More specifically, the service system generates a permission bit identifier acquisition request carrying the authentication ticket and sends it to the authority engine system. On receiving the request, the authority engine system parses it to obtain the authentication ticket and verifies the ticket. For example, the authority engine system may first verify and decode the authentication ticket with the public key to obtain the identity encryption information, and then decrypt the identity encryption information with the secret key to obtain the object identity information and the object identifier of the target object. When decryption succeeds, the permission bit identifier acquisition request is determined to be a legitimate request and the authentication ticket is determined to have passed verification. When the authentication ticket passes verification, the authority engine system looks up the corresponding permission bit identifier according to the object identifier of the target object and returns it to the service system, which caches the received permission bit identifier in the session object; when the target object later accesses a target page in the service system, the service system can send the cached permission bit identifier to the authority engine system.
In this embodiment, by obtaining the permission bit identifier the service system can cache it, so that when the target object accesses the target page the corresponding accessible page links can be pulled from the authority engine system based on the permission bit identifier, and the access permission of the target object for the target page can be determined from the pulled accessible page links, thereby implementing permission management.
In one embodiment, determining the corresponding permission bit identifier according to the object identifier includes: determining the role category of the target object according to the object identifier; and looking up the pre-configured permission bit associated with the role category to obtain the corresponding permission bit identifier.
Specifically, because the role category is associated with the permission bit during the process of connecting the service system, when the object identifier of the target object is obtained, the role category to which the target object belongs can be found according to the object identifier, and then the permission bit pre-configured and associated with that role category is found, so as to obtain the permission bit identifier of the permission bit associated with the role category.
In one embodiment, referring to fig. 9, during the process of connecting the service system, a system access person may enter the authority engine system and trigger the terminal to display a role category management page of the authority engine system. A new role category control 901 is displayed in the role category management page, through which the system access person can add a role category. The system access person can also associate the target object with the newly added role category while adding it, so that the target object has the corresponding role category. FIG. 9 is a diagram that illustrates a role category management page in one embodiment.
In the above embodiment, because the role category is associated with the permission bit in the process of connecting the service system, the corresponding permission bit identifier can be obtained by quickly querying the role category of the target object.
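The ticket generation of the earlier embodiments (signature over the identity encryption information and object identifier, a life cycle, periodic private key replacement) together with the permission bit identifier acquisition and role category lookup described here, as an added Go example that is not the patent's own code. Ed25519 signatures, the key-id field that lets tickets survive a key rotation, and the in-memory role and permission bit tables are assumptions; the identity encryption information is taken as opaque bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Ticket is a hypothetical layout for the authentication ticket; the identity
// encryption information is treated as opaque bytes that the signature covers.
type Ticket struct {
	KeyID     string // which engine private key signed it, so key rotation does not break live tickets
	ObjectID  string
	Expiry    int64 // unix seconds at which the ticket's life cycle ends
	Encrypted []byte
	Signature []byte
}

// Engine is the sole ticket dispatching point (it alone holds private keys) and
// stores the role category of each object and the permission bits of each role.
type Engine struct {
	keyID  string
	priv   ed25519.PrivateKey
	pubs   map[string]ed25519.PublicKey // public keys of the current and retired private keys
	roleOf map[string]string            // object identifier -> role category
	bitsOf map[string][]string          // role category -> permission bit identifiers
}

func NewEngine() (*Engine, error) {
	e := &Engine{pubs: map[string]ed25519.PublicKey{}, roleOf: map[string]string{}, bitsOf: map[string][]string{}}
	return e, e.RotateKey()
}

// RotateKey replaces the private key periodically; the retired public key stays
// so tickets signed before rotation verify until their life cycle ends.
func (e *Engine) RotateKey() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	e.keyID = fmt.Sprintf("k%d", len(e.pubs)+1)
	e.priv, e.pubs[e.keyID] = priv, pub
	return nil
}

// signedPayload length-prefixes every field so none can be swapped or shifted.
func signedPayload(t *Ticket) []byte {
	var p []byte
	for _, s := range []string{t.KeyID, t.ObjectID} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(s)))
		p = append(append(p, n[:]...), s...)
	}
	var exp [8]byte
	binary.BigEndian.PutUint64(exp[:], uint64(t.Expiry))
	return append(append(p, exp[:]...), t.Encrypted...)
}

// Issue dispatches a ticket; the caller has already established the login.
func (e *Engine) Issue(objectID string, encrypted []byte, ttl time.Duration, now time.Time) *Ticket {
	t := &Ticket{KeyID: e.keyID, ObjectID: objectID, Expiry: now.Add(ttl).Unix(), Encrypted: encrypted}
	t.Signature = ed25519.Sign(e.priv, signedPayload(t))
	return t
}

// Verify checks the signature under a key this engine dispatched, then the life cycle.
func (e *Engine) Verify(t *Ticket, now time.Time) error {
	if pub, ok := e.pubs[t.KeyID]; !ok || !ed25519.Verify(pub, signedPayload(t), t.Signature) {
		return errors.New("signature invalid: not dispatched by the authority engine")
	}
	if now.Unix() >= t.Expiry {
		return errors.New("ticket life cycle ended")
	}
	return nil
}

// PermissionBits serves a permission bit identifier acquisition request: verify
// the carried ticket, then map the object identifier to its role's bits.
func (e *Engine) PermissionBits(t *Ticket, now time.Time) ([]string, error) {
	if err := e.Verify(t, now); err != nil {
		return nil, err
	}
	role, ok := e.roleOf[t.ObjectID]
	if !ok {
		return nil, errors.New("no role category: role application required")
	}
	return e.bitsOf[role], nil
}

func main() {
	e, _ := NewEngine() // constructed demo; the error is ignored only here
	e.roleOf["obj-42"], e.bitsOf["auditor"] = "auditor", []string{"PB-REPORT-VIEW"} // constructed configuration
	t := e.Issue("obj-42", []byte("opaque identity encryption information"), time.Hour, time.Now())
	_ = e.RotateKey() // rotation after issuance must not invalidate the live ticket
	fmt.Println(e.PermissionBits(t, time.Now()))
}
```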
In one embodiment, after feeding back the accessible page link to the service system, the method further includes: when the page link of the target page does not belong to the accessible page links, the service system determines that the target object does not have permission to access the target page; and when the target object does not have permission to access the target page, the service system triggers the front end of the authority engine system to display a role application page, so that the target object applies through the role application page for the role category required to access the target page.
Specifically, when the service system obtains the accessible page links sent by the authority engine system, it may determine the matching relationship between the page link of the target page and the accessible page links. When the page link of the target page matches the accessible page links, the target object is determined to have permission to access the target page; the page link of the target page is determined to match the accessible page links when it belongs to them. When the page link of the target page does not match the accessible page links, the target object is determined not to have permission to access the target page. In that case, the service system acquires the role application page link in the authority engine system and displays the role application page corresponding to that link through the front end of the service system, so that the target object can apply for the role category required to access the target page through the displayed role application page.
When the target object applies through the role application page for the role category required to access the target page, the authority engine system may generate a role application work order, and when the role application work order is determined to be approved, the authority engine system associates the object identifier of the target object with the applied role category, so that the target object holds the role category obtained through the application.
In this embodiment, by displaying the role application page, the target object can apply for the corresponding role category through the displayed page, which improves the flexibility of role category application.
In one embodiment, before the target object accesses the target page in the service system connected to the authority engine system, the method further includes: when the target object accesses the service system for the first time within a preset time period, acquiring the security level of the service system according to the system identifier of the service system; when the security level of the service system is greater than or equal to a preset level threshold, determining whether the target object has passed the internal authentication of the enterprise to which the service system belongs; and when the target object has passed the internal authentication, determining whether the target object has logged in the authority engine system, and when it is determined that the target object has logged in the authority engine system, triggering the front end of the service system to display an access control for accessing a target page in the service system.
Specifically, when the target object accesses the service system for the first time within the preset time period, the authority engine system may obtain the system identifier of the service system and determine the security level of the service system according to it. When the security level of the service system is greater than or equal to the level threshold, the service system is considered a high-sensitivity system, and the authority engine system judges whether the target object has passed the internal authentication of the enterprise to which the service system belongs; for example, it may determine whether the target object has successfully logged in the OA (Office Automation) system of that enterprise. If the target object has passed the internal authentication, the authority engine system judges whether the target object has logged in successfully, for example by judging whether an authentication ticket of the target object has been dispatched to the service system. When the authority engine system determines that the target object has logged in, the front end of the service system is triggered to display an access control for accessing a target page in the service system, for example the home page of the service system.
In one embodiment, referring to fig. 10, when the target object inputs the system link of the service system in a browser to enter the service system, the browser may acquire the system identifier of the service system, redirect to and display the login page of the authority engine system, and send the system identifier to the authority engine system. The authority engine system can determine the security level of the service system according to the received system identifier, and perform internal login authentication and authority engine login authentication on the target object when the determined security level is greater than or equal to the level threshold. When the authentication passes, the authority engine system returns the authorization code to the service system. The service system authenticates the authorization code, triggers the browser to display the redirection page of the service system, and sends an authentication ticket generation request to the authority engine system, so that the authority engine system generates an authentication ticket and sends it to the service system. Figure 10 shows a flow diagram of authentication in one embodiment.
In the above embodiment, the access security of the service system is improved by performing double authentication for service systems with a high security level.
In one embodiment, referring to fig. 11, fig. 11 shows an interaction diagram of role authority information acquisition in one embodiment. When the target object accesses the service system, the service system front end sends a system access request to the service system background. On receiving the system access request, the service system background judges whether an authentication ticket of the target object is stored in the session object and, if one exists, whether it is in an effective state. When the session object holds no authentication ticket, or the ticket is in an invalid state, the service system background triggers the authority engine front end to display the login page. When the target object logs in the authority engine system through the login page, the authority engine background generates an authorization code according to the login account of the target object and sends the authorization code to the authority engine front end. The authority engine front end passes the authorization code to the service system front end and triggers the service system front end to display the redirection page. When the service system front end displays the redirection page, it generates an authentication ticket generation request according to the authorization code and sends the request to the service system background, which forwards it to the authority engine background.
The authority engine background generates the authentication ticket and sends it to the service system background. On receiving the authentication ticket, the service system background caches it in the session object and sets its effective time, generates a role authority information acquisition request according to the authentication ticket, and sends the request to the authority engine system background, so that the authority engine system background, after successfully verifying the authentication ticket, looks up the role category of the target object and the permission bit identifiers associated with that role category, and returns the found role category and permission bit identifiers to the service system background as the role authority information. The service system background receives the role authority information, caches it in the session object, and sets the effective time of the role authority information.
In one embodiment, referring to FIG. 12, FIG. 12 shows an access interaction diagram of a target page in one embodiment. The authority engine system may comprise an authority engine system front end and an authority engine system background. When the target object accesses a target page in the service system, the service system front end sends a target page access request to the service system background. On receiving the target page access request, the service system background extracts the authentication ticket of the target object from the session object and judges whether it is in an effective state. If no authentication ticket exists in the session object, or the ticket is in an invalid state, the service system background triggers the authority engine system background to regenerate the authentication ticket. When the session object holds an authentication ticket in an effective state, the service system background extracts the permission bit identifier from the session object, generates an authentication request according to the authentication ticket and the permission bit identifier, and sends the authentication request to the authority engine system background. The authority engine system background looks up the accessible page links associated with the permission bit identifier in the authentication request and sends the found accessible page links to the service system background. The service system background then determines whether the target object has permission to access the target page according to the matching relationship between the page link of the target page and the accessible page links.
When the target object has the access permission, the service system background returns the page data of the target page to the service system front end; when the target object does not have the access permission, the service system background triggers the authority engine front end to display the role category application page.
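The service system background's decision on a target page access request, as an added Go example that is not the patent's code: the cached ticket and role authority information with their effective times, the role categories frozen through the batch freeze control, and the check that the page link of the target page belongs to the accessible page links. The canonical link comparison (scheme, host and cleaned path, ignoring the query string), the decision names and the sample configuration are assumptions; the page does not say how links are compared.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
	"time"
)

// Decision is the service system background's outcome for a target page access request.
type Decision int

const (
	Allow            Decision = iota // return the page data of the target page
	RequireLogin                     // no ticket, or ticket in an invalid state: regenerate it via the authority engine login
	RefreshRoleInfo                  // role authority information past its effective time: pull it again
	RequireRoleApply                 // no accessible page link matches: show the role category application page
)

// Session is the service system's session object. The ticket and the role
// authority information are cached with the effective time set when cached.
type Session struct {
	Ticket         string
	TicketExpiry   time.Time
	Role           string
	PermissionBits []string
	RoleInfoExpiry time.Time
}

// Engine is the authority engine state used for authentication requests: the
// first association relationship (permission bit -> accessible page links) and
// the role categories frozen through the batch freeze control.
type Engine struct {
	LinksOf map[string][]string
	Frozen  map[string]bool
}

// AccessibleLinks answers the authentication request carrying the cached
// permission bit identifiers. A frozen role category yields no links at all.
func (e *Engine) AccessibleLinks(role string, bits []string) []string {
	if e.Frozen[role] {
		return nil
	}
	var links []string
	for _, b := range bits {
		links = append(links, e.LinksOf[b]...)
	}
	return links
}

// PageKey reduces a page link to a canonical scheme://host/path so that the
// "belongs to" comparison is not fooled by query strings, "..", duplicate
// slashes or host case. Canonical form is an assumption; the page does not
// say how links are compared.
func PageKey(link string) (string, bool) {
	u, err := url.Parse(link)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return "", false
	}
	p := path.Clean("/" + u.Path)
	return strings.ToLower(u.Scheme) + "://" + strings.ToLower(u.Host) + p, true
}

// Authorize is the check the service system background runs on a target page
// access request, in the order the interaction describes: ticket presence and
// validity, then cached role authority information, then link matching.
func Authorize(e *Engine, s *Session, targetPage string, now time.Time) Decision {
	if s.Ticket == "" || !now.Before(s.TicketExpiry) {
		return RequireLogin
	}
	if !now.Before(s.RoleInfoExpiry) {
		return RefreshRoleInfo
	}
	target, ok := PageKey(targetPage)
	if !ok {
		return RequireRoleApply // an unparsable target never matches an accessible link
	}
	for _, link := range e.AccessibleLinks(s.Role, s.PermissionBits) {
		if key, ok := PageKey(link); ok && key == target {
			return Allow
		}
	}
	return RequireRoleApply
}

func main() {
	// constructed configuration: one permission bit, two accessible page links
	e := &Engine{LinksOf: map[string][]string{
		"PB-REPORT-VIEW": {"https://biz.example.com/reports", "https://biz.example.com/reports/export"},
	}, Frozen: map[string]bool{}}
	now := time.Now()
	s := &Session{Ticket: "ticket", TicketExpiry: now.Add(time.Hour), Role: "auditor",
		PermissionBits: []string{"PB-REPORT-VIEW"}, RoleInfoExpiry: now.Add(time.Hour)}
	fmt.Println(Authorize(e, s, "https://biz.example.com/reports/export?id=7", now)) // 0 (Allow)
	fmt.Println(Authorize(e, s, "https://biz.example.com/admin/users", now))        // 3 (RequireRoleApply)
}
```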
In an embodiment, as shown in fig. 13, a service system access method is provided, described by taking the application of the method to the terminal in fig. 1 as an example; the service system access method includes the following steps:
Step 1302, in response to an access operation for connecting the service system to the authority engine system, displaying a permission bit creation page, and in response to a permission bit creation operation triggered through the permission bit creation page, displaying the created permission bit.
Specifically, when the service system is connected to the authority engine system, the system access person can trigger the terminal to display a front-end page of the authority engine system, which may include a permission bit management page. Referring to fig. 14, a permission bit list 1401 and a permission bit creation control 1402 can be presented in the permission bit management page. When it is determined that the system access person has triggered the permission bit creation control, the terminal may present the permission bit creation page, create a permission bit in response to a permission bit creation operation triggered through that page, and present the created permission bit in the permission bit list of the permission bit management page. FIG. 14 illustrates a schematic diagram of a permission bit management page in one embodiment.
In one embodiment, the system access person can input information such as the name, number, directory, identifier, extension fields and description of the permission bit to be created through the permission bit creation page. The directory refers to the directory in which the permission bit information of the permission bit to be created is stored. When it is determined that the system access person has clicked the save control, the terminal sends the information input through the permission bit creation page to the authority engine system background, so that the background creates the permission bit based on the received information and returns the creation result to the terminal, that is, to the front end of the authority engine system. When the terminal receives the creation result and the result indicates success, the terminal can display the created permission bit in the permission bit list of the permission bit management page.
Step 1304, in response to a role editing operation for the permission bit, displaying the role category associated with the permission bit as edited through the role editing operation.
Specifically, the permission bit management page may further show role editing controls; for example, referring to fig. 14, a role editing control 1403 corresponding to each created permission bit may be shown in the permission bit list. When it is determined that the system access person has clicked the role editing control, the terminal responds to the click by displaying the role editing page, through which the system access person can specify the role category associated with the corresponding permission bit.
In one embodiment, before the service system is connected to the authority engine system, a plurality of default role categories can be preset in the authority engine system. When the system access person wants to add a role category, the system access person can also trigger the terminal to display the role category management page and add the role category through the new role category control in that page. For instance, referring to FIG. 9, FIG. 9 illustrates a role category management page in one embodiment. The role category management page may display a role category list 902 in which the role categories created for the service system are shown. An editing control 903 may also be displayed in the role category list, through which a created role category can be edited, for example its name and role description.
In one embodiment, a batch freeze control 904 and a batch unfreeze control 905 may also be displayed in the role category management page. When it is determined that the system access person has clicked the batch freeze control, the authority engine system freezes the role categories created by the service system, and the target object can then no longer access the target page through the role categories to which it belongs. When it is determined that the system access person has clicked the batch unfreeze control, the authority engine system unfreezes the role categories created by the service system.
Step 1306, in response to the link editing operation for the permission bit, presenting the accessible page link associated with the permission bit edited by the link editing operation.
In particular, link edit controls can also be shown in the permission bit management page, for example, referring to fig. 14, a link edit control (associated URL control) 1404 can be shown in the permission bit list for each created permission bit. When it is determined that the system access person clicks the link editing control, the terminal can respond to the clicking operation of the link editing control to display the link editing page, and then the system access person can specify the accessible page link associated with the corresponding permission bit through the link editing page. It will be readily appreciated that one permission bit may be associated with multiple role categories and that one accessible page link may also be associated with multiple permission bits, thereby allowing more granular control of the permission bits.
In one embodiment, the link editing page can display accessible page links corresponding to the functional modules in the industrial system, so that the system access personnel can determine the functional module corresponding to the authority limit according to the requirement and determine the associated accessible page link according to the determined functional module.
In one embodiment, an accessible page link input box can be displayed in the link editing page, the system access personnel can input the accessible page link through the accessible page link input box, and the permission engine system background associates the accessible page link input by the system access personnel with the corresponding permission bit.
Step 1308, in response to completion of the link editing operation, triggering the association relation between the permission bit and the accessible page link to take effect in the permission engine system; the association relation is used for authentication when a target object of the role category accesses a page in the service system.
Specifically, when the role editing operation is completed, the terminal can send the created permission bit and the role category obtained through the role editing operation to the permission engine system background, so that the background can establish a second association relation between the permission bit and the role category. When the link editing operation is completed, the terminal can send the created permission bit and the accessible page link obtained through the link editing operation to the permission engine system background, so that the background can establish a first association relation between the permission bit and the accessible page link. The first association relation can be used to authenticate the access permission of a target object having the role category when that target object accesses a target page in the service system.
In one embodiment, referring to fig. 7, when the business system is connected to the authority engine system, the system access personnel may also trigger the terminal to display an access configuration page of the authority engine system. A redirection page link input box 701, a system address input box 702, a system description input box 703, a security level input box 704 and the like can be displayed in the access configuration page. The redirection page link may be entered through the redirection page link input box, the home page link of the business system through the system address input box, the description information of the system through the system description input box, and the security level of the system through the security level input box.
In one embodiment, referring to fig. 15, which shows a schematic diagram of service system access in one embodiment, the permission engine system can be connected to a plurality of different business systems. When these business systems are connected, the permission engine system can generate a system identifier for each of them, create the permission bits corresponding to each business system, determine the role categories associated with each permission bit, and determine the accessible page links associated with each permission bit. The authority engine can thereby provide cross-platform, cross-framework system access in a web page manner.
It will be readily appreciated that, in addition to creating permission bits and associating role categories and accessible page links with them while the business system is being connected to the permission engine system, permission bits may also be added and edited later, while the business system is being accessed by target objects.
In the service system access method, a permission bit is created and displayed in response to a permission bit creation operation. With the permission bit created, the role category associated with it is determined and displayed in response to a role editing operation for the permission bit, and the accessible page link associated with it is displayed in response to a link editing operation for the permission bit, so that when the link editing operation is completed the first association relation between the permission bit and the accessible page link is triggered to take effect in the permission engine system; the first association relation, once in effect, is used to authenticate a target object having the role category when that target object accesses a page in the service system. Because the permission management of a plurality of service systems can be realized through one permission engine system simply by connecting each service system to it, the resources consumed by repeatedly developing a permission management module for each system are reduced and authentication efficiency is improved.
In one embodiment, in response to a role editing operation for a permission bit, displaying the role category associated with the permission bit obtained through the role editing operation includes: displaying a role editing control corresponding to the created permission bit; in response to a triggering operation on the role editing control, displaying a role category set; and in response to a selection operation on the role category set, displaying the target role category selected by the selection operation and establishing a second association relation between the target role category and the created permission bit.
Specifically, the terminal can display the role editing control corresponding to the created permission bit and, in response to the system access personnel triggering the role editing control, display the role category set. The role category set comprises a plurality of role categories of different kinds. The terminal can respond to a selection operation on a role category in the set by determining and displaying the selected target role category. When the target role category is determined, the terminal can establish a second association relation between the target role category and the created permission bit, and send that relation to the permission engine system background for storage.
In one embodiment, before displaying the role category set, the method further includes: displaying a role management page, in which a role category addition control is displayed; in response to a triggering operation on the role category addition control, displaying a role category addition page; in response to an input operation on the role category addition page, displaying the input role information and generating a role category addition work order from it; and when the role category addition work order is approved, determining that the role category has been added successfully.
Specifically, a role category can be added before the role category set is displayed. The system access personnel can add a new role category through the role management page and then associate the added role category with a permission bit, which improves the flexibility of role category association.
In one embodiment, in response to a link editing operation for a permission bit, displaying the accessible page link associated with the permission bit obtained through the link editing operation includes: displaying a link editing control corresponding to the created permission bit; in response to a triggering operation on the link editing control, displaying the set of functional modules included in the business system; and in response to a selection operation on the set of functional modules, taking the page links included in the target functional module selected by the selection operation as the accessible page links associated with the permission bit.
Specifically, since a permission bit may point to a functional module in the business system, the accessible page link associated with the permission bit can be determined by selecting the functional module. The terminal can display the link editing control corresponding to the created permission bit, and when the system access personnel click it the terminal displays the set of functional modules included in the business system so that the target functional module can be selected. Since the target functional module may include several pages (for example, a kanban module may include a kanban display page and a kanban content statistics page), the terminal can take the links of the pages included in the target functional module as the accessible page links associated with the permission bit and send them to the permission engine system background, which then generates the first association relation between the permission bit and the accessible page links.
In this embodiment, the accessible page links associated with a permission bit are determined by selecting a functional module; compared with entering the accessible page links one by one, this greatly improves the efficiency of obtaining them.
In one embodiment, referring to fig. 16, there is provided an authentication method including:
S1602, the authority engine system acquires a login account and a login password input through a login page of the authority engine system; when the login account matches the login password, it generates an authorization code from the login account, feeds the authorization code back and acquires a pre-configured redirection page link.
S1604, the authority engine system sends the authorization code and the redirection page link to the front end of the service system; the redirection page link is used to trigger the front end of the service system to display the corresponding redirection page, and the authorization code is used to trigger the service system to generate an authentication ticket generation request carrying the authorization code.
S1606, on receiving the authentication ticket generation request, the authority engine system parses the authorization code to obtain the login account of the target object, determines the pre-configured object identity information corresponding to the login account, and encrypts the object identity information to obtain identity encryption information.
S1608, the authority engine system signs the identity encryption information and the object identifier of the target object with a preset private key to obtain the authentication ticket, and sends the authentication ticket to the service system.
S1610, the authority engine system obtains the permission bit identifier acquisition request sent by the service system and parses it to obtain the authentication ticket it carries.
S1612, the authority engine system parses the authentication ticket to obtain the object identifier of the target object, determines the corresponding permission bit identifier from the object identifier, and sends the permission bit identifier to the service system; the permission bit identifier is used to trigger the service system to cache it.
S1614, when the target object accesses a target page in a service system connected to the authority engine system, the authority engine system acquires the permission bit identifier of the target object and the authentication ticket obtained by logging in to the authority engine system; the permission bit identifier matches the role category of the target object.
S1616, the authority engine system verifies the authentication ticket and, when the authentication ticket passes verification, determines the pre-configured accessible page link associated with the permission bit identifier.
S1618, the authority engine system feeds the accessible page link back to the service system; the accessible page link is used to instruct the service system to determine the access permission of the target object to the target page according to whether the page link of the target page matches the accessible page link.
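The exchange S1602 to S1618 above, together with the fragment-wise identity encryption described later for the ticket generating module, as an added worked example that is not part of the patent and not Tencent's implementation. All tables (accounts, identity information, role categories, permission bits, accessible page links, the redirection page link) are constructed sample data; the "preset private key" is represented by an HMAC-SHA256 key because the standard library offers no asymmetric signature, and the per-fragment encryption function is an HMAC-derived keystream, both assumptions. One check the patent only implies at S1614 is made explicit: the engine re-derives the permission bit identifiers from the ticket's object identifier and refuses an identifier that the caller presents but does not own.

```python
import hashlib
import hmac
import json
import os
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Constructed sample configuration; the patent fixes no schema, so these tables are assumptions.
ACCOUNTS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}           # login account -> password hash
IDENTITY = {"alice": {"object_id": "u-1001", "name": "Alice", "dept": "ops"}}  # pre-configured object identity information
ROLE_OF_OBJECT = {"u-1001": "auditor"}                                       # object identifier -> role category
PERMISSION_BITS_OF_ROLE = {"auditor": ["pb-kanban"], "admin": ["pb-kanban", "pb-users"]}
ACCESSIBLE_LINKS = {"pb-kanban": ["/kanban/display", "/kanban/stats"], "pb-users": ["/users/list"]}
REDIRECT_LINK = "https://crm.example.test/home"  # assumed pre-configured redirection page link

# Assumption: HMAC-SHA256 with a secret key stands in for signing with the "preset private key".
SIGNING_KEY = b"engine-signing-key-demo"
ENC_KEY = b"engine-identity-enc-key-demo"
FRAGMENT_SIZE = 16
_auth_codes = {}  # authorization code -> login account, consumed on first use

def _b64(raw):
    return urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _xor_fragments(data, key, nonce):
    """Divide data into fragments and XOR each with a keystream derived from the key,
    the nonce and the fragment offset; the same routine encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), FRAGMENT_SIZE):
        fragment = data[offset:offset + FRAGMENT_SIZE]
        stream = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(fragment, stream))
    return bytes(out)

def encrypt_identity(info):
    """Identity encryption information: a fresh nonce plus the joined encrypted fragments."""
    nonce = os.urandom(12)
    plain = json.dumps(info, sort_keys=True).encode()
    return _b64(nonce) + "." + _b64(_xor_fragments(plain, ENC_KEY, nonce))

def decrypt_identity(token):
    nonce_text, body_text = token.split(".")
    return json.loads(_xor_fragments(_unb64(body_text), ENC_KEY, _unb64(nonce_text)))

def login(account, password):
    """S1602/S1604: on a matching account and password, return an authorization code
    and the pre-configured redirection page link for the service-system front end."""
    if ACCOUNTS.get(account) != hashlib.sha256(password.encode()).hexdigest():
        return None
    code = secrets.token_urlsafe(16)
    _auth_codes[code] = account
    return code, REDIRECT_LINK

def issue_ticket(auth_code):
    """S1606/S1608: resolve the (single-use) authorization code, encrypt the object
    identity information, and sign it together with the object identifier."""
    account = _auth_codes.pop(auth_code, None)
    if account is None:
        return None
    info = IDENTITY[account]
    payload = json.dumps({"identity": encrypt_identity(info), "object_id": info["object_id"],
                          "iat": int(time.time())}, sort_keys=True).encode()
    signature = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)

def verify_ticket(ticket):
    """Return the ticket payload when the signature is valid, otherwise None."""
    try:
        payload_text, signature_text = ticket.split(".")
        payload, signature = _unb64(payload_text), _unb64(signature_text)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    return json.loads(payload)

def permission_bits_for_ticket(ticket):
    """S1610/S1612: object identifier -> role category -> permission bit identifiers."""
    payload = verify_ticket(ticket)
    if payload is None:
        return None
    return list(PERMISSION_BITS_OF_ROLE.get(ROLE_OF_OBJECT.get(payload["object_id"]), []))

def accessible_links(ticket, permission_bit_id):
    """S1614-S1618: verify the ticket, confirm that the requested permission bit really
    belongs to the ticket holder's role category (never trust the identifier alone),
    then return the pre-configured accessible page links for that permission bit."""
    bits = permission_bits_for_ticket(ticket)
    if bits is None or permission_bit_id not in bits:
        return None
    return list(ACCESSIBLE_LINKS.get(permission_bit_id, []))

def business_system_allows(target_page_link, links):
    """Service-system side of S1618: allow the target page only if its link is one of
    the accessible page links fed back by the engine."""
    return target_page_link in (links or [])
```

A production engine would replace the HMAC stand-ins with an authenticated cipher for the identity fragments and an asymmetric signature (so the service systems can verify tickets with a public key only), and would bind the ticket to a system identifier and an expiry so a ticket issued for one service system cannot be replayed against another.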
Because the authority engine system is an open type accessible independent system, the authority engine system can be accessed to a plurality of service systems, so that authority management of the plurality of service systems through one authority engine system is realized, resources consumed by repeatedly developing the authority management module are reduced, and authentication efficiency is improved.
In one embodiment, referring to fig. 17, a service system access method is provided, including:
S1702, the terminal, in response to an access operation connecting the service system to the authority engine system, displays a permission bit creation page and, in response to a permission bit creation operation triggered through that page, displays the created permission bit.
S1704, the terminal displays a role management page in which a role category addition control is displayed, and in response to a triggering operation on the role category addition control displays a role category addition page.
S1706, the terminal, in response to an input operation on the role category addition page, displays the input role information and generates a role category addition work order from it; when the role category addition work order is approved, it determines that the role category has been added successfully.
S1708, the terminal displays a role editing control corresponding to the created permission bit and, in response to a triggering operation on the role editing control, displays the role category set.
S1710, the terminal, in response to a selection operation on the role category set, displays the selected target role category and establishes a second association relation between the target role category and the created permission bit.
S1712, the terminal displays a link editing control corresponding to the created permission bit and, in response to a triggering operation on the link editing control, displays the set of functional modules included in the business system.
S1714, the terminal, in response to a selection operation on the set of functional modules, takes the page links included in the selected target functional module as the accessible page links associated with the permission bit.
S1716, the terminal, in response to completion of the link editing operation, triggers the first association relation between the permission bit and the accessible page links to take effect in the authority engine system; the first association relation is used for authentication when a target object of the role category accesses a page in the service system.
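The configuration that S1702 to S1716 build on the engine side, including the batch freeze and unfreeze of role categories mentioned earlier, as an added example that is not part of the patent. It models the two constraints the procedure imposes: a role category can only be associated with a permission bit after its addition work order is approved, and the accessible page links of a permission bit can be filled in from the pages of a functional module. Class and method names, work order identifiers and the in-memory storage are assumptions.

```python
class PermissionEngineConfig:
    """Engine-side configuration produced by the service system access procedure
    (added example; names and storage layout are assumptions, not the patent's)."""

    def __init__(self):
        self.permission_bits = {}    # bit id -> {"roles": set(), "links": set()}
        self.role_categories = {}    # role -> {"frozen": bool}; only approved roles appear here
        self.work_orders = {}        # work order id -> {"info": dict, "approved": bool}
        self.function_modules = {}   # module name -> list of page links

    # S1702: permission bit creation
    def create_permission_bit(self, bit_id):
        if bit_id in self.permission_bits:
            raise ValueError(f"permission bit {bit_id} already exists")
        self.permission_bits[bit_id] = {"roles": set(), "links": set()}

    # S1704/S1706: a role category becomes usable only once its work order is approved
    def submit_role_work_order(self, role_info):
        wo_id = f"wo-{len(self.work_orders) + 1}"
        self.work_orders[wo_id] = {"info": dict(role_info), "approved": False}
        return wo_id

    def approve_work_order(self, wo_id):
        order = self.work_orders[wo_id]
        order["approved"] = True
        self.role_categories[order["info"]["name"]] = {"frozen": False}

    # S1708/S1710: second association relation (permission bit <-> role category)
    def associate_role(self, bit_id, role):
        if role not in self.role_categories:
            raise ValueError(f"role category {role} has not been approved")
        self.permission_bits[bit_id]["roles"].add(role)

    # S1712/S1714: first association relation, filled from the pages of a functional module
    def register_function_module(self, name, page_links):
        self.function_modules[name] = list(page_links)

    def associate_module_links(self, bit_id, module):
        self.permission_bits[bit_id]["links"].update(self.function_modules[module])

    def associate_link(self, bit_id, page_link):
        """The alternative path in which a single link is typed into the input box."""
        self.permission_bits[bit_id]["links"].add(page_link)

    # batch freeze / unfreeze of role categories (controls 904 and 905)
    def freeze_roles(self, roles):
        for role in roles:
            self.role_categories[role]["frozen"] = True

    def unfreeze_roles(self, roles):
        for role in roles:
            self.role_categories[role]["frozen"] = False

    def accessible_links_for_role(self, role):
        """What the engine would feed back at authentication time: the union of the
        links of every permission bit associated with the role, or nothing while frozen."""
        category = self.role_categories.get(role)
        if category is None or category["frozen"]:
            return []
        links = set()
        for bit in self.permission_bits.values():
            if role in bit["roles"]:
                links.update(bit["links"])
        return sorted(links)
```

Because a permission bit may be associated with several role categories and a page link with several permission bits, the lookup walks all bits rather than assuming a one-to-one mapping; freezing is applied at the role category, so a frozen role yields no links even though its associations remain stored for unfreezing.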
Because the authority engine system is an open type accessible independent system, the authority engine system can be accessed to a plurality of service systems, so that authority management of the plurality of service systems through one authority engine system is realized, resources consumed by repeatedly developing the authority management module are reduced, and authentication efficiency is improved.
It should be understood that, although the steps in the flowcharts of the embodiments described above are shown in sequence as indicated by the arrows, they are not necessarily performed in that order. Unless explicitly stated otherwise, the steps are not limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in these flowcharts may include multiple sub-steps or stages, which need not be performed at the same time but may be performed at different times, and their execution order is not necessarily sequential; they may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
Based on the same inventive concept, the embodiment of the present application further provides an authentication device for implementing the above-mentioned authentication method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme recorded in the method, so the specific limitations in one or more embodiments of the authentication device provided below can refer to the limitations on the authentication method in the above, and are not described herein again.
In one embodiment, as shown in fig. 18, there is provided an authentication apparatus 1800 comprising: a ticket acquisition module 1802, a link acquisition module 1804, and a feedback module 1806, wherein:
a ticket acquiring module 1802, configured to acquire the permission bit identifier of a target object and the authentication ticket obtained by logging in to the authority engine system when the target object accesses a target page in a service system connected to the authority engine system; the permission bit identifier matches the role category of the target object;
a link obtaining module 1804, configured to verify the authentication ticket and, when the authentication ticket passes verification, determine the pre-configured accessible page link associated with the permission bit identifier;
a feedback module 1806, configured to feed the accessible page link back to the service system; the accessible page link is used to instruct the service system to determine the access permission of the target object to the target page according to whether the page link of the target page matches the accessible page link.
In one embodiment, the authentication apparatus 1800 further includes a ticket generating module 1808, configured to generate an authentication ticket from the login account when the target object logs in to the authority engine system and feed the authentication ticket back to the service system; the authentication ticket is used to instruct the service system to cache it and set a validity time, and to send it to the authority engine system when the target object is determined to access the target page while the authentication ticket is still within its validity time.
In one embodiment, the ticket generating module 1808 is further configured to trigger display of a login page, through which the target object logs in to the authority engine system; the login page is displayed when the target object accesses the service system for the first time within a preset time period, and the target object is determined to be accessing the service system for the first time within the preset time period when it accesses the service system and the session object of the service system either does not include an authentication ticket or includes an invalid one.
In one embodiment, the ticket generating module 1808 is further configured to obtain the login account and login password input through the login page of the authority engine system; when the login account matches the login password, acquire the pre-configured redirection page link and send it to the front end of the service system; the redirection page link is used to trigger the front end of the service system to display the corresponding redirection page, on which an access control for accessing the target page is displayed.
In one embodiment, the ticket generating module 1808 is further configured to obtain the login account input through the login page of the authority engine system, generate an authorization code from the login account and feed the authorization code back; the authorization code is used to trigger the service system to generate an authentication ticket generation request carrying the authorization code; the module then receives the authentication ticket generation request sent by the service system and generates the authentication ticket from the authorization code in the request.
In one embodiment, the ticket generating module 1808 is further configured to parse the authorization code to obtain the login account of the target object, determine the pre-configured object identity information corresponding to the login account, encrypt the object identity information to obtain identity encryption information, and sign the identity encryption information together with the object identifier of the target object with a preset private key to obtain the authentication ticket.
In one embodiment, the ticket generating module 1808 is further configured to obtain an encryption function and a key; divide the object identity information into a plurality of identity information fragments; encrypt each fragment with the encryption function and the key to obtain a corresponding encrypted fragment; and combine the encrypted fragments to obtain the identity encryption information.
In one embodiment, the authentication apparatus 1800 is further configured to obtain the permission bit identifier acquisition request sent by the service system and parse it to obtain the authentication ticket it carries; parse the authentication ticket to obtain the object identifier of the target object; determine the corresponding permission bit identifier from the object identifier and send it to the service system; the permission bit identifier is used to trigger the service system to cache it.
In one embodiment, the authentication apparatus 1800 is further configured to determine, from the object identifier, the role category to which the target object belongs, and look up the preset permission bit associated with that role category to obtain the corresponding permission bit identifier.
In one embodiment, the authentication apparatus 1800 is further configured to, when the target object accesses the service system for the first time within a preset time period, obtain the security level of the service system from the system identifier of the service system; when the security level is greater than or equal to a preset level threshold, determine whether the target object has passed the internal authentication of the enterprise to which the service system belongs; when it has, determine whether the target object has logged in to the authority engine system, and when it has, display at the front end of the service system an access control for accessing the target page in the service system.
In one embodiment, the feedback module 1806 is further configured to trigger the service system to determine the permission of the target object to access the target page: when the page link of the target page is not among the accessible page links, the service system determines that the target object does not have permission to access the target page, and in that case triggers the front end of the authority engine system to display a role application page through which the target object can apply for the role category required to access the target page.
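The service-system side of the embodiments above (cached ticket with a validity time, first-access detection from the session object, the security-level gate with enterprise internal authentication, the cached permission bit identifiers, and the fallback to the role application page) as an added example that is not part of the patent. The engine is a constructed stub that only answers the two questions the service system asks it; the threshold, validity period, page paths and the shape of the enterprise credential are assumptions.

```python
import time

SECURITY_LEVEL_THRESHOLD = 3   # assumed preset level threshold
TICKET_TTL_SECONDS = 600       # assumed validity time set for a cached ticket


class StubEngine:
    """Constructed stand-in for the authority engine: maps a ticket to its permission bit
    identifiers and a permission bit to its accessible page links."""

    def __init__(self, bits_by_ticket, links_by_bit):
        self.bits_by_ticket = bits_by_ticket
        self.links_by_bit = links_by_bit

    def permission_bits(self, ticket):
        return list(self.bits_by_ticket.get(ticket, []))

    def accessible_links(self, ticket, bit):
        if bit not in self.bits_by_ticket.get(ticket, []):
            return None   # the engine refuses a permission bit the ticket holder does not own
        return list(self.links_by_bit.get(bit, []))


class BusinessSystemGateway:
    """Decision logic run by the service system when a target object requests a target page."""

    def __init__(self, security_level, engine, internal_auth, login_page, role_apply_page):
        self.security_level = security_level
        self.engine = engine
        self.internal_auth = internal_auth   # callable(credential) -> bool: enterprise internal authentication
        self.login_page = login_page
        self.role_apply_page = role_apply_page
        self.sessions = {}                   # session id -> {"ticket", "expires_at", "bits"}

    @staticmethod
    def is_first_access(session, now):
        """No ticket in the session object, or an expired one, counts as the first access
        within the preset time period."""
        return session is None or session.get("ticket") is None or now >= session["expires_at"]

    def cache_ticket(self, session_id, ticket, now=None):
        """Cache the ticket with its validity time, and fetch the permission bit
        identifiers once so later page requests need not repeat that round trip."""
        now = time.time() if now is None else now
        self.sessions[session_id] = {"ticket": ticket, "expires_at": now + TICKET_TTL_SECONDS,
                                     "bits": self.engine.permission_bits(ticket)}

    def request_page(self, session_id, target_link, enterprise_credential=None, now=None):
        now = time.time() if now is None else now
        session = self.sessions.get(session_id)
        if self.is_first_access(session, now):
            self.sessions.pop(session_id, None)   # drop an expired ticket rather than reuse it
            if self.security_level >= SECURITY_LEVEL_THRESHOLD and not self.internal_auth(enterprise_credential):
                return {"action": "deny", "reason": "enterprise internal authentication failed"}
            return {"action": "redirect", "to": self.login_page}
        for bit in session["bits"]:
            links = self.engine.accessible_links(session["ticket"], bit)
            if links and target_link in links:
                return {"action": "allow", "permission_bit": bit}
        return {"action": "redirect", "to": self.role_apply_page}
```

The match is an exact comparison of the target page link against the links fed back by the engine; if the service system normalises or rewrites URLs before routing, the same normalisation must be applied before the comparison, otherwise a query string or trailing slash turns an allowed page into a redirect to the role application page, or worse, a prefix match lets an unlisted page through.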
Based on the same inventive concept, the embodiment of the present application further provides a service system access apparatus for implementing the service system access method. The implementation scheme for solving the problem provided by the apparatus is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the service system access apparatus provided below may refer to the limitations on the service system access method in the foregoing, and details are not described here.
In one embodiment, as shown in fig. 19, there is provided a service system access apparatus 1900, including: a permission bit creation module 1902, a role category association module 1904, and a link association module 1906, wherein:
an authority limit creation module 1902, configured to display an authority limit creation page in response to an access operation of accessing the service system to the authority engine system, and display a created authority limit in response to an authority limit creation operation triggered by the authority limit creation page;
a role category association module 1904, configured to, in response to a role editing operation for an authority limit, display a role category associated with the authority limit obtained through editing by the role editing operation;
a link association module 1906, configured to, in response to a link editing operation on an authority bit, present an accessible page link associated with the authority bit edited by the link editing operation; in response to completion of the link editing operation, triggering a first incidence relation between the permission bit and the accessible page link to take effect in the permission engine system; the first incidence relation is used for authentication when the target object of the role category accesses the page in the service system.
In one embodiment, the role category association module 1904 is further configured to expose a role edit control corresponding to the created permission bit; responding to the triggering operation aiming at the role editing control, and displaying the role category set; and responding to the selection operation aiming at the role category set, displaying the target role category selected by the selection operation, and establishing a second incidence relation between the target role category and the created permission limit.
In one embodiment, the service system access apparatus 1900 is further configured to display a role management page, in which a role category addition control is displayed; in response to a triggering operation on the role category addition control, display a role category addition page; in response to an input operation on the role category addition page, display the input role information and generate a role category addition work order from it; and when the role category addition work order is approved, determine that the role category has been added successfully.
In one embodiment, the link association module 1906 is further configured to expose a link edit control corresponding to the created permission bit; responding to the triggering operation aiming at the link editing control, and displaying a functional module set included by the business system; and in response to the selection operation on the functional module set, taking the page link included by the target functional module selected by the selection operation as the accessible page link associated with the permission bit.
All or part of each module in the authentication device and the service system access device can be realized by software, hardware and a combination thereof. The modules can be embedded in a hardware form or independent of a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, and its internal structure diagram may be as shown in fig. 20. The computer device includes a processor, a memory, an Input/Output interface (I/O for short), and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing authentication data. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement an authentication method.
In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 21. The computer apparatus includes a processor, a memory, an input/output interface, a communication interface, a display unit, and an input device. The processor, the memory and the input/output interface are connected by a system bus, and the communication interface, the display unit and the input device are connected by the input/output interface to the system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The input/output interface of the computer device is used for exchanging information between the processor and an external device. The communication interface of the computer device is used for communicating with an external terminal in a wired or wireless manner, and the wireless manner can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a business system access method. The display unit of the computer equipment is used for forming a visual picture, and can be a display screen, a projection device or a virtual reality imaging device, the display screen can be a liquid crystal display screen or an electronic ink display screen, the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on a shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It will be appreciated by those skilled in the art that the configurations shown in fig. 20-21 are only block diagrams of some configurations relevant to the present disclosure, and do not constitute a limitation on the computing devices to which the present disclosure may be applied, and a particular computing device may include more or less components than those shown, or combine certain components, or have a different arrangement of components.
In an embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, in which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In one embodiment, a computer program product or computer program is provided that includes computer instructions stored in a computer-readable storage medium. The computer instructions are read by a processor of a computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the steps in the above-mentioned method embodiments.
It should be noted that the user information, the object identity information, the object information (including but not limited to the user device information, the user personal information, etc.) and the data (including but not limited to the data for analysis, the stored data, the displayed data, etc.) referred to in the present application are all information and data authorized by the user or sufficiently authorized by each party, and the collection, use and processing of the related data need to comply with the relevant laws and regulations and standards of the relevant country and region.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program instructing the relevant hardware; the computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases; the non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, data processing logic devices based on quantum computing, and the like, without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (20)

1. An authentication method, the method comprising:
when a target object accesses a target page in a business system integrated with a permission engine system, acquiring a permission bit identifier of the target object and an authentication ticket obtained by logging in to the permission engine system; the permission bit identifier matches the role category of the target object;
verifying the authentication ticket, and, when the authentication ticket passes verification, determining a pre-configured accessible page link associated with the permission bit identifier;
feeding back the accessible page link to the business system; the fed-back accessible page link is used to instruct the business system to determine the access permission of the target object for the target page according to the matching relationship between the page link of the target page and the accessible page link.
2. The method of claim 1, wherein before the target object accesses the target page in the business system integrated with the permission engine system, the method further comprises:
when the target object logs in to the permission engine system, generating an authentication ticket according to the login account with which the target object logs in to the permission engine system, and feeding the authentication ticket back to the business system;
the fed-back authentication ticket is used to instruct the business system to cache the authentication ticket and set a validity period, and to send the authentication ticket to the permission engine system when it is determined that the target object accesses the target page and the authentication ticket is within its validity period.
3. The method of claim 2, wherein the target object logs in to the permission engine system through a login page of the permission engine system; the login page is the page displayed when the target object accesses the business system for the first time within a preset time period; and when the target object accesses the business system and the session object of the business system does not include an authentication ticket, or the authentication ticket is invalid, it is determined that the target object is accessing the business system for the first time within the preset time period.
4. The method of claim 2, wherein before generating the authentication ticket according to the login account with which the target object logs in to the permission engine system, the method further comprises:
acquiring a login account and a login password entered through the login page of the permission engine system;
when the login account matches the login password, acquiring a pre-configured redirection page link;
sending the redirection page link to the front end of the business system; the sent redirection page link is used to trigger the front end of the business system to display the corresponding redirection page, on which an access control for accessing the target page is displayed.
5. The method of claim 2, wherein generating the authentication ticket according to the login account with which the target object logs in to the permission engine system comprises:
acquiring a login account entered through a login page of the authentication system;
generating an authorization code according to the login account, and feeding back the authorization code; the fed-back authorization code is used to trigger the business system to generate an authentication ticket generation request carrying the authorization code;
receiving the authentication ticket generation request sent by the business system, and generating the authentication ticket according to the authorization code in the authentication ticket generation request.
6. The method of claim 5, wherein generating the authentication ticket according to the authorization code in the authentication ticket generation request comprises:
parsing the authorization code to obtain the login account of the target object;
determining pre-configured object identity information corresponding to the login account;
encrypting the object identity information to obtain encrypted identity information;
signing the encrypted identity information and the object identifier of the target object with a preset private key to obtain the authentication ticket.
7. The method of claim 6, wherein encrypting the object identity information to obtain the encrypted identity information comprises:
acquiring an encryption function and a secret key;
dividing the object identity information to obtain a plurality of identity information fragments;
encrypting each identity information fragment with the encryption function and the secret key to obtain an encrypted fragment corresponding to each identity information fragment;
combining the encrypted fragments corresponding to the identity information fragments to obtain the encrypted identity information.
8. The method of claim 2, wherein after feeding back the authentication ticket to the business system, the method further comprises:
acquiring a permission bit identifier acquisition request sent by the business system, and parsing the permission bit identifier acquisition request to obtain the authentication ticket carried in it;
parsing the authentication ticket to obtain the object identifier of the target object;
determining the corresponding permission bit identifier according to the object identifier, and sending the permission bit identifier to the business system; the sent permission bit identifier is used to trigger the business system to cache it.
9. The method of claim 8, wherein determining the corresponding permission bit identifier according to the object identifier comprises:
determining the role category of the target object according to the object identifier;
looking up the preset permission bit associated with the role category to obtain the corresponding permission bit identifier.
10. The method of claim 1, wherein before the target object accesses the target page in the business system integrated with the permission engine system, the method further comprises:
when the target object accesses the business system for the first time within a preset time period, acquiring the security level of the business system according to the system identifier of the business system;
when the security level of the business system is greater than or equal to a preset level threshold, determining whether the target object has passed the internal authentication of the enterprise to which the business system belongs;
when the target object has passed the internal authentication, determining whether the target object has logged in to the permission engine system, and, when it is determined that the target object has logged in to the permission engine system, triggering the front end of the business system to display an access control for accessing the target page in the business system.
11. The method of claim 1, wherein after feeding back the accessible page link to the business system, the method further comprises:
when the page link of the target page does not belong to the accessible page link, the business system determines that the target object does not have permission to access the target page;
when the target object does not have permission to access the target page, the business system triggers the front end of the permission engine system to display a role application page, so that the target object applies, through the role application page, for the role category required to access the target page.
12. A business system access method, the method comprising:
in response to an access operation for integrating a business system with a permission engine system, displaying a permission bit creation page, and, in response to a permission bit creation operation triggered through the permission bit creation page, displaying the created permission bit;
in response to a role editing operation on the permission bit, displaying the role category associated with the permission bit as edited by the role editing operation;
in response to a link editing operation on the permission bit, displaying the accessible page link associated with the permission bit as edited by the link editing operation;
in response to completion of the link editing operation, triggering a first association relationship between the permission bit and the accessible page link to take effect in the permission engine system; the first association relationship is used for authentication when a target object of the role category accesses a page in the business system.
13. The method of claim 12, wherein displaying, in response to the role editing operation on the permission bit, the role category associated with the permission bit as edited by the role editing operation comprises:
displaying a role editing control corresponding to the created permission bit;
displaying a set of role categories in response to a trigger operation on the role editing control;
in response to a selection operation on the set of role categories, displaying the target role category selected by the selection operation, and establishing a second association relationship between the target role category and the created permission bit.
14. The method of claim 13, wherein before displaying the set of role categories, the method further comprises:
displaying a role management page; the role management page displays a role category creation control;
in response to a trigger operation on the role category creation control, displaying a role category creation page;
in response to an input operation on the role category creation page, displaying the entered role information, and generating a role category creation work order according to the entered role information;
when the role category creation work order is approved, determining that the role category has been successfully created.
15. The method of claim 12, wherein displaying, in response to the link editing operation on the permission bit, the accessible page link associated with the permission bit as edited by the link editing operation comprises:
displaying a link editing control corresponding to the created permission bit;
in response to a trigger operation on the link editing control, displaying a set of functional modules included in the business system;
in response to a selection operation on the set of functional modules, taking the page links included in the target functional module selected by the selection operation as the accessible page links associated with the permission bit.
16. An authentication apparatus, characterized in that the apparatus comprises:
a ticket acquisition module, configured to acquire a permission bit identifier of a target object and an authentication ticket obtained by logging in to a permission engine system when the target object accesses a target page in a business system integrated with the permission engine system; the permission bit identifier matches the role category of the target object;
a link acquisition module, configured to verify the authentication ticket and, when the authentication ticket passes verification, determine a pre-configured accessible page link associated with the permission bit identifier;
a feedback module, configured to feed back the accessible page link to the business system; the fed-back accessible page link is used to instruct the business system to determine the access permission of the target object for the target page according to the matching relationship between the page link of the target page and the accessible page link.
17. A business system access apparatus, the apparatus comprising:
a permission bit creation module, configured to display a permission bit creation page in response to an access operation for integrating a business system with a permission engine system, and to display the created permission bit in response to a permission bit creation operation triggered through the permission bit creation page;
a role category association module, configured to display, in response to a role editing operation on the permission bit, the role category associated with the permission bit as edited by the role editing operation;
a link association module, configured to display, in response to a link editing operation on the permission bit, the accessible page link associated with the permission bit as edited by the link editing operation, and, in response to completion of the link editing operation, to trigger a first association relationship between the permission bit and the accessible page link to take effect in the permission engine system; the first association relationship is used for authentication when a target object of the role category accesses a page in the business system.
18. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 11 or 12 to 15.
19. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 11 or 12 to 15.
20. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 11 or 12 to 15.
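The engine-side ticket verification and permission-bit lookup of claims 1, 2, 8 and 9, the business-system matching and role-application branch of claims 1 and 11, and the permission-bit configuration produced through the pages of claims 12-15, modelled as an added Python example that is not code from the patent or from Tencent. It assumes HMAC-SHA256 over the ticket body as a stand-in for the private-key signature of claim 6, omits the identity-information encryption of claim 7, and uses constructed keys, identifiers, role names and links throughout.

```python
"""Permission-engine authentication flow of the claims, modelled end to end.
Added example, not code from the patent or from Tencent. Assumptions: the
private-key signature of claim 6 is stood in for by HMAC-SHA256 over the
ticket body; the identity-information encryption of claim 7 is omitted;
every key, identifier, role name and link below is a constructed value."""
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

ENGINE_KEY = b"constructed-engine-signing-key"   # constructed, not from the page
TICKET_TTL = 600                                 # constructed validity period (claim 2), seconds

# Configuration produced through the pages of claims 12-15 (constructed values):
ROLE_TO_BIT = {"ops_engineer": "bit_ops", "auditor": "bit_audit"}   # second association (claim 13)
BIT_TO_LINKS = {                                                    # first association (claims 12, 15)
    "bit_ops": {"https://erp.example/orders", "https://erp.example/orders/export"},
    "bit_audit": {"https://erp.example/audit"},
}
OBJECT_ROLE = {"u1001": "ops_engineer", "u2002": "auditor"}         # object identifier -> role category


def canonical_link(link):
    """Match on scheme, host and path only, so a query string or trailing slash cannot
    make a configured link look different from the page link actually requested."""
    u = urlsplit(link)
    return f"{u.scheme}://{u.netloc.lower()}{u.path.rstrip('/') or '/'}"


def issue_ticket(object_id, now=None):
    """Claim 6: bind the object identifier into a ticket only the engine can produce."""
    body = json.dumps({"oid": object_id, "iat": int(now or time.time())}, sort_keys=True)
    tag = hmac.new(ENGINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{tag}"


def verify_ticket(ticket, now=None):
    """Claims 1 and 2: return the object identifier, or None if tampered or expired."""
    body, _, tag = ticket.rpartition("|")
    expected = hmac.new(ENGINE_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                      # check the tag before trusting any field
    fields = json.loads(body)
    if (now or time.time()) - fields["iat"] > TICKET_TTL:
        return None
    return fields["oid"]


def permission_bit_for(object_id):
    """Claims 8 and 9: object identifier -> role category -> permission bit."""
    role = OBJECT_ROLE.get(object_id)
    return ROLE_TO_BIT.get(role) if role else None


def accessible_links(ticket, permission_bit, now=None):
    """Claim 1, engine side: the accessible page links fed back to the business
    system. The bit the business system presents (cached per claim 8) is re-derived
    from the ticket rather than trusted, so a mismatched bit yields nothing."""
    object_id = verify_ticket(ticket, now)
    if object_id is None or permission_bit_for(object_id) != permission_bit:
        return None
    return {canonical_link(l) for l in BIT_TO_LINKS.get(permission_bit, ())}


def business_system_decision(target_link, links):
    """Claims 1 and 11, business-system side: allow the page, or send the target
    object to the role application page when the link is not in the fed-back set."""
    if links is None:
        return "deny"
    return "allow" if canonical_link(target_link) in links else "apply_for_role"
```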

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210800812.9A CN115208579A (en) 2022-07-08 2022-07-08 Authentication method, device, service system access method, device and storage medium

Publications (1)

Publication Number Publication Date
CN115208579A true CN115208579A (en) 2022-10-18

Family

ID=83580447

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
REG Reference to a national code (Ref country code: HK; Ref legal event code: DE; Ref document number: 40075321; Country of ref document: HK)